Further Reading, Other Developments, and Coming Events (18 November)

Further Reading

  • Trump fires top DHS official who refuted his claims that the election was rigged” By Ellen Nakashima and Nick Miroff — The Washington Post. As rumored, President Donald Trump has decapitated the United States’ (U.S.) Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). Director Christopher Krebs was fired via Twitter, after he had endorsed a letter by 59 experts on election security who said there was no fraud in the election. Trump tweeted: “The recent statement by Chris Krebs on the security of the 2020 Election was highly inaccurate, in that there were massive improprieties and fraud — including dead people voting, Poll Watchers not allowed into polling locations, ‘glitches’ in the voting machines which changed votes from Trump to Biden, late voting, and many more. Therefore, effective immediately, Chris Krebs has been terminated as Director of the Cybersecurity and Infrastructure Security Agency.” Of course, the statement CISA cosigned and issued last week asserting there was no evidence of fraud or wrongdoing in the election probably did not help his prospects. Additionally, CISA Deputy Director Matthew Travis was essentially forced out when he was informed the normal succession plan would be ignored and he would not become the acting head of CISA. A CISA senior civil servant, Brandon Wales, will helm the agency in an acting basis. Last week, CISA’s Assistant Director for Cybersecurity Bryan Ware was forced out.
  • NSA Spied On Denmark As It Chose Its Future Fighter Aircraft: Report” By Thomas Newdick — The Drive. A Danish media outlet is claiming the United States U.S. National Security Agency (NSA) spied Denmark’s Ministry of Finance, the Ministry of Foreign Affairs, and the defense firm Terma in order to help Lockheed Martin’s bid to sell F-35 Joint Strike Fighters to Denmark. Eurofighter GmbH and Saab were offering their Typhoon and Gripen fighters to replace Denmark’s F-16s. Reportedly, the NSA used an existing arrangement with Denmark to obtain information from a program allowing the NSA access to fiber optics cables in the country. It is likely Denmark did not have such surveillance in mind when it struck this agreement with the U.S. Two whistleblowers reports have been filed with the Forsvarets Efterretningstjeneste (FE), Denmark’s Defense Intelligence Service, and there are allegations that the U.S. surveillance was illegal. However, the surveillance appears not to have influenced the Danish government, which opted for the F-35. Earlier this year, there were allegations the FE was improperly sharing Danish cables containing information on Danish citizens improperly.
  • Facebook Knows That Adding Labels To Trump’s False Claims Does Little To Stop Their Spread” By Craig Silverman and Ryan Mac — BuzzFeed News. These reporters must know half of Facebook’s staff because they always see what is going on internally with the company. In this latest scoop, they say they have seen internal numbers showing that labeling President Donald Trump’s false tweets have done little to slow their spread. In fact, labelling may only slow their spread by 8%. This outcome is contrary to a practice Facebook employed in 2017 under which fact checkers would label untrue posts as false. This reduced their virality by 80%.
  • Apple Halves Its App Store Fee for the Smaller Companies” By Jack Nicas — The New York Times. The holiday spirit must already be afoot in Cupertino, California, for small app developers will now only pay Apple 15% of in-app purchases for the privilege of being in the App Store. Of course, this decision has nothing to do with the antitrust pressure the company is facing in the European Union and United States (U.S.) and will have very little impact on their bottom line since app developers with less than $1 million in revenue (i.e., those entitled to a reduction) account for 2% of App Store revenue. It does give Apple leadership and executive some great talking points when pressed by antitrust investigators, legislators, and the media.
  • Inside the behind-the-scenes fight to convince Joe Biden about Silicon Valley” By Theodore Schleifer — recode. The jockeying among factions in the Democratic party and other stakeholders is fierce and will only grow fiercer when it comes to who will serve where in a Biden Administration. Silicon Valley and those who would reform tech are fighting to get people amenable to their policy goals placed in the new Administration. President-elect Joe Biden and his campaign were ambiguous on many tech policy issues and have flexibility which has been further helped by appointing people respected in both camps like new White House Chief of Staff Ron Klain.
  • Group of 165 Google critics calls for swift EU antitrust action – letter” By Foo Yun Chee — Reuters. A wide-ranging group of companies and industry associations are urging the European Union to investigate and punish what they see as Google’s anti-competitive dominance of online search engines, especially the One Box that now appears at the top of search results that points people to Google sites and products.

