Further Reading, Other Developments, and Coming Events (7 December)

Further Reading

  • “Facebook steps up campaign to ban false information about coronavirus vaccines” By Elizabeth Dwoskin — The Washington Post. In its latest step to find and remove lies, misinformation, and disinformation, the social media giant is now committing to removing and blocking untrue material about COVID-19 vaccines, especially from the anti-vaccine community. Will the next step be to take on anti-vaccination proponents generally?
  • “Comcast’s 1.2 TB data cap seems like a ton of data—until you factor in remote work” By Rob Pegoraro — Fast Company. Despite many people and children working and learning from home, Comcast is reimposing a 1.2 terabyte limit on data for homes. Sounds like quite a lot until you factor in video meetings, streaming, etc. So far, other providers have not set a cap.
  • “Google’s star AI ethics researcher, one of a few Black women in the field, says she was fired for a critical email” By Drew Harwell and Nitasha Tiku — The Washington Post. Timnit Gebru, a top-flight artificial intelligence (AI) computer scientist, was fired for questioning Google’s review of a paper she wanted to present at an AI conference that is likely critical of the company’s AI projects. Google claims she resigned, but Gebru says she was fired. She has long been an advocate for women and minorities in tech and AI and her ouster will likely only increase scrutiny of and questions about Google’s commitment to diversity and an ethical approach to the development and deployment of AI. It will also probably lead to more employee disenchantment about the company that follows in the wake of protests about Google’s involvement with the United States Department of Defense’s Project Maven and hiring of former United States Department of Homeland Security chief of staff Miles Taylor who was involved with the policies that resulted in caging children and separating families on the southern border of the United States.
  • “Humans Can Help Clean Up Facebook and Twitter” By Greg Bensinger — The New York Times. In this opinion piece, the argument is made that if social media platforms redeployed their human monitors to the accounts that violate terms of service most frequently (e.g., President Donald Trump) and more aggressively labeled and removed untrue or inflammatory content, they would have a greater impact on lies, misinformation, and disinformation.
  • “Showdown looms over digital services tax” By Ashley Gold — Axios. Because the Organization for Economic Cooperation and Development (OECD) has not reached a deal on digital services taxes, a number of United States (U.S.) allies could move forward with taxes on U.S. multinationals like Amazon, Google, and Apple. The Trump Administration has variously taken an adversarial position, threatening to retaliate against countries like France that have enacted a tax that has not been collected during the OECD negotiations. The U.S. also withdrew from talks. It is probable the Biden Administration will be more willing to work in a multi-lateral fashion and may strike a deal on an issue that is not going away as the United Kingdom, Italy, and Canada also have plans for a digital tax.
  • “Trump’s threat to veto defense bill over social-media protections is heading to a showdown with Congress” By Karoun Demirjian and Tony Romm — The Washington Post. I suppose I should make mention of the President’s demands that the FY 2021 National Defense Authorization Act (NDAA) contain a repeal of 47 U.S.C. 230 (Section 230 of the Communications Act) that came at the eleventh hour and fifty-ninth minute of negotiations on a final version of the bill. Via Twitter, Donald Trump threatened to veto the bill which has been passed annually for decades. Republicans were not having it, however, even if they agreed on Trump’s desire to remove liability protection for technology companies. And yet, if Trump continues to insist on a repeal, Republicans may find themselves in a bind and the bill could conceivably get pulled until President-elect Joe Biden is sworn in. On the other hand, Trump’s veto threats about renaming military bases currently bearing the names of Confederate figures have not been renewed even though the final version of the bill contains language instituting a process to do just that.

Other Developments

  • The Senate Judiciary Committee held over its most recent bill to narrow 47 U.S.C. 230 (Section 230 of the Communications Act) that provides liability protection for technology companies for third-party material posted on their platforms and any decisions to edit, alter, or remove such content. The committee opted to hold the “Online Content Policy Modernization Act” (S.4632), which may mean the bill’s chances of making it to the Senate floor are low. What’s more, even if the Senate passes Section 230 legislation, it is not clear there will be sufficient agreement with Democrats in the House to get a final bill to the President before the end of this Congress. On 1 October, the committee also decided to hold over the bill to try to reconcile the fifteen amendments submitted for consideration. The Committee could soon meet again to formally mark up and report out this legislation.
    • At the earlier hearing, Chair Lindsey Graham (R-SC) submitted an amendment revising the bill’s reforms to Section 230 that incorporate some of the below amendments but includes new language. For example, the bill includes a definition of “good faith,” a term not currently defined in Section 230. This term would be construed as a platform taking down or restricting content only according to its publicly available terms of service, not as a pretext, and equally to all similarly situated content. Moreover, good faith would require alerting the user and giving him or her an opportunity to respond subject to certain exceptions. The amendment also makes clear that certain existing means of suing are still available to users (e.g. suing claiming a breach of contract.)
    • Senator Mike Lee (R-UT) offered a host of amendments:
      • EHF20913 would remove “user[s]” from the reduced liability shield that online platforms would receive under the bill. Consequently, users would still not be legally liable for the content posted by another user.
      • EHF20914 would revise the language regarding the type of content platforms could take down with legal protection to make clear it would not just be “unlawful” content but rather content “in violation of a duly enacted law of the United States,” possibly meaning federal laws and not state laws. Or, more likely, the intent would be to foreclose the possibility a platform would say it is acting in concert with a foreign law and still assert immunity.
      • EHF20920 would add language making clear that taking down material that violates terms of service or use according to an objectively reasonable belief would be shielded from liability.
      • OLL20928 would expand legal protection to platforms for removing or restricting spam.
      • OLL20929 would bar the Federal Communications Commission (FCC) from a rulemaking on Section 230.
      • OLL20930 adds language making clear if part of the revised Section 230 is found unconstitutional, the rest of the law would still be applicable.
      • OLL20938 revises the definition of an “information content provider,” the term of art in Section 230 that identifies a platform, to expand when platforms may be responsible for the creation or development of information and consequently liable for a lawsuit.
    • Senator Josh Hawley (R-MO) offered an amendment that would create a new right of action for people to sue large platforms for taking down their content if not done in “good faith.” The amendment limits this right only to “edge providers” who are platforms with more than 30 million users in the U.S., 300 million users worldwide, and with revenues of more than $1.5 billion. This would likely exclude all platforms except for Twitter, Facebook, Instagram, TikTok, Snapchat, and a select group of a few others.
    • Senator John Kennedy (R-LA) offered an amendment that removes all Section 230 legal immunity from platforms that collect personal data and then use an “automated function” to deliver targeted or tailored content to a user unless a user “knowingly and intentionally elect[s]” to receive such content.
  • The Massachusetts Institute of Technology’s (MIT) Work of the Future Task Force issued its final report and drew the following conclusions:
    • Technological change is simultaneously replacing existing work and creating new work. It is not eliminating work altogether.
    • Momentous impacts of technological change are unfolding gradually.
    • Rising labor productivity has not translated into broad increases in incomes because labor market institutions and policies have fallen into disrepair.
    • Improving the quality of jobs requires innovation in labor market institutions.
    • Fostering opportunity and economic mobility necessitates cultivating and refreshing worker skills.
    • Investing in innovation will drive new job creation, speed growth, and meet rising competitive challenges.
    • The Task Force stated:
      • In the two-and-a-half years since the Task Force set to work, autonomous vehicles, robotics, and AI have advanced remarkably. But the world has not been turned on its head by automation, nor has the labor market. Despite massive private investment, technology deadlines have been pushed back, part of a normal evolution as breathless promises turn into pilot trials, business plans, and early deployments — the diligent, if prosaic, work of making real technologies work in real settings to meet the demands of hard-nosed customers and managers.
      • Yet, if our research did not confirm the dystopian vision of robots ushering workers off of factory floors or artificial intelligence rendering superfluous human expertise and judgment, it did uncover something equally pernicious: Amidst a technological ecosystem delivering rising productivity, and an economy generating plenty of jobs (at least until the COVID-19 crisis), we found a labor market in which the fruits are so unequally distributed, so skewed towards the top, that the majority of workers have tasted only a tiny morsel of a vast harvest.
      • As this report documents, the labor market impacts of technologies like AI and robotics are taking years to unfold. But we have no time to spare in preparing for them. If those technologies deploy into the labor institutions of today, which were designed for the last century, we will see similar effects to recent decades: downward pressure on wages, skills, and benefits, and an increasingly bifurcated labor market. This report, and the MIT Work of the Future Task Force, suggest a better alternative: building a future for work that harvests the dividends of rapidly advancing automation and ever-more powerful computers to deliver opportunity and economic security for workers. To channel the rising productivity stemming from technological innovations into broadly shared gains, we must foster institutional innovations that complement technological change.
  • The European Data Protection Supervisor (EDPS) Wojciech Wiewiorówski published his “preliminary opinion on the European Commission’s (EC) Communication on “A European strategy for data” and the creation of a common space in the area of health, namely the European Health Data Space (EHDS).” The EDPS lauded the goal of the EHDS, “the prevention, detection and cure of diseases, as well as for evidence-based decisions in order to enhance effectiveness, accessibility and sustainability of the healthcare systems.” However, Wiewiorówski articulated his concerns that the EC needs to think through the applicability of the General Data Protection Regulation (GDPR), among other European Union (EU) laws before it can legally move forward. The EDPS stated:
    • The EDPS calls for the establishment of a thought-through legal basis for the processing operations under the EHDS in line with Article 6(1) GDPR and also recalls that such processing must comply with Article 9 GDPR for the processing of special categories of data.
    • Moreover, the EDPS highlights that due to the sensitivity of the data to be processed within the EHDS, the boundaries of what constitutes a lawful processing and a compatible further processing of the data must be crystal-clear for all the stakeholders involved. Therefore, the transparency and the public availability of the information relating to the processing on the EHDS will be key to enhance public trust in the EHDS.
    • The EDPS also calls on the Commission to clarify the roles and responsibilities of the parties involved and to clearly identify the precise categories of data to be made available to the EHDS. Additionally, he calls on the Member States to establish mechanisms to assess the validity and quality of the sources of the data.
    • The EDPS underlines the importance of vesting the EHDS with a comprehensive security infrastructure, including both organisational and state-of-the-art technical security measures to protect the data fed into the EHDS. In this context, he recalls that Data Protection Impact Assessments may be a very useful tool to determine the risks of the processing operations and the mitigation measures that should be adopted.
    • The EDPS recommends paying special attention to the ethical use of data within the EHDS framework, for which he suggests taking into account existing ethics committees and their role in the context of national legislation.
    • The EDPS is convinced that the success of the EHDS will depend on the establishment of a strong data governance mechanism that provides for sufficient assurances of a lawful, responsible, ethical management anchored in EU values, including respect for fundamental rights. The governance mechanism should regulate, at least, the entities that will be allowed to make data available to the EHDS, the EHDS users, the Member States’ national contact points/ permit authorities, and the role of DPAs within this context.
    • The EDPS is interested in policy initiatives to achieve ‘digital sovereignty’ and has a preference for data being processed by entities sharing European values, including privacy and data protection. Moreover, the EDPS calls on the Commission to ensure that the stakeholders taking part in the EHDS, and in particular, the controllers, do not transfer personal data unless data subjects whose personal data are transferred to a third country are afforded a level of protection essentially equivalent to that guaranteed within the European Union.
    • The EDPS calls on Member States to guarantee the effective implementation of the right to data portability specifically in the EHDS, together with the development of the necessary technical requirements. In this regard, he considers that a gap analysis might be required regarding the need to integrate the GDPR safeguards with other regulatory safeguards, provided e.g. by competition law or ethical guidelines.
  • The Office of Management and Budget (OMB) extended a guidance memorandum directing agencies to consolidate data centers after Congress pushed back the sunset date for the program. OMB extended OMB Memorandum M-19-19, Update to Data Center Optimization Initiative (DCOI) through 30 September 2022, which applies “to the 24 Federal agencies covered by the Chief Financial Officers (CFO) Act of 1990, which includes the Department of Defense.” The DCOI was codified in the “Federal Information Technology Acquisition Reform” (FITARA) (P.L. 113-291) and extended in 2018 until October 1, 2020. And this sunset was pushed back another two years in the FY 2020 National Defense Authorization Act (NDAA) (P.L. 116-92).
    • In March 2020, the Government Accountability Office (GAO) issued another of its periodic assessments of the DCOI, started in 2012 by the Obama Administration to shrink the federal government’s footprint of data centers, increase efficiency and security, save money, and reduce energy usage.
    • The GAO found that 23 of the 24 agencies participating in the DCOI met or planned to meet their FY 2019 goals to close 286 of the 2,727 data centers considered part of the DCOI. This latter figure deserves some discussion, for the Trump Administration changed the definition of what is a data center to exclude smaller ones (so-called non-tiered data centers). GAO asserted that “recent OMB DCOI policy changes will reduce the number of data centers covered by the policy and both OMB and agencies may lose important visibility over the security risks posed by these facilities.” Nonetheless, these agencies are projecting savings of $241.5 million when all the 286 data centers planned for closure in FY 2019 actually close. It bears note that the GAO admitted in a footnote it “did not independently validate agencies’ reported cost savings figures,” so these numbers may not be reliable.
    • In terms of how to improve the DCOI, the GAO stated that “[i]n addition to reiterating our prior open recommendations to the agencies in our review regarding their need to meet DCOI’s closure and savings goals and optimization metrics, we are making a total of eight new recommendations—four to OMB and four to three of the 24 agencies. Specifically:
      • The Director of the Office of Management and Budget should (1) require that agencies explicitly document annual data center closure goals in their DCOI strategic plans and (2) track those goals on the IT Dashboard. (Recommendation 1)
      • The Director of the Office of Management and Budget should require agencies to report in their quarterly inventory submissions those facilities previously reported as data centers, even if those facilities are not subject to the closure and optimization requirements of DCOI. (Recommendation 2)
      • The Director of the Office of Management and Budget should document OMB’s decisions on whether to approve individual data centers when designated by agencies as either a mission critical facility or as a facility not subject to DCOI. (Recommendation 3)
      • The Director of the Office of Management and Budget should take action to address the key performance measurement characteristics missing from the DCOI optimization metrics, as identified in this report. (Recommendation 4)
  • Australia’s Inspector-General of Intelligence and Security (IGIS) released its first report on how well the nation’s security services did in observing the law with respect to COVID app data. The IGIS “is satisfied that the relevant agencies have policies and procedures in place and are taking reasonable steps to avoid intentional collection of COVID app data.” The IGIS revealed that “[i]ncidental collection in the course of the lawful collection of other data has occurred (and is permitted by the Privacy Act); however, there is no evidence that any agency within IGIS jurisdiction has decrypted, accessed or used any COVID app data.” The IGIS is also “satisfied that the intelligence agencies within IGIS jurisdiction which have the capability to incidentally collect at least some types of COVID app data:
    • Are aware of their responsibilities under Part VIIIA of the Privacy Act and are taking active steps to minimise the risk that they may collect COVID app data.
    • Have appropriate policies and procedures in place to respond to any incidental collection of COVID app data that they become aware of.
    • Are taking steps to ensure any COVID app data is not accessed, used or disclosed.
    • Are taking steps to ensure any COVID app data is deleted as soon as practicable.
    • Have not decrypted any COVID app data.
    • Are applying the usual security measures in place in intelligence agencies such that a ‘spill’ of any data, including COVID app data, is unlikely.
  • New Zealand’s Government Communications Security Bureau’s National Cyber Security Centre (NCSC) has released its annual Cyber Threat Report that found that “nationally significant organisations continue to be frequently targeted by malicious cyber actors of all types…[and] state-sponsored and non-state actors targeted public and private sector organisations to steal information, generate revenue, or disrupt networks and services.” The NCSC added:
    • Malicious cyber actors have shown their willingness to target New Zealand organisations in all sectors using a range of increasingly advanced tools and techniques. Newly disclosed vulnerabilities in products and services, alongside the adoption of new services and working arrangements, are rapidly exploited by state-sponsored actors and cyber criminals alike. A common theme this year, which emerged prior to the COVID-19 pandemic, was the exploitation of known vulnerabilities in internet-facing applications, including corporate security products, remote desktop services and virtual private network applications.
  • The former Director of the United States’ (U.S.) Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) wrote an opinion piece disputing President Donald Trump’s claims that the 2020 Presidential Election was fraudulent. Christopher Krebs asserted:
    • While I no longer regularly speak to election officials, my understanding is that in the 2020 results no significant discrepancies attributed to manipulation have been discovered in the post-election canvassing, audit and recount processes.
    • This point cannot be emphasized enough: The secretaries of state in Georgia, Michigan, Arizona, Nevada and Pennsylvania, as well officials in Wisconsin, all worked overtime to ensure there was a paper trail that could be audited or recounted by hand, independent of any allegedly hacked software or hardware.
    • That’s why Americans’ confidence in the security of the 2020 election is entirely justified. Paper ballots and post-election checks ensured the accuracy of the count. Consider Georgia: The state conducted a full hand recount of the presidential election, a first of its kind, and the outcome of the manual count was consistent with the computer-based count. Clearly, the Georgia count was not manipulated, resoundingly debunking claims by the president and his allies about the involvement of CIA supercomputers, malicious software programs or corporate rigging aided by long-gone foreign dictators.

