Further Reading, Other Developments, and Coming Events (16 November)

Further Reading

  • Trump’s refusal to begin the transition could damage cybersecurity” By Joseph Marks — The Washington Post. Former executive branch officials, some of whom served at the Department of Homeland Security (DHS), are warning that the Trump Administration’s refusal to start the transition to the Biden Administration may harm the United States’ (U.S.) ability to manage cyber risks if it stretches on too long.
  • Biden will get tougher on Russia and boost election security. Here’s what to expect.” By Joseph Marks — The Washington Post. Expect a Biden Administration to restore cybersecurity policy to the prominence it had in the Obama Administration with renewed diplomatic efforts to foster international consensus against nations like the Russian Federation or People’s Republic of China. A Biden Presidency will likely continue to pursue the Trump Administration’s larger objectives on the People’s Republic of China but without the capriciousness of the current President introducing an element of uncertainty. And, election security and funding will naturally be a focus, too.
  • Taking Back Our Privacy” By Anna Wiener — The New Yorker. This fascinating profile of Moxie Marlinspike (yes, that’s really his name), the prime mover behind end-to-end encryption in WhatsApp and his application, Signal, (hands down the best messaging app, in my opinion), is worth your time.
  • Biden’s Transition Team Is Stuffed With Amazon, Uber, Lyft, and Airbnb Personnel” By Edward Ongweso Jr — Vice’s Motherboard. This piece casts a critical eye on a number of members of the Biden-Harris transition team that have been instrumental in policy changes desired by their employers seemingly at odds with the President-elect’s policies. It remains to be seen how such personnel may affect policies for the new Administration.
  • Officials say firing DHS cyber chief could make U.S. less safe as election process continues” By Joseph Marks — The Washington Post. The head of the Department of Homeland Security’s Cybersecurity Infrastructure and Security Agency (CISA) may well be among those purged by the Trump Administration regardless of the costs to national security. CISA Director Christopher Krebs has deftly navigated some of the most fraught, partisan territory in the Trump Administration in leading efforts on election security, but his webpage, Rumor Control, may have been too much for the White House. Consequently, Krebs is saying he expects to be fired like CISA Assistant Director Bryan Ware was this past week.

Other Developments

  • The Democratic leadership on a key committee wrote the chairs of both the Federal Trade Commission (FTC) and the Federal Communications Commission (FCC), “demanding that the two commissions stop work on all partisan or controversial items currently under consideration in light of the results of last week’s presidential election” per the press release. House Energy and Commerce Committee Chair Frank Pallone Jr. (D-NJ), Consumer Protection and Commerce Subcommittee Chair Jan Schakowsky (D-IL), and Communications and Technology Subcommittee Chair Mike Doyle (D-PA) argued that FTC Chair Joseph Simons and FCC Chair Ajit Pai should “only pursue consensus and administrative matters that are non-partisan for the remainder of your tenure.” The agencies are, of course, free to dismiss the letters and the request and may well do so, especially in the case of the FCC and its rulemaking on 47 U.S.C. 230. Additionally, as rumored, the FTC may soon file an antitrust case against Facebook for its dominance of the social messaging market when Democrats on the FTC and elsewhere might prefer a broader case.
  • The Office of Personnel Management’s (OPM) Office of the Inspector General (OIG) released a pair of audits on the agency’s information security practices and procedures and found continued weaknesses in the agency’s systems. The OPM was breached by People’s Republic of China (PRC) hackers during the Obama Administration and massive amounts of information about government employees was exfiltrated. Since that time, the OPM has struggled to mend its information security and systems.
    • In “Audit of the Information Technology Security Controls of the U.S. Office of Personnel Management’s Agency Common Controls,” the OIG found explained that its “audit of the agency common controls listed in the Common Security Control Collection (CSCC) determined that:
      • Documentation assigning roles and responsibilities for the governance of the CSCC does not exist.
      • Inconsistencies in the risk assessment and reporting of deficient controls were identified in the most recent assessment results documentation of the CSCC.
      • Weaknesses identified in an assessment of the CSCC were not tracked through a plan of actions and milestones.
      • Weaknesses identified in an assessment of the CSCC were not communicated to the Information System Security Officers, System Owners or Authorizing Officials of the systems that inherit the controls.
      • We tested 56 of the 94 controls in the CSCC. Of the 56 controls tested, 29 were either partially satisfied or not satisfied. Satisfied controls are fully implemented controls according to the National Institute of Standards and Technology.”
    • And, in the annual Federal Information Security Modernization Act (FISMA) audit, the OIG found middling progress. Specifically, with respect to the FISMA IG Reporting Metrics, the OIG found:
      • Risk Management – OPM has defined an enterprise-wide risk management strategy through its risk management council. OPM is working to implement a comprehensive inventory management process for its system interconnections, hardware assets, and software.
      • Configuration Management – OPM continues to develop baseline configurations and approve standard configuration settings for its information systems. The agency is also working to establish routine audit processes to ensure that its systems maintain compliance with established configurations.
      • Identity, Credential, and Access Management (ICAM) – OPM is continuing to develop its agency ICAM strategy, and acknowledges a need to implement an ICAM program. However, OPM still does not have sufficient processes in place to manage contractors in its environment.
      • Data Protection and Privacy – OPM has implemented some controls related to data protection and privacy. However, there are still resource constraints within OPM’s Office of Privacy and Information Management that limit its effectiveness.
      • Security Training – OPM has implemented a security training strategy and program, and has performed a workforce assessment, but is still working to address gaps identified in its security training needs.
      • Information Security Continuous Monitoring – OPM has established many of the policies and procedures surrounding continuous monitoring, but the agency has not completed the implementation and enforcement of the policies. OPM also continues to struggle to conduct security controls assessments on all of its information systems.
      • Incident Response – OPM has implemented many of the required controls for incident response. Based upon our audit work, OPM has successfully implemented all of the FISMA metrics at the level of “consistently implemented” or higher.
      • Contingency Planning – OPM has not implemented several of the FISMA requirements related to contingency planning, and continues to struggle to maintain its contingency plans as well as conducting contingency plan tests on a routine basis.
  • The Australian Competition and Consumer Commission (ACCC) announced “amendments to the Consumer Data Right Rules…[that] permit the use of accredited intermediaries to collect data, through an expansion of the rules relating to outsourced service providers” per the press release. The ACCC stated “The amendments expand the Consumer Data Right system by allowing for accredited businesses to rely on other accredited businesses to collect Consumer Data Right data on their behalf, so they can provide goods and services to consumers.” The ACCC stated “[t]he Competition and Consumer (Consumer Data Right) Amendment Rules (No. 2) 2020 (Accredited Intermediary Rules) commenced on 2 October 2020 and are available on the Federal Register of Legislation.”
  • Singapore’s central bank called on financial institutions to ramp up cybersecurity because of increased threats during the COVID-19 pandemic. The Monetary Authority of Singapore (MAS)’s Cyber Security Advisory Panel (CSAP) held “its fourth annual meeting with MAS management…[and] shared its insights on cyber risks in the new operating environment and made several recommendations:”
    • Reviewing risk profiles and adequacy of risk mitigating measures. The Panel discussed the risks and vulnerabilities arising from the rapid adoption of remote access technologies and work processes that could affect FIs’ cyber risk profiles. The meeting highlighted the need for FIs to assess if their existing risk profiles have changed and remain acceptable. This is to ensure that in the long run appropriate controls are implemented to mitigate any new risks.  
    • Maintaining oversight of third-party vendors and their controls. With the increased reliance on third-party vendors, the Panel emphasised the need for FIs to step up their oversight of these counterparts and to monitor and secure remote access by third-parties to FIs’ systems. This is even more important during the COVID-19 pandemic where remote working has become pervasive.
    • Strengthening governance over the use of open-source software (OSS). Vulnerabilities in OSS are typically targeted and exploited by threat actors. The Panel recommended that FIs establish policies and procedures on the use of OSS and to ensure these codes are robustly reviewed and tested before they are deployed in the FIs’ IT environment.
  • Washington State Attorney General Bob Ferguson issued his fifth annual Data Breach Report “showed that the number of Washingtonians affected by breaches nearly doubled in the last year and ransomware attacks tripled” according to his press release. Ferguson asserted:
    • The total number of Washingtonians affected by a data breach increased significantly, from 351,000 in 2019 to 651,000 in 2020. Overall, there were fewer breaches reported to the Attorney General’s Office in 2020, decreasing from 60 reported breaches last year to 51 this year.
    • Ferguson made the following recommendations:
      • 1. Bring RCW 19.255.005 and RCW 42.56.590 into alignment by making sure that private entities also have to provide notice to consumers for breaches of a consumer’s name and the last-four digits of their Social Security number.
      • SB 6187, which was signed by Governor Inslee on March 18, 2020, and went into effect on June 11, 2020 modified the definition of personal information for breaches that occur at local and state agencies. Specifically, the bill modified the definition of personal information in RCW 42.56.590 to include the last four digits of a SSN in combination with a consumer’s name as a stand alone element that will trigger the requirement for consumer notice. This change should be extended to RCW 19.255.005 as well, to bring both laws into alignment, and provide consumers with the most robust protections possible, regardless of the type of entity that was breached.
      • 2. Expand the definition of “personal information” in RCW 19.255.005 and RCW 42.56.590 to include Individual Tax Identification numbers (ITINs).
      • ITINs are assigned by the IRS to foreign-born individuals who are unable to acquire a Social Security number for the purposes of processing various tax related documents. In other words, they are a unique identifier equivalent in sensitivity to a Social Security number. At present, ten states include ITINs in their definition of “personal information.” In 2018, Washington State was home to just over 1.1 million foreign born individuals, representing approximately 15% of the state’s population.
      • 3. Establish a legal requirement for persons or businesses that store personal information to maintain a risk-based information security program, and to ensure that information is not retained for a period longer than is reasonably required.
      • As this report discussed last year, it is imperative that entities who handle the private information of Washingtonians take steps necessary to keep it safe, and be prepared to act if they cannot. Such precautions are beneficial for both consumers and the organizations collecting their data. In 2019, Ponemon Report indicated that 48% of the companies surveyed lacked any form of security automation – security technologies used to detect breaches more efficiently than humans can.22 In 2020, that number dropped by only 7%.23
      • In 2019, the average cost of a data breach for companies without automation was nearly twice as expensive as for those who implemented security automation. That cost has only grown since, with data breaches in 2020 costing companies without security automation nearly triple that of business who have automation. Similarly, the formation of a dedicated Incident Response Team and testing of an Incident Response Plan reduced the average total cost of breaches in 2020 by more than $2 million.
      • Requiring data collectors to maintain an appropriately sized security program and incident response team and to dispose of consumer information that is no longer needed is a critical next step in mitigating the size and cost of breaches in our state.
  • Four former Secretaries of Homeland Security and two acting Secretaries wrote the leadership of the Congress regarding “the need to consolidate and strengthen Congressional oversight of the Department of Homeland Security (DHS) in order to make possible the fundamental changes that DHS urgently needs to protect the American people from the threats we face in 2021.” They noted “more than 90 different committees or subcommittees today have jurisdiction over DHS—far more than any other cabinet department.” They asserted:
    • DHS urgently needs to make major reforms, improvements, and enhancements to ensure the Department can protect the nation in the way Congress envisioned nearly two decades ago. DHS’s leadership, whether Democratic or Republican, needs to work with a single authorizing committee with broad subject matter authority to enact the changes and authorize the programs that DHS needs to address the threats of 2021.
  • Privacy International (PI) and 13 other groups from the European Union (EU) and Africa wrote the European Commission (EC), arguing the EU’s policies are supporting “the funding and development of projects and initiatives which threaten the right to privacy and other fundamental rights, such as freedom of expression and freedom of assembly.” These groups contended:
    • that by sponsoring such activities, the EU drives the adoption and use of surveillance technologies that, if abused by local actors, can potentially violate the fundamental rights of people residing in those countries. In the absence of rule of law and human rights safeguards enshrined in law, which seek to limit the state’s powers and protect people’s rights, these technologies can be exploited by authorities and other actors with access and result in onerous implications not just for the rights of privacy and data protection but also for other rights, such as freedom of expression and freedom of assembly.
    • In their press release, these groups stated the letter “comes following the public release of hundreds of documents obtained by PI after a year of negotiating with EU bodies under access to documents laws, which show:
      • How police and security agencies in Africa and the Balkans are trained with the EU’s support in spying on internet and social media users and using controversial surveillance techniques and tools; Read PI’s report here.
      • How EU bodies are training and equipping border and migration authorities in non-member countries with surveillance tools, including wiretapping systems and other phone surveillance tools, in a bid to ‘outsource’ the EU’s border controls; Read PI’s report here.
      • How Civipol, a well-connected French security company, is developing mass biometric systems with EU aid funds in Western Africa in order to stop migration and facilitate deportations without adequate risk assessments. Read PI’s report here.
    • They stated “we call on the European Commission, in coordination with the European Parliament and EU member states to:
      • Ensure no support is provided for surveillance or identity systems across external assistance funds and instruments to third countries that lack a clear and effective legal framework governing the use of the surveillance equipment or techniques.
      • Only provide support for surveillance or identity systems after an adequate risk assessment and due diligence are carried out.
      • Provide Parliament greater capabilities of scrutiny and ensuring accountability over funds.
      • All future projects aimed at addressing “the root causes of instability, forced displacement, and irregular migration” should be mainstreamed into the NDICI. In turn, discontinue the EUTF for Africa when the current fund comes to its end in 2020.
      • Ensure that EC Directorate-General for International Cooperation and Development (DEVCO), the EU body in charge of development aid, establishes a new Fund aimed at improving governance and legal frameworks in non-EU countries to promote the right to privacy and data protection. Priorities of the Fund should include:
        • Revising existing privacy and data protection legal frameworks, or where there is none developing new ones, that regulate surveillance by police and intelligence agencies, aimed at ensuring they are robust, effectively implemented, and provide adequate redress for individuals;
        • Strengthening laws or introducing new ones that set out clear guidelines within which the government authorities may conduct surveillance activities;
        • Focusing on promotion and strengthening of democratisation and human rights protections;
        • Strengthening the independence of key monitoring institutions, such as the judiciary, to ensure compliance with human rights standards.

Coming Events

  • On 17 November, the Senate Judiciary Committee will hold a hearing with Facebook CEO Mark Zuckerberg and Twitter CEO Jack Dorsey on Section 230 and how their platforms chose to restrict The New York Post article on Hunter Biden.
  • The Senate Homeland Security and Governmental Affairs Committee’s Regulatory Affairs and Federal Management Subcommittee will hold a hearing on how to modernize telework in light of what was learned during the COVID-19 pandemic on 18 November.
  • On 18 November, the Federal Communications Commission (FCC) will hold an open meeting and has released a tentative agenda:
    • Modernizing the 5.9 GHz Band. The Commission will consider a First Report and Order, Further Notice of Proposed Rulemaking, and Order of Proposed Modification that would adopt rules to repurpose 45 megahertz of spectrum in the 5.850-5.895 GHz band for unlicensed operations, retain 30 megahertz of spectrum in the 5.895-5.925 GHz band for the Intelligent Transportation Systems (ITS) service, and require the transition of the ITS radio service standard from Dedicated Short-Range Communications technology to Cellular Vehicle-to-Everything technology. (ET Docket No. 19-138)
    • Further Streamlining of Satellite Regulations. The Commission will consider a Report and Order that would streamline its satellite licensing rules by creating an optional framework for authorizing space stations and blanket-licensed earth stations through a unified license. (IB Docket No. 18-314)
    • Facilitating Next Generation Fixed-Satellite Services in the 17 GHz Band. The Commission will consider a Notice of Proposed Rulemaking that would propose to add a new allocation in the 17.3-17.8 GHz band for Fixed-Satellite Service space-to-Earth downlinks and to adopt associated technical rules. (IB Docket No. 20-330)
    • Expanding the Contribution Base for Accessible Communications Services. The Commission will consider a Notice of Proposed Rulemaking that would propose expansion of the Telecommunications Relay Services (TRS) Fund contribution base for supporting Video Relay Service (VRS) and Internet Protocol Relay Service (IP Relay) to include intrastate telecommunications revenue, as a way of strengthening the funding base for these forms of TRS and making it more equitable without increasing the size of the Fund itself. (CG Docket Nos. 03-123, 10-51, 12-38)
    • Revising Rules for Resolution of Program Carriage Complaints. The Commission will consider a Report and Order that would modify the Commission’s rules governing the resolution of program carriage disputes between video programming vendors and multichannel video programming distributors. (MB Docket Nos. 20-70, 17-105, 11-131)
    • Enforcement Bureau Action. The Commission will consider an enforcement action.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo by cottonbro from Pexels

Further Reading, Other Developments, and Coming Events (11 November)

Further Reading

  • ICE, IRS Explored Using Hacking Tools, New Documents Show” By Joseph Cox — Vice. Federal agencies other than the Federal Bureau of Investigation (FBI) and the Intelligence Community (IC) appear to be interesting in utilizing some of the capabilities offered by the private sector to access devices or networks in the name of investigating cases.
  • China’s tech industry relieved by Biden win – but not relaxed” By Josh Horwitz and Yingzhi Yang — Reuters. While a Biden Administration will almost certainly lower the temperature between Beijing and Washington, the People’s Republic of China is intent on addressing the pressure points used by the Trump Administration to inflict pain on its technology industry.
  • Trump Broke the Internet. Can Joe Biden Fix It?” By Gilad Edelman — WIRED. This piece provides a view of the waterfront in technology policy under a Biden Administration.
  • YouTube is awash with election misinformation — and it isn’t taking it down” By Rebecca Heilweil — Recode. For unexplained reasons, YouTube seems to have avoided the scrutiny facing Facebook and Twitter on their content moderation policies. Whether the lack of scrutiny is a reason is not clear, but the Google owned platform had much more election-related misinformation than the other social media platforms.
  • Frustrated by internet service providers, cities and schools push for more data” By Cyrus Farivar — NBC News. Internet service providers are not helping cities and states identify families eligible for low-cost internet to help children attend school virtually. They have claimed these data are proprietary, so jurisdictions have gotten creative about identifying such families.