Other Developments

  • The European Union (EU) announced a revision of its export control process for allowing the export of dual use items, including cyber surveillance tools. The European Commission (EC) asserted “[t]hanks to the new Regulation, the EU can now effectively protect its interests and values and, in particular, address the risk of violations of human rights associated with trade in cyber-surveillance technologies without prior agreement at multilateral level…[and] also enhances the EU’s capacity to control trade flows in sensitive new and emerging technologies. The EC explained “[t]he new Regulation includes many of the Commission proposals for a comprehensive “system upgrade”, and will make the existing EU Export control system more effective by:
    • introducing a novel ‘human security’ dimension so the EU can respond to the challenges posed by emerging dual-use technologies – especially cyber-surveillance technologies – that pose a risk to national and international security, including protecting human rights;
    • updating key notions and definitions (e.g. definition of an “exporter” to apply to natural persons and researchers involved in dual-use technology transfers);
    • simplifying and harmonising licensing procedures and allowing the Commission to amend – by ‘simplified’ procedure, i.e. delegated act – the list of items or destinations subject to specific forms of control, thereby making the export control system more agile and able to evolve and adjust to circumstances;
    • enhancing information-exchange between licensing authorities and the Commission with a view to increasing transparency of licensing decisions;
    • coordination of, and support for, robust enforcement of controls, including enhancing secure electronic information-exchange between licensing and enforcement agencies;
    • developing an EU capacity-building and training programme for Member States’ licensing and enforcement authorities;
    • outreach to industry and transparency with stakeholders, developing a structured relationship with the private sector through specific consultations of stakeholders by the relevant Commission group of Member-State experts, and;
    • setting up a dialogue with third countries and seeking a level playing field at global level.
    • The European Parliament contended:
      • The reviewed rules, agreed by Parliament and Council negotiators, govern the export of so-called dual use goods, software and technology – for example, high-performance computers, drones and certain chemicals – with civilian applications that might be repurposed to be used in ways which violate human rights.
      • The current update, made necessary by technological developments and growing security risks, includes new criteria to grant or reject export licenses for certain items.
      • The Parliament added its negotiators
        • got agreement on setting up an EU-wide regime to control cyber-surveillance items that are not listed as dual-use items in international regimes, in the interest of protecting human rights and political freedoms;
        • strengthened member states’ public reporting obligations on export controls, so far patchy, to make the cyber-surveillance sector in particular more transparent;
        • increased the importance of human rights as licensing criterion; and
        • agreed on rules to swiftly include emerging technologies in the regulation.
  • The United States House of Representatives passed three technology bills by voice vote yesterday. Two of these bills would address in different ways the United States’ (U.S.) efforts to make up ground on the People’s Republic of China in the race to roll out 5G networks. It is possible but not foreseeable whether the Senate will take up these bills before year’s end and send them to the White House. It is possible given how discrete the bills are in scope. The House Energy and Commerce Committee provided these summaries:
    • The “Utilizing Strategic Allied (USA) Telecommunications Act of 2020” (H.R.6624) creates a new grant program through the National Telecommunications and Information Administration (NTIA) to promote technology that enhances supply chain security and market competitiveness in wireless communications networks.
      • One of the bill’s sponsors, House Energy and Commerce Committee Chair Frank Pallone Jr (D-NJ) stated:
        • Earlier this year, the House passed, and the President signed, my Secure and Trusted Communications Networks Act to create a program to fund the replacement of suspect network equipment. Suspect equipment, including that produced by Huawei and ZTE, could allow foreign adversaries to surveil Americans at home or, worse, disrupt our communications systems.
        • While we are still pushing for Congress to appropriate funds to that end, it is important to recognize that my legislation was only half the battle, even when it is funded. We also need to create and foster competition for trusted network equipment that uses open interfaces so that the United States is not beholden to a market for network equipment that is becoming less competitive. This bill before us today, the Utilizing Strategic Allied Telecommunications Act, or the USA Telecommunications Act, does just that.
        • The bipartisan legislation creates a grant program and authorizes $750 million in funding for the National Telecommunications and Information Administration to help promote and deploy Open Radio Access Network technologies that can spur that type of competition. We must support alternatives to companies like Huawei and ZTE…
    • The “Spectrum IT Modernization Act of 2020” (H.R.7310) requires NTIA – in consultation with the Policy and Plans Steering Group – to submit to Congress a report on its plans to modernize agency information technology systems relating to managing the use of federal spectrum. 