Coming Events

  • The National Institute of Standards and Technology (NIST) will hold a webinar on the Draft Federal Information Processing Standards (FIPS) 201-3 on 9 December.
  • On 9 December, the Senate Commerce, Science, and Transportation Committee will hold a hearing titled “The Invalidation of the EU-US Privacy Shield and the Future of Transatlantic Data Flows” with the following witnesses:
    • The Honorable Noah Phillips, Commissioner, Federal Trade Commission
    • Ms. Victoria Espinel, President and Chief Executive Officer, BSA – The Software Alliance
    • Mr. James Sullivan, Deputy Assistant Secretary for Services, International Trade Administration, U.S. Department of Commerce
    • Mr. Peter Swire, Elizabeth and Tommy Holder Chair of Law and Ethics, Georgia Tech Scheller College of Business, and Research Director, Cross-Border Data Forum
  • On 10 December, the Federal Communications Commission (FCC) will hold an open meeting and has released a tentative agenda:
    • Securing the Communications Supply Chain. The Commission will consider a Report and Order that would require Eligible Telecommunications Carriers to remove equipment and services that pose an unacceptable risk to the national security of the United States or the security and safety of its people, would establish the Secure and Trusted Communications Networks Reimbursement Program, and would establish the procedures and criteria for publishing a list of covered communications equipment and services that must be removed. (WC Docket No. 18-89)
    • National Security Matter. The Commission will consider a national security matter.
    • National Security Matter. The Commission will consider a national security matter.
    • Allowing Earlier Equipment Marketing and Importation Opportunities. The Commission will consider a Notice of Proposed Rulemaking that would propose updates to its marketing and importation rules to permit, prior to equipment authorization, conditional sales of radiofrequency devices to consumers under certain circumstances and importation of a limited number of radiofrequency devices for certain pre-sale activities. (ET Docket No. 20-382)
    • Promoting Broadcast Internet Innovation Through ATSC 3.0. The Commission will consider a Report and Order that would modify and clarify existing rules to promote the deployment of Broadcast Internet services as part of the transition to ATSC 3.0. (MB Docket No. 20-145)

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.


Further Reading, Other Developments, and Coming Events (18 November)

Further Reading

  • “Trump fires top DHS official who refuted his claims that the election was rigged” By Ellen Nakashima and Nick Miroff — The Washington Post. As rumored, President Donald Trump has decapitated the United States’ (U.S.) Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). Director Christopher Krebs was fired via Twitter, after he had endorsed a letter by 59 experts on election security who said there was no fraud in the election. Trump tweeted: “The recent statement by Chris Krebs on the security of the 2020 Election was highly inaccurate, in that there were massive improprieties and fraud — including dead people voting, Poll Watchers not allowed into polling locations, ‘glitches’ in the voting machines which changed votes from Trump to Biden, late voting, and many more. Therefore, effective immediately, Chris Krebs has been terminated as Director of the Cybersecurity and Infrastructure Security Agency.” Of course, the statement CISA cosigned and issued last week asserting there was no evidence of fraud or wrongdoing in the election probably did not help his prospects. Additionally, CISA Deputy Director Matthew Travis was essentially forced out when he was informed the normal succession plan would be ignored and he would not become the acting head of CISA. A CISA senior civil servant, Brandon Wales, will helm the agency on an acting basis. Last week, CISA’s Assistant Director for Cybersecurity Bryan Ware was forced out.
  • “NSA Spied On Denmark As It Chose Its Future Fighter Aircraft: Report” By Thomas Newdick — The Drive. A Danish media outlet is claiming the United States (U.S.) National Security Agency (NSA) spied on Denmark’s Ministry of Finance, the Ministry of Foreign Affairs, and the defense firm Terma in order to help Lockheed Martin’s bid to sell F-35 Joint Strike Fighters to Denmark. Eurofighter GmbH and Saab were offering their Typhoon and Gripen fighters to replace Denmark’s F-16s. Reportedly, the NSA used an existing arrangement with Denmark to obtain information from a program allowing the NSA access to fiber optic cables in the country. It is likely Denmark did not have such surveillance in mind when it struck this agreement with the U.S. Two whistleblower reports have been filed with the Forsvarets Efterretningstjeneste (FE), Denmark’s Defense Intelligence Service, and there are allegations that the U.S. surveillance was illegal. However, the surveillance appears not to have influenced the Danish government, which opted for the F-35. Earlier this year, there were allegations the FE was improperly sharing Danish cables containing information on Danish citizens.
  • “Facebook Knows That Adding Labels To Trump’s False Claims Does Little To Stop Their Spread” By Craig Silverman and Ryan Mac — BuzzFeed News. These reporters must know half of Facebook’s staff because they always see what is going on internally with the company. In this latest scoop, they say they have seen internal numbers showing that labeling President Donald Trump’s false tweets has done little to slow their spread. In fact, labelling may only slow their spread by 8%. This outcome is contrary to a practice Facebook employed in 2017 under which fact checkers would label untrue posts as false. This reduced their virality by 80%.
  • “Apple Halves Its App Store Fee for the Smaller Companies” By Jack Nicas — The New York Times. The holiday spirit must already be afoot in Cupertino, California, for small app developers will now only pay Apple 15% of in-app purchases for the privilege of being in the App Store. Of course, this decision has nothing to do with the antitrust pressure the company is facing in the European Union and United States (U.S.) and will have very little impact on their bottom line since app developers with less than $1 million in revenue (i.e., those entitled to a reduction) account for 2% of App Store revenue. It does give Apple leadership and executives some great talking points when pressed by antitrust investigators, legislators, and the media.
  • “Inside the behind-the-scenes fight to convince Joe Biden about Silicon Valley” By Theodore Schleifer — recode. The jockeying among factions in the Democratic party and other stakeholders is fierce and will only grow fiercer when it comes to who will serve where in a Biden Administration. Silicon Valley and those who would reform tech are fighting to get people amenable to their policy goals placed in the new Administration. President-elect Joe Biden and his campaign were ambiguous on many tech policy issues and have flexibility which has been further helped by appointing people respected in both camps like new White House Chief of Staff Ron Klain.
  • “Group of 165 Google critics calls for swift EU antitrust action – letter” By Foo Yun Chee — Reuters. A wide-ranging group of companies and industry associations are urging the European Union to investigate and punish what they see as Google’s anti-competitive dominance of online search engines, especially the One Box that now appears at the top of search results that points people to Google sites and products.

Other Developments

  • The European Union (EU) announced a revision of its export control process for allowing the export of dual use items, including cyber surveillance tools. The European Commission (EC) asserted “[t]hanks to the new Regulation, the EU can now effectively protect its interests and values and, in particular, address the risk of violations of human rights associated with trade in cyber-surveillance technologies without prior agreement at multilateral level…[and] also enhances the EU’s capacity to control trade flows in sensitive new and emerging technologies.” The EC explained “[t]he new Regulation includes many of the Commission proposals for a comprehensive “system upgrade”, and will make the existing EU Export control system more effective by:
    • introducing a novel ‘human security’ dimension so the EU can respond to the challenges posed by emerging dual-use technologies – especially cyber-surveillance technologies – that pose a risk to national and international security, including protecting human rights;
    • updating key notions and definitions (e.g. definition of an “exporter” to apply to natural persons and researchers involved in dual-use technology transfers);
    • simplifying and harmonising licensing procedures and allowing the Commission to amend – by ‘simplified’ procedure, i.e. delegated act – the list of items or destinations subject to specific forms of control, thereby making the export control system more agile and able to evolve and adjust to circumstances;
    • enhancing information-exchange between licensing authorities and the Commission with a view to increasing transparency of licensing decisions;
    • coordination of, and support for, robust enforcement of controls, including enhancing secure electronic information-exchange between licensing and enforcement agencies;
    • developing an EU capacity-building and training programme for Member States’ licensing and enforcement authorities;
    • outreach to industry and transparency with stakeholders, developing a structured relationship with the private sector through specific consultations of stakeholders by the relevant Commission group of Member-State experts, and;
    • setting up a dialogue with third countries and seeking a level playing field at global level.
    • The European Parliament contended:
      • The reviewed rules, agreed by Parliament and Council negotiators, govern the export of so-called dual use goods, software and technology – for example, high-performance computers, drones and certain chemicals – with civilian applications that might be repurposed to be used in ways which violate human rights.
      • The current update, made necessary by technological developments and growing security risks, includes new criteria to grant or reject export licenses for certain items.
      • The Parliament added that its negotiators:
        • got agreement on setting up an EU-wide regime to control cyber-surveillance items that are not listed as dual-use items in international regimes, in the interest of protecting human rights and political freedoms;
        • strengthened member states’ public reporting obligations on export controls, so far patchy, to make the cyber-surveillance sector in particular more transparent;
        • increased the importance of human rights as licensing criterion; and
        • agreed on rules to swiftly include emerging technologies in the regulation.
  • The United States House of Representatives passed three technology bills by voice vote yesterday. Two of these bills would address in different ways the United States’ (U.S.) efforts to make up ground on the People’s Republic of China in the race to roll out 5G networks. It is possible, though hard to predict, that the Senate will take up these bills before year’s end and send them to the White House, given how discrete the bills are in scope. The House Energy and Commerce Committee provided these summaries:
    • The “Utilizing Strategic Allied (USA) Telecommunications Act of 2020” (H.R.6624) creates a new grant program through the National Telecommunications and Information Administration (NTIA) to promote technology that enhances supply chain security and market competitiveness in wireless communications networks.
      • One of the bill’s sponsors, House Energy and Commerce Committee Chair Frank Pallone Jr (D-NJ) stated:
        • Earlier this year, the House passed, and the President signed, my Secure and Trusted Communications Networks Act to create a program to fund the replacement of suspect network equipment. Suspect equipment, including that produced by Huawei and ZTE, could allow foreign adversaries to surveil Americans at home or, worse, disrupt our communications systems.
        • While we are still pushing for Congress to appropriate funds to that end, it is important to recognize that my legislation was only half the battle, even when it is funded. We also need to create and foster competition for trusted network equipment that uses open interfaces so that the United States is not beholden to a market for network equipment that is becoming less competitive. This bill before us today, the Utilizing Strategic Allied Telecommunications Act, or the USA Telecommunications Act, does just that.
        • The bipartisan legislation creates a grant program and authorizes $750 million in funding for the National Telecommunications and Information Administration to help promote and deploy Open Radio Access Network technologies that can spur that type of competition. We must support alternatives to companies like Huawei and ZTE…
    • The “Spectrum IT Modernization Act of 2020” (H.R.7310) requires NTIA – in consultation with the Policy and Plans Steering Group – to submit to Congress a report on its plans to modernize agency information technology systems relating to managing the use of federal spectrum. 
      • A sponsor of the bill, House Energy and Commerce Committee Ranking Member Greg Walden (R-OR) explained:
      • H.R. 7310 would require NTIA to establish a process to upgrade their spectrum management infrastructure for the 21st century. The bill would direct the policy coordination arm of NTIA to submit a plan to Congress as to how they will standardize the data collection across agencies and then directs agencies with Federal spectrum assignments from NTIA to issue an implementation plan to interoperate with NTIA’s plan.
      • This is a good-government bill–it really is–and with continued support and oversight from Congress, we can continue the United States’ leadership in making Federal spectrum available for flexible use by the private sector.
    • The “Reliable Emergency Alert Distribution Improvement (READI) Act of 2020” (H.R.6096) amends the Warning, Alert, and Response Network Act to classify emergency alerts from the Federal Emergency Management Agency as a type of alert that commercial mobile service providers may not allow subscribers to block from their devices. The bill also directs the Federal Communications Commission (FCC) to adopt regulations to facilitate coordination with State Emergency Communications Committees in developing and modernizing State Emergency Alert System plans. Finally, the READI Act directs the FCC to examine the feasibility of modernizing the Emergency Alert System by expanding alert distribution to the internet and streaming services.  
  • The same privacy activists that brought the suits that resulted in the striking down of the Safe Harbor and Privacy Shield agreements have filed complaints in Spain and Germany that Apple has violated the European Union’s (EU) e-Privacy Directive and laws in each nation through its use of IDFA (Apple’s Identifier for Advertisers). Because the General Data Protection Regulation (GDPR) is not the grounds for the complaints, each nation could act without needing to consult other EU nations. Moreover, a similar system used by Google is also being investigated for possible violations. The group none of your business (noyb) asserted:
    • IDFA – the cookie in every iPhone user’s pocket. Each iPhone runs on Apple’s iOS operating system. By default, iOS automatically generates a unique “IDFA” (short for Identifier for Advertisers) for each iPhone. Just like a license plate this unique string of numbers and characters allows Apple and other third parties to identify users across applications and even connect online and mobile behaviour (“cross device tracking”).
    • Tracking without user consent. Apple’s operating system creates the IDFA without user’s knowledge or consent. After its creation, Apple and third parties (e.g. applications providers and advertisers) can access the IDFA to track users’ behaviour, elaborate consumption preferences and provide personalised advertising. Such tracking is strictly regulated by the EU “Cookie Law” (Article 5(3) of the e-Privacy Directive) and requires the users’ informed and unambiguous consent.
    • Insufficient “improvement” on third-party access. Recently Apple announced plans for future changes to the IDFA system. These changes seem to restrict the use of the IDFA for third parties (but not for Apple itself). Just like when an app requests access to the camera or microphone, the plans foresee a new dialog that asks the user if an app should be able to access the IDFA. However, the initial storage of the IDFA and Apple’s use of it will still be done without the users’ consent and therefore in breach of EU law. It is unclear when and if these changes will be implemented by the company.
    • No need for EU cooperation. As the complaint is based on Article 5(3) of the e-Privacy Directive and not the GDPR, the Spanish and German authorities can directly fine Apple, without the need for cooperation among EU Data Protection Authorities as under GDPR.
  • The Federal Trade Commission (FTC) Chair made remarks at an antitrust conference on how antitrust law should view “an acquisition of a nascent competitive threat by a monopolist when there is reason to think that the state of competition today may not tell the whole story.” Chair Joseph Simons’ views are timely for a number of reasons, particularly the extent to which large technology firms have sought and bought smaller, newer companies. Obviously, the acquisitions of WhatsApp and Instagram by Facebook and YouTube and AdSense by Google come to mind as the sorts of acquisitions United States (U.S.) regulators approved, possibly without much thought given to what a future market may look like for competition if the larger, dominant company is allowed to proceed. Simons suggested regulators and courts would be wise to give this aspect of antitrust much more thought, which could theoretically inform the approach the Biden Department of Justice and FTC take. Simons stated:
    • And if firms are looking to the future, then antitrust enforcers should too. We must be willing and able to recognize that harm to competition might not be obvious from looking at the marketplace as it stands. If we confine ourselves to examining a static picture of the market at the moment we investigate a practice or transaction, without regard to the dynamic business realities at work, then we risk forfeiting the benefits of competition that could arise in the future to challenge the dominant firm, even when this future competition is to some extent uncertain.
    • Simons asserted:
      • A merger or acquisition can of course constitute anticompetitive conduct for purposes of Section 2 [of the Sherman Act]
      • From a competition perspective, a monopolist can “squash” a nascent competitor by buying it, not just by targeting it with anticompetitive actions as Microsoft did. In fact, from the monopolist’s perspective, it may be easier and more effective to buy the nascent threat (even if only to keep it out of the hands of others) than to target it with other types of anticompetitive conduct.
      • A central issue in potential competition cases is the nature and strength of evidence that the parties will become actual competitors in the future. Some cases have applied Section 7 [of the Clayton Act] narrowly in this context: too narrowly, I think, given that the purpose of Section 7 is to prohibit acquisitions that “may” substantially lessen competition or “tend” to create a monopoly.
    • Simons concluded:
      • But uncertainty has always been a feature of the competitive process, even in markets that appear to be simple or traditional, and dealing with uncertainty is all in a day’s work for an antitrust enforcer. I have referred to the Microsoft case repeatedly today, so, in closing, let me remind everyone that there was some uncertainty about the future in Microsoft as well. The court, in holding that the plaintiff does not and should not bear the burden of “reconstruct[ing] a product’s hypothetical development,” observed that the defendant should appropriately be “made to suffer the uncertain consequences of its own undesirable conduct.” The same holds when the monopolist has simply chosen to acquire the threat.
  • The National Institute of Standards and Technology’s (NIST) National Initiative for Cybersecurity Education (NICE) revised the Workforce Framework for Cybersecurity (NICE Framework) that “improves communications about how to identify, recruit, develop, and retain cybersecurity talent – offering a common, consistent lexicon that categorizes and describes cybersecurity work.” NIST explained:
    • The NICE Framework assists organizations with managing cybersecurity risks by providing a way to discuss the work and learners associated with cybersecurity. These cybersecurity risks are an important input into enterprise risk decisions as described in NIST Interagency Report 8286, Integrating Cybersecurity and Enterprise Risk Management (ERM).
    • NIST stated “[r]evisions to the NICE Framework (NIST Special Publication 800-181) provide:
      • A streamlined set of “building blocks” comprised of Task, Knowledge, and Skill Statements;
      • The introduction of Competencies as a mechanism for organizations to assess learners; and
      • A reference to artifacts, such as Work Roles and Knowledge Skills and Abilities statements, that will live outside of the publication to enable a more fluid update process.
  • A center-left think tank published a report on how the United States (U.S.) and like-minded nations can better fight cybercrime. In the report addressed to President-elect Joe Biden and Vice President-elect Kamala Harris, the Third Way presented the results of a “multiyear effort to define concrete steps to improve the government’s ability to tackle the scourge of cybercrime by better identifying unlawful perpetrators and imposing meaningful consequences on them and those behind their actions.” In “A Roadmap to Strengthen US Cyber Enforcement: Where Do We Go From Here?,” the Third Way made a list of detailed recommendations on how the Biden Administration could better fight cybercrime, but in the cover letter to the report, there was a high level summary of these recommendations:
    • In this roadmap, we identify the challenges the US government faces in investigating and prosecuting these crimes and advancing the level of international cooperation necessary to do so. Cyberattackers take great pains to hide their identity, using sophisticated tools that require technical investigative and forensic expertise to attribute the attacks. The attacks are often done at scale, where perpetrators prey on multiple victims across many jurisdictions and countries, requiring coordination across criminal justice agencies. The skills necessary to investigate these crimes are in high demand in the private sector, making it difficult to retain qualified personnel. A number of diplomatic barriers make cross-border cooperation difficult, a challenge exacerbated often by blurred lines between state and non-state actors in perpetrating these crimes.
    • This roadmap recommends actions that your administration can take to develop a comprehensive strategy to reduce cybercrime and minimize its impact on the American people by identifying the perpetrators and imposing meaningful consequences on them. We propose you make clear at the outset to the American public and global partners that cyber enforcement will be a top priority for your administration. In reinstating a White House cybersecurity position, we have extensive recommendations on how that position should address cybercrime. And, to make policy from an intelligence baseline, we believe you should request a National Intelligence Estimate on the linkages between cybercrime and nation-state cyber actors to understand the scope of the problem.
    • Our law enforcement working group has detailed recommendations to improve and modernize law enforcement’s ability to track and respond to cybercrime. And our global cooperation working group has detailed recommendations on creating a cohesive international cyber engagement strategy; assessing and improving the capacity of foreign partners on cybercrime; and improving the process for cross-border data requests that are critical to solving these crimes. We believe that with these recommendations, you can make substantial strides in bringing cybercriminals to justice and deterring future cybercriminals from victimizing Americans.