Other Developments

  • The Consumer Product Safety Commission’s (CPSC) Office of the Inspector General (OIG) released its annual Federal Information Security Modernization Act (FISMA) audit and found “that although management continues to make progress in implementing the FISMA requirements much work remains to be done.” More particularly, it was “determined that the CPSC has not implemented an effective information security program and practices in accordance with FISMA requirements.” The OIG asserted:
    • The CPSC information security program was not effective because the CPSC has not developed a holistic formal approach to manage information security risks or to effectively utilize information security resources to address previously identified information security deficiencies. Although the CPSC has begun to develop an Enterprise Risk Management (ERM) program to guide risk management practices at the CPSC, explicit guidance and processes to address information security risks and integrate those risks into the broader agency-wide ERM program has not been developed.
    • In addition, the CPSC has not leveraged the relevant information security risk management guidance prescribed by NIST to develop an approach to manage information security risk.
    • Further, as asserted by CPSC personnel, the CPSC has limited resources to operate the information security program and to address the extensive FISMA requirements and related complex cybersecurity challenges.
    • Therefore, the CPSC has not dedicated the resources necessary to fully address these challenges and requirements. The CPSC began addressing previously identified information security deficiencies but was not able to address all deficiencies in FY 2020.
  • The United States (U.S.) Department of Justice (DOJ) announced the seizure of 27 websites allegedly used by Iran’s Islamic Revolutionary Guard Corps (IRGC) “to further a global covert influence campaign…in violation of U.S. sanctions targeting both the Government of Iran and the IRGC.” The DOJ contended:
    • Four of the domains purported to be genuine news outlets but were actually controlled by the IRGC and targeted audiences in the United States, to covertly influence United States policy and public opinion, in violation of the Foreign Agents Registration Act (FARA). The remainder targeted audiences in other parts of the world.  This seizure warrant follows an earlier seizure of 92 domains used by the IRGC for similar purposes.
  • The United Nations (UN) Special Rapporteur on the right to privacy Joseph Cannataci issued his annual report that “constitutes  a  preliminary  assessment  as  the  evidence  base required to reach definitive conclusions on whether privacy-intrusive, anti-COVID-19 measures are necessary and proportionate in a democratic society is not yet available.” Cannataci added “[a] more definitive report is planned for mid-2021, when 16 months of evidence will be available to allow a more accurate assessment.” He “addresse[d]  two  particular  aspects  of  the impact of COVID-19 on the right to privacy: data protection and surveillance.” The Special Rapporteur noted:
    • While the COVID-19 pandemic has generated much debate about the value of contact tracing and reliance upon technology that track citizens and those they encounter, the use of information and technology is not new in managing public health emergencies. What is concerning in some States are reports of how technology is being used and the degree of intrusion and control being exerted over citizens –possibly to little public health effect.
    • The Special Rapporteur concluded:
      • It is far too early to assess definitively whether some COVID-19-related measures might be unnecessary or disproportionate. The Special Rapporteur will continue to monitor the impact of surveillance in epidemiology on the right to privacy and report to the General Assembly in 2021. The main privacy risk lies in the use of non-consensual methods, such as those outlined in the section on hybrid systems of surveillance, which could result in function creep and be used for other purposes that may be privacy intrusive.
      • Intensive and omnipresent technological surveillance is not the panacea for pandemic situations such as COVID-19. This has been especially driven home by those countries in which the use of conventional contact-tracing methods, without recourse to smartphone applications, geolocation or other technologies, has proven to be most effective in countering the spread of COVID-19.
      • If a State decides that technological surveillance is necessary as a response to the global COVID-19 pandemic, it must make sure that, after proving both the necessity and proportionality of the specific measure, it has a law that explicitly provides for such surveillance measures (as in the example of Israel).
      • A State wishing to introduce a surveillance measure for COVID-19 purposes, should not be able to rely on a generic provision in law, such as one stating that the head of the public health authority may “order such other action be taken as he [or she] may consider appropriate”. That does not provide explicit and specific safeguards which are made mandatory both under the provisions of Convention 108 and Convention 108+, and based on the jurisprudence of the European Court of Human Rights. Indeed, if the safeguard is not spelled out in sufficient detail, it cannot be considered an adequate safeguard.
  • The University of Toronto’s Citizen Lab issued its submission to the Government of Canada’s “public consultation on the renewal of its Responsible Business Conduct (RBC) strategy, which is intended to provide guidance to the Government of Canada and Canadian companies active abroad with respect to their business activities.” Citizen Lab addressed “Canadian technology companies and the threat they pose to human rights abroad” and noted two of its reports on Canadian companies whose technologies were used to violate human rights:
    • In 2018, the Citizen Lab released a report documenting Netsweeper installations on public IP networks in ten countries that each presented widespread human rights concerns. This research revealed that Netsweeper technology was used to block: (1) political content sites, including websites linked to political groups, opposition groups, local and foreign news, and regional human rights issues in Bahrain, Kuwait, Yemen, and UAE; (2) LGBTQ content as a result of Netsweeper’s pre-defined ‘Alternative Lifestyles’ content category, as well as Google searches for keywords relating to LGBTQ content (e.g., the words “gay” or “lesbian”) in the UAE, Bahrain, and Yemen; (3) non-pornographic websites under the mis-categorization of sites like the World Health Organization and the Center for Health and Gender Equity as “pornography”; (4) access to news reporting on the Rohingya refugee crisis and violence against Muslims from multiple news outlets for users in India; (5) Blogspot-hosted websites in Kuwait by categorizing them as “viruses” as well as a range of political content from local and foreign news and a website that monitors human rights issues in the region; and (6) websites like Date.com, Gay.com (the Los Angeles LGBT Center), Feminist.org, and others through categorizing them as “web proxies.” 
    • In 2018, the Citizen Lab released a report documenting the use of Sandvine/Procera devices to redirect users in Turkey and Syria to spyware, as well as the use of such devices to hijack the Internet users’ connections in Egypt, redirecting them to revenue-generating content. These examples highlight some of the ways in which this technology can be used for malicious purposes. The report revealed how Citizen Lab researchers identified a series of devices on the networks of Türk Telekom—a large and previously state-owned ISP in Turkey—being used to redirect requests from users in Turkey and Syria who attempted to download certain common Windows applications like antivirus software and web browsers. Through the use of Sandvine/Procera technology, these users were instead redirected to versions of those applications that contained hidden malware. 
    • Citizen Lab made a number of recommendations:
      • Reform Canadian export law:  
        • Clarify that all Canadian exports are subject to the mandatory analysis set out in section 7.3(1) and section 7.4 of the Export and Import Permits Act (EIPA). 
        • Amend section 3(1) the EIPA such that the human rights risks of an exported good or technology provide an explicit basis for export control.
        • Amend the EIPA to include a ‘catch-all’ provision that subjects cyber-surveillance technology to export control, even if not listed on the Export Control List, when there is evidence that the end-use may be connected with internal repression and/or the commission of serious violations of international human rights or international humanitarian law. 
      • Implement mandatory human rights due diligence legislation:
        • Similar to the French duty of vigilance law, impose a human rights due diligence requirement on businesses such that they are required to perform human rights risk assessments, develop mitigation strategies, implement an alert system, and develop a monitoring and public reporting scheme. 
        • Ensure that the mandatory human rights due diligence legislation provides a statutory mechanism for liability where a company fails to conform with the requirements under the law. 
      • Expand and strengthen the Canadian Ombudsperson for Responsible Enterprise (CORE): 
        • Expand the CORE’s mandate to cover technology sector businesses operating abroad.
        • Expand the CORE’s investigatory mandate to include the power to compel companies and executives to produce testimony, documents, and other information for the purposes of joint and independent fact-finding.
        • Strengthen the CORE’s powers to hold companies to account for human rights violations abroad, including the power to impose fines and penalties and to impose mandatory orders.
        • Expand the CORE’s mandate to assist victims to obtain legal redress for human rights abuses. This could include the CORE helping enforce mandatory human rights due diligence requirements, imposing penalties and/or additional statutory mechanisms for redress when requirements are violated.
        • Increase the CORE’s budgetary allocations to ensure that it can carry out its mandate.
  • A week before the United States’ (U.S.) election, the White House’s Office of Science and Technology Policy (OSTP) issued a report titled “Advancing America’s Global Leadership in Science and Technology: Trump Administration Highlights from the Trump Administration’s First Term: 2017-2020,” that highlights the Administration’s purported achievements. OSTP claimed:
    • Over the past four years, President Trump and the entire Administration have taken decisive action to help the Federal Government do its part in advancing America’s global science and technology (S&T) preeminence. The policies enacted and investments made by the Administration have equipped researchers, health professionals, and many others with the tools to tackle today’s challenges, such as the COVID-19 pandemic, and have prepared the Nation for whatever the future holds.

Coming Events

  • On 17 November, the Senate Judiciary Committee will reportedly hold a hearing with Facebook CEO Mark Zuckerberg and Twitter CEO Jack Dorsey on Section 230 and how their platforms chose to restrict The New York Post article on Hunter Biden.
  • On 18 November, the Federal Communications Commission (FCC) will hold an open meeting and has released a tentative agenda:
    • Modernizing the 5.9 GHz Band. The Commission will consider a First Report and Order, Further Notice of Proposed Rulemaking, and Order of Proposed Modification that would adopt rules to repurpose 45 megahertz of spectrum in the 5.850-5.895 GHz band for unlicensed operations, retain 30 megahertz of spectrum in the 5.895-5.925 GHz band for the Intelligent Transportation Systems (ITS) service, and require the transition of the ITS radio service standard from Dedicated Short-Range Communications technology to Cellular Vehicle-to-Everything technology. (ET Docket No. 19-138)
    • Further Streamlining of Satellite Regulations. The Commission will consider a Report and Order that would streamline its satellite licensing rules by creating an optional framework for authorizing space stations and blanket-licensed earth stations through a unified license. (IB Docket No. 18-314)
    • Facilitating Next Generation Fixed-Satellite Services in the 17 GHz Band. The Commission will consider a Notice of Proposed Rulemaking that would propose to add a new allocation in the 17.3-17.8 GHz band for Fixed-Satellite Service space-to-Earth downlinks and to adopt associated technical rules. (IB Docket No. 20-330)
    • Expanding the Contribution Base for Accessible Communications Services. The Commission will consider a Notice of Proposed Rulemaking that would propose expansion of the Telecommunications Relay Services (TRS) Fund contribution base for supporting Video Relay Service (VRS) and Internet Protocol Relay Service (IP Relay) to include intrastate telecommunications revenue, as a way of strengthening the funding base for these forms of TRS and making it more equitable without increasing the size of the Fund itself. (CG Docket Nos. 03-123, 10-51, 12-38)
    • Revising Rules for Resolution of Program Carriage Complaints. The Commission will consider a Report and Order that would modify the Commission’s rules governing the resolution of program carriage disputes between video programming vendors and multichannel video programming distributors. (MB Docket Nos. 20-70, 17-105, 11-131)
    • Enforcement Bureau Action. The Commission will consider an enforcement action.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo by Brett Sayles from Pexels

OIG Finds DHS Election Security Efforts Improved But Still Lacking

The OIG found issues with how CISA provided assistance on election cybersecurity and found a complete lack of planning or assistance on physical safety, terrorism, and violence issues.

The United States’ (U.S.) Department of Homeland Security’s (DHS) Office of the Inspector General (OIG) released its second assessment in the last two years of the Cybersecurity and Infrastructure Security Agency’s (CISA) efforts to secure the U.S.’ election systems. The OIG lauded CISA’s progress in laying plans and taking precautions to secure U.S. election systems themselves but found room for CISA to improve its oversight and safeguarding the overall system. However, the OIG acknowledged the progress the agency has made since the February 2019 evaluation that was more critical of CISA’s efforts to date. But the OIG intimated that given the churn at the top of DHS over the last few years and the federal election system the U.S. has, CISA may be able to do only so much. In any event, the next few days may lead the OIG to rethink some of its assessment depending on how CISA performs.

The OIG summarized the scope of challenge before CISA:

  • As of September 2020, according to the Cybersecurity and Infrastructure Security Agency (CISA), there were 7,997 election administration jurisdictions in the country. The sizes of these jurisdictions vary dramatically, with the smallest towns having only a few hundred registered voters, while the largest jurisdiction in the country has more than 4.7 million.
  • The diversity in voting systems and software across the Nation presents considerable cybersecurity challenges. For example, there are 67 different types of voting machines manufactured by 7 different companies currently certified for use in any of the election administration jurisdictions across the United States. The election infrastructure’s reliance on technology for efficiency and convenience introduces even greater cybersecurity risks. Moreover, state and local jurisdictions may have different requirements for securing their systems, such as configuration settings, audit logging, intrusion detection capability, and patch management.

Nonetheless, beyond the effect of four different DHS heads since the beginning of the Trump Administration, the OIG pointed at CISA’s “protracted reorganization” since it was renamed and remade from its forerunner agency, the National Protection and Programs Directorate (NPPD). The OIG said CISA could not even produce an organizational chart, suggesting the possibility of dysfunction inside the agency. For example, the OIG noted:

For example, [Office of Intelligence and Analysis] officials told us in March 2020, the National Cybersecurity and Communications Integration Center (NCCIC) was recently re-organized. However, when we reached out to CISA officials for confirmation in April 2020, they dismissed this notion. According to CISA officials, the confusion may arise when some people refer to NCCIC according to its statutory authority while others refer to the organizational body (i.e., the Cybersecurity Division) that carries out the functions described in the statute.

The OIG flatly declared that until DHS and CISA get solid leadership and are properly organized, the assistance that can be provided to the election sector will be limited. As DHS is the sector-specific agency for a number of other sectors, this conclusion may also have repercussions in the following sectors:

  • Chemical Sector
  • Commercial Facilities Sector
  • Communications Sector
  • Critical Manufacturing Sector
  • Dams Sector
  • Emergency Services Sector
  • Information Technology Sector
  • Nuclear Reactors, Materials, and Waste Sector
  • Transportation Systems Sector (shared with the Department of Transportation)

To wit, the OIG asserted

Amid the leadership vacancies and repeated turnover, within DHS, CISA has not sufficiently prioritized key activities or established effective performance measures to monitor its progress in accomplishing its mission and goals of securing the Nation’s election infrastructure. Without DHS senior leadership guidance as a foundation, CISA cannot work successfully with sector representatives to develop the plans and strategies needed to secure the election infrastructure.

The under and unaddressed risks the OIG identified are “physical security risks, terrorism threats, and targeted violence.” The OIG speculated (correctly, I think) that after the 2016 election CISA was very focused on cybersecurity even though its remit over this subsector of a critical infrastructure sector also includes physical security:

Further, when assisting state and local election officials, CISA has primarily focused on the cybersecurity of election systems instead of broader election infrastructure aspects including related storage facilities, polling places, and centralized vote tabulation locations used to support the election process. CISA’s focus on cybersecurity may be attributed to reported cybersecurity threats and misinformation campaigns from foreign nations during the 2016 and 2018 elections. While beneficial, CISA’s primary focus on cybersecurity has limited DHS’ ability to provide the strategic direction needed to secure the election infrastructure from broader types of potential risks.

Given the protests and counter-protests this year related to Black Lives Matter, which has bled into the Presidential election campaign, CISA’s failure to focus on physical security, terrorism and violence may have left the election system susceptible. The OIG contended:

While attacks on physical election infrastructure locations and assets are rare, CISA should consider both physical and cyber threats as part of a comprehensive understanding of the threat and incorporate them in its election security and resilience planning. For example, an individual drove a van into a voter registration tent manned by campaign volunteers in February 2020. CISA cannot effectively secure the election infrastructure or manage risk to the Nation’s critical infrastructure based on the 2013 National Infrastructure Protection Plan by focusing on cybersecurity alone. A clear roadmap, sufficiently addressing broader risks, is needed to better guide DHS efforts and help achieve its goals of securing the election infrastructure. Moreover, the OIG found the quality fo the information provided by CISA to state and local election officials of questionable value. This is not surprising given the recent audit that found DHS’ cyber information sharing program was not providing quality information to the private sector. Based on our interviews with selected CISA regional staff, the cyber threat information CISA and I&A shared with election stakeholders was not always considered useful.

Based on our interviews with selected CISA regional staff, the cyber threat information CISA and I&A shared with election stakeholders was not always considered useful. DHS is required to maintain situational awareness of threats, and improve the sharing of threat intelligence with stakeholders to better prepare and protect election infrastructure. However, according to selected CISA regional staff, the information was over-classified, not tailored to election stakeholders needs, and could be obtained elsewhere. According to our interviews with CISA’s regional staff 12 Cybersecurity Advisors, 15 Protective Security Advisors, and 10 Regional Directors, the following are opportunities to improve the quality of information shared with stakeholders:

  • 8 (22 percent) of 37 CISA regional staff stated the information was overly classified.
  • 8 (22 percent) of 37 CISA regional staff stated briefings were not tailored to stakeholders needs.
  • 7 (19 percent) of 37 CISA regional staff stated the information could be obtained from public sources. In one example, by the time the cyber threat information was declassified for sharing with election stakeholders, they had already learned about it through the news media.
  • 5 (14 percent) of 37 CISA regional staff stated that after attending briefings, election officials could not share the information with their information technology staff and county clerks to remediate vulnerabilities as they did not possess the proper clearances.
  • 1 (3 percent) of 37 CISA regional staff stated some briefings were repetitive.
  • 7 (19 percent) of 37 CISA regional staff stated Fusion Centers were too far away and not convenient.

Representatives of other Federal agencies also told us about their work with CISA to secure the election infrastructure. One Federal agency representative discussed receiving duplicative election infrastructure threat information from CISA and DHS’ I&A. Another Federal agency official stated, “I cannot think of a single thing in a classified briefing that I have not read from the media,” indicating he had received complaints from others about DHS’ intelligence briefings not being helpful.

Worse still, when a state or local election authority requested that CISA perform an assessment of their systems or processes, the agency was often tardy in doing so. For example, the OIG found:

  • A Secretary of State initially requested a Phishing Campaign Assessment in October 2017. However, CISA did not begin the assessment until June 2018. CISA’s records show NCCIC did not complete the assessment until January 2019, more than a year after the request was made.
  • Another State Board of Elections requested CISA perform a Risk and Vulnerability Assessment in July 2018. The assessment did not begin until July 2019. NCCIC ultimately completed the testing in September 2019, more than a year after the initial request.

Staffing was also an issue. The OIG’s survey of CISA regional staff resulted in 73% of those interviewed saying “CISA needed more Cybersecurity Advisors to help private sector entities and state, local, territorial, and tribal governments prepare for and protect themselves against cybersecurity threats.”

The OIG made these recommendations to CISA:

  • Recommendation 1: Coordinate with the Office of the Secretary to revise the National Infrastructure Protection Plan and other planning documents to incorporate current and evolving risks as well as mitigation strategies needed to secure the Nation’s election infrastructure.
  • Recommendation 2: Improve the collaboration between I&A and CISA, which can help to enhance the quality and reduce the redundancy of information DHS shares with Federal agencies and state and local election officials.
  • Recommendation 3: Assign the staff resources needed to conduct timely cybersecurity and physical assessments to assist states and localities with securing the election infrastructure.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Image by Free-Photos from Pixabay

Further Reading, Other Developments, and Coming Events (2 November)

Further Reading

  •  “Harris target of more misinformation than Pence, data shows” By Amanda Seitz — Associated Press News. Given the hostile treatment women and minorities in the United States face on social media, it is not a surprise that Senator Kamala Harris (D-CA) has faced a barrage of sexist, racist, and xenophobic invective online.
  • The Untold Technological Revolution Sweeping Through Rural China” By Clive Thompson — The New York Times. In a review of Xiaowei Wang’s new book, “Blockchain Chicken Farm,” one learns that the People’s Republic of China (PRC) is facing a bifurcated society of haves and haves not largely because of the boom in technology just like the United States.
  • DHS plans largest operation to secure U.S. election against hacking” By Joseph Marks — The Washington Post.  Looking to avert a repeat of 2016, the United States’ (U.S.) Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) is expecting to be on high alert and will stand its capabilities through Election Day and beyond until winners have been declared. Not only will the agency’s technical capabilities be brought to bear, CISA will also look to liaise with the media regularly to tamp down any panic arising from reports of hacking or interference. And, it is expected that CISA’s relationship building with state and local officials will help speed action on any cyber intelligence the agency pushes out.
  • The Tech Antitrust Problem No One Is Talking About” By Tom Simonite — WIRED. The United States’ (U.S.) four dominant broadband providers Verizon, Comcast, Charter Communications, and AT&T appear to be providing inferior service at higher prices than broadband available in other advanced nations. The pandemic has, of course, focused more people on the lack of highspeed broadband for many Americans. But, the dominance of broadband providers has flown under the radar from an anti-trust and competition perspective. This could change in a Biden Administration.
  • ‘Tsunamis of Misinformation’ Overwhelm Local Election Officials” By Kellen Browning and Davey Alba — The New York Times. State and local officials are struggling in terms of human resources and capability to try to address the wave of misinformation and disinformation about the election and procedures being spewed across social media.

Other Developments

  • The United States’ (U.S.) Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) released a joint advisory titled “Ransomware Activity Targeting the Healthcare and Public Health Sector.” The advisory “describes the tactics, techniques, and procedures (TTPs) used by cybercriminals against targets in the Healthcare and Public Health (HPH) Sector to infect systems with ransomware, notably Ryuk and Conti, for financial gain.” The agencies’ key findings include:
    • CISA, FBI, and HHS assess malicious cyber actors are targeting the HPH Sector with TrickBot and BazarLoader malware, often leading to ransomware attacks, data theft, and the disruption of healthcare services.
    • These issues will be particularly challenging for organizations within the COVID-19 pandemic; therefore, administrators will need to balance this risk when determining their cybersecurity investments.
  • The National Institute of Standards and Technology (NIST) published a companion guidance document to accompany the major update to guidance issued in September that federal agencies and federal contractors must follow. NIST’s Control Baselines for Information Systems and Organizations, NIST Special Publication (SP) 800-53B, a companion publication to SP 800-53 Revision 5, “establishes security and privacy control baselines for federal information systems and organizations and provides tailoring guidance for those baselines.” NIST explained “[i]mplementation of a minimum set of controls selected from NIST SP 800-53, Revision 5 is mandatory to protect federal information and information systems in accordance with the Office of Management and Budget (OMB) Circular A-130 [and the provisions of the Federal Information Security Modernization Act” (FISMA). NIST added while “the privacy control baseline is not mandated by law or OMB A-130,  SP 800-53B—along with other supporting NIST publications—is designed to help organizations identify the security and privacy controls needed to manage risk and to satisfy the security and privacy requirements in FISMA, the Privacy Act of 1974, selected OMB policies, and designated Federal Information Processing Standards (FIPS), among others.”
  • The United Kingdom’s (UK) Information Commissioner’s Office (ICO) has released its third significant fine in a few weeks with a £18.4 million fine on Marriott International Inc under the General Data Protection Regulation (GDPR). Because the GDPR came into force in May 2018, only a portion of the data breach dating back to 2014 falls under the EU’s data protection law. Also, the ICO finished its investigation and levied its fine before the UK leaves the European Union (EU). A few weeks ago, the ICO levied a £20 million fine on British Airways “for failing to protect the personal and financial details of more than 400,000 of its customers.” More recently, the ICO completed its investigation into the data brokering practices of Equifax, Transunion, and Experian and found widespread privacy and data protection violations.
    • The ICO originally proposed a £99 million fine on Marriott, but like the British Airways fine, it was dramatically revised downward, in part, because of the pandemic’s effect on the company.
    • In its investigation of Marriott, the ICO found:
      • Marriott estimates that 339 million guest records worldwide were affected following a cyber-attack in 2014 on Starwood Hotels and Resorts Worldwide Inc. The attack, from an unknown source, remained undetected until September 2018, by which time the company had been acquired by Marriott. 
      • The personal data involved differed between individuals but may have included names, email addresses, phone numbers, unencrypted passport numbers, arrival/departure information, guests’ VIP status and loyalty programme membership number.
      • The precise number of people affected is unclear as there may have been multiple records for an individual guest. Seven million guest records related to people in the UK.
      • The ICO’s investigation found that there were failures by Marriott to put appropriate technical or organisational measures in place to protect the personal data being processed on its systems…
      • Because the breach happened before the UK left the EU, the ICO investigated on behalf of all EU authorities as lead supervisory authority under the GDPR. The penalty and action have been approved by the other EU DPAs through the GDPR’s cooperation process.
      • In July 2019, the ICO issued Marriott with a notice of intent to fine. As part of the regulatory process, the ICO considered representations from Marriott, the steps Marriott took to mitigate the effects of the incident and the economic impact of COVID-19 on their business before setting a final penalty.
  • Five Democratic Senators wrote the United States’ (U.S.) Department of Homeland Security’s Office of the Inspector General (OIG) requesting an investigation of “warrantless domestic surveillance of phones by Customs and Border Protection (CBP).” Senators Ron Wyden (D-OR), Sherrod Brown (D-OH), Elizabeth Warren (D-MA), Ed Markey (D-MA), and Brian Schatz (D-HI) stated
    • According to public government contracts, CBP has spent nearly half a million dollars for subscriptions to a commercial database provided by a government contractor named Venntel, containing location data collected from millions of Americans’ mobile phones. In an oversight call with Senate staff on September 16, 2020, CBP officials confirmed the agency’s use of this surveillance product, without a court order, in order to track and identify people in the United States.
    • The Senators asserted:
      • CBP is not above the law and it should not be able to buy its way around the Fourth Amendment. Accordingly, we urge you to investigate CBP’s warrantless use of commercial databases containing Americans’ information, including but not limited to Venntel’s location database. We urge you to examine what legal analysis, if any, CBP’s lawyers performed before the agency started to use this surveillance tool. We also request that you determine how CBP was able to begin operational use of Venntel’s location database without the Department of Homeland Security Privacy Office first publishing a Privacy Impact Assessment.
  • The United States Patent and Trademark Office (USPTO) published “Public Views on Artificial Intelligence and Intellectual Property Policy” on the basis of two rounds of comments on artificial intelligence (AI), patents, and intellectual property (IP). The USPTO said a key priority “is to maintain United States leadership in innovation, especially in emerging technologies, including AI.” The USPTO stated “[t]o further this goal, the USPTO has been actively engaging with the innovation community and experts in AI to promote the understanding and reliability of intellectual property (IP) rights in relation to AI technology…[and] is working to ensure that appropriate IP incentives are in place to encourage further innovation in and around this critical area.”
    • The USPTO stated “[f]rom the synthesis of the public comments, a number of themes emerged:
      • General Themes
        • Many comments addressed the fact that AI has no universally recognized definition. Due to the wide-ranging definitions of the term, often comments urged caution with respect to specific IP policymaking in relation to AI.
        • The majority of public commenters, while not offering definitions of AI, agreed that the current state of the art is limited to “narrow” AI. Narrow AI systems are those that perform individual tasks in well-defined domains (e.g., image recognition, translation, etc.). The majority viewed the concept of artificial general intelligence (AGI)— intelligence akin to that possessed by humankind and beyond—as merely a theoretical possibility that could arise in a distant future.
        • Based on the majority view that AGI has not yet arrived, the majority of comments suggested that current AI could neither invent nor author without human intervention. The comments suggested that human beings remain integral to the operation of AI, and this is an important consideration in evaluating whether IP law needs modification in view of the current state of AI technology.
        • Across all IP topics, a majority of public commenters expressed a general sense that the existing U.S. intellectual property laws are calibrated correctly to address the evolution of AI. However, commenters appear split as to whether any new classes of IP rights would be beneficial to ensure a more robust IP system.
  • New Zealand’s Office of the Privacy Commissioner (OPC) has released more materials in the run up to the 1 December effective date of the Privacy Act 2020:
  • The Office of the Privacy Commissioner of Canada (OPC) announced it “has opened investigations into recent cyber security incidents involving attacks on Government of Canada online service accounts.” The Privacy Commissioner initiated the two investigations and “will examine whether the government institutions met their obligations under the Privacy Act, the federal public sector privacy law.” The OPC explained:
    • One investigation will focus on cyberattacks on the GCKey, an electronic credential issued by the government and used by federal institutions to provide individuals and organizations with access to online services. It relates to Shared Services Canada, which issues the GCKey, and federal government departments affected by the attacks on the GCKey.
    • The second investigation relates to cyberattacks on Canada Revenue Agency accounts. The incidents involved “credential stuffing,” where hackers use passwords and usernames collected from previous breaches to take advantage of the fact that many people use the same passwords and usernames for various accounts.
  • Microsoft is claiming that it foiled an Iranian cyber-attack on a high-profile cybersecurity conference held in Saudi Arabia. In a blog posting, Microsoft stated “we’re sharing that we have detected and worked to stop a series of cyberattacks from the threat actor Phosphorus masquerading as conference organizers to target more than 100 high-profile individuals.” Microsoft claimed that “Phosphorus, an Iranian actor, has targeted with this scheme potential attendees of the upcoming Munich Security Conference and the Think 20 (T20) Summit in Saudi Arabia.”
    • Microsoft contended:
      • The attackers have been sending possible attendees spoofed invitations by email. The emails use near-perfect English and were sent to former government officials, policy experts, academics and leaders from non-governmental organizations. Phosphorus helped assuage fears of travel during the Covid-19 pandemic by offering remote sessions.
      • We believe Phosphorus is engaging in these attacks for intelligence collection purposes. The attacks were successful in compromising several victims, including former ambassadors and other senior policy experts who help shape global agendas and foreign policies in their respective countries.

Coming Events

  • On 10 November, the Senate Commerce, Science, and Transportation Committee will hold a hearing to consider nominations, including Nathan Simington’s to be a Member of the Federal Communications Commission.
  • On 17 November, the Senate Judiciary Committee will reportedly hold a hearing with Facebook CEO Mark Zuckerberg and Twitter CEO Jack Dorsey on Section 230 and how their platforms chose to restrict The New York Post article on Hunter Biden.
  • On 18 November, the Federal Communications Commission (FCC) will hold an open meeting and has released a tentative agenda:
    • Modernizing the 5.9 GHz Band. The Commission will consider a First Report and Order, Further Notice of Proposed Rulemaking, and Order of Proposed Modification that would adopt rules to repurpose 45 megahertz of spectrum in the 5.850-5.895 GHz band for unlicensed operations, retain 30 megahertz of spectrum in the 5.895-5.925 GHz band for the Intelligent Transportation Systems (ITS) service, and require the transition of the ITS radio service standard from Dedicated Short-Range Communications technology to Cellular Vehicle-to-Everything technology. (ET Docket No. 19-138)
    • Further Streamlining of Satellite Regulations. The Commission will consider a Report and Order that would streamline its satellite licensing rules by creating an optional framework for authorizing space stations and blanket-licensed earth stations through a unified license. (IB Docket No. 18-314)
    • Facilitating Next Generation Fixed-Satellite Services in the 17 GHz Band. The Commission will consider a Notice of Proposed Rulemaking that would propose to add a new allocation in the 17.3-17.8 GHz band for Fixed-Satellite Service space-to-Earth downlinks and to adopt associated technical rules. (IB Docket No. 20-330)
    • Expanding the Contribution Base for Accessible Communications Services. The Commission will consider a Notice of Proposed Rulemaking that would propose expansion of the Telecommunications Relay Services (TRS) Fund contribution base for supporting Video Relay Service (VRS) and Internet Protocol Relay Service (IP Relay) to include intrastate telecommunications revenue, as a way of strengthening the funding base for these forms of TRS and making it more equitable without increasing the size of the Fund itself. (CG Docket Nos. 03-123, 10-51, 12-38)
    • Revising Rules for Resolution of Program Carriage Complaints. The Commission will consider a Report and Order that would modify the Commission’s rules governing the resolution of program carriage disputes between video programming vendors and multichannel video programming distributors. (MB Docket Nos. 20-70, 17-105, 11-131)
    • Enforcement Bureau Action. The Commission will consider an enforcement action.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

“Awareness is Key” by Abraham Pena is licensed under CC BY 4.0

U.S. Alleges Russian and Iranian Election Interference

U.S. security services called out Russian and Iranian efforts to hack and disrupt the U.S. election. There was a split between the DNI’s view and those in the intelligence agencies, however.

The United States (U.S.) government announced that the Russian Federation and Iran have undertaken operations to disrupt and undermine next month’s U.S. election. The Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) released a pair of advisories about Russian and Iranian attempts to interfere with the election. It appears U.S. intelligence community agencies and their partners want to avoid a repeat of 2016 when they were often behind the curve on Russian interference and failed to alert the public to what they knew.

Email sent to Democratic voters supposedly by the Proud Boys, a white supremacist group that supports President Donald Trump, was actually sent by Iran. These emails warned people in three swing states to vote for Trump or “we will come after you” because the group is “in possession of all your information.” According to media accounts, the day the Department of Homeland Security (DHS) identified Iran as the culprit, the Director of National Intelligence (DNI) John Ratcliffe decided to disclose this information at a hastily called press conference with Federal Bureau of Investigation (FBI) Director Christopher Wray.

In Ratcliffe’s remarks, he put Iran before Russia as has been the wont of the Trump Administration to make it seem as if Russia’s capabilities and intentions are matched by two other adversaries of the U.S. Moreover, the Trump Administration has placed more emphasis generally on the dangers posed by Tehran than Moscow, particularly in light of the nuclear agreement from which the U.S. withdrew. Ratcliffe asserted:

  • we would like to alert the public that we have identified that two foreign actors – Iran and Russia – have taken specific actions to influence public opinion relating to our elections.
  • First, we have confirmed that some voter registration information has been obtained by Iran, and separately, by Russia. This data can be used by foreign actors to attempt to communicate false information to registered voters that they hope will cause confusion, sow chaos, and undermine your confidence in American democracy.
  • To that end, we have already seen Iran sending “spoofed” emails designed to intimidate voters, incite social unrest, and damage President Trump. You may have seen some reporting on this in the last 24 hours, or you may have been one of the recipients.
  • Additionally, Iran is distributing other content, to include a video that implies that individuals could cast fraudulent ballots, even from overseas. This video – and any claims about such allegedly fraudulent ballots – are not true.
  • These actions are desperate attempts by desperate adversaries. Even if the adversaries pursue further attempts to intimidate or attempt to undermine voter confidence, know that our election systems are resilient, and you can be confident your votes are secure.
  • Although we have not seen the same actions from Russia, we are aware that they have obtained some voter information, just as they did in 2016.

Unnamed U.S. intelligence officials shortly thereafter disagreed with Ratcliffe’s emphasis on Iran when they think the evidence clearly shows Russia to be the more dangerous threat. Some speculated Ratcliffe was improperly political given the DNI is supposed to be non-partisan.

In contrast, Wray sought to tamp down alarm about interference:

  • We’re not going to tolerate foreign interference in our elections or any criminal activity that threatens the sanctity of your vote or undermines public confidence in the outcome of the election.
  • When we see indications of foreign interference or federal election crimes, we’re going to aggressively investigate and work with our partners, to quickly take appropriate action.
  • We’re also coordinating with the private sector—both technology and social media companies—to make sure that their platforms are not used by foreign adversaries to spread disinformation and propaganda.
  • We’ve been working for years as a community to build resilience in our election infrastructure—and today that infrastructure remains resilient.
  • You should be confident that your vote counts.

Following Wray’s remarks, there were leaks to the media that Trump wants to remove him and Attorney General William Barr from office after the election. During “repeated” discussion on the removal of two of the U.S.’ two top law enforcement officials, Trump and top Administration officials have apparently decried Wray’s disinclination to announce an investigation of former Vice President Joe Biden and his son in a reprise of former FBI Director James Comey’s announcement days before the 2016 election he would reopen the investigation into former Secretary of State Hillary Clinton’s email. Moreover, the FBI also declined to support Ratcliffe’s public assertions that Russia had nothing to do with the purported email and data of Hunter Biden being portrayed as evidence of the corruption of the Biden family. In a letter to Senate Homeland Security & Governmental Affairs Committee Chair Ron Johnson (R-WI), the FBI referenced the Inspector General’s findings about the impropriety of Comey’s remarks so close to an election as a significant reason why it would neither confirm nor deny any such inquiry.