Coming Events

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Further Reading, Other Developments, and Coming Events (16 November)

Further Reading

  • “Trump’s refusal to begin the transition could damage cybersecurity” By Joseph Marks — The Washington Post. Former executive branch officials, some of whom served at the Department of Homeland Security (DHS), are warning that the Trump Administration’s refusal to start the transition to the Biden Administration may harm the United States’ (U.S.) ability to manage cyber risks if it stretches on too long.
  • “Biden will get tougher on Russia and boost election security. Here’s what to expect.” By Joseph Marks — The Washington Post. Expect a Biden Administration to restore cybersecurity policy to the prominence it had in the Obama Administration with renewed diplomatic efforts to foster international consensus against nations like the Russian Federation or People’s Republic of China. A Biden Presidency will likely continue to pursue the Trump Administration’s larger objectives on the People’s Republic of China but without the capriciousness of the current President introducing an element of uncertainty. And, election security and funding will naturally be a focus, too.
  • “Taking Back Our Privacy” By Anna Wiener — The New Yorker. This fascinating profile of Moxie Marlinspike (yes, that’s really his name), the prime mover behind end-to-end encryption in WhatsApp and his application, Signal, (hands down the best messaging app, in my opinion), is worth your time.
  • “Biden’s Transition Team Is Stuffed With Amazon, Uber, Lyft, and Airbnb Personnel” By Edward Ongweso Jr — Vice’s Motherboard. This piece casts a critical eye on a number of members of the Biden-Harris transition team that have been instrumental in policy changes desired by their employers seemingly at odds with the President-elect’s policies. It remains to be seen how such personnel may affect policies for the new Administration.
  • “Officials say firing DHS cyber chief could make U.S. less safe as election process continues” By Joseph Marks — The Washington Post. The head of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) may well be among those purged by the Trump Administration regardless of the costs to national security. CISA Director Christopher Krebs has deftly navigated some of the most fraught, partisan territory in the Trump Administration in leading efforts on election security, but his webpage, Rumor Control, may have been too much for the White House. Consequently, Krebs is saying he expects to be fired like CISA Assistant Director Bryan Ware was this past week.

Other Developments

  • The Democratic leadership on a key committee wrote the chairs of both the Federal Trade Commission (FTC) and the Federal Communications Commission (FCC), “demanding that the two commissions stop work on all partisan or controversial items currently under consideration in light of the results of last week’s presidential election” per the press release. House Energy and Commerce Committee Chair Frank Pallone Jr. (D-NJ), Consumer Protection and Commerce Subcommittee Chair Jan Schakowsky (D-IL), and Communications and Technology Subcommittee Chair Mike Doyle (D-PA) argued that FTC Chair Joseph Simons and FCC Chair Ajit Pai should “only pursue consensus and administrative matters that are non-partisan for the remainder of your tenure.” The agencies are, of course, free to dismiss the letters and the request and may well do so, especially in the case of the FCC and its rulemaking on 47 U.S.C. 230. Additionally, as rumored, the FTC may soon file an antitrust case against Facebook for its dominance of the social messaging market when Democrats on the FTC and elsewhere might prefer a broader case.
  • The Office of Personnel Management’s (OPM) Office of the Inspector General (OIG) released a pair of audits on the agency’s information security practices and procedures and found continued weaknesses in the agency’s systems. The OPM was breached by People’s Republic of China (PRC) hackers during the Obama Administration and massive amounts of information about government employees were exfiltrated. Since that time, the OPM has struggled to mend its information security and systems.
    • In “Audit of the Information Technology Security Controls of the U.S. Office of Personnel Management’s Agency Common Controls,” the OIG explained that its “audit of the agency common controls listed in the Common Security Control Collection (CSCC) determined that:
      • Documentation assigning roles and responsibilities for the governance of the CSCC does not exist.
      • Inconsistencies in the risk assessment and reporting of deficient controls were identified in the most recent assessment results documentation of the CSCC.
      • Weaknesses identified in an assessment of the CSCC were not tracked through a plan of actions and milestones.
      • Weaknesses identified in an assessment of the CSCC were not communicated to the Information System Security Officers, System Owners or Authorizing Officials of the systems that inherit the controls.
      • We tested 56 of the 94 controls in the CSCC. Of the 56 controls tested, 29 were either partially satisfied or not satisfied. Satisfied controls are fully implemented controls according to the National Institute of Standards and Technology.”
    • And, in the annual Federal Information Security Modernization Act (FISMA) audit, the OIG found middling progress. Specifically, with respect to the FISMA IG Reporting Metrics, the OIG found:
      • Risk Management – OPM has defined an enterprise-wide risk management strategy through its risk management council. OPM is working to implement a comprehensive inventory management process for its system interconnections, hardware assets, and software.
      • Configuration Management – OPM continues to develop baseline configurations and approve standard configuration settings for its information systems. The agency is also working to establish routine audit processes to ensure that its systems maintain compliance with established configurations.
      • Identity, Credential, and Access Management (ICAM) – OPM is continuing to develop its agency ICAM strategy, and acknowledges a need to implement an ICAM program. However, OPM still does not have sufficient processes in place to manage contractors in its environment.
      • Data Protection and Privacy – OPM has implemented some controls related to data protection and privacy. However, there are still resource constraints within OPM’s Office of Privacy and Information Management that limit its effectiveness.
      • Security Training – OPM has implemented a security training strategy and program, and has performed a workforce assessment, but is still working to address gaps identified in its security training needs.
      • Information Security Continuous Monitoring – OPM has established many of the policies and procedures surrounding continuous monitoring, but the agency has not completed the implementation and enforcement of the policies. OPM also continues to struggle to conduct security controls assessments on all of its information systems.
      • Incident Response – OPM has implemented many of the required controls for incident response. Based upon our audit work, OPM has successfully implemented all of the FISMA metrics at the level of “consistently implemented” or higher.
      • Contingency Planning – OPM has not implemented several of the FISMA requirements related to contingency planning, and continues to struggle to maintain its contingency plans as well as conducting contingency plan tests on a routine basis.
  • The Australian Competition and Consumer Commission (ACCC) announced “amendments to the Consumer Data Right Rules…[that] permit the use of accredited intermediaries to collect data, through an expansion of the rules relating to outsourced service providers” per the press release. The ACCC stated “The amendments expand the Consumer Data Right system by allowing for accredited businesses to rely on other accredited businesses to collect Consumer Data Right data on their behalf, so they can provide goods and services to consumers.” The ACCC stated “[t]he Competition and Consumer (Consumer Data Right) Amendment Rules (No. 2) 2020 (Accredited Intermediary Rules) commenced on 2 October 2020 and are available on the Federal Register of Legislation.”
  • Singapore’s central bank called on financial institutions to ramp up cybersecurity because of increased threats during the COVID-19 pandemic. The Monetary Authority of Singapore (MAS)’s Cyber Security Advisory Panel (CSAP) held “its fourth annual meeting with MAS management…[and] shared its insights on cyber risks in the new operating environment and made several recommendations:”
    • Reviewing risk profiles and adequacy of risk mitigating measures. The Panel discussed the risks and vulnerabilities arising from the rapid adoption of remote access technologies and work processes that could affect FIs’ cyber risk profiles. The meeting highlighted the need for FIs to assess if their existing risk profiles have changed and remain acceptable. This is to ensure that in the long run appropriate controls are implemented to mitigate any new risks.  
    • Maintaining oversight of third-party vendors and their controls. With the increased reliance on third-party vendors, the Panel emphasised the need for FIs to step up their oversight of these counterparts and to monitor and secure remote access by third-parties to FIs’ systems. This is even more important during the COVID-19 pandemic where remote working has become pervasive.
    • Strengthening governance over the use of open-source software (OSS). Vulnerabilities in OSS are typically targeted and exploited by threat actors. The Panel recommended that FIs establish policies and procedures on the use of OSS and to ensure these codes are robustly reviewed and tested before they are deployed in the FIs’ IT environment.
  • Washington State Attorney General Bob Ferguson issued his fifth annual Data Breach Report, which “showed that the number of Washingtonians affected by breaches nearly doubled in the last year and ransomware attacks tripled” according to his press release. Ferguson asserted:
    • The total number of Washingtonians affected by a data breach increased significantly, from 351,000 in 2019 to 651,000 in 2020. Overall, there were fewer breaches reported to the Attorney General’s Office in 2020, decreasing from 60 reported breaches last year to 51 this year.
    • Ferguson made the following recommendations:
      • 1. Bring RCW 19.255.005 and RCW 42.56.590 into alignment by making sure that private entities also have to provide notice to consumers for breaches of a consumer’s name and the last-four digits of their Social Security number.
      • SB 6187, which was signed by Governor Inslee on March 18, 2020, and went into effect on June 11, 2020 modified the definition of personal information for breaches that occur at local and state agencies. Specifically, the bill modified the definition of personal information in RCW 42.56.590 to include the last four digits of a SSN in combination with a consumer’s name as a stand alone element that will trigger the requirement for consumer notice. This change should be extended to RCW 19.255.005 as well, to bring both laws into alignment, and provide consumers with the most robust protections possible, regardless of the type of entity that was breached.
      • 2. Expand the definition of “personal information” in RCW 19.255.005 and RCW 42.56.590 to include Individual Tax Identification numbers (ITINs).
      • ITINs are assigned by the IRS to foreign-born individuals who are unable to acquire a Social Security number for the purposes of processing various tax related documents. In other words, they are a unique identifier equivalent in sensitivity to a Social Security number. At present, ten states include ITINs in their definition of “personal information.” In 2018, Washington State was home to just over 1.1 million foreign born individuals, representing approximately 15% of the state’s population.
      • 3. Establish a legal requirement for persons or businesses that store personal information to maintain a risk-based information security program, and to ensure that information is not retained for a period longer than is reasonably required.
      • As this report discussed last year, it is imperative that entities who handle the private information of Washingtonians take steps necessary to keep it safe, and be prepared to act if they cannot. Such precautions are beneficial for both consumers and the organizations collecting their data. In 2019, Ponemon Report indicated that 48% of the companies surveyed lacked any form of security automation – security technologies used to detect breaches more efficiently than humans can. In 2020, that number dropped by only 7%.
      • In 2019, the average cost of a data breach for companies without automation was nearly twice as expensive as for those who implemented security automation. That cost has only grown since, with data breaches in 2020 costing companies without security automation nearly triple that of business who have automation. Similarly, the formation of a dedicated Incident Response Team and testing of an Incident Response Plan reduced the average total cost of breaches in 2020 by more than $2 million.
      • Requiring data collectors to maintain an appropriately sized security program and incident response team and to dispose of consumer information that is no longer needed is a critical next step in mitigating the size and cost of breaches in our state.
  • Four former Secretaries of Homeland Security and two acting Secretaries wrote the leadership of the Congress regarding “the need to consolidate and strengthen Congressional oversight of the Department of Homeland Security (DHS) in order to make possible the fundamental changes that DHS urgently needs to protect the American people from the threats we face in 2021.” They noted “more than 90 different committees or subcommittees today have jurisdiction over DHS—far more than any other cabinet department.” They asserted:
    • DHS urgently needs to make major reforms, improvements, and enhancements to ensure the Department can protect the nation in the way Congress envisioned nearly two decades ago. DHS’s leadership, whether Democratic or Republican, needs to work with a single authorizing committee with broad subject matter authority to enact the changes and authorize the programs that DHS needs to address the threats of 2021.
  • Privacy International (PI) and 13 other groups from the European Union (EU) and Africa wrote the European Commission (EC), arguing the EU’s policies are supporting “the funding and development of projects and initiatives which threaten the right to privacy and other fundamental rights, such as freedom of expression and freedom of assembly.” These groups contended:
    • that by sponsoring such activities, the EU drives the adoption and use of surveillance technologies that, if abused by local actors, can potentially violate the fundamental rights of people residing in those countries. In the absence of rule of law and human rights safeguards enshrined in law, which seek to limit the state’s powers and protect people’s rights, these technologies can be exploited by authorities and other actors with access and result in onerous implications not just for the rights of privacy and data protection but also for other rights, such as freedom of expression and freedom of assembly.
    • In their press release, these groups stated the letter “comes following the public release of hundreds of documents obtained by PI after a year of negotiating with EU bodies under access to documents laws, which show:
      • How police and security agencies in Africa and the Balkans are trained with the EU’s support in spying on internet and social media users and using controversial surveillance techniques and tools; Read PI’s report here.
      • How EU bodies are training and equipping border and migration authorities in non-member countries with surveillance tools, including wiretapping systems and other phone surveillance tools, in a bid to ‘outsource’ the EU’s border controls; Read PI’s report here.
      • How Civipol, a well-connected French security company, is developing mass biometric systems with EU aid funds in Western Africa in order to stop migration and facilitate deportations without adequate risk assessments. Read PI’s report here.
    • They stated “we call on the European Commission, in coordination with the European Parliament and EU member states to:
      • Ensure no support is provided for surveillance or identity systems across external assistance funds and instruments to third countries that lack a clear and effective legal framework governing the use of the surveillance equipment or techniques.
      • Only provide support for surveillance or identity systems after an adequate risk assessment and due diligence are carried out.
      • Provide Parliament greater capabilities of scrutiny and ensuring accountability over funds.
      • All future projects aimed at addressing “the root causes of instability, forced displacement, and irregular migration” should be mainstreamed into the NDICI. In turn, discontinue the EUTF for Africa when the current fund comes to its end in 2020.
      • Ensure that EC Directorate-General for International Cooperation and Development (DEVCO), the EU body in charge of development aid, establishes a new Fund aimed at improving governance and legal frameworks in non-EU countries to promote the right to privacy and data protection. Priorities of the Fund should include:
        • Revising existing privacy and data protection legal frameworks, or where there is none developing new ones, that regulate surveillance by police and intelligence agencies, aimed at ensuring they are robust, effectively implemented, and provide adequate redress for individuals;
        • Strengthening laws or introducing new ones that set out clear guidelines within which the government authorities may conduct surveillance activities;
        • Focusing on promotion and strengthening of democratisation and human rights protections;
        • Strengthening the independence of key monitoring institutions, such as the judiciary, to ensure compliance with human rights standards.

Coming Events

  • On 17 November, the Senate Judiciary Committee will hold a hearing with Facebook CEO Mark Zuckerberg and Twitter CEO Jack Dorsey on Section 230 and how their platforms chose to restrict The New York Post article on Hunter Biden.
  • The Senate Homeland Security and Governmental Affairs Committee’s Regulatory Affairs and Federal Management Subcommittee will hold a hearing on how to modernize telework in light of what was learned during the COVID-19 pandemic on 18 November.
  • On 18 November, the Federal Communications Commission (FCC) will hold an open meeting and has released a tentative agenda:
    • Modernizing the 5.9 GHz Band. The Commission will consider a First Report and Order, Further Notice of Proposed Rulemaking, and Order of Proposed Modification that would adopt rules to repurpose 45 megahertz of spectrum in the 5.850-5.895 GHz band for unlicensed operations, retain 30 megahertz of spectrum in the 5.895-5.925 GHz band for the Intelligent Transportation Systems (ITS) service, and require the transition of the ITS radio service standard from Dedicated Short-Range Communications technology to Cellular Vehicle-to-Everything technology. (ET Docket No. 19-138)
    • Further Streamlining of Satellite Regulations. The Commission will consider a Report and Order that would streamline its satellite licensing rules by creating an optional framework for authorizing space stations and blanket-licensed earth stations through a unified license. (IB Docket No. 18-314)
    • Facilitating Next Generation Fixed-Satellite Services in the 17 GHz Band. The Commission will consider a Notice of Proposed Rulemaking that would propose to add a new allocation in the 17.3-17.8 GHz band for Fixed-Satellite Service space-to-Earth downlinks and to adopt associated technical rules. (IB Docket No. 20-330)
    • Expanding the Contribution Base for Accessible Communications Services. The Commission will consider a Notice of Proposed Rulemaking that would propose expansion of the Telecommunications Relay Services (TRS) Fund contribution base for supporting Video Relay Service (VRS) and Internet Protocol Relay Service (IP Relay) to include intrastate telecommunications revenue, as a way of strengthening the funding base for these forms of TRS and making it more equitable without increasing the size of the Fund itself. (CG Docket Nos. 03-123, 10-51, 12-38)
    • Revising Rules for Resolution of Program Carriage Complaints. The Commission will consider a Report and Order that would modify the Commission’s rules governing the resolution of program carriage disputes between video programming vendors and multichannel video programming distributors. (MB Docket Nos. 20-70, 17-105, 11-131)
    • Enforcement Bureau Action. The Commission will consider an enforcement action.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.