The FBI and CISA issued a pair of joint advisories:

  • Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. Government Targets that “updates joint CISA-FBI cybersecurity advisory AA20-283A: APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations.” The agencies asserted:
    • Since at least September 2020, a Russian state-sponsored APT actor—known variously as Berserk Bear, Energetic Bear, TeamSpy, Dragonfly, Havex, Crouching Yeti, and Koala in open-source reporting—has conducted a campaign against a wide variety of U.S. targets. The Russian state- sponsored APT actor has targeted dozens of SLTT government and aviation networks, attempted intrusions at several SLTT organizations, successfully compromised network infrastructure, and as of October 1, 2020, exfiltrated data from at least two victim servers.
    • The Russian-sponsored APT actor is obtaining user and administrator credentials to establish initial access, enable lateral movement once inside the network, and locate high value assets in order to exfiltrate data. In at least one compromise, the APT actor laterally traversed an SLTT victim network and accessed documents related to:
      • Sensitive network configurations and passwords.
      • Standard operating procedures (SOP), such as enrolling in multi-factor authentication (MFA).
      • IT instructions, such as requesting password resets.
      • Vendors and purchasing information.
      • Printing access badges.
    • To date, the FBI and CISA have no information to indicate this APT actor has intentionally disrupted any aviation, education, elections, or government operations. However, the actor may be seeking access to obtain future disruption options, to influence U.S. policies and actions, or to delegitimize SLTT government entities.
    • As this recent malicious activity has been directed at SLTT government networks, there may be some risk to elections information housed on SLTT government networks. However, the FBI and CISA have no evidence to date that integrity of elections data has been compromised. Due to the heightened awareness surrounding elections infrastructure and the targeting of SLTT government networks, the FBI and CISA will continue to monitor this activity and its proximity to elections infrastructure.
  • Iranian State-Sponsored Advanced Persistent Threat Actors Threaten Election-Related Systems in which the FBI and CISA “warn[] that Iranian advanced persistent threat (APT) actors are likely intent on influencing and interfering with the U.S. elections to sow discord among voters and undermine public confidence in the U.S. electoral process.” They added:
    • The APT actors are creating fictitious media sites and spoofing legitimate media sites to spread obtained U.S. voter-registration data, anti-American propaganda, and misinformation about voter suppression, voter fraud, and ballot fraud.
    • The APT actors have historically exploited critical vulnerabilities to conduct distributed denial-of- service (DDoS) attacks, structured query language (SQL) injections attacks, spear-phishing campaigns, website defacements, and disinformation campaigns.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo by Nikita Karimov on Unsplash

Homeland Threat Assessment Finally Released

After a whistleblower filed a complaint, DHS released its assessment of threats to the U.S. and there is a gap between the acting Secretary’s views and the report itself on domestic violence and Russian interference with the election.

The United States Department of Homeland Security (DHS) has released its first Homeland Threat Assessment (HTA) that covers the gamut of groups, individuals, and trends posing risks to the United States (U.S.) As cybersecurity and terrorism are in the DHS portfolio, both figure prominently in the report. However, the HTA has been the object of controversy arising from a DHS whistleblower who claimed about a month ago that DHS leadership, including acting Secretary Chad Wolf, urged the downplaying of Russian election interference and white supremacist violence in order to please the White House. The HTA had been completed in March, and the official in charge of intelligence and analysis refused multiple requests to change the conclusions in these aspects. Consequently, the document released by the agency seems to have been prompted by the filing of the whistleblower complaint and has a foreword ostensibly written by Wolf that emphasizes a narrative aligned with the White House’s while the body of the report draws different conclusions.

In early September, former Principal Deputy Under Secretary in the Office of Intelligence and Analysis Brian Murphy filed a whistleblower reprisal complaint against DHS for providing intelligence analysis the Trump White House and DHS did not want, mainly for political reasons, and then refusing to make alterations to fit the Administration’s chosen narrative on issues, especially on the Russian Federation’s interference in the 2020 Election. Murphy alleges “he was retaliatorily demoted to the role of Assistant to the Deputy Under Secretary for the DHS Management Division” because he refused to comply with orders from Wolf. Specifically, he claims:

  • In mid-May 2020, Mr. Wolf instructed Mr. Murphy to cease providing intelligence assessments on the threat of Russian interference in the United States, and instead start reporting on interference activities by China and Iran. Mr. Wolf stated that these instructions specifically originated from White House National Security Advisor Robert O’Brien. Mr. Murphy informed Mr. Wolf he would not comply with these instructions, as doing so would put the country in substantial and specific danger.

Regarding the HTA, Murphy claimed (and I know it’s a long excerpt but worth your time to read):

  • In March 2020, Mr. Murphy’s team at DHS I&A completed a HTA. Completion of the HTA was a requirement set forth by Acting Secretary Kevin McCleenan prior to his departure from DHS. Mr. Murphy was intimately involved in the editing and crafting of the HTA. Following its completion, the HTA was distributed by Mr. Glawe to  Messrs. Wolf, Cuccinelli, and Gountanis. Shortly after the distribution, Mr. Glawe was informed that further distribution of the HTA was prohibited due to concerns raised by Messrs. Wolf and Cuccinelli regarding how the HTA would reflect upon President Trump. Two sections were specifically labeled as concerns: White Supremacy and Russian influence in the United States. Mr. Murphy stated to Mr. Glawe that this constituted an abuse of authority by Messrs. Wolf and Cuccinelli, and Mr. Glawe concurred with that assessment.
  • In May 2020, Mr. Glawe retired, and Mr. Murphy assumed the role of Acting Under Secretary. In May 2020 and June 2020, Mr. Murphy had several meetings with Mr. Cuccinelli regarding the status of the HTA. Mr. Cuccinelli stated that Mr. Murphy needed to specifically modify the section on White Supremacy in a manner that made the threat appear less severe, as well as include information on the prominence of violent “left-wing” groups. Mr. Murphy declined to make the requested modifications, and informed Mr. Cuccinelli that it would constitute censorship of analysis and the improper administration of an intelligence program.
  • On July 8, 2020, Mr. Murphy attended a meeting with Mr. Wolf and his Deputy Chief of Staff, Scott Erickson (“Mr. Erickson”). Mr. Murphy asked Mr. Wolf about the status of the HTA. Mr. Wolf relayed the concerns previously outlined by Mr. Cuccinelli regarding the sections on White Supremacy and Russian influence. Mr. Wolf asked for a copy of the HTA so it could be reviewed by policy officials, and so that information regarding the ongoing unrest in Portland, Oregon, could be added into the HTA. Mr. Wolf asked Mr. Murphy if he would accept his edits. Mr. Murphy responded that he would not concur with any edits that altered the underlying intelligence in the HTA, as any such action would constitute an abuse of authority and improper administration of an intelligence program. 
  • Completion of the HTA was subsequently handled by other DHS officials without consultation with Mr. Murphy. Another draft of the HTA was completed in August 2020:  Mr. Murphy did not work on that version of the HTA. On September 3, 2020, Mr. Murphy learned the new draft was provided to Mr. Wolf, who had ordered the HTA to be redesigned with the policy office completing the revisions. It is Mr. Murphy’s assessment that the final version of the HTA will more closely resemble a policy document with references to ANTIFA and “anarchist” groups than an intelligence document as originally formulated by DHS I&A.

As noted, Wolf’s foreword to the HTA reads more like standard Trump Administration talking points than the report itself. Wolf hints at groups other than white supremacists being responsible for domestic violence and terrorism and takes the approach that it is not Russia alone that threatens the 2020 Election.

However, the scrutiny created by Murphy’s complaint or infighting at DHS resulted in Wolf’s foreword not engaging in too much “both sides” claims with respect to domestic terrorism. For example, he argues DHS deigned its “programs to be threat agnostic – ensuring that we can combat a broad range of domestic threats” even though the body of the report makes clear that it is extremists on the right, mostly white supremacists, who are responsible for the spate of domestic terrorism and violence in the U.S. And yet, even in the report, there is no link between the white supremacists and coded language the Republican Party has used since President Richard Nixon’s Southern Strategy was built on wooing racist white Southerners from the Democratic Party that had championed the Civil Rights Act of 1964 among other legislation. In any event, Wolf asserted “I am particularly concerned about white supremacist violent extremists who have been exceptionally lethal in their abhorrent, targeted attacks in recent years.” It bears note Wolf seems only concerned about “white supremacist violent extremists” specifically and not “white supremacists” generally. Perhaps this is explained by Wolf’s nod to the First Amendment right to believe what one wants? Or, in light of Murphy’s whistleblower complaint, this is a softening of claims about white supremacists that dovetails with statements made by President Donald Trump after the white supremacists march and violence in Charlottesville, Virginia or in the first debate against Vice President Joe Biden.

But yet, Wolf’s next sentence is phrased weirdly and seemingly disconnected from his concern about white supremacists. He claimed that “I am proud of our work to prevent terrorizing tactics by domestic terrorists and violent extremists who seek to force ideological change in the United States through violence, death, and destruction.” He separates “domestic terrorists” from “violent extremists” and seemingly worries about “violence, death, and destruction.” It is this last word that seems to be a nod towards White House and Republican narratives that portray the ongoing protests against police killing African Americans without justification that do sometime involve property destruction as being an equal threat to white supremacists seeking to kill or intimidate these very protestors. In this same vein, Wolf contended:

During the course of developing the HTA we began to see a new, alarming trend of exploitation of lawful protests causing violence, death, and destruction in American communities. This anti-government, anti-authority and anarchist violent extremism was identified by DHS in September 2019 when we published our Strategic Framework for Countering Terrorism and Targeted Violence. As the date of publication of this HTA, we have seen over 100 days of violence and destruction in our cities. The co-opting of lawful protests led to destruction of government property and have turned deadly.

This seems very much in the vein of “there are fine people on both sides” (i.e. Trump’s remarks about Charlottesville) because it conflates the sources of the violence and equalizes the protestors and counter-protestors. This has been a policy viewpoint the Administration has trafficked in to make it seems as if the largely peaceful protestors around the U.S. are themselves inciting violence when it is often the case that it is white supremacists. Also, there is a conflation here of property damage and looting, which has definitely occurred at the hands of people protesting police killing of African Americans, and violence intended to suppress such protests. And, the reference to “government property” sure seems like a dog whistle about protestors vandalizing and toppling statutes and monuments to Confederate figures.

Moreover, there are no mentions of QAnon, a multi-headed conspiracy and movement with significant support from Trump loyalists and voters.

Wolf also references election interference. He asserted “[n]ation-states will continue to try to undermine American elections….like China, Russia, and Iran will try to use cyber capabilities or foreign influence to compromise or disrupt infrastructure related to the 2020 U.S. Presidential election, aggravate social and racial tensions, undermine trust in U.S. authorities,
and criticize our elected officials.” Putting the People’s Republic of China (PRC) before the Russian Federation is contrary to the body of the report:

Foreign influence activity will target U.S. foreign and domestic policy, international events such as COVID-19, and democratic processes and institutions, including the 2020 Presidential election. Russia is the likely primary covert influence actor and purveyor of disinformation and misinformation within the Homeland. We assess that Moscow’s primary objective is to increase its global standing and influence by weakening America—domestically and abroad—through efforts to sow discord, distract, shape public sentiment, and undermine trust in Western democratic institutions and processes.

Note that the PRC is not mentioned because apparently DHS staff do not consider them a threat on par with the Russian Federation. Seven paragraphs follow on the capabilities and goals of the Russians before the PRC is mentioned. It is safe to conclude Wolf chose to massage the findings and shoehorn them into a worldview the President and his advisors have been pedaling for months if not years. Likewise, in the subsection titled “2020 U.S. Presidential Election,” again, DHS analysts emphasize the considerable threat posed by Russian Federation, and it is paragraphs into this analysis before the PRC and Iran are mentioned.

From here on out, I’ll include key excerpts of the report itself:

  • Cyber threats to the Homeland from both nation-states and non-state actors will remain acute. U.S. critical infrastructure faces advanced threats of disruptive or destructive cyber-attacks. Federal, state, local, tribal and territorial governments, as well as the private sector, will experience an array of cyber-enabled threats designed to access sensitive information, steal money, and force ransom payments.
  • Russia—which possesses some of the most sophisticated cyber capabilities in the world—
    can disrupt or damage U.S. critical infrastructure networks via cyber-attacks. Russian state-affiliated actors will continue targeting U.S. industry and all levels of government with intrusive cyber espionage to access economic, policy, and national security information to further the Kremlin’s strategic interests.
    • Russia probably can conduct cyber-attacks that would result in at least localized effects over hours to days and probably is developing capabilities that would cause more debilitating effects.
    • We expect Russian cyber actors to use a range of capabilities including social engineering, publicly known software and hardware vulnerabilities, poorly configured networks, and sophisticated “zero-day” attacks that exploit security weaknesses in software.
    • Under Russian law, the Federal Security Service (FSB) can compel Russian rms doing business in the United States—or Russians working with U.S. rms—to comply with FSB information sharing and operational mandates, presenting additional routes for cyber espionage.
  • China already poses a high cyber espionage threat to the Homeland and Beijing’s cyber-attack capabilities will grow. Chinese cyber actors almost certainly will continue to engage in wide-ranging cyber espionage to steal intellectual property and personally identifiable information (PII) from U.S. businesses and government agencies to bolster their civil-military industrial development, gain an economic advantage, and support intelligence operations. China possesses an increasing ability to threaten and potentially disrupt U.S. critical infrastructure.
    • We expect China’s cyber operations against U.S. companies to focus on the critical manufacturing, defense industrial base, energy, healthcare, and transportation sectors.
    • Beijing has targeted information technology and communications rms whose products and services support government and private-sector networks worldwide, while concurrently advocating globally for Chinese information technology companies that could serve as espionage platforms.
    • Under China’s 2017 National Intelligence Law, Beijing can compel businesses based in China and Chinese citizens living abroad to provide intelligence to the Chinese government.
    • We remain concerned about China’s intent to compromise U.S. critical infrastructure in order to cause disruption or destruction.
    • China’s efforts to dominate the 5G world pose new challenges to U.S. efforts to national security, privacy, resistance to malign influence, and human rights. The exponential increases in speed, connectivity, and productivity could render American systems particularly vulnerable to Chinese cyber threats.
  • While Russia and China are the most capable nation-state cyber adversaries, Iranian and North Korean cyber actors also pose a threat to U.S. systems, networks, and information. Iran continues to present a cyber espionage threat and is developing access in the Homeland that could be repurposed for destructive cyber-attacks. North Korean cyber capabilities, while sophisticated, probably will remain confined to criminal generation of revenue. If Pyongyang’s intent changes, however, it probably could quickly build capabilities to conduct broader espionage activity or threaten infrastructure with disruptive cyber-attacks.
  • Cybercriminals increasingly will target U.S. critical infrastructure to generate pro t, whether through ransomware, e-mail impersonation fraud, social engineering3, or malware. Underground marketplaces that trade in stolen information and cyber tools will continue to thrive and serve as a resource, even for sophisticated foreign adversaries.
    • Ransomware attacks—which have at least doubled since 2017—often are directed against critical infrastructure entities at the state and local level by exploiting gaps in cybersecurity
    • Victims of cybercriminal activity in 2018 reported over $2.7 billion in losses—more than twice the amount lost in 2017. This figure does not represent the full scope of loss because some victims do not report incidents.
  • Foreign influence activity will target U.S. foreign and domestic policy, international events such as COVID-19, and democratic processes and institutions, including the 2020 Presidential election. Russia is the likely primary covert influence actor and purveyor of disinformation and misinformation within the Homeland. We assess that Moscow’s primary objective is to increase its global standing and influence by weakening America—domestically and abroad—through efforts to sow discord, distract, shape public sentiment, and undermine trust in Western democratic institutions and processes.
  • Russian influence actors will continue using overt and covert methods to aggravate social and racial tensions, undermine trust in U.S. authorities, stoke political resentment, and criticize politicians who Moscow views as anti-Russia. Although some of this activity might be framed in the context of the U.S. election—seemingly in support of or opposition to political candidates— we assess that Moscow’s overarching objective is to weaken the United States through discord, division, and distraction in hopes that America becomes less able to challenge Russia’s strategic objectives.
  • Russian influence actors will engage in media manipulation—across social media platforms, proxy websites4, and traditional media, to include state-controlled outlets—to exacerbate U.S. social, political, racial, and cultural fault lines.
  • Russian actors will attempt to undermine national unity and
    sow seeds of discord that exploit perceived grievances within minority communities, especially among African Americans. Russian influence actors often mimic target audiences and amplify both sides of divisive issues to maximize discord, tailoring messaging to specific communities to “push and pull” them in different ways.
  • The Russian government promulgates misinformation, threats, and narratives intended to incite panic or animosity among social and political groups. For example, Russian actors amplified narratives such as U.S. law enforcement ignoring ICE detention requests and releasing an illegal immigrant accused of rape; assaults on supporters and opponents of the President; and portrayals of U.S. law enforcement as racially biased. Russian influence actors also have exploited national tragedies, such as the 2017 mass shooting in Las Vegas, and protest movements—sometimes magnifying both a protest and a counter-protest—such as the 2017 protest activity in Charlottesville.
  • Chinese operatives probably are waging disinformation campaigns using overt and covert tactics—including social media trolls—to shift responsibility for the pandemic to other countries, including the United States. China might increase its influence activities in response to what it views as anti-China statements from the U.S. Government over China’s role in the pandemic.
    • Since August 2019, more than 10,000 suspected fake Twitter accounts have
      been involved in a coordinated influence campaign with suspected ties to the Chinese Government. Among these are hacked accounts from users around the world that post messaging and disinformation about the COVID-19 pandemic and other topics of interest to China.
    • China’s Foreign Ministry, state media, and official Twitter accounts promote overt narratives claiming the coronavirus may have originated in the United States, criticize the U.S. pandemic response, and publicize China’s COVID-19-related medical assistance to U.S. cities and states. China has doubled the number of official government posts disseminating false narratives about COVID-19 and has carried out persistent and large-scale disinformation and influence operations that correlate with diplomatic messaging.
    • China most likely will continue amplifying narratives supportive of its pandemic response while denigrating U.S. official criticism that Beijing views as tarnishing its global image.
  • China and Russia will continue to represent the top threats to U.S. supply chain security, given the sophisticated intelligence and cyber capabilities they can use to infiltrate trusted suppliers and vendors to target equipment and systems. Criminal actors also will engage in efforts to compromise supply chains, with such methods as inserting malicious code in a third party’s software to conduct operations against rms that use the software. Criminal and state actors also attempt to compromise supply chains through protectionist measures and by exploiting rapid procurement procedures at the local, state, and federal level during disasters.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Image by Free-Photos from Pixabay

Further Reading, Other Developments, and Coming Events (8 October)

Coming Events

  • The European Union Agency for Cybersecurity (ENISA), Europol’s European Cybercrime Centre (EC3) and the Computer Emergency Response Team for the EU Institutions, Bodies and Agencies (CERT-EU) will hold the 4th annual IoT Security Conference series “to raise awareness on the security challenges facing the Internet of Things (IoT) ecosystem across the European Union:”
    • Artificial Intelligence – 14 October at 15:00 to 16:30 CET
    • Supply Chain for IoT – 21 October at 15:00 to 16:30 CET
  • The Federal Communications Commission (FCC) will hold an open commission meeting on 27 October, and the agency has released a tentative agenda:
    • Restoring Internet Freedom Order Remand – The Commission will consider an Order on Remand that would respond to the remand from the U.S. Court of Appeals for the D.C. Circuit and conclude that the Restoring Internet Freedom Order promotes public safety, facilitates broadband infrastructure deployment, and allows the Commission to continue to provide Lifeline support for broadband Internet access service. (WC Docket Nos. 17-108, 17-287, 11- 42)
    • Establishing a 5G Fund for Rural America – The Commission will consider a Report and Order that would establish the 5G Fund for Rural America to ensure that all Americans have access to the next generation of wireless connectivity. (GN Docket No. 20-32)
    • Increasing Unlicensed Wireless Opportunities in TV White Spaces – The Commission will consider a Report and Order that would increase opportunities for unlicensed white space devices to operate on broadcast television channels 2-35 and expand wireless broadband connectivity in rural and underserved areas. (ET Docket No. 20-36)
    • Streamlining State and Local Approval of Certain Wireless Structure Modifications –
    • The Commission will consider a Report and Order that would further accelerate the deployment of 5G by providing that modifications to existing towers involving limited ground excavation or deployment would be subject to streamlined state and local review pursuant to section 6409(a) of the Spectrum Act of 2012. (WT Docket No. 19-250; RM-11849)
    • Revitalizing AM Radio Service with All-Digital Broadcast Option – The Commission will consider a Report and Order that would authorize AM stations to transition to an all-digital signal on a voluntary basis and would also adopt technical specifications for such stations. (MB Docket Nos. 13-249, 19-311)
    • Expanding Audio Description of Video Content to More TV Markets – The Commission will consider a Report and Order that would expand audio description requirements to 40 additional television markets over the next four years in order to increase the amount of video programming that is accessible to blind and visually impaired Americans. (MB Docket No. 11-43)
    • Modernizing Unbundling and Resale Requirements – The Commission will consider a Report and Order to modernize the Commission’s unbundling and resale regulations, eliminating requirements where they stifle broadband deployment and the transition to next- generation networks, but preserving them where they are still necessary to promote robust intermodal competition. (WC Docket No. 19-308)
    • Enforcement Bureau Action – The Commission will consider an enforcement action.
  • On October 29, the Federal Trade Commission (FTC) will hold a seminar titled “Green Lights & Red Flags: FTC Rules of the Road for Business workshop” that “will bring together Ohio business owners and marketing executives with national and state legal experts to provide practical insights to business and legal professionals about how established consumer protection principles apply in today’s fast-paced marketplace.”

Other Developments

  • Harvard University’s Berkman Klein Center for Internet & Society published a study, “Mail-In Voter Fraud: Anatomy of a Disinformation Campaign,” which found a concerted, almost certainly coordinated campaign led by President Donald Trump, the Republican Party, and conservative media outlets to claim against all evidence that mail voting is rife with fraud. The study points to structural issues in the United States (U.S.) and the broader media that allow parties to disseminate disinformation and propaganda. The authors found the traditional print and television media more effective and complicit in spreading lies and disinformation than social media platforms like Facebook and Twitter. The Berkman Klein Center explained:
    • The claim that election fraud is a major concern with mail-in ballots has become the central threat to election participation during the Covid-19 pandemic and to the legitimacy of the outcome of the election across the political spectrum. President Trump has repeatedly cited his concerns over voter fraud associated with mail-in ballots as a reason that he may not abide by an adverse electoral outcome. Polling conducted in September 2020 suggests that nearly half of Republicans agree with the president that election fraud is a major concern associated with expanded mail-in voting during the pandemic. Few Democrats share that belief. Despite the consensus among independent academic and journalistic investigations that voter fraud is rare and extremely unlikely to determine a national election, tens of millions of Americans believe the opposite. This is a study of the disinformation campaign that led to widespread acceptance of this apparently false belief and to its partisan distribution pattern. Contrary to the focus of most contemporary work on disinformation, our findings suggest that this highly effective disinformation campaign, with potentially profound effects for both participation in and the legitimacy of the 2020 election, was an elite-driven, mass-media led process. Social media played only a secondary and supportive role.
    • Our results are based on analyzing over fifty-five thousand online media stories, five million tweets, and seventy-five thousand posts on public Facebook pages garnering millions of engagements. They are consistent with our findings about the American political media ecosystem from 2015-2018, published in  Network Propaganda , in which we found that Fox News and Donald Trump’s own campaign were far more influential in spreading false beliefs than Russian trolls or Facebook clickbait artists. This dynamic appears to be even more pronounced in this election cycle, likely because Donald Trump’s position as president and his leadership of the Republican Party allow him to operate directly through political and media elites, rather than relying on online media as he did when he sought to advance his then-still-insurgent positions in 2015 and the first half of 2016.
    • Our findings here suggest that Donald Trump has perfected the art of harnessing mass media to disseminate and at times reinforce his disinformation campaign by using three core standard practices of professional journalism. These three are: elite institutional focus (if the President says it, it’s news); headline seeking (if it bleeds, it leads); and  balance , neutrality, or the avoidance of the appearance of taking a side. He uses the first two in combination to summon coverage at will, and has used them continuously to set the agenda surrounding mail-in voting through a combination of tweets, press conferences, and television interviews on Fox News. He relies on the latter professional practice to keep audiences that are not politically pre-committed and have relatively low political knowledge confused, because it limits the degree to which professional journalists in mass media organizations are willing or able to directly call the voter fraud frame disinformation. The president is, however, not acting alone. Throughout the first six months of the disinformation campaign, the Republican National Committee (RNC) and staff from the Trump campaign appear repeatedly and consistently on message at the same moments, suggesting an institutionalized rather than individual disinformation campaign. The efforts of the president and the Republican Party are supported by the right-wing media ecosystem, primarily Fox News and talk radio functioning in effect as a party press. These reinforce the message, provide the president a platform, and marginalize or attack those Republican leaders or any conservative media personalities who insist that there is no evidence of widespread voter fraud associated with mail-in voting.
    • The primary cure for the elite-driven, mass media communicated information disorder we observe here is unlikely to be more fact checking on Facebook. Instead, it is likely to require more aggressive policing by traditional professional media, the Associated Press, the television networks, and local TV news editors of whether and how they cover Trump’s propaganda efforts, and how they educate their audiences about the disinformation campaign the president and the Republican Party have waged.
  • The Senate Minority Leader and the top Democrats on three committees sent a letter to the acting Secretary of Homeland Security asking him to “release a document that shows President Donald Trump’s attacks on American Elections are consistent with a foreign influence campaign.” Senate Minority Leader Chuck Schumer (D-NY), Senate Intelligence Committee Ranking Member Mark Warner (D-VA), Senate Rules Committee Ranking Member Amy Klobuchar (D-MN), Senate Homeland Security and Governmental Affairs Committee Ranking Member Gary Peters (D-MI), and Senator Ron Wyden (D-OR) wrote to acting Secretary of Homeland Security Chad Wolf:
    • We write to urge you to immediately release to the public a September 3, 2020, analysis produced by the Department’s Office of Intelligence and Analysis.  This document demonstrates that a foreign actor is attempting to undermine faith in the US electoral system, particularly vote-by-mail systems, in a manner that is consistent with the rhetoric being used by President Trump, Attorney General Barr, and others.
    • The document has been marked ‘Unclassified/For Official Use Only,’ meaning that its release would not pose a risk to sources and methods and that it has already been widely distributed around the country through unclassified channels. It is now critical and urgent that the American people have access to this document so that they can understand the context of Trump’s statements and actions.
  • Representatives Abigail Spanberger (D-VA) and John Katko (R-NY) introduced the “Foreign Agent Disclaimer Enhancement (FADE) Act” “to protect against the influence of foreign nations that seek to weaken the U.S. electoral system and sow division through online disinformation campaigns.” This bill would close a loophole in the Foreign Agents Registration Act (FARA) that does not require foreign agents to disclose social media posts intended to persuade Americans as they must for other forms of communication. They provided the context for the legislation:
    • This week, the Federal Bureau of Investigation alerted Twitter that accounts likely based in Iran attempted to spread disinformation during the U.S. presidential debate.
    • An April 2020 State Department report warned that China, Iran, and Russia are using the COVID-19 crisis to launch a propaganda and disinformation onslaught against the United States.
    • Spanberger and Katko summarized the bill in their press release:
      • The Foreign Agent Disclaimer Enhancement (FADE) Act would increase transparency by requiring disclaimers attributing political content to a foreign principal be embedded on the face of a social media post itself. With this new requirement, disclaimers would remain with a post whenever the post is subsequently shared. The FADE Act would also clarify that these disclaimer requirements apply to the internet and apply to any political communications directed at the United States — regardless of the foreign agent’s location around the world.
      • To ensure enforcement of these new transparency measures, the FADE Act would requirethe Department of Justice (DOJ) to notify online platforms if a foreign agent does not meet disclaimer requirements for posts on their platforms, and in these cases, require the platform to remove the materials and use reasonable efforts to inform recipients of the materials that the information they saw was disseminated by a foreign agent. Additionally, the bipartisan bill would requireDOJ to prepare a report to Congress on enforcement challenges.
  • Europol issued its annual “Internet Organised Crime Threat Assessment (IOCTA) 2020” that “provides a unique law enforcement- focused assessment of emerging challenges and key developments in the area of cybercrime” in the European Union (EU).
  • Europol highlighted its findings:
    • Cross-Cutting Crime Facilitators And Challenges To Criminal Investigations
      • Social engineering remains a top threat to facilitate other types of cybercrime.
      • Cryptocurrencies continue to facilitate payments for various forms of cybercrime, as developments evolve with respect to privacy- oriented crypto coins and services.
      • Challenges with reporting hinder the ability to create an accurate overview of crime prevalence across the EU.
    • Cyber-Dependent Crime
      • Ransomware remains the most dominant threat as criminals increase pressure by threatening publication of data if victims do not pay.
      • Ransomware on third-party providers also creates potential significant damage for other organisations in the supply chain and critical infrastructure.
      • Emotet is omnipresent given its versatile use and leads the way as the benchmark of modern malware.
      • The threat potential of Distributed Denial of Service (DDoS) attacks is higher than its current impact in the EU.
    • Child Sexual Exploitation Online
      • The amount of online Child sexual abuse material (CSAM) detected continues to increase, further exacerbated by the COVID-19 crisis, which has serious consequences for the capacity of law enforcement authorities.
      • The use of encrypted chat apps and industry proposals to expand this market pose a substantial risk for abuse and make it more difficult for law enforcement to detect and investigate online Child sexual exploitation (CSE) activities.
      • Online offender communities exhibit considerable resilience and are continuously evolving.
      • Livestreaming of child sexual abuse continues to increase and became even more prevalent during the COVID-19 crisis.
      • The commercialisation of online CSE is becoming a more widespread issue, with individuals uploading material to hosting sites and subsequently acquiring credit on the basis of the number of downloads.
    • Payment Fraud
      • SIM swapping is a key trend that allows perpetrators to take over accounts and has demonstrated a steep rise over the last year.
      • Business email compromise (BEC) remains an area of concern as it has increased, grown in sophistication, and become more targeted.
      • Online investment fraud is one of the fastest growing crimes, generating millions in losses and affecting thousands of victims.
      • Card-not-present (CNP) fraud continues to increase as criminals diversify in terms of target sectors and electronic skimming (e-skimming) modi operandi.
    • The Criminal Abuse Of The Darkweb
      • The Darkweb environment has remained volatile, lifecycles of Darkweb market places have shortened, and no clear dominant market has risen over the past year compared to previous years to fill the vacuum left by the takedowns in 2019.
      • The nature of the Darkweb community at administrator-level shows how adaptive it is under challenging times, including more effective cooperation in the search for better security solutions and safe Darkweb interaction.
      • There has been an increase in the use of privacy- enhanced cryptocurrencies and an emergence of privacy-enhanced coinjoin concepts, such as Wasabi and Samurai.
      • Surface web e-commerce sites and encrypted communication platforms offer an additional dimension to Darkweb trading to enhance the overall business model.
  • “43 center-right organizations, think tanks, and policy experts” wrote Senate Majority Whip John Thune (R-SD) “for his leadership and support for the American competitive approach to 5G deployment.” Last week, Thune and 18 Republican colleagues sent President Donald Trump a letter “to express our concerns about a Request For Information (RFI) released by the Department of Defense (DOD) that contradicts the successful free-market strategy you have embraced for 5G.” Late last month, the United States Department of Defense (DOD) released a  RFI on the possibility of the agency sharing its prized portions of electromagnetic spectrum with commercial providers to speed the development and adoption of 5G in the United States.
    • The 43 groups argued:
      • We too are concerned with the Department of Defense Request for Information on a government-managed process for 5G development and are alarmed with how quickly it is proceeding.  Even more disturbing are the rumors that the RFI was only for show and that the DoD already has an RFP it plans to greenlight. 
      • A government-run 5G backbone, wholesale network, or whatever name it goes by, is nationalization of private business. Spectrum sharing is something that must be considered as the nation moves forward with private networks, but it is not a reason for a government takeover. For a government-run network to happen, the federal government would have to either renege on licenses granted to private users or hoard spectrum at the expense of private industry. Either approach would upend well-established licensure policies at the FCC that establish certainty in operating and maintaining complex networks and create massive unnecessary delays to launching 5G networks. Moreover, the government should not be in the business of “competing” with private industry. That’s the business model of China and Russia, not the United States. 
  • The top Democrat on the Senate Intelligence Committee wrote Facebook, Twitter, and Google, urging the companies “to implement robust accountability and transparency standards ahead of the November election, including requirements outlined in the Honest Ads Act…to help prevent foreign interference in elections and improve the transparency of online political advertisements” according to his press release. Senator Mark Warner   (D-VA) asserted that “[i]n individual letters to FacebookGoogle, and Twitter, [he] detailed the various ways in which each company continues to contribute to the spread of disinformation, viral misinformation, and voter suppression efforts.” Warner “also warned about the imminent risk of bad actors once again weaponizing American-bred social media tools to undermine democracy ahead of the November election, and urged each company to take proactive measures to safeguard against these efforts.” Warner specified:
    • In his letter to Facebook, [he] criticized the platform’s efforts to label manipulated or synthetic content, describing these as “wholly inadequate.” He also raised alarm with instances of Facebook’s amplification of harmful content.
    • Similarly, in a letter to Google, [he] raised concern with the company’s efforts to combat harmful misinformation – particularly disinformation about voting, spread by right-leaning YouTube channels. He also criticized the comprehensiveness of Google’s ad archive, which presently excludes issue ads.
    • In his letter to Twitter, which has banned paid political content and placed restrictions on cause-based advertising, [he] noted that doctored political content continues to spread organically without adequate labeling that slows its spread or contextualizes it for users.
  • Representative Lauren Underwood (D-IL), the new Chair of the House Homeland Security Committee’s Cybersecurity, Infrastructure Protection, and Innovation Subcommittee, wrote Facebook, Twitter, and YouTube, urging them “to address ongoing reports of election-related disinformation targeting Black voters on their platforms” per her press release. She argued “[d]uring the 2016 election, social media platforms were used by malicious actors attempting to silence Black voters and sow racial division…[and] [f]our years later, social media companies have made too little progress toward containing this growing threat.” Underwood “requested information on the steps the companies are taking to prevent voter suppression, interference, and disinformation targeting Black voters.”