OIG Finds DHS Election Security Efforts Improved But Still Lacking

The OIG found issues with how CISA provided assistance on election cybersecurity and found a complete lack of planning or assistance on physical safety, terrorism, and violence issues.

The United States’ (U.S.) Department of Homeland Security’s (DHS) Office of the Inspector General (OIG) released its second assessment in the last two years of the Cybersecurity and Infrastructure Security Agency’s (CISA) efforts to secure U.S. election systems. The OIG lauded CISA’s progress in laying plans and taking precautions to secure U.S. election systems themselves but found room for CISA to improve its oversight and its safeguarding of the overall system. The OIG did acknowledge the progress the agency has made since the February 2019 evaluation, which was more critical of CISA’s efforts to date. But the OIG intimated that given the churn at the top of DHS over the last few years and the federal election system the U.S. has, CISA may be able to do only so much. In any event, the next few days may lead the OIG to rethink some of its assessment depending on how CISA performs.

The OIG summarized the scope of the challenge before CISA:

  • As of September 2020, according to the Cybersecurity and Infrastructure Security Agency (CISA), there were 7,997 election administration jurisdictions in the country. The sizes of these jurisdictions vary dramatically, with the smallest towns having only a few hundred registered voters, while the largest jurisdiction in the country has more than 4.7 million.
  • The diversity in voting systems and software across the Nation presents considerable cybersecurity challenges. For example, there are 67 different types of voting machines manufactured by 7 different companies currently certified for use in any of the election administration jurisdictions across the United States. The election infrastructure’s reliance on technology for efficiency and convenience introduces even greater cybersecurity risks. Moreover, state and local jurisdictions may have different requirements for securing their systems, such as configuration settings, audit logging, intrusion detection capability, and patch management.

Nonetheless, beyond the effect of four different DHS heads since the beginning of the Trump Administration, the OIG pointed at CISA’s “protracted reorganization” since it was renamed and remade from its forerunner agency, the National Protection and Programs Directorate (NPPD). The OIG said CISA could not even produce an organizational chart, suggesting the possibility of dysfunction inside the agency. The OIG noted:

For example, [Office of Intelligence and Analysis] officials told us in March 2020, the National Cybersecurity and Communications Integration Center (NCCIC) was recently re-organized. However, when we reached out to CISA officials for confirmation in April 2020, they dismissed this notion. According to CISA officials, the confusion may arise when some people refer to NCCIC according to its statutory authority while others refer to the organizational body (i.e., the Cybersecurity Division) that carries out the functions described in the statute.

The OIG flatly declared that until DHS and CISA get solid leadership and are properly organized, the assistance that can be provided to the election sector will be limited. As DHS is the sector-specific agency for a number of other sectors, this conclusion may also have repercussions in the following sectors:

  • Chemical Sector
  • Commercial Facilities Sector
  • Communications Sector
  • Critical Manufacturing Sector
  • Dams Sector
  • Emergency Services Sector
  • Information Technology Sector
  • Nuclear Reactors, Materials, and Waste Sector
  • Transportation Systems Sector (shared with the Department of Transportation)

To wit, the OIG asserted:

Amid the leadership vacancies and repeated turnover, within DHS, CISA has not sufficiently prioritized key activities or established effective performance measures to monitor its progress in accomplishing its mission and goals of securing the Nation’s election infrastructure. Without DHS senior leadership guidance as a foundation, CISA cannot work successfully with sector representatives to develop the plans and strategies needed to secure the election infrastructure.

The under-addressed and unaddressed risks the OIG identified are “physical security risks, terrorism threats, and targeted violence.” The OIG speculated (correctly, I think) that after the 2016 election CISA was very focused on cybersecurity even though its remit over this subsector of a critical infrastructure sector also includes physical security:

Further, when assisting state and local election officials, CISA has primarily focused on the cybersecurity of election systems instead of broader election infrastructure aspects including related storage facilities, polling places, and centralized vote tabulation locations used to support the election process. CISA’s focus on cybersecurity may be attributed to reported cybersecurity threats and misinformation campaigns from foreign nations during the 2016 and 2018 elections. While beneficial, CISA’s primary focus on cybersecurity has limited DHS’ ability to provide the strategic direction needed to secure the election infrastructure from broader types of potential risks.

Given the protests and counter-protests this year related to Black Lives Matter, which have bled into the Presidential election campaign, CISA’s failure to focus on physical security, terrorism, and violence may have left the election system susceptible. The OIG contended:

While attacks on physical election infrastructure locations and assets are rare, CISA should consider both physical and cyber threats as part of a comprehensive understanding of the threat and incorporate them in its election security and resilience planning. For example, an individual drove a van into a voter registration tent manned by campaign volunteers in February 2020. CISA cannot effectively secure the election infrastructure or manage risk to the Nation’s critical infrastructure based on the 2013 National Infrastructure Protection Plan by focusing on cybersecurity alone. A clear roadmap, sufficiently addressing broader risks, is needed to better guide DHS efforts and help achieve its goals of securing the election infrastructure.

Moreover, the OIG found the quality of the information provided by CISA to state and local election officials to be of questionable value. This is not surprising given the recent audit that found DHS’ cyber information sharing program was not providing quality information to the private sector.

Based on our interviews with selected CISA regional staff, the cyber threat information CISA and I&A shared with election stakeholders was not always considered useful. DHS is required to maintain situational awareness of threats, and improve the sharing of threat intelligence with stakeholders to better prepare and protect election infrastructure. However, according to selected CISA regional staff, the information was over-classified, not tailored to election stakeholders’ needs, and could be obtained elsewhere. According to our interviews with CISA’s regional staff (12 Cybersecurity Advisors, 15 Protective Security Advisors, and 10 Regional Directors), the following are opportunities to improve the quality of information shared with stakeholders:

  • 8 (22 percent) of 37 CISA regional staff stated the information was overly classified.
  • 8 (22 percent) of 37 CISA regional staff stated briefings were not tailored to stakeholders’ needs.
  • 7 (19 percent) of 37 CISA regional staff stated the information could be obtained from public sources. In one example, by the time the cyber threat information was declassified for sharing with election stakeholders, they had already learned about it through the news media.
  • 5 (14 percent) of 37 CISA regional staff stated that after attending briefings, election officials could not share the information with their information technology staff and county clerks to remediate vulnerabilities as they did not possess the proper clearances.
  • 1 (3 percent) of 37 CISA regional staff stated some briefings were repetitive.
  • 7 (19 percent) of 37 CISA regional staff stated Fusion Centers were too far away and not convenient.

Representatives of other Federal agencies also told us about their work with CISA to secure the election infrastructure. One Federal agency representative discussed receiving duplicative election infrastructure threat information from CISA and DHS’ I&A. Another Federal agency official stated, “I cannot think of a single thing in a classified briefing that I have not read from the media,” indicating he had received complaints from others about DHS’ intelligence briefings not being helpful.

Worse still, when a state or local election authority requested that CISA perform an assessment of their systems or processes, the agency was often tardy in doing so. For example, the OIG found:

  • A Secretary of State initially requested a Phishing Campaign Assessment in October 2017. However, CISA did not begin the assessment until June 2018. CISA’s records show NCCIC did not complete the assessment until January 2019, more than a year after the request was made.
  • Another State Board of Elections requested CISA perform a Risk and Vulnerability Assessment in July 2018. The assessment did not begin until July 2019. NCCIC ultimately completed the testing in September 2019, more than a year after the initial request.

Staffing was also an issue. The OIG’s survey of CISA regional staff resulted in 73% of those interviewed saying “CISA needed more Cybersecurity Advisors to help private sector entities and state, local, territorial, and tribal governments prepare for and protect themselves against cybersecurity threats.”

The OIG made these recommendations to CISA:

  • Recommendation 1: Coordinate with the Office of the Secretary to revise the National Infrastructure Protection Plan and other planning documents to incorporate current and evolving risks as well as mitigation strategies needed to secure the Nation’s election infrastructure.
  • Recommendation 2: Improve the collaboration between I&A and CISA, which can help to enhance the quality and reduce the redundancy of information DHS shares with Federal agencies and state and local election officials.
  • Recommendation 3: Assign the staff resources needed to conduct timely cybersecurity and physical assessments to assist states and localities with securing the election infrastructure.



Further Reading, Other Developments, and Coming Events (2 November)

Further Reading

  • “Harris target of more misinformation than Pence, data shows” By Amanda Seitz — Associated Press News. Given the hostile treatment women and minorities in the United States face on social media, it is not a surprise that Senator Kamala Harris (D-CA) has faced a barrage of sexist, racist, and xenophobic invective online.
  • “The Untold Technological Revolution Sweeping Through Rural China” By Clive Thompson — The New York Times. In a review of Xiaowei Wang’s new book, “Blockchain Chicken Farm,” one learns that the People’s Republic of China (PRC) is facing a bifurcated society of haves and have-nots largely because of the boom in technology just like the United States.
  • “DHS plans largest operation to secure U.S. election against hacking” By Joseph Marks — The Washington Post. Looking to avert a repeat of 2016, the United States’ (U.S.) Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) is expecting to be on high alert and will stand up its capabilities through Election Day and beyond until winners have been declared. Not only will the agency’s technical capabilities be brought to bear, CISA will also look to liaise with the media regularly to tamp down any panic arising from reports of hacking or interference. And, it is expected that CISA’s relationship building with state and local officials will help speed action on any cyber intelligence the agency pushes out.
  • “The Tech Antitrust Problem No One Is Talking About” By Tom Simonite — WIRED. The United States’ (U.S.) four dominant broadband providers Verizon, Comcast, Charter Communications, and AT&T appear to be providing inferior service at higher prices than broadband available in other advanced nations. The pandemic has, of course, focused more people on the lack of high-speed broadband for many Americans. But, the dominance of broadband providers has flown under the radar from an antitrust and competition perspective. This could change in a Biden Administration.
  • “‘Tsunamis of Misinformation’ Overwhelm Local Election Officials” By Kellen Browning and Davey Alba — The New York Times. State and local officials are struggling in terms of human resources and capability to try to address the wave of misinformation and disinformation about the election and procedures being spewed across social media.

Other Developments

  • The United States’ (U.S.) Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) released a joint advisory titled “Ransomware Activity Targeting the Healthcare and Public Health Sector.” The advisory “describes the tactics, techniques, and procedures (TTPs) used by cybercriminals against targets in the Healthcare and Public Health (HPH) Sector to infect systems with ransomware, notably Ryuk and Conti, for financial gain.” The agencies’ key findings include:
    • CISA, FBI, and HHS assess malicious cyber actors are targeting the HPH Sector with TrickBot and BazarLoader malware, often leading to ransomware attacks, data theft, and the disruption of healthcare services.
    • These issues will be particularly challenging for organizations within the COVID-19 pandemic; therefore, administrators will need to balance this risk when determining their cybersecurity investments.
  • The National Institute of Standards and Technology (NIST) published a companion guidance document to accompany the major update to guidance issued in September that federal agencies and federal contractors must follow. NIST’s Control Baselines for Information Systems and Organizations, NIST Special Publication (SP) 800-53B, a companion publication to SP 800-53 Revision 5, “establishes security and privacy control baselines for federal information systems and organizations and provides tailoring guidance for those baselines.” NIST explained “[i]mplementation of a minimum set of controls selected from NIST SP 800-53, Revision 5 is mandatory to protect federal information and information systems in accordance with the Office of Management and Budget (OMB) Circular A-130 and the provisions of the Federal Information Security Modernization Act” (FISMA). NIST added while “the privacy control baseline is not mandated by law or OMB A-130, SP 800-53B—along with other supporting NIST publications—is designed to help organizations identify the security and privacy controls needed to manage risk and to satisfy the security and privacy requirements in FISMA, the Privacy Act of 1974, selected OMB policies, and designated Federal Information Processing Standards (FIPS), among others.”
  • The United Kingdom’s (UK) Information Commissioner’s Office (ICO) has issued its third significant fine in a few weeks, a £18.4 million fine on Marriott International Inc under the General Data Protection Regulation (GDPR). Because the GDPR came into force in May 2018, only a portion of the data breach dating back to 2014 falls under the EU’s data protection law. Also, the ICO finished its investigation and levied its fine before the UK leaves the European Union (EU). A few weeks ago, the ICO levied a £20 million fine on British Airways “for failing to protect the personal and financial details of more than 400,000 of its customers.” More recently, the ICO completed its investigation into the data brokering practices of Equifax, Transunion, and Experian and found widespread privacy and data protection violations.
    • The ICO originally proposed a £99 million fine on Marriott, but like the British Airways fine, it was dramatically revised downward, in part, because of the pandemic’s effect on the company.
    • In its investigation of Marriott, the ICO found:
      • Marriott estimates that 339 million guest records worldwide were affected following a cyber-attack in 2014 on Starwood Hotels and Resorts Worldwide Inc. The attack, from an unknown source, remained undetected until September 2018, by which time the company had been acquired by Marriott. 
      • The personal data involved differed between individuals but may have included names, email addresses, phone numbers, unencrypted passport numbers, arrival/departure information, guests’ VIP status and loyalty programme membership number.
      • The precise number of people affected is unclear as there may have been multiple records for an individual guest. Seven million guest records related to people in the UK.
      • The ICO’s investigation found that there were failures by Marriott to put appropriate technical or organisational measures in place to protect the personal data being processed on its systems…
      • Because the breach happened before the UK left the EU, the ICO investigated on behalf of all EU authorities as lead supervisory authority under the GDPR. The penalty and action have been approved by the other EU DPAs through the GDPR’s cooperation process.
      • In July 2019, the ICO issued Marriott with a notice of intent to fine. As part of the regulatory process, the ICO considered representations from Marriott, the steps Marriott took to mitigate the effects of the incident and the economic impact of COVID-19 on their business before setting a final penalty.
  • Five Democratic Senators wrote the United States’ (U.S.) Department of Homeland Security’s Office of the Inspector General (OIG) requesting an investigation of “warrantless domestic surveillance of phones by Customs and Border Protection (CBP).” Senators Ron Wyden (D-OR), Sherrod Brown (D-OH), Elizabeth Warren (D-MA), Ed Markey (D-MA), and Brian Schatz (D-HI) stated:
    • According to public government contracts, CBP has spent nearly half a million dollars for subscriptions to a commercial database provided by a government contractor named Venntel, containing location data collected from millions of Americans’ mobile phones. In an oversight call with Senate staff on September 16, 2020, CBP officials confirmed the agency’s use of this surveillance product, without a court order, in order to track and identify people in the United States.
    • The Senators asserted:
      • CBP is not above the law and it should not be able to buy its way around the Fourth Amendment. Accordingly, we urge you to investigate CBP’s warrantless use of commercial databases containing Americans’ information, including but not limited to Venntel’s location database. We urge you to examine what legal analysis, if any, CBP’s lawyers performed before the agency started to use this surveillance tool. We also request that you determine how CBP was able to begin operational use of Venntel’s location database without the Department of Homeland Security Privacy Office first publishing a Privacy Impact Assessment.
  • The United States Patent and Trademark Office (USPTO) published “Public Views on Artificial Intelligence and Intellectual Property Policy” on the basis of two rounds of comments on artificial intelligence (AI), patents, and intellectual property (IP). The USPTO said a key priority “is to maintain United States leadership in innovation, especially in emerging technologies, including AI.” The USPTO stated “[t]o further this goal, the USPTO has been actively engaging with the innovation community and experts in AI to promote the understanding and reliability of intellectual property (IP) rights in relation to AI technology…[and] is working to ensure that appropriate IP incentives are in place to encourage further innovation in and around this critical area.”
    • The USPTO stated “[f]rom the synthesis of the public comments, a number of themes emerged:
      • General Themes
        • Many comments addressed the fact that AI has no universally recognized definition. Due to the wide-ranging definitions of the term, often comments urged caution with respect to specific IP policymaking in relation to AI.
        • The majority of public commenters, while not offering definitions of AI, agreed that the current state of the art is limited to “narrow” AI. Narrow AI systems are those that perform individual tasks in well-defined domains (e.g., image recognition, translation, etc.). The majority viewed the concept of artificial general intelligence (AGI)— intelligence akin to that possessed by humankind and beyond—as merely a theoretical possibility that could arise in a distant future.
        • Based on the majority view that AGI has not yet arrived, the majority of comments suggested that current AI could neither invent nor author without human intervention. The comments suggested that human beings remain integral to the operation of AI, and this is an important consideration in evaluating whether IP law needs modification in view of the current state of AI technology.
        • Across all IP topics, a majority of public commenters expressed a general sense that the existing U.S. intellectual property laws are calibrated correctly to address the evolution of AI. However, commenters appear split as to whether any new classes of IP rights would be beneficial to ensure a more robust IP system.
  • New Zealand’s Office of the Privacy Commissioner (OPC) has released more materials in the run up to the 1 December effective date of the Privacy Act 2020:
  • The Office of the Privacy Commissioner of Canada (OPC) announced it “has opened investigations into recent cyber security incidents involving attacks on Government of Canada online service accounts.” The Privacy Commissioner initiated the two investigations and “will examine whether the government institutions met their obligations under the Privacy Act, the federal public sector privacy law.” The OPC explained:
    • One investigation will focus on cyberattacks on the GCKey, an electronic credential issued by the government and used by federal institutions to provide individuals and organizations with access to online services. It relates to Shared Services Canada, which issues the GCKey, and federal government departments affected by the attacks on the GCKey.
    • The second investigation relates to cyberattacks on Canada Revenue Agency accounts. The incidents involved “credential stuffing,” where hackers use passwords and usernames collected from previous breaches to take advantage of the fact that many people use the same passwords and usernames for various accounts.
  • Microsoft is claiming that it foiled an Iranian cyber-attack on a high-profile cybersecurity conference held in Saudi Arabia. In a blog posting, Microsoft stated “we’re sharing that we have detected and worked to stop a series of cyberattacks from the threat actor Phosphorus masquerading as conference organizers to target more than 100 high-profile individuals.” Microsoft claimed that “Phosphorus, an Iranian actor, has targeted with this scheme potential attendees of the upcoming Munich Security Conference and the Think 20 (T20) Summit in Saudi Arabia.”
    • Microsoft contended:
      • The attackers have been sending possible attendees spoofed invitations by email. The emails use near-perfect English and were sent to former government officials, policy experts, academics and leaders from non-governmental organizations. Phosphorus helped assuage fears of travel during the Covid-19 pandemic by offering remote sessions.
      • We believe Phosphorus is engaging in these attacks for intelligence collection purposes. The attacks were successful in compromising several victims, including former ambassadors and other senior policy experts who help shape global agendas and foreign policies in their respective countries.