Further Reading

  • Judge Orders Twitter To Unmask FBI Impersonator Who Set Off Seth Rich Conspiracy” By Bobby Allyn — NPR. A magistrate judge in California denied Twitter’s motion to quash a subpoena in order to not reveal the account information of an anonymous user who spread lies about deceased Democratic National Committee staffer Seth Rich and his family regarding the Russian Federation’s interference in the 2016 election.
  • Justices wary of upending tech industry in Google v. Oracle Supreme Court fight” By Tucker Higgins — CNBC. This week, the Supreme Court of the United States heard oral arguments in the decade long legal war between Google and Oracle arising from the latter’s claim that the former infringed its ownership rights by using roughly 11,500 lines of code to create its Android operating system from an application programming interface developed by Sun Microsystems, a company bought by Oracle. This case could have huge ramifications for the technology industry if Oracle wins because it could make the development of new products and services much harder.
  • Facebook to temporarily halt political ads in U.S. after polls close Nov. 3, broadening earlier restrictions” By Elizabeth Dwoskin — The Washington Post. In its newest announcement, Facebook announced it will not accept political or issues advertising in the week after election day. This effort is the latest measure the platform has announced to address misinformation and disinformation. Facebook will also label efforts of candidates to claim an election has been decided if it, in fact, has not been. The platform will also remove posts that aim to intimidate voters or suppress the voting turnout.
  • Leaked: Confidential Amazon memo reveals new software to track unions” By Jason Del Rey and Shirin Ghaffary — recode. The tech giant is turning its data collection and analysis capabilities on its workforce in an effort to prevent unionizing at the United States’ (U.S.) second largest employer.
  • QAnon High Priest Was Just Trolling Away as a Citigroup Tech Executive” By William Turton and Joshua Brustein — Bloomberg. The fascinating if not horrifying story of how a seemingly, well-to-do mild-mannered tech specialist became one of the key figures in the QAnon conspiracy.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Image by John Mounsey from Pixabay

Further Reading, Other Developments, and Coming Events (29 September)

Coming Events

  • The United States’ Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) announced that its third annual National Cybersecurity Summit “will be held virtually as a series of webinars every Wednesday for four weeks beginning September 16 and ending October 7:”
    • September 30: Diversity in Cybersecurity
    • October 7: Defending our Democracy
    • One can register for the event here.
  • September 30 the House Veterans’ Affairs Committee’s Technology Modernization Subcommittee will meet for an oversight hearing titled “Examining VA’s Ongoing Efforts in the Electronic Health Record Modernization Program.”
  • The Federal Communications Commission (FCC) will hold an open meeting on 30 September and has made available its agenda with these items:
    • Facilitating Shared Use in the 3.1-3.55 GHz Band. The Commission will consider a Report and Order that would remove the existing non-federal allocations from the 3.3-3.55 GHz band as an important step toward making 100 megahertz of spectrum in the 3.45-3.55 GHz band available for commercial use, including 5G, throughout the contiguous United States. The Commission will also consider a Further Notice of Proposed Rulemaking that would propose to add a co-primary, non-federal fixed and mobile (except aeronautical mobile) allocation to the 3.45-3.55 GHz band as well as service, technical, and competitive bidding rules for flexible-use licenses in the band. (WT Docket No. 19-348)
    • Expanding Access to and Investment in the 4.9 GHz Band. The Commission will consider a Sixth Report and Order that would expand access to and investment in the 4.9 GHz (4940-4990 MHz) band by providing states the opportunity to lease this spectrum to commercial entities, electric utilities, and others for both public safety and non-public safety purposes. The Commission also will consider a Seventh Further Notice of Proposed Rulemaking that would propose a new set of licensing rules and seek comment on ways to further facilitate access to and investment in the band. (WP Docket No. 07-100)
    • Improving Transparency and Timeliness of Foreign Ownership Review Process. The Commission will consider a Report and Order that would improve the timeliness and transparency of the process by which it seeks the views of Executive Branch agencies on any national security, law enforcement, foreign policy, and trade policy concerns related to certain applications filed with the Commission. (IB Docket No. 16-155)
    • Promoting Caller ID Authentication to Combat Spoofed Robocalls. The Commission will consider a Report and Order that would continue its work to implement the TRACED Act and promote the deployment of caller ID authentication technology to combat spoofed robocalls. (WC Docket No. 17-97)
    • Combating 911 Fee Diversion. The Commission will consider a Notice of Inquiry that would seek comment on ways to dissuade states and territories from diverting fees collected for 911 to other purposes. (PS Docket Nos. 20-291, 09-14)
    • Modernizing Cable Service Change Notifications. The Commission will consider a Report and Order that would modernize requirements for notices cable operators must provide subscribers and local franchising authorities. (MB Docket Nos. 19-347, 17-105)
    • Eliminating Records Requirements for Cable Operator Interests in Video Programming. The Commission will consider a Report and Order that would eliminate the requirement that cable operators maintain records in their online public inspection files regarding the nature and extent of their attributable interests in video programming services. (MB Docket No. 20-35, 17-105)
    • Reforming IP Captioned Telephone Service Rates and Service Standards. The Commission will consider a Report and Order, Order on Reconsideration, and Further Notice of Proposed Rulemaking that would set compensation rates for Internet Protocol Captioned Telephone Service (IP CTS), deny reconsideration of previously set IP CTS compensation rates, and propose service quality and performance measurement standards for captioned telephone services. (CG Docket Nos. 13-24, 03-123)
    • Enforcement Item. The Commission will consider an enforcement action.
  • On October 1, the House Judiciary Committee’s Antitrust, Commercial, and Administrative Law Subcommittee will hold a hearing as part of its series on online competition at which it may unveil its proposal on how to reform antitrust enforcement for the digital age. The hearing is titled “Proposals to Strengthen the Antitrust Laws and Restore Competition Online.”
  • On 1 October, the Senate Commerce, Science, and Transportation Committee may hold a markup to authorize subpoenas to compel the attendance of the technology CEOs for a hearing on 47 U.S.C. 230 (aka Section 230). Ranking Member Maria Cantwell (D-WA) has said:
    • Taking the extraordinary step of issuing subpoenas is an attempt to chill the efforts of these companies to remove lies, harassment, and intimidation from their platforms. I will not participate in an attempt to use the committee’s serious subpoena power for a partisan effort 40 days before an election,” indicating a vote, should one occur, may well be along party lines.
    • Nonetheless, the Committee may subpoena the following CEOs:
      • Mr. Jack Dorsey, Chief Executive Officer, Twitter
      • Mr. Sundar Pichai, Chief Executive Officer, Alphabet Inc., Google
      • Mr. Mark Zuckerberg, Chief Executive Officer, Facebook
  • The Senate Judiciary Committee will markup the “Online Content Policy Modernization Act” (S.4632), a bill to reform 47 U.S.C. 230 (aka Section 230) that provides many technology companies with protection from lawsuits for third party content posted on their platforms and for moderating and removing such content.
  • On October 1, the Senate Armed Services Committee’s Readiness and Management Support Subcommittee will hold a hearing on supply chain integrity with Under Secretary of Defense for Acquisition and Sustainment Ellen Lord testifying. Undoubtedly, implementation of the ban on Huawei, ZTE, and other People’s Republic of China (PRC) equipment and services as required by Section 889 of the “John S. McCain National Defense Authorization Act (NDAA) for FY 2019” (P.L. 115-232) will be discussed. Also, the Cybersecurity Maturity Model Certification (CMMC) program will also likely be discussed.
  • On October 29, the Federal Trade Commission (FTC) will hold a seminar titled “Green Lights & Red Flags: FTC Rules of the Road for Business workshop” that “will bring together Ohio business owners and marketing executives with national and state legal experts to provide practical insights to business and legal professionals about how established consumer protection principles apply in today’s fast-paced marketplace.”

Other Developments

  • The Senate passed an extension of the “Undertaking Spam, Spyware, And Fraud Enforcement With Enforcers beyond Borders Act of 2006” (U.S.  SAFE  WEB  Act) (H.R.4779), sending the bill to the White House. The Senate did not alter the bill the House sent to it in December. The House Energy and Commerce Committee explained in its committee report:
    • Enacted into law on December 22, 2006, the U.S. SAFE WEB Act amended the Federal Trade Commission Act (FTC Act) to improve the FTC’s ability to combat unfair or deceptive acts or practices that are international in scope. Specifically, U.S. SAFE WEB Act: (1) affirms the FTC’s cross-border enforcement authority; (2) authorizes collaboration with foreign law enforcement in the form of investigative assistance3and information sharing, provided certain statutory factors are met; (3) bolsters the FTC’s ability to receive information from foreign counterparts by allowing confidential treatment of information received; and (4) promotes relation-ship building through staff exchanges with foreign counterparts.
    • H.R. 4779 would ensure that the FTC continues to have the cross-border enforcement authority and international cooperation tools it needs to protect American consumers from unfair or deceptive acts or practices that originate abroad. This program provides a sound foundation for related issues of protecting and preserving cross-border data flows that are essential for Privacy Shield and other such agreements. Such legislation helps promote our leader ship  on  artificial  intelligence,  autonomous  vehicles,  quantum  computing, and other emerging technologies.
  • The Department of Veterans Affairs (VA) revealed it had been breached and “the personal information of approximately 46,000 Veterans” has been compromised. This announcement came the same day as an advisory issued by the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) that Chinese Ministry of State Security (MSS)-affiliated cyber threat actors have been targeting and possibly penetrating United States (U.S.) agency networks. The two events may not be linked, however. And yet, what is linked to the breach is an August VA request for information (RFI) for an entity “provide cyber security audit services support,” as confirmed by an agency spokesperson. The VA has experienced long running problems with information technology (IT) and cybersecurity as evidenced by this Government Accountability Office (GAO) testimony released a few weeks ago. In the notice of the breach, the VA explained:
    • The Financial Services Center (FSC) determined one of its online applications was accessed by unauthorized users to divert payments to community health care providers for the­ medical treatment of Veterans. The FSC took the application offline and reported the breach to VA’s Privacy Office. A preliminary review indicates these unauthorized users gained access to the application to change financial information and divert payments from VA by using social engineering techniques and exploiting authentication protocols. To prevent any future improper access to and modification of information, system access will not be reenabled until a comprehensive security review is completed by the VA Office of Information Technology. 
  • The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency issued Emergency Directive 20-04, “Mitigate Netlogon Elevation of Privilege Vulnerability from August 2020 Patch Tuesday” that directs United States’ (U.S.) agencies to act with respect to “non-national security systems,” meaning civilian agencies, to “immediately apply the Windows Server August 2020 security update to all domain controllers.” This most recent Emergency Directive follows two earlier ones this year (found here and here.)
  • The United States Department of Health and Human Services’ (HHS) Office of Civil Rights (OCR) announced a trio of enforcement actions for violations of HHS regulations on healthcare information these entities failed to properly protect. Specifically, these entities failed to meet their obligations under the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. OCR released these summaries of the actions:
    • Premera Blue Cross (PBC) has agreed to pay $6.85 million to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and to implement a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules related to a breach affecting over 10.4 million people. This resolution represents the second-largest payment to resolve a HIPAA investigation in OCR history. PBC operates in Washington and Alaska, and is the largest health plan in the Pacific Northwest, serving more than two million people.
      • On March 17, 2015, PBC filed a breach report on behalf of itself and its network of affiliates stating that cyber-attackers had gained unauthorized access to its information technology (IT) system.  The hackers used a phishing email to install malware that gave them access to PBC’s IT system in May 2014, which went undetected for nearly nine months until January 2015.  This undetected cyberattack, otherwise known as an advanced persistent threat, resulted in the disclosure of more than 10.4 million individuals’ protected health information including their names, addresses, dates of birth, email addresses, Social Security numbers, bank account information, and health plan clinical information. 
      • OCR’s investigation found systemic noncompliance with the HIPAA Rules including failure to conduct an enterprise-wide risk analysis, and failures to implement risk management, and audit controls.
    •  CHSPSC LLC, (“CHSPSC”) has agreed to pay $2,300,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and to adopt a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules related to a breach affecting over six million people.  CHSPSC provides a variety of business associate services, including IT and health information management, to hospitals and physician clinics indirectly owned by Community Health Systems, Inc., in Franklin, Tennessee.
      • In April 2014, the Federal Bureau of Investigation (FBI) notified CHSPSC that it had traced a cyberhacking group’s advanced persistent threat to CHSPSC’s information system. Despite this notice, the hackers continued to access and exfiltrate the protected health information (PHI) of 6,121,158 individuals until August 2014. The hackers used compromised administrative credentials to remotely access CHSPSC’s information system through its virtual private network. 
      • OCR ‘s investigation found longstanding, systemic noncompliance with the HIPAA Security Rule including failure to conduct a risk analysis, and failures to implement information system activity review, security incident procedures, and access controls.
    • Athens Orthopedic Clinic PA (“Athens Orthopedic”) has agreed to pay $1,500,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and to adopt a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. Athens Orthopedic is located in Georgia and provides orthopedic services to approximately 138,000 patients annually.
      • On June 26, 2016, a journalist notified Athens Orthopedic that a database of their patient records may have been posted online for sale. On June 28, 2016, a hacker contacted Athens Orthopedic and demanded money in return for a complete copy of the database it stole. Athens Orthopedic subsequently determined that the hacker used a vendor’s credentials on June 14, 2016, to access their electronic medical record system and exfiltrate patient health data. The hacker continued to access protected health information (PHI) for over a month until July 16, 2016.
      • On July 29, 2016, Athens Orthopedic filed a breach report informing OCR that 208,557 individuals were affected by this breach, and that the PHI disclosed included patients’ names, dates of birth, social security numbers, medical procedures, test results, and health insurance information.
      • OCR’s investigation discovered longstanding, systemic noncompliance with the HIPAA Privacy and Security Rules by Athens Orthopedic including failures to conduct a risk analysis, implement risk management and audit controls, maintain HIPAA policies and procedures, secure business associate agreements with multiple business associates, and provide HIPAA Privacy Rule training to workforce members.
  • The Department of the Treasury published a final rule that changes the Committee on Foreign Investment in the United States (CFIUS) regulations with respect to mandatory filings for future deals in which foreign companies are investing in United States (U.S.) firms producing “critical technologies.” Previously, the trigger was if there was a nexus between the U.S. entity and certain industries. But now, the filing requirement will be triggered if “certain U.S. government authorizations would be required to export, reexport, transfer (in-country), or retransfer the critical technology or technologies produced, designed, tested, manufactured, fabricated, or developed by the U.S. business to certain transaction parties and foreign persons in the ownership chain.” The Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA) (P.L. 115-232) required the agency to make this, among many other changes, in the CFIUS regime. What constitutes “critical technologies” is defined in FIRRMA and includes all sorts of military, commercial items with military applications, and “emerging and foundational technologies.” The final rule also “makes amendments to the definition of the term “substantial interest” and a related provision, and makes one technical revision.”
  • The Government Accountability Office (GAO) has assessed how well the Department of the Treasury is doing in its role as the overseer of cybersecurity for the United States (U.S.) financial services industry. The GAO found Treasury’s efforts lacking, especially with respect in implementing the recommendations the GAO has previously made. The GAO concluded:
    • Increased access to financial services sector systems, combined with the potential for monetary gains and economic disruptions, poses significant information security risks to the sector’s systems and to the critical operations and infrastructures they support. The financial services sector faces several different types of cyber-related risks, including ensuring adequate security for service providers traditionally considered external to the sector, an increased interconnectivity between sector entities that could result in simpler attack vectors, and the potential introduction of malware such as ransomware through social engineering techniques, such as spear phishing, or insider access. The sector has also faced an increase in attacks from well-organized attackers with significant resources.
    • The financial services industry, including firms and sectorwide groups set up to assist firms in ensuring the cybersecurity and resilience of the sector, have undertaken a series of risk mitigation efforts, in areas such as coordination and information sharing between organizations, development of guidance and training for members, and sectorwide incident response exercises. However, industry firms also pointed to challenge areas for assistance from regulators and policymakers. The most common of these areas were improved information sharing of actionable data after a cyber incident; improved harmonization among regulators, such as minimizing differences in use of state versus national requirements; establishing clearer guidance regarding regulation of the sector’s third-party service providers; and increasing cybersecurity training to firm employees.
    •  Federal agencies are conducting risk mitigation efforts intended to support private industry in improving cybersecurity of the financial services sector. These efforts, including regular outreach by the designated financial sector-specific agency, Treasury, generally meet responsibilities laid out in policy. However, Treasury does not prioritize or track the progress of sectorwide risk mitigation efforts, and does not explicitly link sector efforts to the goals in the sector specific plan, which is the primary sector planning document. Furthermore, the plan is out of date and does not include information on how the sector plans to implement recently required efforts. The plan also does not identify ways to measure sector progress, such as explicit metrics for determining the progress of risk mitigation efforts to enhance the cybersecurity and resilience of the sector. Unless Treasury undertakes tracking and prioritization of efforts based on metrics that reflect sector planning documents, the sector will remain unable to determine the effectiveness of its efforts, which could leave the sector insufficiently prepared to deal with primary sector risks.
    • The GAO made two recommendations to Treasury:
      • Regarding financial sector cyber risk mitigation efforts, we recommend that the Secretary of the Treasury, in coordination with the Department of Homeland Security and other federal and nonfederal sector partners, track the content and progress of sectorwide cyber risk mitigation efforts, and prioritize their completion according to sector goals and priorities in the sector-specific plan. (Recommendation 1)
      • Regarding the financial sector-specific plan, we recommend that the Secretary of the Treasury, in coordination with the Department of Homeland Security and other federal and nonfederal sector partners, update the financial services sector-specific plan to include specific metrics for measuring the progress of risk mitigation efforts and information on how the sector’s ongoing and planned risk mitigation efforts will meet sector goals and requirements, such as requirements for the financial services sector in the National Cyber Strategy Implementation Plan. (Recommendation 2)
  • The Department of Homeland Security’s (DHS) Office of the Inspector General (OIG) published its review of a May 2019 breach of a U.S. Customs and Border Protection (CBP) subcontractor that resulted in “CBP data, including traveler images from CBP’s facial recognition pilot, appear[ing] on the dark web.” The OIG explained that “CBP selected Unisys Corporation to design, develop, and install a biometric entry-exit solution that would verify and confirm the arrival and departures of passengers. In turn, Unisys Corporation hired Perceptics, LLC, as a subcontractor to install its proprietary facial image capture solution.” Perceptics then proceeded to violate DHS security and privacy protocols by transferring these data to its systems, but the agency did not store the personally identifiable information (PII) in an encrypted form. Consequently, when Perceptics was hit with a ransomware attack, “more than 184,000 traveler facial image files, as well as 105,000 license plate images from prior pilot work, were stored on the subcontractor’s network at the time of the ransomware attack.” The hackers also “stole an array of contractual documents, program management documents, emails, system configurations, schematics, and implementation documentation related to CBP license plate reader programs.” Worse still, CBP was notified of the breach through a media article instead of by either the prime or subcontractor even thought Perceptics informed Unisys, which opted against informing CBP in violation of its contractual duties.
  • The OIG summarized the facts of the case:
    • CBP did not adequately safeguard sensitive data on an unencrypted device used during its facial recognition technology pilot (known as the Vehicle Face System). A subcontractor working on this effort, Perceptics, LLC, transferred copies of CBP’s biometric data, such as traveler images, to its own company network. The subcontractor obtained access to this data between August 2018 and January 2019 without CBP’s authorization or knowledge. Later in 2019, the Department of Homeland Security experienced a major privacy incident, as the subcontractor’s network was subjected to a malicious cyber attack.
    • DHS requires subcontractors to protect personally identifiable information (PII) from identity theft or misuse. However, in this case, Perceptics staff directly violated DHS security and privacy protocols when they downloaded CBP’s sensitive PII from an unencrypted device and stored it on their own network. Given Perceptics’ ability to take possession of CBP-owned sensitive data, CBP’s information security practices during the pilot were inadequate to prevent the subcontractor’s actions.
    • This data breach compromised approximately 184,000 traveler images from CBP’s facial recognition pilot; at least 19 of the images were posted to the dark web. This incident may damage the public’s trust in the Government’s ability to safeguard biometric data and may result in travelers’ reluctance to permit DHS to capture and use their biometrics at U.S. ports of entry.
  • The OIG made 3 recommendations to CBP:
    • Recommendation 1: We recommend CBP’s Assistant Commissioner for the Office of Information and Technology implement all mitigation and policy recommendations to resolve the 2019 data breach identified in CBP’s Security Threat Assessments, including implementing USB device restrictions and applying enhanced encryption methods.
    • Recommendation 2: We recommend the Deputy Executive Assistant Commissioner, Office of Field Operations coordinate with the CBP Office of Information and Technology to ensure that all additional security controls are implemented on relevant devices at all existing Biometric Entry-Exit program pilot locations.
    • Recommendation 3: We recommend the Deputy Executive Assistant Commissioner, Office of Field Operations establish a plan for the Biometric Entry-Exit Program to routinely assess third-party equipment supporting biometric data collection to ensure partners’ compliance with Department security and privacy standards.

Further Reading

  • Revealed: Trump campaign strategy to deter millions of Black Americans from voting in 2016” — Channel 4 News. The same British news organization that broke the Cambridge Analytica story is back with another article on the mining and use of personal data in microtargeting voters in the 2016 presidential election. Despite repeated denials, it appears the Trump Campaign in concert with Cambridge Analytica and the Republican National Committee targeted African Americans with messages on Facebook to keep them home on election day, possibly swinging a few keys states Trump could not have won the Electoral College without.
  • Why the right wing has a massive advantage on Facebook” By Alex Thompson — Politico. This piece lays the responsibility for the advantage in popularity conservative political posts and content on human nature, arguing that right-wing populism will always be more viscerally appealing to people than left-wing populism. The company also seems to be laying what many are calling its malign effects on human nature, too.  
  • Foreign Hackers Cripple Texas County’s Email System, Raising Election Security Concerns” By Jack Gillum, Jessica Huseman, Jeff Kao and Derek Willis — ProPublica. In an article based on information provided on a small Texas County’s breach, light is shined on how unprepared many localities and jurisdictions against common cyber threats. In this case, a common ransomware malware was placed successfully on the county’s system rending it unusable. It appears this, and other counties, have disregarded the cybersecurity advice furnished by the Department of Homeland Security in the hopes that the United States’ (U.S.) systems will be secure against election day hacks. With minimal effort, a sophisticated entity can wreak havoc in contested states this election.
  • TikTok was just the beginning: Trump administration is stepping up scrutiny of past Chinese tech investments” By Jeanne Whalen — The Washington Post. To no great surprise, the Trump Administration is looking to use the Committee on Foreign Investment in the United States (CFIUS) process. The Department of the Treasury’s Office of Investment Security Monitoring & Enforcement has been sending letters to technology companies since the early spring inquiring about foreign investment. The companies being targeted tend to collect, process, and store a lot of personal data or are pioneering or producing cutting edge technology considered vital for national security like electric batteries. This new office is reportedly looking back at transactions completed more than ten years ago. Already the scrutiny is having its intended effect as entities from the People’s Republic of China (PRC) have invested less this year in Silicon Valley than they have in six years.
  • China chip giant SMIC shares sink on US export controls” By Jerome Taylor — AFP; “U.S. sanctions on chipmaker SMIC hit at the very heart of China’s tech ambitions” By Arjun Kharpal — CNBC. The United States (U.S.) Department of Commerce has reportedly informed U.S. chipmakers and others that they must stop selling equipment to the People’s Republic of China’s (PRC) Semiconductor Manufacturing International Corp (SMIC) unless they get an export license. This latest move tightens further the chokehold the U.S. has placed on Huawei and other PRC firms that require U.S. technology to make their products. While SMIC has made strides in developing chips, it is still dependent on foreign technology. SMIC told western media outlets we “no relationship with the Chinese military and does not manufacture for any military end-users or end-uses.”
  • Activists slam Palantir for its work with ICE ahead of market debut” By Tonya Riley and Cat Zakrzewski — The Washington Post. Ahead of tomorrow’s initial public offering, human rights advocates are pressing investors to forego Palantir or to buy the stock and demand changes. These activists are arguing that the Peter Thiel launched company has worked with the United States government and others in violation of human rights.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo by Daniel Falcao on Unsplash

Further Reading, Other Developments, and Coming Events (16 September)

Coming Events

  • The United States’ Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) announced that its third annual National Cybersecurity Summit “will be held virtually as a series of webinars every Wednesday for four weeks beginning September 16 and ending October 7:”
    • September 16: Key Cyber Insights
    • September 23: Leading the Digital Transformation
    • September 30: Diversity in Cybersecurity
    • October 7: Defending our Democracy
    • One can register for the event here.
  • The House Homeland Security Committee will hold a hearing titled “Worldwide Threats to the Homeland” on 17 September with the following witnesses:
    • Chad Wolf, Department of Homeland Security
    • Christopher Wray, Director, Federal Bureau of Investigation
    • Christopher Miller, Director, National Counterterrorism Center (NCTC)
  • On 17 September, the House Energy and Commerce Committee’s Communications & technology Subcommittee will hold a hearing titled “Trump FCC: Four Years of Lost Opportunities.”
  • The House Armed Services Committee’s Intelligence and Emerging Threats and Capabilities Subcommittee will hold a hearing’ titled “Interim Review of the National Security Commission on Artificial Intelligence Effort and Recommendations” on 17 September with these witnesses:
    • Dr. Eric Schmidt , Chairman, National Security Commission on Artificial Intelligence 
    • HON Robert Work, Vice Chairman, National Security Commission on Artificial Intelligence, HON Mignon Clyburn, Commissioner, National Security Commission on Artificial Intelligence 
    • Dr. José-Marie Griffiths, Commissioner, National Security Commission on Artificial Intelligence
  • On 22 September, the Federal Trade Commission (FTC) will hold a public workshop “to examine the potential benefits and challenges to consumers and competition raised by data portability.” The agency has released its agenda and explained:
    • The workshop will also feature four panel discussions that will focus on: case studies on data portability rights in the European Union, India, and California; case studies on financial and health portability regimes; reconciling the benefits and risks of data portability; and the material challenges and solutions to realizing data portability’s potential.
  • The Senate Judiciary Committee’s Intellectual Property Subcommittee will hold a hearing “Examining Threats to American Intellectual Property: Cyber-attacks and Counterfeits During the COVID-19 Pandemic” with these witnesses:
    • Adam Hickey, Deputy Assistant Attorney General National Security Division, Department of Justice
    • Clyde Wallace, Deputy Assistant Director Cyber Division, Federal Bureau of Investigation
    • Steve Francis, Assistant Director, HSI Global Trade Investigations Division Director, National Intellectual Property Rights Center, U.S. Immigration and Customs Enforcement, Department of Homeland Security
    • Bryan S. Ware, Assistant Director for Cybersecurity Cyber Security and Infrastructure Security Agency, Department of Homeland Security
  • The Senate Judiciary Committee’s Antitrust, Competition Policy & Consumer Rights Subcommittee will hold a hearing on 30 September titled “Oversight of the Enforcement of the Antitrust Laws” with Federal Trade Commission Chair Joseph Simons and United States Department of Justice Antitrust Division Assistant Attorney General Makan Delhrahim.
  • The Federal Communications Commission (FCC) will hold an open meeting on 30 September and has made available its agenda with these items:
    • Facilitating Shared Use in the 3.1-3.55 GHz Band. The Commission will consider a Report and Order that would remove the existing non-federal allocations from the 3.3-3.55 GHz band as an important step toward making 100 megahertz of spectrum in the 3.45-3.55 GHz band available for commercial use, including 5G, throughout the contiguous United States. The Commission will also consider a Further Notice of Proposed Rulemaking that would propose to add a co-primary, non-federal fixed and mobile (except aeronautical mobile) allocation to the 3.45-3.55 GHz band as well as service, technical, and competitive bidding rules for flexible-use licenses in the band. (WT Docket No. 19-348)
    • Expanding Access to and Investment in the 4.9 GHz Band. The Commission will consider a Sixth Report and Order that would expand access to and investment in the 4.9 GHz (4940-4990 MHz) band by providing states the opportunity to lease this spectrum to commercial entities, electric utilities, and others for both public safety and non-public safety purposes. The Commission also will consider a Seventh Further Notice of Proposed Rulemaking that would propose a new set of licensing rules and seek comment on ways to further facilitate access to and investment in the band. (WP Docket No. 07-100)
    • Improving Transparency and Timeliness of Foreign Ownership Review Process. The Commission will consider a Report and Order that would improve the timeliness and transparency of the process by which it seeks the views of Executive Branch agencies on any national security, law enforcement, foreign policy, and trade policy concerns related to certain applications filed with the Commission. (IB Docket No. 16-155)
    • Promoting Caller ID Authentication to Combat Spoofed Robocalls. The Commission will consider a Report and Order that would continue its work to implement the TRACED Act and promote the deployment of caller ID authentication technology to combat spoofed robocalls. (WC Docket No. 17-97)
    • Combating 911 Fee Diversion. The Commission will consider a Notice of Inquiry that would seek comment on ways to dissuade states and territories from diverting fees collected for 911 to other purposes. (PS Docket Nos. 20-291, 09-14)
    • Modernizing Cable Service Change Notifications. The Commission will consider a Report and Order that would modernize requirements for notices cable operators must provide subscribers and local franchising authorities. (MB Docket Nos. 19-347, 17-105)
    • Eliminating Records Requirements for Cable Operator Interests in Video Programming. The Commission will consider a Report and Order that would eliminate the requirement that cable operators maintain records in their online public inspection files regarding the nature and extent of their attributable interests in video programming services. (MB Docket No. 20-35, 17-105)
    • Reforming IP Captioned Telephone Service Rates and Service Standards. The Commission will consider a Report and Order, Order on Reconsideration, and Further Notice of Proposed Rulemaking that would set compensation rates for Internet Protocol Captioned Telephone Service (IP CTS), deny reconsideration of previously set IP CTS compensation rates, and propose service quality and performance measurement standards for captioned telephone services. (CG Docket Nos. 13-24, 03-123)
    • Enforcement Item. The Commission will consider an enforcement action.

Other Developments

  • The United States House of Representatives took up and passed two technology bills on 14 September. One of the bills, “Internet of Things (IoT) Cybersecurity Improvement Act of 2020” (H.R. 1668), was discussed in yesterday’s Technology Policy Update as part of an outlook on Internet of Things (IoT) legislation (see here for analysis). The House passed a revised version by voice vote, but its fate in the Senate may lie with the Senate Homeland Security & Governmental Affairs Committee, whose chair, Senator Ron Johnson (R-WI), has blocked a number of technology bills during his tenure to the chagrin of some House stakeholders. The House also passed the “AI in Government Act of 2019” (H.R.2575) that would establish an AI Center of Excellence within the General Services Administration that would
    • “(1) advise and promote the efforts of the Federal Government in developing innovative uses of artificial intelligence by the Federal Government to the benefit of the public; and
    • (2) improve cohesion and competency in the use of artificial intelligence.”
    • Also, this bill would direct the Office of Management and Budget (OMB) to “issue a memorandum to the head of each agency that shall—
      • inform the development of artificial intelligence governance approaches by those agencies regarding technologies and applications that—
        • are empowered or enabled by the use of artificial intelligence within that agency; and
        • advance the innovative use of artificial intelligence for the benefit of the public while upholding civil liberties, privacy, and civil rights;
      • consider ways to reduce barriers to the use of artificial intelligence in order to promote innovative application of those technologies for the benefit of the public, while protecting civil liberties, privacy, and civil rights;
      • establish best practices for identifying, assessing, and mitigating any bias on the basis of any classification protected under Federal nondiscrimination laws or other negative unintended consequence stemming from the use of artificial intelligence systems; and
      • provide a template of the required contents of the agency Governance Plans
    • The House Energy and Commerce Committee marked up and reported out more than 30 bills last week including:
      • The “Consumer Product Safety Inspection Enhancement Act” (H.R. 8134) that “would amend the Consumer Product Safety Act to enhance the Consumer Product Safety Commission’s (CPSC) ability to identify unsafe consumer products entering the United States, especially e-commerce shipments entering under the de minimis value exemption. Specifically, the bill would require the CPSC to enhance the targeting, surveillance, and screening of consumer products. The bill also would require electronic filing of certificates of compliance for all consumer products entering the United States.
      • The bill directs the CPSC to: 1) examine a sampling of de minimis shipments and shipments coming from China; 2) detail plans and timelines to effectively address targeting and screening of de minimis shipments; 3) establish metrics by which to evaluate the effectiveness of the CPSC’s efforts in this regard; 4) assess projected technology, resources, and staffing necessary; and 5) submit a report to Congress regarding such efforts. The bill further directs the CPSC to hire at least 16 employees every year until staffing needs are met to help identify violative products at ports.
      • The “AI for Consumer Product Safety Act” (H.R. 8128) that “would direct the Consumer Product Safety Commission (CPSC) to establish a pilot program to explore the use of artificial intelligence for at least one of the following purposes: 1) tracking injury trends; 2) identifying consumer product hazards; 3) monitoring the retail marketplace for the sale of recalled consumer products; or 4) identifying unsafe imported consumer products.” The revised bill passed by the committee “changes the title of the bill to the “Consumer Safety Technology Act”, and adds the text based on the Blockchain Innovation Act (H.R. 8153) and the Digital Taxonomy Act (H.R. 2154)…[and] adds sections that direct the Department of Commerce (DOC), in consultation with the Federal Trade Commission (FTC), to conduct a study and submit to Congress a report on the state of blockchain technology in commerce, including its use to reduce fraud and increase security.” The revised bill “would also require the FTC to submit to Congress a report and recommendations on unfair or deceptive acts or practices relating to digital tokens.”
      • The “American Competitiveness Of a More Productive Emerging Tech Economy Act” or the “American COMPETE Act” (H.R. 8132) “directs the DOC and the FTC to study and report to Congress on the state of the artificial intelligence, quantum computing, blockchain, and the new and advanced materials industries in the U.S…[and] would also require the DOC to study and report to Congress on the state of the Internet of Things (IoT) and IoT manufacturing industries as well as the three-dimensional printing industry” involving “among other things:1) listing industry sectors that develop and use each technology and public-private partnerships focused on promoting the adoption and use of each such technology; 2) establishing a list of federal agencies asserting jurisdiction over such industry sectors; and 3) assessing risks and trends in the marketplace and supply chain of each technology.
      • The bill would direct the DOC to study and report on the effect of unmanned delivery services on U.S. businesses conducting interstate commerce. In addition to these report elements, the bill would require the DOC to examine safety risks and effects on traffic congestion and jobs of unmanned delivery services.
      • Finally, the bill would require the FTC to study and report to Congress on how artificial intelligence may be used to address online harms, including scams directed at senior citizens, disinformation or exploitative content, and content furthering illegal activity.
  • The National Institute of Standards and Technology (NIST) issued NIST Interagency or Internal Report 8272 “Impact Analysis Tool for Interdependent Cyber Supply Chain Risks” designed to help public and private sector entities better address complicated, complex supply chain risks. NIST stated “[t]his publication de-scribes how to use the Cyber Supply Chain Risk Management (C-SCRM) Interdependency Tool that has been developed to help federal agencies identify and assess the potential impact of cybersecurity events in their interconnected supply chains.” NIST explained
    • More organizations are becoming aware of the importance of identifying cybersecurity risks associated with extensive, complicated supply chains. Several solutions have been developed to help manage supply chains; most focus on contract management or compliance. There is a need to provide organizations with a systematic and more usable way to evaluate the potential impacts of cyber supply chain risks relative to an organization’s risk appetite. This is especially important for organizations with complex supply chains and highly interdependent products and suppliers.
    • This publication describes one potential way to visualize and measure these impacts: a Cyber Supply Chain Risk Management (C-SCRM) Interdependency Tool (hereafter “Tool”), which is designed to provide a basic measurement of the potential impact of a cyber supply chain event. The Tool is not intended to measure the risk of an event, where risk is defined as a function of threat, vulnerability, likelihood, and impact. Research conducted by the authors of this publication found that, at the time of publication, existing cybersecurity risk tools and research focused on threats, vulnerabilities, and likelihood, but impact was frequently overlooked. Thus, this Tool is intended to bridge that gap and enable users and tool developers to create a more complete understanding of an organization’s risk by measuring impact in their specific environments.
    • The Tool also provides the user greater visibility over the supply chain and the relative importance of particular projects, products, and suppliers (hereafter referred to as “nodes”) compared to others. This can be determined by examining the metrics that contribute to a node’s importance, such as the amount of access a node has to the acquiring organization’s IT network, physical facilities, and data. By understanding which nodes are the most important in their organization’s supply chain, the user can begin to understand the potential impact a disruption of that node may cause on business operations. The user can then prioritize the completion of risk mitigating actions to reduce the impact a disruption would cause to the organization’s supply chain and overall business.
  • In a blog post, Microsoft released its findings on the escalating threats to political campaigns and figures during the run up to the United States’ (U.S.) election. This warning also served as an advertisement for Microsoft’s security products. But, be that as it may, these findings echo what U.S. security services have been saying for months. Microsoft stated
    • In recent weeks, Microsoft has detected cyberattacks targeting people and organizations involved in the upcoming presidential election, including unsuccessful attacks on people associated with both the Trump and Biden campaigns, as detailed below. We have and will continue to defend our democracy against these attacks through notifications of such activity to impacted customers, security features in our products and services, and legal and technical disruptions. The activity we are announcing today makes clear that foreign activity groups have stepped up their efforts targeting the 2020 election as had been anticipated, and is consistent with what the U.S. government and others have reported. We also report here on attacks against other institutions and enterprises worldwide that reflect similar adversary activity.
    • We have observed that:
      • Strontium, operating from Russia, has attacked more than 200 organizations including political campaigns, advocacy groups, parties and political consultants
      • Zirconium, operating from China, has attacked high-profile individuals associated with the election, including people associated with the Joe Biden for President campaign and prominent leaders in the international affairs community
      • Phosphorus, operating from Iran, has continued to attack the personal accounts of people associated with the Donald J. Trump for President campaign
    • The majority of these attacks were detected and stopped by security tools built into our products. We have directly notified those who were targeted or compromised so they can take action to protect themselves. We are sharing more about the details of these attacks today, and where we’ve named impacted customers, we’re doing so with their support.
    • What we’ve seen is consistent with previous attack patterns that not only target candidates and campaign staffers but also those they consult on key issues. These activities highlight the need for people and organizations involved in the political process to take advantage of free and low-cost security tools to protect themselves as we get closer to election day. At Microsoft, for example, we offer AccountGuard threat monitoring, Microsoft 365 for Campaigns and Election Security Advisors to help secure campaigns and their volunteers. More broadly, these attacks underscore the continued importance of work underway at the United Nations to protect cyberspace and initiatives like the Paris Call for Trust and Security in Cyberspace.
  • The European Data Protection Supervisor (EDPS) has reiterated and expanded upon his calls for caution, prudence, and adherence to European Union (EU) law and principles in the use of artificial intelligence, especially as the EU looks to revamp its approach to AI and data protection. In a blog post, EDPS Wojciech Wiewiórowski stated:
    • The expectations of the increasing use of AI and the related economic advantages for those who control the technologies, as well as its appetite for data, have given rise to fierce competition about technological leadership. In this competition, the EU strives to be a frontrunner while staying true to its own values and ideals.
    • AI comes with its own risks and is not an innocuous, magical tool, which will heal the world harmlessly. For example, the rapid adoption of AI by public administrations in hospitals, utilities and transport services, financial supervisors, and other areas of public interest is considered in the EC White Paper ‘essential’, but we believe that prudency is needed. AI, like any other technology, is a mere tool, and should be designed to serve humankind. Benefits, costs and risks should be considered by anyone adopting a technology, especially by public administrations who process great amounts of personal data.
    • The increase in adoption of AI has not been (yet?) accompanied by a proper assessment of what the impact on individuals and on our society as a whole will likely be. Think especially of live facial recognition (remote biometric identification in the EC White Paper). We support the idea of a moratorium on automated recognition in public spaces of human features in the EU, of faces but also and importantly of gait, fingerprints, DNA, voice, keystrokes and other biometric or behavioural signals.
    • Let’s not rush AI, we have to get it straight so that it is fair and that it serves individuals and society at large.
    • The context in which the consultation for the Data Strategy was conducted gave a prominent place to the role of data in matters of public interest, including combating the virus. This is good and right as the GDPR was crafted so that the processing of personal data should serve humankind. There are existing conditions under which such “processing for the public good” could already take place, and without which the necessary trust of data subjects would not be possible.
    • However, there is a substantial persuasive power in the narratives nudging individuals to ‘volunteer’ their data to address highly moral goals. Concepts such as ‘Data altruism”, or ‘Data donation” and their added value are not entirely clear and there is a need to better define and lay down their scope, and possible purposes, for instance, in the context of scientific research in the health sector. The fundamental right to the protection of personal data cannot be ‘waived’ by the individual concerned, be it through a ‘donation’ or through a ‘sale’ of personal data. The data controller is fully bound by the personal data rules and principles, such as purpose limitation even when processing data that have been ‘donated’ i.e. when consent to the processing had been given by the individual.