Coming Events

  • On 10 November, the Senate Commerce, Science, and Transportation Committee will hold a hearing to consider nominations, including Nathan Simington’s to be a Member of the Federal Communications Commission.
  • On 17 November, the Senate Judiciary Committee will reportedly hold a hearing with Facebook CEO Mark Zuckerberg and Twitter CEO Jack Dorsey on Section 230 and how their platforms chose to restrict The New York Post article on Hunter Biden.
  • On 18 November, the Federal Communications Commission (FCC) will hold an open meeting and has released a tentative agenda:
    • Modernizing the 5.9 GHz Band. The Commission will consider a First Report and Order, Further Notice of Proposed Rulemaking, and Order of Proposed Modification that would adopt rules to repurpose 45 megahertz of spectrum in the 5.850-5.895 GHz band for unlicensed operations, retain 30 megahertz of spectrum in the 5.895-5.925 GHz band for the Intelligent Transportation Systems (ITS) service, and require the transition of the ITS radio service standard from Dedicated Short-Range Communications technology to Cellular Vehicle-to-Everything technology. (ET Docket No. 19-138)
    • Further Streamlining of Satellite Regulations. The Commission will consider a Report and Order that would streamline its satellite licensing rules by creating an optional framework for authorizing space stations and blanket-licensed earth stations through a unified license. (IB Docket No. 18-314)
    • Facilitating Next Generation Fixed-Satellite Services in the 17 GHz Band. The Commission will consider a Notice of Proposed Rulemaking that would propose to add a new allocation in the 17.3-17.8 GHz band for Fixed-Satellite Service space-to-Earth downlinks and to adopt associated technical rules. (IB Docket No. 20-330)
    • Expanding the Contribution Base for Accessible Communications Services. The Commission will consider a Notice of Proposed Rulemaking that would propose expansion of the Telecommunications Relay Services (TRS) Fund contribution base for supporting Video Relay Service (VRS) and Internet Protocol Relay Service (IP Relay) to include intrastate telecommunications revenue, as a way of strengthening the funding base for these forms of TRS and making it more equitable without increasing the size of the Fund itself. (CG Docket Nos. 03-123, 10-51, 12-38)
    • Revising Rules for Resolution of Program Carriage Complaints. The Commission will consider a Report and Order that would modify the Commission’s rules governing the resolution of program carriage disputes between video programming vendors and multichannel video programming distributors. (MB Docket Nos. 20-70, 17-105, 11-131)
    • Enforcement Bureau Action. The Commission will consider an enforcement action.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.


U.S. Alleges Russian and Iranian Election Interference

U.S. security services called out Russian and Iranian efforts to hack and disrupt the U.S. election. There was a split between the DNI’s view and those in the intelligence agencies, however.

The United States (U.S.) government announced that the Russian Federation and Iran have undertaken operations to disrupt and undermine next month’s U.S. election. The Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) released a pair of advisories about Russian and Iranian attempts to interfere with the election. It appears U.S. intelligence community agencies and their partners want to avoid a repeat of 2016 when they were often behind the curve on Russian interference and failed to alert the public to what they knew.

Email sent to Democratic voters supposedly by the Proud Boys, a white supremacist group that supports President Donald Trump, was actually sent by Iran. These emails warned people in three swing states to vote for Trump or “we will come after you” because the group is “in possession of all your information.” According to media accounts, the day the Department of Homeland Security (DHS) identified Iran as the culprit, the Director of National Intelligence (DNI) John Ratcliffe decided to disclose this information at a hastily called press conference with Federal Bureau of Investigation (FBI) Director Christopher Wray.

In Ratcliffe’s remarks, he put Iran before Russia as has been the wont of the Trump Administration to make it seem as if Russia’s capabilities and intentions are matched by two other adversaries of the U.S. Moreover, the Trump Administration has placed more emphasis generally on the dangers posed by Tehran than Moscow, particularly in light of the nuclear agreement from which the U.S. withdrew. Ratcliffe asserted:

  • we would like to alert the public that we have identified that two foreign actors – Iran and Russia – have taken specific actions to influence public opinion relating to our elections.
  • First, we have confirmed that some voter registration information has been obtained by Iran, and separately, by Russia. This data can be used by foreign actors to attempt to communicate false information to registered voters that they hope will cause confusion, sow chaos, and undermine your confidence in American democracy.
  • To that end, we have already seen Iran sending “spoofed” emails designed to intimidate voters, incite social unrest, and damage President Trump. You may have seen some reporting on this in the last 24 hours, or you may have been one of the recipients.
  • Additionally, Iran is distributing other content, to include a video that implies that individuals could cast fraudulent ballots, even from overseas. This video – and any claims about such allegedly fraudulent ballots – are not true.
  • These actions are desperate attempts by desperate adversaries. Even if the adversaries pursue further attempts to intimidate or attempt to undermine voter confidence, know that our election systems are resilient, and you can be confident your votes are secure.
  • Although we have not seen the same actions from Russia, we are aware that they have obtained some voter information, just as they did in 2016.

Shortly thereafter, unnamed U.S. intelligence officials disagreed with Ratcliffe’s emphasis on Iran because they think the evidence clearly shows Russia to be the more dangerous threat. Some speculated that Ratcliffe was being improperly political, given that the DNI is supposed to be non-partisan.

In contrast, Wray sought to tamp down alarm about interference:

  • We’re not going to tolerate foreign interference in our elections or any criminal activity that threatens the sanctity of your vote or undermines public confidence in the outcome of the election.
  • When we see indications of foreign interference or federal election crimes, we’re going to aggressively investigate and work with our partners, to quickly take appropriate action.
  • We’re also coordinating with the private sector—both technology and social media companies—to make sure that their platforms are not used by foreign adversaries to spread disinformation and propaganda.
  • We’ve been working for years as a community to build resilience in our election infrastructure—and today that infrastructure remains resilient.
  • You should be confident that your vote counts.

Following Wray’s remarks, there were leaks to the media that Trump wants to remove him and Attorney General William Barr from office after the election. During “repeated” discussions on the removal of the U.S.’ two top law enforcement officials, Trump and top Administration officials have apparently decried Wray’s disinclination to announce an investigation of former Vice President Joe Biden and his son in a reprise of former FBI Director James Comey’s announcement days before the 2016 election that he would reopen the investigation into former Secretary of State Hillary Clinton’s email. Moreover, the FBI also declined to support Ratcliffe’s public assertions that Russia had nothing to do with the purported email and data of Hunter Biden being portrayed as evidence of the corruption of the Biden family. In a letter to Senate Homeland Security & Governmental Affairs Committee Chair Ron Johnson (R-WI), the FBI referenced the Inspector General’s findings about the impropriety of Comey’s remarks so close to an election as a significant reason why it would neither confirm nor deny any such inquiry.

The FBI and CISA issued a pair of joint advisories:

  • Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. Government Targets that “updates joint CISA-FBI cybersecurity advisory AA20-283A: APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations.” The agencies asserted:
    • Since at least September 2020, a Russian state-sponsored APT actor—known variously as Berserk Bear, Energetic Bear, TeamSpy, Dragonfly, Havex, Crouching Yeti, and Koala in open-source reporting—has conducted a campaign against a wide variety of U.S. targets. The Russian state-sponsored APT actor has targeted dozens of SLTT government and aviation networks, attempted intrusions at several SLTT organizations, successfully compromised network infrastructure, and as of October 1, 2020, exfiltrated data from at least two victim servers.
    • The Russian-sponsored APT actor is obtaining user and administrator credentials to establish initial access, enable lateral movement once inside the network, and locate high value assets in order to exfiltrate data. In at least one compromise, the APT actor laterally traversed an SLTT victim network and accessed documents related to:
      • Sensitive network configurations and passwords.
      • Standard operating procedures (SOP), such as enrolling in multi-factor authentication (MFA).
      • IT instructions, such as requesting password resets.
      • Vendors and purchasing information.
      • Printing access badges.
    • To date, the FBI and CISA have no information to indicate this APT actor has intentionally disrupted any aviation, education, elections, or government operations. However, the actor may be seeking access to obtain future disruption options, to influence U.S. policies and actions, or to delegitimize SLTT government entities.
    • As this recent malicious activity has been directed at SLTT government networks, there may be some risk to elections information housed on SLTT government networks. However, the FBI and CISA have no evidence to date that integrity of elections data has been compromised. Due to the heightened awareness surrounding elections infrastructure and the targeting of SLTT government networks, the FBI and CISA will continue to monitor this activity and its proximity to elections infrastructure.
  • Iranian State-Sponsored Advanced Persistent Threat Actors Threaten Election-Related Systems in which the FBI and CISA “warn[] that Iranian advanced persistent threat (APT) actors are likely intent on influencing and interfering with the U.S. elections to sow discord among voters and undermine public confidence in the U.S. electoral process.” They added:
    • The APT actors are creating fictitious media sites and spoofing legitimate media sites to spread obtained U.S. voter-registration data, anti-American propaganda, and misinformation about voter suppression, voter fraud, and ballot fraud.
    • The APT actors have historically exploited critical vulnerabilities to conduct distributed denial-of-service (DDoS) attacks, structured query language (SQL) injections attacks, spear-phishing campaigns, website defacements, and disinformation campaigns.


Further Reading, Other Developments, and Coming Events (14 October)

Further Reading

  • “The Man Who Speaks Softly—and Commands a Big Cyber Army” By Garrett Graff — WIRED. A profile of General Paul Nakasone, the leader of both the United States’ National Security Agency (NSA) and Cyber Command, who has operated mostly in the background during the tumultuous Trump Administration. He has likely set the template for both organizations going forward for some time. A fascinating read chock-full of insider details.
  • “Facebook Bans Anti-Vaccination Ads, Clamping Down Again” By Mike Isaac — The New York Times. In another sign of the social media platform responding to pressure in the United States and Europe, it was announced that anti-vaccination advertisements would no longer be accepted. This follows bans on Holocaust denial and QAnon material. Of course, this newest announcement is a classic Facebook half-step. Only paid advertisements will be banned, but users can continue to post about their opposition to vaccination.
  • “To Mend a Broken Internet, Create Online Parks” By Eli Pariser — WIRED. An interesting argument that a public online space maintained by the government much like parks or public libraries may be just what democracies across the globe need to roll back the tide of extremism and division.
  • “QAnon is tearing families apart” By Travis Andrews — The Washington Post. This is a terrifying tour through the fallout of the QAnon conspiracy that sucks some in so deeply they are marginally connected to reality in many ways.
  • “AT&T has trouble figuring out where it offers government-funded Internet” By Jon Brodkin — Ars Technica. So, yeah, about all that government cash given to big telecom companies that was supposed to bring more broadband coverage. Turns out, they definitely took the cash. The broadband service has been a much more elusive thing to verify. In one example, AT&T may or may not have provided service to 133,000 households in Mississippi after receiving funds from the Federal Communications Commission (FCC). Mississippi state authorities are arguing most of the service is non-existent. AT&T is basically saying it’s all a misunderstanding.

Other Developments

  • The California Attorney General’s Office (AG) has released yet another revision of the regulations necessary to implement the “California Consumer Privacy Act” (CCPA) (AB 375) and comments are due by 28 October. Of course, if Proposition 24 passes next month, the “California Privacy Rights Act” will largely replace the CCPA, requiring the drafting of even more regulations. Nonetheless, what everyone thought was the final set of CCPA regulations took effect on 14 August, but the notice from the Office of Administrative Law disclosed that the AG had withdrawn four portions of the proposed regulations. In the new draft regulations, the AG explained:
    • Proposed section 999.306, subd. (b)(3), provides examples of how businesses that collect personal information in the course of interacting with consumers offline can provide the notice of right to opt-out of the sale of personal information through an offline method.
    • Proposed section 999.315, subd. (h), provides guidance on how a business’s methods for submitting requests to opt-out should be easy and require minimal steps. It provides illustrative examples of methods designed with the purpose or substantial effect of subverting or impairing a consumer’s choice to opt-out.
    • Proposed section 999.326, subd. (a), clarifies the proof that a business may require an authorized agent to provide, as well as what the business may require a consumer to do to verify their request.
    • Proposed section 999.332, subd. (a), clarifies that businesses subject to either section 999.330, section 999.331, or both of these sections are required to include a description of the processes set forth in those sections in their privacy policies.
  • Facebook announced an update to its “hate speech policy to prohibit any content that denies or distorts the Holocaust.” Facebook claimed:
    • Following a year of consultation with external experts, we recently banned anti-Semitic stereotypes about the collective power of Jews that often depicts them running the world or its major institutions.  
    • Today’s announcement marks another step in our effort to fight hate on our services. Our decision is supported by the well-documented rise in anti-Semitism globally and the alarming level of ignorance about the Holocaust, especially among young people. According to a recent survey of adults in the US aged 18-39, almost a quarter said they believed the Holocaust was a myth, that it had been exaggerated or they weren’t sure.
  • In a 2018 interview, Facebook CEO Mark Zuckerberg asserted:
    • I find that deeply offensive. But at the end of the day, I don’t believe that our platform should take that down because I think there are things that different people get wrong. I don’t think that they’re intentionally getting it wrong…
    • What we will do is we’ll say, “Okay, you have your page, and if you’re not trying to organize harm against someone, or attacking someone, then you can put up that content on your page, even if people might disagree with it or find it offensive.” But that doesn’t mean that we have a responsibility to make it widely distributed in News Feed.
    • He clarified in a follow up email:
      • I personally find Holocaust denial deeply offensive, and I absolutely didn’t intend to defend the intent of people who deny that.
      • Our goal with fake news is not to prevent anyone from saying something untrue — but to stop fake news and misinformation spreading across our services. If something is spreading and is rated false by fact checkers, it would lose the vast majority of its distribution in News Feed. And of course if a post crossed line into advocating for violence or hate against a particular group, it would be removed. These issues are very challenging but I believe that often the best way to fight offensive bad speech is with good speech.
  • The Government Accountability Office (GAO) issued an evaluation of the Trump Administration’s 5G Strategy and found more processes and actions are needed if this plan to vault the United States (U.S.) ahead of other nations is to come to fruition. Specifically, the “report examines the extent to which the Administration has developed a national strategy on 5G that address our six desirable characteristics of an effective national strategy.” The GAO identified the six desirable characteristics: (1) purpose, scope, and methodology; (2) problem definition and risk assessment; (3) goals, subordinate objectives, activities, and performance measures; (4) resources, investments, and risk management; (5) organizational roles, responsibilities, and coordination; and (6) integration and implementation. However, this assessment is necessarily limited, for National Security Council staff took the highly unusual approach of not engaging with the GAO, which may be another norm broken by the Trump Administration. The GAO stated “[t]he March 2020 5G national strategy partially addresses five of our desirable characteristics of an effective national strategy and does not address one, as summarized in table 1.”
    • The GAO explained:
      • According to National Telecommunications and Information Administration (NTIA) and Office of Science and Technology Policy (OSTP) officials, the 5G national strategy was intentionally written to be at a high level and as a result, it may not include all elements of our six desirable characteristics of national strategies. These officials stated that the 5G implementation plan required by the Secure 5G and Beyond Act of 2020 is expected to include specific details, not covered in the 5G national strategy, on the U.S. government’s response to 5G risks and challenges. The implementation plan is expected to align and correspond to the lines of effort in the 5G national strategy. NTIA officials told us that the implementation plan to the 5G national strategy would be finalized by the end of October 2020. However, the officials we spoke to were unable to provide details on the final content of the implementation plan such as whether the plan would include all elements of our six desirable characteristics of national strategies given that it was not final. National strategies and their implementation plans should include all elements of the six desirable characteristics to enhance their usefulness as guidance and to ensure accountability and coordinate investments. Until the administration ensures that the implementation plan includes all elements of the six desirable characteristics, the guidance the plan provides decision makers in allocating resources to address 5G risks and challenges will likely be limited.
  • The Irish Council for Civil Liberties (ICCL) wrote the European Commission (EC) to make the case the United Kingdom (UK) is not deserving of an adequacy decision after Brexit because of institutional and cultural weaknesses at the Information Commissioner’s Office (ICO). The ICCL made the case that the ICO has been one of the most ineffectual enforcers of the General Data Protection Regulation (GDPR), especially with respect to what the ICCL called the largest data infringement under the GDPR and the largest data breach of all time: Real-Time Bidding. The ICCL took the ICO to task with having not followed through on fining companies for GDPR violations and having a tiny staff dedicated to data protection and technology issues. The ICCL invoked Article 45 of the GDPR to encourage the EC to deny the UK the adequacy decision it would need in order to transfer the personal data of EU residents to the UK.
  • In an unrelated development, the Information Commissioner’s Office (ICO) wrapped up its investigation into Facebook and Cambridge Analytica and detailed its additional findings in a letter to the Digital, Culture and Media and Sport Select Committee in the House of Commons. ICO head Elizabeth Denham asserted:
    • [w]e concluded that SCL Elections Ltd and Cambridge Analytica (SCL/CA) were purchasing significant volumes of commercially available personal data (at one estimate over 130 billion data points), in the main about millions of US voters, to combine it with the Facebook derived insight information they had obtained from an academic at Cambridge University, Dr Aleksandr Kogan, and elsewhere. In the main their models were also built from ‘off the shelf’ analytical tools and there was evidence that their own staff were concerned about some of the public statements the leadership of the company were making about their impact and influence.
    • From my review of the materials recovered by the investigation I have found no further evidence to change my earlier view that SCL/CA were not involved in the EU referendum campaign in the UK - beyond some initial enquiries made by SCL/CA in relation to UKIP data in the early stages of the referendum process. This strand of work does not appear to have then been taken forward by SCL/CA.
    • I have concluded my wider investigations of several organisations on both the remain and the leave side of the UK’s referendum about membership of the EU. I identified no significant breaches of the privacy and electronic marketing regulations and data protection legislation that met the threshold for formal regulatory action. Where the organisation continued in operation, I have provided advice and guidance to support better future compliance with the rules.
    • During the investigation concerns about possible Russian interference in elections globally came to the fore. As I explained to the sub-committee in April 2019, I referred details of reported possible Russia-located activity to access data linked to the investigation to the National Crime Agency. These matters fall outside the remit of the ICO. We did not find any additional evidence of Russian involvement in our analysis of material contained in the SCL / CA servers we obtained.
  • The United States Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) issued a joint cybersecurity advisory regarding “recently observed advanced persistent threat (APT) actors exploiting multiple legacy vulnerabilities in combination with a newer privilege escalation vulnerability.” CISA and the FBI revealed that these tactics have penetrated systems related to elections but claimed there has been no degrading of the integrity of electoral systems.
  • The agencies stated:
    • The commonly used tactic, known as vulnerability chaining, exploits multiple vulnerabilities in the course of a single intrusion to compromise a network or application. 
    • This recent malicious activity has often, but not exclusively, been directed at federal and state, local, tribal, and territorial (SLTT) government networks. Although it does not appear these targets are being selected because of their proximity to elections information, there may be some risk to elections information housed on government networks.
    • CISA is aware of some instances where this activity resulted in unauthorized access to elections support systems; however, CISA has no evidence to date that integrity of elections data has been compromised.
  • Canada’s Privacy Commissioner Daniel Therrien released the “2019-2020 Annual Report to Parliament on the Privacy Act and Personal Information Protection and Electronic Documents Act” and asserted:
    • Technologies have been very useful in halting the spread of COVID-19 by allowing essential activities to continue safely. They can and do serve the public good.
    • At the same time, however, they raise new privacy risks. For example, telemedicine creates risks to doctor-patient confidentiality when virtual platforms involve commercial enterprises. E-learning platforms can capture sensitive information about students’ learning disabilities and other behavioural issues.
    • As the pandemic speeds up digitization, basic privacy principles that would allow us to use public health measures without jeopardizing our rights are, in some cases, best practices rather than requirements under the existing legal framework.
    • We see, for instance, that the law has not properly contemplated privacy protection in the context of public-private partnerships, nor does it mandate app developers to consider Privacy by Design, or the principles of necessity and proportionality.
    • The law is simply not up to protecting our rights in a digital environment. Risks to privacy and other rights are heightened by the fact that the pandemic is fueling rapid societal and economic transformation in a context where our laws fail to provide Canadians with effective protection.
    • In our previous annual report, we shared our vision of how best to protect the privacy rights of Canadians and called on parliamentarians to adopt rights-based privacy laws.
    • We noted that privacy is a fundamental human right (the freedom to live and develop free from surveillance). It is also a precondition for exercising other human rights, such as equality rights in an age when machines and algorithms make decisions about us, and democratic rights when technologies can thwart democratic processes.
    • Regulating privacy is essential not only to support electronic commerce and digital services; it is a matter of justice.