Further Reading

  • Peter Thiel Met With The Racist Fringe As He Went All In On Trump” By Rosie Gray and Ryan Mac — BuzzFeed News. A fascinating article about one of the technology world’s more interesting figures. As part of his decision to ally himself with Donald Trump when running for president, Peter Thiel also met with avowed white supremacists. However, it appears that the alliance is no longer worthy of his financial assistance or his public support as he supposedly was disturbed about the Administration’s response to the pandemic. However, Palantir, his company has flourished during the Trump Administration and may be going public right before matters may change under a Biden Administration.
  • TikTok’s Proposed Deal Seeks to Mollify U.S. and China” By David McCabe, Ana Swanson and Erin Griffith — The New York Times. ByteDance is apparently trying to mollify both Washington and Beijing in bringing Oracle onboard as “trusted technology partner,” for the arrangement may be acceptable to both nations under their export control and national security regimes. Oracle handling and safeguarding TikTokj user data would seem to address the Trump Administration’s concerns, but not selling the company nor permitting Oracle to access its algorithm for making recommendations would seem to appease the People’s Republic of China (PRC). Moreover, United States (U.S.) investors would hold control over TikTok even though PRC investors would maintain their stakes. Such an arrangement may satisfy the Committee on Foreign Investment in the United States (CFIUS), which has ordered ByteDance to sell the app that is an integral part of TikTok. The wild card, as always, is where President Donald Trump ultimately comes out on the deal.
  • Oracle’s courting of Trump may help it land TikTok’s business and coveted user data” By Jay Greene and Ellen Nakashima — The Washington Post. This piece dives into why Oracle, at first blush, seems like an unlikely suitor to TikTok, but it’s eroding business position visa vis cloud companies like Amazon explains its desire to diversify. Also, Oracle’s role as a data broker makes all the user data available from TikTok very attractive.
  • Chinese firm harvests social media posts, data of prominent Americans and military” By Gerry Shih — The Washington Post. Another view on Shenzhen Zhenhua Data Technology, the entity from the People’s Republic of China (PRC) exposed for collecting the personal data of more than 2.4 million westerners, many of whom hold positions of power and influence. This article quotes a number of experts allowed to look at what was leaked of the data base who are of the view the PRC has very little in the way of actionable intelligence, at this point. The country is leveraging publicly available big data from a variety of sources and may ultimately makes something useful from these data.
  • “‘This is f—ing crazy’: Florida Latinos swamped by wild conspiracy theories” By Sabrina Rodriguez and Marc Caputo — Politico. A number of sources are spreading rumors about former Vice President Joe Biden and the Democrats generally in order to curb support among a key demographic the party will need to carry overwhelmingly to win Florida.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo by Alexander Sinn on Unsplash

Pending Legislation In U.S. Congress, Part III

Even though it is agreed Congress should revamp election security laws, there is no agreement on how.

Election security is a subject much on the minds of lawmakers and policymakers in Washington in this election; however, how the Congress should respond is a matter much disagreed upon. House Democrats have passed a number of bills to address a range of problems in the United States (U.S.) electoral system, but Republicans have generally rejected their proposed policy solutions, in no small part because of White House opposition. Moreover, President Donald Trump has steadfastly opposed any legislation intended to address future Russian interference in elections. Consequently, the prospects of any election security legislation being enacted are virtually nil even if lawmakers have steadily increased the amount of money the federal government is providing states to shore up security through the Election Assistance Commission’s grant program. These bills are nonetheless worthy of notice, for if Democrats capture the White House and Senate, it is very likely they will make a run at enacting election security legislation along the lines of some of these bills.  

In July, a deal was struck to add the “Intelligence Authorization Act for Fiscal Year 2021” (S.3905) to the “National Defense Authorization Act for Fiscal Year 2021“ (S.4049) but without an election security bill included in the package as reported out of the Senate Intelligence Committee: the “Foreign Influence Reporting in Elections Act” (FIRE Act) (S.2242). The sponsor of the FIRE Act, Senate Intelligence Committee Ranking Member Mark Warner (D-VA), went to the Senate floor to protest the striking of his bill and to announce his plans to offer it as an amendment and force a vote:

The  committee  voted  14  to 1 to  pass an intel authorization bill that included  the  FIRE Act,  the  act  that  I  just described, so that if a foreign government interferes or offers you assistance  or  offers  you  dirt,  you  don’t  say  thanks;  you  call  the  FBI.  So  you  can  imagine  my  surprise  and  frustration  when  I  learned  of  a  backroom  deal  to  strip  the  FIRE  Act  out  of  the  Intelligence   Committee’s   legislation   because  of  a  supposed  turf  war  with  another committee. I  am  back  again  today  because  the  security  of  our  elections  cannot  wait.  Let’s  not  hide  behind  process  or  jurisdictional  boundaries.  The  stakes  are  far  too  high  to  continue  the  partisan  blockade  of  election  security  legislation  that  we  have  seen  over  the  last  3  years. If,  behind  closed  doors,  my  Republican  colleagues  want  to  strip  this  legislation  out  of  the  NDAA,  then  I  am  going  to  offer  it  up  as  an  amendment  to  force  an  up-or-down  vote  and  put  every   Member   of   this   body   on   the   record: Are you for election security or are you for allowing foreign entities to interfere  and  offer  assistance  with  no  requirement to report?

Prior to its inclusion in the FY 2021 Intelligence Authorization Act, Warner had asked unanimous consent to take up the FIRE Act multiple times but was met with Republican objections each time. And there are other election security bills Republicans have continued to block, including:

  • The “Duty To Report Act” (S.1247) “to require reporting to the Federal Election Commission and the Federal Bureau of Investigation of offers by foreign nationals to make prohibited contributions, donations, expenditures, or disbursements.”
  • The “Senate Cybersecurity Protection Act” (S.890) “to protect the personal technology devices and accounts of Senators and covered employees from cyber attacks and hostile information collection activities, and for other purposes.”
  • The “Securing America’s Federal Elections Act” (SAFE Act) (H.R.2722) (see below)
  • The “Secure Elections Act of 2019” (S.1540) (see below)

The “Secure Elections Act of 2019” (S.1540) was cosponsored by 40 Democrats but has not been acted upon by the Senate. In her press release, primary sponsor, Senator Amy Klobuchar (D-MN), claimed the bill would do the following:

  • Require states use paper ballots.
  • Establish cybersecurity standards for voting systems vendors.
  • Fund grants for states to improve and maintain the security of their election systems, to provide cybersecurity training to election officials, and to implement post-election risk limiting audits.
  • Require the Director of National Intelligence to assess threats to election systems 180 days before an election and require the Department of Homeland Security and the Election Assistance Commission to issue recommendations to address threats.
  • Require the testing of voting systems nine months before an election.
  • Require the President to produce a national strategy for protecting democratic institutions.
  • Create a National Commission to Protect United States Democratic Institutions.

Yet, last summer, the Senate took up and passed two election-related bills addressing facets of the cybersecurity challenges. In July 2019, the Senate passed the “Defending the Integrity of Voting Systems Act” (S. 1321) by unanimous consent that would “make it a federal crime to hack any voting systems used in a federal election” according to the Senate Judiciary Committee’s website. In June 2019, the Senate also passed the “Defending Elections against Trolls from Enemy Regimes (DETER) Act” (S. 1328) that “will make “improper interference in U.S. elections” a violation of U.S. immigration law, and violators would be barred from obtaining a visa to enter the United States. The House has yet to act on these bills, and Democratic Leadership is likely not to let them come to the floor to maximize their leverage in getting their bills through the Senate.

In February 2019, the House passed the “For the People Act” (H.R. 1) by a 234-193 vote, a House Democratic priority bill that would seek to bolster the cybersecurity of election systems across the country, among other policy goals. If this bill were enacted as written, there would be significant changes to current regulation. However, it was unlikely the Senate will take up this bill as written, and any measure in the Senate regarding election security would be more circumscribed. And, Senate Republicans blocked efforts to take up this bill.

Regarding the cybersecurity of election systems, the bill includes a process by which cybersecurity standards would be established for election infrastructure vendors and would also authorize grants for states and localities to upgrade and secure their election systems. For example, “qualified election infrastructure vendors” must agree “to ensure that the election infrastructure will be developed and maintained in a manner that is consistent with the cybersecurity best practices issued by the Technical Guidelines Development Committee” and to promptly report cybersecurity incidents to the Department of Homeland Security (DHS) and the Election Assistance Commission (EAC).

The bill would authorize $1.7 billion in funding for the EAC to make grants to states for a number of purposes, including “to carry out voting system security improvements” to undertake the following

(1) The acquisition of goods and services from qualified election infrastructure vendors by purchase, lease, or such other arrangements as may be appropriate.

(2) Cyber and risk mitigation training.

(3) A security risk and vulnerability assessment of the State’s election infrastructure which is carried out by a provider of cybersecurity services under a contract entered into between the chief State election official and the provider.

(4) The maintenance of election infrastructure, including addressing risks and vulnerabilities which are identified under either of the security risk and vulnerability assessments described in paragraph (3), except that none of the funds provided under this part may be used to renovate or replace a building or facility which is used primarily for purposes other than the administration of elections for public office.

(5) Providing increased technical support for any information technology infrastructure that the chief State election official deems to be part of the State’s election infrastructure or designates as critical to the operation of the State’s election infrastructure.

(6) Enhancing the cybersecurity and operations of the information technology infrastructure described in paragraph (4).

(7) Enhancing the cybersecurity of voter registration systems.

The package requires “qualified election infrastructure vendors” (i.e. “any person who provides, supports, or maintains, or who seeks to provide, support, or maintain, election infrastructure on behalf of a State, unit of local government, or election agency”) to meet these requirements:

  • [T]o ensure that the election infrastructure will be developed and maintained in a manner that is consistent with the cybersecurity best practices issued by the Technical Guidelines Development Committee.
  • [T]o maintain its information technology infrastructure in a manner that is consistent with the cybersecurity best practices issued by the Technical Guidelines Development Committee.
  • Reporting cybersecurity incidents “involving any of the goods and services provided by the vendor” to the EAC and DHS within three days of discovery
  • “[T]o permit independent security testing by the [EAC]…and by the Secretary of the goods and services provided by the vendor pursuant to a grant”

H.R. 1 would also change the Department of Homeland Security’s organic statute to make “election infrastructure” a critical infrastructure sector. In January 2017, then Secretary of Homeland Security Jeh Johnson expanded the Government Facilities Sector to include an Election Infrastructure Subsector. However, if H.R. 1 were enacted, then the election sector would be the 17th critical infrastructure sector and a future Secretary could not rescind this designation as one may with Johnson’s addition of state and local elections systems to the Government Facilities sector.

The Committee Report detailed the addition of the “Honest Ads Act” to H.R. 1:

  • The Honest Ads Act updates the rules that apply to online political advertising by incorporating disclosure and disclaimer concepts that apply to traditional media, while providing regulatory flexibility for new forms of digital advertising. This will help ensure that voters make informed decisions at the ballot box and to know who is spending money on digital political advertisements that they view.
  • It also expands the definition of public communication to include paid internet or paid digital communications, and amends the definition of electioneering communication to include certain digital or internet communications placed or promoted for a fee online.
  • Finally, the bill requires that large online platforms (defined to include those with 50,000,000 or more unique monthly United States visitors) maintain public databases of political ad purchases. This is a concept that already applies to broadcasters, who must maintain public files of political advertisements. The online data- bases maintained by the platforms will provide the public with in- formation about the purchasers of online political ads, including how the audience is targeted. Political advertisements are defined to include those that communicate messages relating to political matters of national importance, including about candidates, elections, and national legislative issues of public importance.
  • Finally, the Honest Ads Act requires all broadcasters, cable or satellite television and online platforms to take reasonable efforts to ensure that political advertising is not purchased by foreign nationals, directly or indirectly.

Thereafter, House Democrats brought pieces of H.R. 1 to the House floor for separate votes in attempt to push Senate Republicans to take up the bill and if they do not, to put them on the record as opposing the reforms House Democrats think are necessary, including bolstering the cybersecurity of voting systems. In late June 2019, the House considered and passed the “Securing America’s Federal Elections (SAFE) Act of 2019” (H.R. 2722) also largely along a party-line vote. In the Committee Report, the House Administration Committee explained the bill:

  • H.R. 2722 provides critical resources to states and localities to bolster election infrastructure, including necessary funds to replace aging voting equipment with voter-verified paper ballot voting systems and implement additional cybersecurity protocols. The bill also helps states and localities plan for future elections by providing ongoing maintenance funding on a biannual basis. The legislation provides grant programs for states to implement required risk-limiting audits, a best practice audit system that confirms election outcomes with a high degree of confidence.

The House took up this bill and passed it by a 225-184 vote, but the Senate has not considered it.

The House took up and passed its third major bill on election security in 2019 the “Stopping Harmful Interference in Elections for a Lasting Democracy Act” (SHIELD Act) (H.R. 4617), that addresses two of the technological facets of foreign disinformation campaigns aimed at U.S. elections according to the House Administration Committee’s summary:

  • Helps prevent foreign interference in future elections by improving transparency of online political advertisements.
    • Russia attempted to influence the 2016 presidential election by buying and placing political ads on platforms such as Facebook, Twitter and Google. The content and purchasers of those online advertisements were a mystery to the public because of outdated laws that have failed to keep up with evolving technology. The SHIELD Act takes steps to prevent hidden, foreign disinformation campaigns in our elections by ensuring that political ads sold online are covered by the same rules as ads sold on TV, radio, and satellite.
  • Prohibits deceptive practices about voting procedures.
    • Independent experts have identified voter suppression tactics the Russians used on social media, including malicious misdirection designed to create confusion about voting rules. The SHIELD Act incorporates the Deceptive Practices and Voter Intimidation Prevention Act to prohibit anyone from providing false information about voting rules and qualifications for voting, provides mechanisms for disseminating correct information, and establishes strong penalties for voter intimidation.

The House passed H.R. 4617 by a 227-181 vote with all Republicans present voting no and one Democrat joining them. Again, the Senate did not take up the bill.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.