Coming Events

  • The European Union Agency for Cybersecurity (ENISA), Europol’s European Cybercrime Centre (EC3) and the Computer Emergency Response Team for the EU Institutions, Bodies and Agencies (CERT-EU) will hold the 4th annual IoT Security Conference series “to raise awareness on the security challenges facing the Internet of Things (IoT) ecosystem across the European Union:”
    • Artificial Intelligence – 14 October at 15:00 to 16:30 CET
    • Supply Chain for IoT – 21 October at 15:00 to 16:30 CET
  • The House Intelligence Committee will conduct a virtual hearing titled “Misinformation, Conspiracy Theories, and ‘Infodemics’: Stopping the Spread Online.”
  • The Federal Communications Commission (FCC) will hold an open commission meeting on 27 October, and the agency has released a tentative agenda:
    • Restoring Internet Freedom Order Remand – The Commission will consider an Order on Remand that would respond to the remand from the U.S. Court of Appeals for the D.C. Circuit and conclude that the Restoring Internet Freedom Order promotes public safety, facilitates broadband infrastructure deployment, and allows the Commission to continue to provide Lifeline support for broadband Internet access service. (WC Docket Nos. 17-108, 17-287, 11-42)
    • Establishing a 5G Fund for Rural America – The Commission will consider a Report and Order that would establish the 5G Fund for Rural America to ensure that all Americans have access to the next generation of wireless connectivity. (GN Docket No. 20-32)
    • Increasing Unlicensed Wireless Opportunities in TV White Spaces – The Commission will consider a Report and Order that would increase opportunities for unlicensed white space devices to operate on broadcast television channels 2-35 and expand wireless broadband connectivity in rural and underserved areas. (ET Docket No. 20-36)
    • Streamlining State and Local Approval of Certain Wireless Structure Modifications – The Commission will consider a Report and Order that would further accelerate the deployment of 5G by providing that modifications to existing towers involving limited ground excavation or deployment would be subject to streamlined state and local review pursuant to section 6409(a) of the Spectrum Act of 2012. (WT Docket No. 19-250; RM-11849)
    • Revitalizing AM Radio Service with All-Digital Broadcast Option – The Commission will consider a Report and Order that would authorize AM stations to transition to an all-digital signal on a voluntary basis and would also adopt technical specifications for such stations. (MB Docket Nos. 13-249, 19-311)
    • Expanding Audio Description of Video Content to More TV Markets – The Commission will consider a Report and Order that would expand audio description requirements to 40 additional television markets over the next four years in order to increase the amount of video programming that is accessible to blind and visually impaired Americans. (MB Docket No. 11-43)
    • Modernizing Unbundling and Resale Requirements – The Commission will consider a Report and Order to modernize the Commission’s unbundling and resale regulations, eliminating requirements where they stifle broadband deployment and the transition to next-generation networks, but preserving them where they are still necessary to promote robust intermodal competition. (WC Docket No. 19-308)
    • Enforcement Bureau Action – The Commission will consider an enforcement action.
  • On October 29, the Federal Trade Commission (FTC) will hold a seminar titled “Green Lights & Red Flags: FTC Rules of the Road for Business workshop” that “will bring together Ohio business owners and marketing executives with national and state legal experts to provide practical insights to business and legal professionals about how established consumer protection principles apply in today’s fast-paced marketplace.”
  • The Senate Commerce, Science, and Transportation Committee will reportedly hold a hearing on 29 October regarding 47 U.S.C. 230 with testimony from:
    • Jack Dorsey, Chief Executive Officer of Twitter;
    • Sundar Pichai, Chief Executive Officer of Alphabet Inc. and its subsidiary, Google; and 
    • Mark Zuckerberg, Chief Executive Officer of Facebook.


Homeland Threat Assessment Finally Released

After a whistleblower filed a complaint, DHS released its assessment of threats to the U.S. and there is a gap between the acting Secretary’s views and the report itself on domestic violence and Russian interference with the election.

The United States Department of Homeland Security (DHS) has released its first Homeland Threat Assessment (HTA) that covers the gamut of groups, individuals, and trends posing risks to the United States (U.S.). As cybersecurity and terrorism are in the DHS portfolio, both figure prominently in the report. However, the HTA has been the object of controversy arising from a DHS whistleblower who claimed about a month ago that DHS leadership, including acting Secretary Chad Wolf, urged the downplaying of Russian election interference and white supremacist violence in order to please the White House. The HTA had been completed in March, and the official in charge of intelligence and analysis refused multiple requests to change the conclusions in these aspects. Consequently, the document released by the agency seems to have been prompted by the filing of the whistleblower complaint and has a foreword ostensibly written by Wolf that emphasizes a narrative aligned with the White House’s while the body of the report draws different conclusions.

In early September, former Principal Deputy Under Secretary in the Office of Intelligence and Analysis Brian Murphy filed a whistleblower reprisal complaint against DHS for providing intelligence analysis the Trump White House and DHS did not want, mainly for political reasons, and then refusing to make alterations to fit the Administration’s chosen narrative on issues, especially on the Russian Federation’s interference in the 2020 Election. Murphy alleges “he was retaliatorily demoted to the role of Assistant to the Deputy Under Secretary for the DHS Management Division” because he refused to comply with orders from Wolf. Specifically, he claims:

  • In mid-May 2020, Mr. Wolf instructed Mr. Murphy to cease providing intelligence assessments on the threat of Russian interference in the United States, and instead start reporting on interference activities by China and Iran. Mr. Wolf stated that these instructions specifically originated from White House National Security Advisor Robert O’Brien. Mr. Murphy informed Mr. Wolf he would not comply with these instructions, as doing so would put the country in substantial and specific danger.

Regarding the HTA, Murphy claimed (and I know it’s a long excerpt but worth your time to read):

  • In March 2020, Mr. Murphy’s team at DHS I&A completed a HTA. Completion of the HTA was a requirement set forth by Acting Secretary Kevin McAleenan prior to his departure from DHS. Mr. Murphy was intimately involved in the editing and crafting of the HTA. Following its completion, the HTA was distributed by Mr. Glawe to Messrs. Wolf, Cuccinelli, and Gountanis. Shortly after the distribution, Mr. Glawe was informed that further distribution of the HTA was prohibited due to concerns raised by Messrs. Wolf and Cuccinelli regarding how the HTA would reflect upon President Trump. Two sections were specifically labeled as concerns: White Supremacy and Russian influence in the United States. Mr. Murphy stated to Mr. Glawe that this constituted an abuse of authority by Messrs. Wolf and Cuccinelli, and Mr. Glawe concurred with that assessment.
  • In May 2020, Mr. Glawe retired, and Mr. Murphy assumed the role of Acting Under Secretary. In May 2020 and June 2020, Mr. Murphy had several meetings with Mr. Cuccinelli regarding the status of the HTA. Mr. Cuccinelli stated that Mr. Murphy needed to specifically modify the section on White Supremacy in a manner that made the threat appear less severe, as well as include information on the prominence of violent “left-wing” groups. Mr. Murphy declined to make the requested modifications, and informed Mr. Cuccinelli that it would constitute censorship of analysis and the improper administration of an intelligence program.
  • On July 8, 2020, Mr. Murphy attended a meeting with Mr. Wolf and his Deputy Chief of Staff, Scott Erickson (“Mr. Erickson”). Mr. Murphy asked Mr. Wolf about the status of the HTA. Mr. Wolf relayed the concerns previously outlined by Mr. Cuccinelli regarding the sections on White Supremacy and Russian influence. Mr. Wolf asked for a copy of the HTA so it could be reviewed by policy officials, and so that information regarding the ongoing unrest in Portland, Oregon, could be added into the HTA. Mr. Wolf asked Mr. Murphy if he would accept his edits. Mr. Murphy responded that he would not concur with any edits that altered the underlying intelligence in the HTA, as any such action would constitute an abuse of authority and improper administration of an intelligence program. 
  • Completion of the HTA was subsequently handled by other DHS officials without consultation with Mr. Murphy. Another draft of the HTA was completed in August 2020:  Mr. Murphy did not work on that version of the HTA. On September 3, 2020, Mr. Murphy learned the new draft was provided to Mr. Wolf, who had ordered the HTA to be redesigned with the policy office completing the revisions. It is Mr. Murphy’s assessment that the final version of the HTA will more closely resemble a policy document with references to ANTIFA and “anarchist” groups than an intelligence document as originally formulated by DHS I&A.

As noted, Wolf’s foreword to the HTA reads more like standard Trump Administration talking points than the report itself. Wolf hints at groups other than white supremacists being responsible for domestic violence and terrorism and takes the approach that it is not Russia alone that threatens the 2020 Election.

However, the scrutiny created by Murphy’s complaint or infighting at DHS resulted in Wolf’s foreword not engaging in too many “both sides” claims with respect to domestic terrorism. For example, he argues DHS designed its “programs to be threat agnostic – ensuring that we can combat a broad range of domestic threats” even though the body of the report makes clear that it is extremists on the right, mostly white supremacists, who are responsible for the spate of domestic terrorism and violence in the U.S. And yet, even in the report, there is no link between the white supremacists and coded language the Republican Party has used since President Richard Nixon’s Southern Strategy was built on wooing racist white Southerners from the Democratic Party that had championed the Civil Rights Act of 1964 among other legislation. In any event, Wolf asserted “I am particularly concerned about white supremacist violent extremists who have been exceptionally lethal in their abhorrent, targeted attacks in recent years.” It bears noting that Wolf seems only concerned about “white supremacist violent extremists” specifically and not “white supremacists” generally. Perhaps this is explained by Wolf’s nod to the First Amendment right to believe what one wants? Or, in light of Murphy’s whistleblower complaint, this is a softening of claims about white supremacists that dovetails with statements made by President Donald Trump after the white supremacist march and violence in Charlottesville, Virginia, or in the first debate against Vice President Joe Biden.

And yet, Wolf’s next sentence is phrased weirdly and seems disconnected from his concern about white supremacists. He claimed that “I am proud of our work to prevent terrorizing tactics by domestic terrorists and violent extremists who seek to force ideological change in the United States through violence, death, and destruction.” He separates “domestic terrorists” from “violent extremists” and seemingly worries about “violence, death, and destruction.” It is this last word that seems to be a nod towards White House and Republican narratives that portray the ongoing protests against police killing African Americans without justification, which do sometimes involve property destruction, as being an equal threat to white supremacists seeking to kill or intimidate these very protestors. In this same vein, Wolf contended:

During the course of developing the HTA we began to see a new, alarming trend of exploitation of lawful protests causing violence, death, and destruction in American communities. This anti-government, anti-authority and anarchist violent extremism was identified by DHS in September 2019 when we published our Strategic Framework for Countering Terrorism and Targeted Violence. As the date of publication of this HTA, we have seen over 100 days of violence and destruction in our cities. The co-opting of lawful protests led to destruction of government property and have turned deadly.

This seems very much in the vein of “there are fine people on both sides” (i.e. Trump’s remarks about Charlottesville) because it conflates the sources of the violence and equalizes the protestors and counter-protestors. This has been a policy viewpoint the Administration has trafficked in to make it seem as if the largely peaceful protestors around the U.S. are themselves inciting violence when it is often the case that it is white supremacists. Also, there is a conflation here of property damage and looting, which has definitely occurred at the hands of people protesting police killing of African Americans, and violence intended to suppress such protests. And, the reference to “government property” sure seems like a dog whistle about protestors vandalizing and toppling statues and monuments to Confederate figures.

Moreover, there are no mentions of QAnon, a multi-headed conspiracy and movement with significant support from Trump loyalists and voters.

Wolf also references election interference. He asserted “[n]ation-states will continue to try to undermine American elections….like China, Russia, and Iran will try to use cyber capabilities or foreign influence to compromise or disrupt infrastructure related to the 2020 U.S. Presidential election, aggravate social and racial tensions, undermine trust in U.S. authorities, and criticize our elected officials.” Putting the People’s Republic of China (PRC) before the Russian Federation is contrary to the body of the report:

Foreign influence activity will target U.S. foreign and domestic policy, international events such as COVID-19, and democratic processes and institutions, including the 2020 Presidential election. Russia is the likely primary covert influence actor and purveyor of disinformation and misinformation within the Homeland. We assess that Moscow’s primary objective is to increase its global standing and influence by weakening America—domestically and abroad—through efforts to sow discord, distract, shape public sentiment, and undermine trust in Western democratic institutions and processes.

Note that the PRC is not mentioned because apparently DHS staff do not consider them a threat on par with the Russian Federation. Seven paragraphs follow on the capabilities and goals of the Russians before the PRC is mentioned. It is safe to conclude Wolf chose to massage the findings and shoehorn them into a worldview the President and his advisors have been peddling for months if not years. Likewise, in the subsection titled “2020 U.S. Presidential Election,” again, DHS analysts emphasize the considerable threat posed by the Russian Federation, and it is paragraphs into this analysis before the PRC and Iran are mentioned.

From here on out, I’ll include key excerpts of the report itself:

  • Cyber threats to the Homeland from both nation-states and non-state actors will remain acute. U.S. critical infrastructure faces advanced threats of disruptive or destructive cyber-attacks. Federal, state, local, tribal and territorial governments, as well as the private sector, will experience an array of cyber-enabled threats designed to access sensitive information, steal money, and force ransom payments.
  • Russia—which possesses some of the most sophisticated cyber capabilities in the world—can disrupt or damage U.S. critical infrastructure networks via cyber-attacks. Russian state-affiliated actors will continue targeting U.S. industry and all levels of government with intrusive cyber espionage to access economic, policy, and national security information to further the Kremlin’s strategic interests.
    • Russia probably can conduct cyber-attacks that would result in at least localized effects over hours to days and probably is developing capabilities that would cause more debilitating effects.
    • We expect Russian cyber actors to use a range of capabilities including social engineering, publicly known software and hardware vulnerabilities, poorly configured networks, and sophisticated “zero-day” attacks that exploit security weaknesses in software.
    • Under Russian law, the Federal Security Service (FSB) can compel Russian firms doing business in the United States—or Russians working with U.S. firms—to comply with FSB information sharing and operational mandates, presenting additional routes for cyber espionage.
  • China already poses a high cyber espionage threat to the Homeland and Beijing’s cyber-attack capabilities will grow. Chinese cyber actors almost certainly will continue to engage in wide-ranging cyber espionage to steal intellectual property and personally identifiable information (PII) from U.S. businesses and government agencies to bolster their civil-military industrial development, gain an economic advantage, and support intelligence operations. China possesses an increasing ability to threaten and potentially disrupt U.S. critical infrastructure.
    • We expect China’s cyber operations against U.S. companies to focus on the critical manufacturing, defense industrial base, energy, healthcare, and transportation sectors.
    • Beijing has targeted information technology and communications firms whose products and services support government and private-sector networks worldwide, while concurrently advocating globally for Chinese information technology companies that could serve as espionage platforms.
    • Under China’s 2017 National Intelligence Law, Beijing can compel businesses based in China and Chinese citizens living abroad to provide intelligence to the Chinese government.
    • We remain concerned about China’s intent to compromise U.S. critical infrastructure in order to cause disruption or destruction.
    • China’s efforts to dominate the 5G world pose new challenges to U.S. efforts to national security, privacy, resistance to malign influence, and human rights. The exponential increases in speed, connectivity, and productivity could render American systems particularly vulnerable to Chinese cyber threats.
  • While Russia and China are the most capable nation-state cyber adversaries, Iranian and North Korean cyber actors also pose a threat to U.S. systems, networks, and information. Iran continues to present a cyber espionage threat and is developing access in the Homeland that could be repurposed for destructive cyber-attacks. North Korean cyber capabilities, while sophisticated, probably will remain confined to criminal generation of revenue. If Pyongyang’s intent changes, however, it probably could quickly build capabilities to conduct broader espionage activity or threaten infrastructure with disruptive cyber-attacks.
  • Cybercriminals increasingly will target U.S. critical infrastructure to generate profit, whether through ransomware, e-mail impersonation fraud, social engineering, or malware. Underground marketplaces that trade in stolen information and cyber tools will continue to thrive and serve as a resource, even for sophisticated foreign adversaries.
    • Ransomware attacks—which have at least doubled since 2017—often are directed against critical infrastructure entities at the state and local level by exploiting gaps in cybersecurity
    • Victims of cybercriminal activity in 2018 reported over $2.7 billion in losses—more than twice the amount lost in 2017. This figure does not represent the full scope of loss because some victims do not report incidents.
  • Foreign influence activity will target U.S. foreign and domestic policy, international events such as COVID-19, and democratic processes and institutions, including the 2020 Presidential election. Russia is the likely primary covert influence actor and purveyor of disinformation and misinformation within the Homeland. We assess that Moscow’s primary objective is to increase its global standing and influence by weakening America—domestically and abroad—through efforts to sow discord, distract, shape public sentiment, and undermine trust in Western democratic institutions and processes.
  • Russian influence actors will continue using overt and covert methods to aggravate social and racial tensions, undermine trust in U.S. authorities, stoke political resentment, and criticize politicians who Moscow views as anti-Russia. Although some of this activity might be framed in the context of the U.S. election—seemingly in support of or opposition to political candidates— we assess that Moscow’s overarching objective is to weaken the United States through discord, division, and distraction in hopes that America becomes less able to challenge Russia’s strategic objectives.
  • Russian influence actors will engage in media manipulation—across social media platforms, proxy websites, and traditional media, to include state-controlled outlets—to exacerbate U.S. social, political, racial, and cultural fault lines.
  • Russian actors will attempt to undermine national unity and sow seeds of discord that exploit perceived grievances within minority communities, especially among African Americans. Russian influence actors often mimic target audiences and amplify both sides of divisive issues to maximize discord, tailoring messaging to specific communities to “push and pull” them in different ways.
  • The Russian government promulgates misinformation, threats, and narratives intended to incite panic or animosity among social and political groups. For example, Russian actors amplified narratives such as U.S. law enforcement ignoring ICE detention requests and releasing an illegal immigrant accused of rape; assaults on supporters and opponents of the President; and portrayals of U.S. law enforcement as racially biased. Russian influence actors also have exploited national tragedies, such as the 2017 mass shooting in Las Vegas, and protest movements—sometimes magnifying both a protest and a counter-protest—such as the 2017 protest activity in Charlottesville.
  • Chinese operatives probably are waging disinformation campaigns using overt and covert tactics—including social media trolls—to shift responsibility for the pandemic to other countries, including the United States. China might increase its influence activities in response to what it views as anti-China statements from the U.S. Government over China’s role in the pandemic.
    • Since August 2019, more than 10,000 suspected fake Twitter accounts have been involved in a coordinated influence campaign with suspected ties to the Chinese Government. Among these are hacked accounts from users around the world that post messaging and disinformation about the COVID-19 pandemic and other topics of interest to China.
    • China’s Foreign Ministry, state media, and official Twitter accounts promote overt narratives claiming the coronavirus may have originated in the United States, criticize the U.S. pandemic response, and publicize China’s COVID-19-related medical assistance to U.S. cities and states. China has doubled the number of official government posts disseminating false narratives about COVID-19 and has carried out persistent and large-scale disinformation and influence operations that correlate with diplomatic messaging.
    • China most likely will continue amplifying narratives supportive of its pandemic response while denigrating U.S. official criticism that Beijing views as tarnishing its global image.
  • China and Russia will continue to represent the top threats to U.S. supply chain security, given the sophisticated intelligence and cyber capabilities they can use to infiltrate trusted suppliers and vendors to target equipment and systems. Criminal actors also will engage in efforts to compromise supply chains, with such methods as inserting malicious code in a third party’s software to conduct operations against firms that use the software. Criminal and state actors also attempt to compromise supply chains through protectionist measures and by exploiting rapid procurement procedures at the local, state, and federal level during disasters.

Further Reading, Other Developments, and Coming Events (8 October)

Coming Events

  • The European Union Agency for Cybersecurity (ENISA), Europol’s European Cybercrime Centre (EC3) and the Computer Emergency Response Team for the EU Institutions, Bodies and Agencies (CERT-EU) will hold the 4th annual IoT Security Conference series “to raise awareness on the security challenges facing the Internet of Things (IoT) ecosystem across the European Union:”
    • Artificial Intelligence – 14 October at 15:00 to 16:30 CET
    • Supply Chain for IoT – 21 October at 15:00 to 16:30 CET
  • The Federal Communications Commission (FCC) will hold an open commission meeting on 27 October, and the agency has released a tentative agenda:
    • Restoring Internet Freedom Order Remand – The Commission will consider an Order on Remand that would respond to the remand from the U.S. Court of Appeals for the D.C. Circuit and conclude that the Restoring Internet Freedom Order promotes public safety, facilitates broadband infrastructure deployment, and allows the Commission to continue to provide Lifeline support for broadband Internet access service. (WC Docket Nos. 17-108, 17-287, 11-42)
    • Establishing a 5G Fund for Rural America – The Commission will consider a Report and Order that would establish the 5G Fund for Rural America to ensure that all Americans have access to the next generation of wireless connectivity. (GN Docket No. 20-32)
    • Increasing Unlicensed Wireless Opportunities in TV White Spaces – The Commission will consider a Report and Order that would increase opportunities for unlicensed white space devices to operate on broadcast television channels 2-35 and expand wireless broadband connectivity in rural and underserved areas. (ET Docket No. 20-36)
    • Streamlining State and Local Approval of Certain Wireless Structure Modifications – The Commission will consider a Report and Order that would further accelerate the deployment of 5G by providing that modifications to existing towers involving limited ground excavation or deployment would be subject to streamlined state and local review pursuant to section 6409(a) of the Spectrum Act of 2012. (WT Docket No. 19-250; RM-11849)
    • Revitalizing AM Radio Service with All-Digital Broadcast Option – The Commission will consider a Report and Order that would authorize AM stations to transition to an all-digital signal on a voluntary basis and would also adopt technical specifications for such stations. (MB Docket Nos. 13-249, 19-311)
    • Expanding Audio Description of Video Content to More TV Markets – The Commission will consider a Report and Order that would expand audio description requirements to 40 additional television markets over the next four years in order to increase the amount of video programming that is accessible to blind and visually impaired Americans. (MB Docket No. 11-43)
    • Modernizing Unbundling and Resale Requirements – The Commission will consider a Report and Order to modernize the Commission’s unbundling and resale regulations, eliminating requirements where they stifle broadband deployment and the transition to next-generation networks, but preserving them where they are still necessary to promote robust intermodal competition. (WC Docket No. 19-308)
    • Enforcement Bureau Action – The Commission will consider an enforcement action.
  • On October 29, the Federal Trade Commission (FTC) will hold a seminar titled “Green Lights & Red Flags: FTC Rules of the Road for Business workshop” that “will bring together Ohio business owners and marketing executives with national and state legal experts to provide practical insights to business and legal professionals about how established consumer protection principles apply in today’s fast-paced marketplace.”

Other Developments

  • Harvard University’s Berkman Klein Center for Internet & Society published a study, “Mail-In Voter Fraud: Anatomy of a Disinformation Campaign,” which found a concerted, almost certainly coordinated campaign led by President Donald Trump, the Republican Party, and conservative media outlets to claim against all evidence that mail voting is rife with fraud. The study points to structural issues in the United States (U.S.) and the broader media that allow parties to disseminate disinformation and propaganda. The authors found the traditional print and television media more effective and complicit in spreading lies and disinformation than social media platforms like Facebook and Twitter. The Berkman Klein Center explained:
    • The claim that election fraud is a major concern with mail-in ballots has become the central threat to election participation during the Covid-19 pandemic and to the legitimacy of the outcome of the election across the political spectrum. President Trump has repeatedly cited his concerns over voter fraud associated with mail-in ballots as a reason that he may not abide by an adverse electoral outcome. Polling conducted in September 2020 suggests that nearly half of Republicans agree with the president that election fraud is a major concern associated with expanded mail-in voting during the pandemic. Few Democrats share that belief. Despite the consensus among independent academic and journalistic investigations that voter fraud is rare and extremely unlikely to determine a national election, tens of millions of Americans believe the opposite. This is a study of the disinformation campaign that led to widespread acceptance of this apparently false belief and to its partisan distribution pattern. Contrary to the focus of most contemporary work on disinformation, our findings suggest that this highly effective disinformation campaign, with potentially profound effects for both participation in and the legitimacy of the 2020 election, was an elite-driven, mass-media led process. Social media played only a secondary and supportive role.
    • Our results are based on analyzing over fifty-five thousand online media stories, five million tweets, and seventy-five thousand posts on public Facebook pages garnering millions of engagements. They are consistent with our findings about the American political media ecosystem from 2015-2018, published in Network Propaganda, in which we found that Fox News and Donald Trump’s own campaign were far more influential in spreading false beliefs than Russian trolls or Facebook clickbait artists. This dynamic appears to be even more pronounced in this election cycle, likely because Donald Trump’s position as president and his leadership of the Republican Party allow him to operate directly through political and media elites, rather than relying on online media as he did when he sought to advance his then-still-insurgent positions in 2015 and the first half of 2016.
    • Our findings here suggest that Donald Trump has perfected the art of harnessing mass media to disseminate and at times reinforce his disinformation campaign by using three core standard practices of professional journalism. These three are: elite institutional focus (if the President says it, it’s news); headline seeking (if it bleeds, it leads); and balance, neutrality, or the avoidance of the appearance of taking a side. He uses the first two in combination to summon coverage at will, and has used them continuously to set the agenda surrounding mail-in voting through a combination of tweets, press conferences, and television interviews on Fox News. He relies on the latter professional practice to keep audiences that are not politically pre-committed and have relatively low political knowledge confused, because it limits the degree to which professional journalists in mass media organizations are willing or able to directly call the voter fraud frame disinformation. The president is, however, not acting alone. Throughout the first six months of the disinformation campaign, the Republican National Committee (RNC) and staff from the Trump campaign appear repeatedly and consistently on message at the same moments, suggesting an institutionalized rather than individual disinformation campaign. The efforts of the president and the Republican Party are supported by the right-wing media ecosystem, primarily Fox News and talk radio functioning in effect as a party press. These reinforce the message, provide the president a platform, and marginalize or attack those Republican leaders or any conservative media personalities who insist that there is no evidence of widespread voter fraud associated with mail-in voting.
    • The primary cure for the elite-driven, mass media communicated information disorder we observe here is unlikely to be more fact checking on Facebook. Instead, it is likely to require more aggressive policing by traditional professional media, the Associated Press, the television networks, and local TV news editors of whether and how they cover Trump’s propaganda efforts, and how they educate their audiences about the disinformation campaign the president and the Republican Party have waged.
  • The Senate Minority Leader and the top Democrats on three committees sent a letter to the acting Secretary of Homeland Security asking him to “release a document that shows President Donald Trump’s attacks on American Elections are consistent with a foreign influence campaign.” Senate Minority Leader Chuck Schumer (D-NY), Senate Intelligence Committee Ranking Member Mark Warner (D-VA), Senate Rules Committee Ranking Member Amy Klobuchar (D-MN), Senate Homeland Security and Governmental Affairs Committee Ranking Member Gary Peters (D-MI), and Senator Ron Wyden (D-OR) wrote to acting Secretary of Homeland Security Chad Wolf:
    • We write to urge you to immediately release to the public a September 3, 2020, analysis produced by the Department’s Office of Intelligence and Analysis. This document demonstrates that a foreign actor is attempting to undermine faith in the US electoral system, particularly vote-by-mail systems, in a manner that is consistent with the rhetoric being used by President Trump, Attorney General Barr, and others.
    • The document has been marked ‘Unclassified/For Official Use Only,’ meaning that its release would not pose a risk to sources and methods and that it has already been widely distributed around the country through unclassified channels. It is now critical and urgent that the American people have access to this document so that they can understand the context of Trump’s statements and actions.
  • Representatives Abigail Spanberger (D-VA) and John Katko (R-NY) introduced the “Foreign Agent Disclaimer Enhancement (FADE) Act” “to protect against the influence of foreign nations that seek to weaken the U.S. electoral system and sow division through online disinformation campaigns.” This bill would close a loophole in the Foreign Agents Registration Act (FARA) that does not require foreign agents to disclose social media posts intended to persuade Americans as they must for other forms of communication. They provided the context for the legislation:
    • This week, the Federal Bureau of Investigation alerted Twitter that accounts likely based in Iran attempted to spread disinformation during the U.S. presidential debate.
    • An April 2020 State Department report warned that China, Iran, and Russia are using the COVID-19 crisis to launch a propaganda and disinformation onslaught against the United States.
    • Spanberger and Katko summarized the bill in their press release:
      • The Foreign Agent Disclaimer Enhancement (FADE) Act would increase transparency by requiring disclaimers attributing political content to a foreign principal be embedded on the face of a social media post itself. With this new requirement, disclaimers would remain with a post whenever the post is subsequently shared. The FADE Act would also clarify that these disclaimer requirements apply to the internet and apply to any political communications directed at the United States — regardless of the foreign agent’s location around the world.
      • To ensure enforcement of these new transparency measures, the FADE Act would require the Department of Justice (DOJ) to notify online platforms if a foreign agent does not meet disclaimer requirements for posts on their platforms, and in these cases, require the platform to remove the materials and use reasonable efforts to inform recipients of the materials that the information they saw was disseminated by a foreign agent. Additionally, the bipartisan bill would require DOJ to prepare a report to Congress on enforcement challenges.
  • Europol issued its annual “Internet Organised Crime Threat Assessment (IOCTA) 2020” that “provides a unique law enforcement-focused assessment of emerging challenges and key developments in the area of cybercrime” in the European Union (EU).
  • Europol highlighted its findings:
    • Cross-Cutting Crime Facilitators And Challenges To Criminal Investigations
      • Social engineering remains a top threat to facilitate other types of cybercrime.
      • Cryptocurrencies continue to facilitate payments for various forms of cybercrime, as developments evolve with respect to privacy-oriented crypto coins and services.
      • Challenges with reporting hinder the ability to create an accurate overview of crime prevalence across the EU.
    • Cyber-Dependent Crime
      • Ransomware remains the most dominant threat as criminals increase pressure by threatening publication of data if victims do not pay.
      • Ransomware on third-party providers also creates potential significant damage for other organisations in the supply chain and critical infrastructure.
      • Emotet is omnipresent given its versatile use and leads the way as the benchmark of modern malware.
      • The threat potential of Distributed Denial of Service (DDoS) attacks is higher than its current impact in the EU.
    • Child Sexual Exploitation Online
      • The amount of online Child sexual abuse material (CSAM) detected continues to increase, further exacerbated by the COVID-19 crisis, which has serious consequences for the capacity of law enforcement authorities.
      • The use of encrypted chat apps and industry proposals to expand this market pose a substantial risk for abuse and make it more difficult for law enforcement to detect and investigate online Child sexual exploitation (CSE) activities.
      • Online offender communities exhibit considerable resilience and are continuously evolving.
      • Livestreaming of child sexual abuse continues to increase and became even more prevalent during the COVID-19 crisis.
      • The commercialisation of online CSE is becoming a more widespread issue, with individuals uploading material to hosting sites and subsequently acquiring credit on the basis of the number of downloads.
    • Payment Fraud
      • SIM swapping is a key trend that allows perpetrators to take over accounts and has demonstrated a steep rise over the last year.
      • Business email compromise (BEC) remains an area of concern as it has increased, grown in sophistication, and become more targeted.
      • Online investment fraud is one of the fastest growing crimes, generating millions in losses and affecting thousands of victims.
      • Card-not-present (CNP) fraud continues to increase as criminals diversify in terms of target sectors and electronic skimming (e-skimming) modi operandi.
    • The Criminal Abuse Of The Darkweb
      • The Darkweb environment has remained volatile, lifecycles of Darkweb market places have shortened, and no clear dominant market has risen over the past year compared to previous years to fill the vacuum left by the takedowns in 2019.
      • The nature of the Darkweb community at administrator-level shows how adaptive it is under challenging times, including more effective cooperation in the search for better security solutions and safe Darkweb interaction.
      • There has been an increase in the use of privacy-enhanced cryptocurrencies and an emergence of privacy-enhanced coinjoin concepts, such as Wasabi and Samurai.
      • Surface web e-commerce sites and encrypted communication platforms offer an additional dimension to Darkweb trading to enhance the overall business model.
  • “43 center-right organizations, think tanks, and policy experts” wrote Senate Majority Whip John Thune (R-SD) “for his leadership and support for the American competitive approach to 5G deployment.” Last week, Thune and 18 Republican colleagues sent President Donald Trump a letter “to express our concerns about a Request For Information (RFI) released by the Department of Defense (DOD) that contradicts the successful free-market strategy you have embraced for 5G.” Late last month, the United States Department of Defense (DOD) released an RFI on the possibility of the agency sharing its prized portions of electromagnetic spectrum with commercial providers to speed the development and adoption of 5G in the United States.
    • The 43 groups argued:
      • We too are concerned with the Department of Defense Request for Information on a government-managed process for 5G development and are alarmed with how quickly it is proceeding.  Even more disturbing are the rumors that the RFI was only for show and that the DoD already has an RFP it plans to greenlight. 
      • A government-run 5G backbone, wholesale network, or whatever name it goes by, is nationalization of private business. Spectrum sharing is something that must be considered as the nation moves forward with private networks, but it is not a reason for a government takeover. For a government-run network to happen, the federal government would have to either renege on licenses granted to private users or hoard spectrum at the expense of private industry. Either approach would upend well-established licensure policies at the FCC that establish certainty in operating and maintaining complex networks and create massive unnecessary delays to launching 5G networks. Moreover, the government should not be in the business of “competing” with private industry. That’s the business model of China and Russia, not the United States. 
  • The top Democrat on the Senate Intelligence Committee wrote Facebook, Twitter, and Google, urging the companies “to implement robust accountability and transparency standards ahead of the November election, including requirements outlined in the Honest Ads Act…to help prevent foreign interference in elections and improve the transparency of online political advertisements” according to his press release. Senator Mark Warner (D-VA) asserted that “[i]n individual letters to Facebook, Google, and Twitter, [he] detailed the various ways in which each company continues to contribute to the spread of disinformation, viral misinformation, and voter suppression efforts.” Warner “also warned about the imminent risk of bad actors once again weaponizing American-bred social media tools to undermine democracy ahead of the November election, and urged each company to take proactive measures to safeguard against these efforts.” Warner specified:
    • In his letter to Facebook, [he] criticized the platform’s efforts to label manipulated or synthetic content, describing these as “wholly inadequate.” He also raised alarm with instances of Facebook’s amplification of harmful content.
    • Similarly, in a letter to Google, [he] raised concern with the company’s efforts to combat harmful misinformation – particularly disinformation about voting, spread by right-leaning YouTube channels. He also criticized the comprehensiveness of Google’s ad archive, which presently excludes issue ads.
    • In his letter to Twitter, which has banned paid political content and placed restrictions on cause-based advertising, [he] noted that doctored political content continues to spread organically without adequate labeling that slows its spread or contextualizes it for users.
  • Representative Lauren Underwood (D-IL), the new Chair of the House Homeland Security Committee’s Cybersecurity, Infrastructure Protection, and Innovation Subcommittee, wrote Facebook, Twitter, and YouTube, urging them “to address ongoing reports of election-related disinformation targeting Black voters on their platforms” per her press release. She argued “[d]uring the 2016 election, social media platforms were used by malicious actors attempting to silence Black voters and sow racial division…[and] [f]our years later, social media companies have made too little progress toward containing this growing threat.” Underwood “requested information on the steps the companies are taking to prevent voter suppression, interference, and disinformation targeting Black voters.”

Further Reading

  • “Judge Orders Twitter To Unmask FBI Impersonator Who Set Off Seth Rich Conspiracy” By Bobby Allyn — NPR. A magistrate judge in California denied Twitter’s motion to quash a subpoena in order to not reveal the account information of an anonymous user who spread lies about deceased Democratic National Committee staffer Seth Rich and his family regarding the Russian Federation’s interference in the 2016 election.
  • “Justices wary of upending tech industry in Google v. Oracle Supreme Court fight” By Tucker Higgins — CNBC. This week, the Supreme Court of the United States heard oral arguments in the decade-long legal war between Google and Oracle arising from the latter’s claim that the former infringed its ownership rights by using roughly 11,500 lines of code to create its Android operating system from an application programming interface developed by Sun Microsystems, a company bought by Oracle. This case could have huge ramifications for the technology industry if Oracle wins because it could make the development of new products and services much harder.
  • “Facebook to temporarily halt political ads in U.S. after polls close Nov. 3, broadening earlier restrictions” By Elizabeth Dwoskin — The Washington Post. In its newest announcement, Facebook said it will not accept political or issues advertising in the week after election day. This effort is the latest measure the platform has announced to address misinformation and disinformation. Facebook will also label efforts of candidates to claim an election has been decided if it, in fact, has not been. The platform will also remove posts that aim to intimidate voters or suppress the voting turnout.
  • “Leaked: Confidential Amazon memo reveals new software to track unions” By Jason Del Rey and Shirin Ghaffary — recode. The tech giant is turning its data collection and analysis capabilities on its workforce in an effort to prevent unionizing at the United States’ (U.S.) second largest employer.
  • “QAnon High Priest Was Just Trolling Away as a Citigroup Tech Executive” By William Turton and Joshua Brustein — Bloomberg. The fascinating if not horrifying story of how a seemingly well-to-do, mild-mannered tech specialist became one of the key figures in the QAnon conspiracy.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Image by John Mounsey from Pixabay

Further Reading, Other Developments, and Coming Events (6 October)

Coming Events

  • The United States’ Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) announced that its third annual National Cybersecurity Summit “will be held virtually as a series of webinars every Wednesday for four weeks beginning September 16 and ending October 7:”
    • October 7: Defending our Democracy
    • One can register for the event here.
  • The European Union Agency for Cybersecurity (ENISA), Europol’s European Cybercrime Centre (EC3) and the Computer Emergency Response Team for the EU Institutions, Bodies and Agencies (CERT-EU) will hold the 4th annual IoT Security Conference series “to raise awareness on the security challenges facing the Internet of Things (IoT) ecosystem across the European Union:”
    • Operational IoT – 7 October at 15:00 to 16:30 CET
    • Artificial Intelligence – 14 October at 15:00 to 16:30 CET
    • Supply Chain for IoT – 21 October at 15:00 to 16:30 CET
  • The Federal Communications Commission (FCC) will hold an open commission meeting on 27 October, but the agenda has not yet been announced.
  • On October 29, the Federal Trade Commission (FTC) will hold a seminar titled “Green Lights & Red Flags: FTC Rules of the Road for Business workshop” that “will bring together Ohio business owners and marketing executives with national and state legal experts to provide practical insights to business and legal professionals about how established consumer protection principles apply in today’s fast-paced marketplace.”

Other Developments

  • The Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) announced that a “malicious cyber actor” had penetrated an unnamed federal agency and “implanted sophisticated malware—including multi-stage malware that evaded the affected agency’s anti-malware protection—and gained persistent access through two reverse Socket Secure (SOCKS) proxies that exploited weaknesses in the agency’s firewall.” Since CISA said it became aware of the penetration via EINSTEIN, it is likely a civilian agency that was compromised. The actor used “compromised credentials” to get into the agency, but “CISA analysts were not able to determine how the cyber threat actor initially obtained the credentials.” It is not clear whether this is a nation state or sophisticated hackers working independently.
    • It should be noted that last month, the Department of Veterans Affairs (VA) revealed it had been breached and “the personal information of approximately 46,000 Veterans” has been compromised. This announcement came the same day as an advisory issued by CISA that Chinese Ministry of State Security (MSS)-affiliated cyber threat actors have been targeting and possibly penetrating United States (U.S.) agency networks. 
  • Senators Ron Wyden (D-OR) and Jeff Merkley (D-OR) and Representatives Earl Blumenauer (D-OR) and Suzanne Bonamici (D-OR) wrote the Department of Homeland Security (DHS) regarding a report in The Nation alleging the DHS and Department of Justice (DOJ) surveilled the phones of protestors in Portland, Oregon in possible violation of United States (U.S.) law. These Members asked DHS to respond to the following questions by October 9:
    • During a July 23, 2020, briefing for Senate intelligence committee staff, Brian Murphy, then the Acting Under Secretary for Intelligence and Analysis (I&A) stated that DHS I&A had neither collected nor exploited or analyzed information obtained from the devices or accounts of protesters or detainees. On July 31, 2020, Senator Wyden and six other Senators on the Senate Select Committee on Intelligence wrote to Mr. Murphy to confirm the statement he had made to committee staff. DHS has yet to respond to that letter. Please confirm whether or not Mr. Murphy’s statement during the July 23, 2020, briefing was accurate at the time, and if it is still accurate.
    • Has DHS, whether directly, or with the assistance of any other government agency, obtained or analyzed data collected through the surveillance of protesters’ phones, including tracking their locations or intercepting communications content or metadata? If yes, for each phone that was surveilled, did the government obtain prior authorization from a judge before conducting this surveillance?
    • Has DHS used commercial data sources, including open source intelligence products, to investigate, identify, or track protesters or conduct network analysis? If yes, please identify each commercial data source used by DHS, describe the information DHS obtained, how DHS used it, whether it was subsequently shared with any other government agency, and whether DHS sought and obtained authorization from a court before querying the data source.
  • The National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST) has published for comment the “Securing Data Integrity Against Ransomware Attacks: Using the NIST Cybersecurity Framework and NIST Cybersecurity Practice Guides” that “provides an overview of [NCCoE and NIST’s] Data Integrity projects…a high-level explanation of the architecture and capabilities, and how these projects can be brought together into one comprehensive data integrity solution…[that] can then be integrated into a larger security picture to address all of an organization’s data security needs.” Comments are due by 13 November. NCCoE and NIST explained:
    • This guide is designed for organizations that are not currently experiencing a loss of data integrity event (ransomware or otherwise). This document prepares an organization to adequately address future data integrity events. For information on dealing with a current attack, please explore guidance from organizations like the Federal Bureau of Investigation, the United States Secret Service, or other pertinent groups or government bodies.
    • Successful ransomware impacts data’s integrity, yet ransomware is just one of many potential vectors through which an organization could suffer a loss of data integrity. Integrity is part of the CIA security triad which encompasses Confidentiality, Integrity, and Availability. As the CIA triad is applied to data security, data integrity is defined as “the property that data has not been changed, destroyed, or lost in an unauthorized or accidental manner.” An attack against data integrity can cause corruption, modification, and/or destruction of the data which ultimately results in a loss in trust in the data.
  • As referenced in media reports, Graphika released a report on a newly discovered Russian disinformation effort that led to the creation and propagation of propaganda to appeal to the right wing in the United States (U.S.). In “Step into My Parler: Suspected Russian Operation Targeted Far-Right American Users on Platforms Including Gab and Parler, Resembled Recent IRA-Linked Operation that Targeted Progressives,” Graphika explained:
    • Russian operators ran a far-right website and social media accounts that targeted American users with pro-Trump and anti-Biden messaging, according to information from Reuters and Graphika’s investigation. This included the first known Russian activity on the platforms Gab and Parler. The operation appeared connected to a recent Russian website that targeted progressives in America with anti-Biden messaging.
    • The far-right “Newsroom for American and European Based Citizens,” naebc[.]com, pushed the opposite end of the political spectrum from the ostensibly progressive PeaceData site, but the two assets showed such a strong family resemblance that they appear to be two halves of the same operation. Both ran fake editorial personas whose profile pictures were generated by artificial intelligence; both claimed to be young news outlets based in Europe; both made language errors consistent with Russian speakers; both tried to hire freelance writers to provide their content; and, oddly enough, both had names that translate to obscenities in Russian.
    • Reuters first tipped Graphika off to the existence of the NAEBC website and its likely relationship to PeaceData. U.S. law enforcement originally alerted the social media platforms to the existence of PeaceData. On September 1, Facebook attributed PeaceData to “individuals associated with past activity by the Russian Internet Research Agency (IRA).” Twitter attributed it to Russian state actors. Social media platforms (Facebook, Twitter, LinkedIn) have taken similar action to stop activity related to NAEBC on their platforms. To date, Parler and Gab have not taken action on their platforms.
  • The Cybersecurity and Infrastructure Security Agency (CISA) and Multi-State Information Sharing and Analysis Center (MS-ISAC) issued a joint Ransomware Guide “meant to be a one-stop resource for stakeholders on how to be proactive and prevent these attacks from happening and also a detailed approach on how to respond to an attack and best resolve the cyber incident.” The organizations explained:
    • First, the guide focuses on best practices for ransomware prevention, detailing practices that organizations should continuously do to help manage the risk posed by ransomware and other cyber threats. It is intended to enable forward-leaning actions to successfully thwart and confront malicious cyber activity associated with ransomware. Some of the several CISA and MS-ISAC preventive services that are listed are Malicious Domain Blocking and Reporting, regional CISA Cybersecurity Advisors, Phishing Campaign Assessment, and MS-ISAC Security Primers on ransomware variants such as Ryuk.
    • The second part of this guide, response best practices and services, is divided up into three sections: (1) Detection and Analysis, (2) Containment and Eradication, and (3) Recovery and Post-Incident Activity. One of the unique aspects that will significantly help an organization’s leadership as well as IT professional with response is a comprehensive, step-by-step checklist. With many technical details on response actions and lists of CISA and MS-ISAC services available to the incident response team, this part of the guide can enable a methodical, measured and properly managed approach.  
  • The Government Accountability Office (GAO) released a guide on best practices for agile software development for federal agencies and contracting officers. The GAO stated:
    • The federal government spends at least $90 billion annually on information technology (IT) investments. In our January 2019 High Risk List report, GAO reported on 35 high risk areas, including the management of IT acquisitions and operations. While the executive branch has undertaken numerous initiatives to help agencies better manage their IT investments, these programs frequently fail or incur cost overruns and schedule slippages while contributing little to mission-related outcomes.
    • GAO has found that the Office of Management and Budget (OMB) continues to demonstrate its leadership commitment by issuing guidance for covered departments and agencies to implement statutory provisions commonly referred to as Federal Information Technology Acquisition Reform Act (FITARA.) However, application of FITARA at federal agencies has not been fully implemented. For example, as we stated in the 2019 High Risk report, none of the 24 major federal agencies had IT management policies that fully addressed the roles of their Chief Information Officers (CIO) consistent with federal laws and guidance.
    • This Agile Guide is intended to address generally accepted best practices for Agile adoption, execution, and control. In this guide, we use the term best practice to be consistent with the use of the term in GAO’s series of best practices guides.

Further Reading

  • “GOP lawmaker: Democrats’ tech proposals will include ‘non-starters for conservatives’” By Cristiano Lima — Politico. Representative Ken Buck (R-CO) is quoted extensively in this article about Republican concerns that the House Judiciary Committee’s antitrust recommendations may include policy changes he and other GOP Members of the committee will not be able to go along with. Things like banning mandatory arbitration clauses and changing evidentiary burdens (i.e. rolling back court decisions that have made antitrust actions harder to mount) are not acceptable to Republicans who apparently agree in the main that large technology companies do indeed have too much market power. Interestingly, Buck and others think the solution is more resources for the Department of Justice and the Federal Trade Commission (FTC), which is rapidly becoming a favored policy prescription for federal privacy legislation, too. However, even with a massive infusion of funding, the agencies could not act in all cases, and, in any event, would need to contend with a more conservative federal judiciary unlikely to change the antitrust precedents that have reduced the ability of these agencies to take action in the first place. Nonetheless, Republicans may join the report if the recommendations are changed. Of course, the top Republican on the committee, Representative Jim Jordan (R-OH), is allegedly pressuring Republicans not to join the report.
  • “Why Is Amazon Tracking Opioid Use All Over the United States?” By Lauren Kaori Gurley — Motherboard. The online shopping giant is apparently tracking a range of data related to opioid usage for reasons that are not entirely clear. To be fair, the company tracks all sorts of data.
  • “As QAnon grew, Facebook and Twitter missed years of warning signs about the conspiracy theory’s violent nature” By Craig Timberg and Elizabeth Dwoskin — The Washington Post. This article traces the history of how Facebook and Twitter opted not to act against QAnon while other platforms like Reddit did, quite possibly contributing to the rise and reach of the conspiracy. However, they were afraid of angering some on the right wing given the overlap between some QAnon supporters and some Trump supporters.
  • “Democratic Party leaders are ‘banging their head against the wall’ after private meetings with Facebook on election misinformation” By Shirin Ghaffary — recode. Democratic officials who have been on calls with Facebook officials are saying the platform is not doing enough to combat disinformation and lies about the election. Facebook, of course, disputes this assessment. Democratic officials are especially concerned about the period between election day and when results are announced and think Facebook is not ready to handle the predicted wave of disinformation.


Photo by Bermix Studio on Unsplash