      • A sponsor of the bill, House Energy and Commerce Committee Ranking Member Greg Walden (R-OR) explained:
      • H.R. 7310 would require NTIA to establish a process to upgrade their spectrum management infrastructure for the 21st century. The bill would direct the policy coordination arm of NTIA to submit a plan to Congress as to how they will standardize the data collection across agencies and then directs agencies with Federal spectrum assignments from NTIA to issue an implementation plan to interoperate with NTIA’s plan.
      • This is a good-government bill–it really is–and with continued support and oversight from Congress, we can continue the United States’ leadership in making Federal spectrum available for flexible use by the private sector.
    • The “Reliable Emergency Alert Distribution Improvement (READI) Act of 2020” (H.R.6096) amends the Warning, Alert, and Response Network Act to classify emergency alerts from the Federal Emergency Management Agency as a type of alert that commercial mobile service providers may not allow subscribers to block from their devices. The bill also directs the Federal Communications Commission (FCC) to adopt regulations to facilitate coordination with State Emergency Communications Committees in developing and modernizing State Emergency Alert System plans. Finally, the READI Act directs the FCC to examine the feasibility of modernizing the Emergency Alert System by expanding alert distribution to the internet and streaming services.  
  • The same privacy activists that brought the suits that resulted in the striking down of the Safe Harbor and Privacy Shield agreements have filed complaints in Spain and Germany that Apple has violated the European Union’s (EU) e-Privacy Directive and laws in each nation through its use of IDFA (Apple’s Identifier for Advertisers). Because the General Data Protection Regulation (GDPR) is not the grounds for the complaints, each nation could act without needing to consult other EU nations. Moreover, a similar system used by Google is also being investigated for possible violations. The group none of your business (noyb) asserted:
    • IDFA – the cookie in every iPhone user’s pocket. Each iPhone runs on Apple’s iOS operating system. By default, iOS automatically generates a unique “IDFA” (short for Identifier for Advertisers) for each iPhone. Just like a license plate this unique string of numbers and characters allows Apple and other third parties to identify users across applications and even connect online and mobile behaviour (“cross device tracking”).
    • Tracking without user consent. Apple’s operating system creates the IDFA without user’s knowledge or consent. After its creation, Apple and third parties (e.g. applications providers and advertisers) can access the IDFA to track users’ behaviour, elaborate consumption preferences and provide personalised advertising. Such tracking is strictly regulated by the EU “Cookie Law” (Article 5(3) of the e-Privacy Directive) and requires the users’ informed and unambiguous consent.
    • Insufficient “improvement” on third-party access. Recently Apple announced plans for future changes to the IDFA system. These changes seem to restrict the use of the IDFA for third parties (but not for Apple itself). Just like when an app requests access to the camera or microphone, the plans foresee a new dialog that asks the user if an app should be able to access the IDFA. However, the initial storage of the IDFA and Apple’s use of it will still be done without the users’ consent and therefore in breach of EU law. It is unclear when and if these changes will be implemented by the company.
    • No need for EU cooperation. As the complaint is based on Article 5(3) of the e-Privacy Directive and not the GDPR, the Spanish and German authorities can directly fine Apple, without the need for cooperation among EU Data Protection Authorities as under GDPR.
  • The Federal Trade Commission (FTC) Chair made remarks at antitrust conference on how antitrust law should view “an acquisition of a nascent competitive threat by a monopolist when there is reason to think that the state of competition today may not tell the whole story.” Chair Joseph Simons views are timely for a number of reasons, particularly the extent to which large technology firms have sought and bought smaller, newer companies. Obviously, the acquisitions of WhatsApp and Instagram by Facebook and YouTube and AdSense by Google come to mind as the sorts of acquisitions United States (U.S.) regulators approved, possibly without much thought given to what a future market may look like for competition if the larger, dominant company is allowed to proceed. Simons suggested regulators and courts would be wise to give this aspect of antitrust mush more thought, which could theoretically inform the approach the Biden Department of Justice and FTC take. Simons stated:
    • And if firms are looking to the future, then antitrust enforcers should too. We must be willing and able to recognize that harm to competition might not be obvious from looking at the marketplace as it stands. If we confine ourselves to examining a static picture of the market at the moment we investigate a practice or transaction, without regard to the dynamic business realities at work, then we risk forfeiting the benefits of competition that could arise in the future to challenge the dominant firm, even when this future competition is to some extent uncertain.
    • Simons asserted:
      • A merger or acquisition can of course constitute anticompetitive conduct for purposes of Section 2 [of the Sherman Act]
      • From a competition perspective, a monopolist can “squash” a nascent competitor by buying it, not just by targeting it with anticompetitive actions as Microsoft did. In fact, from the monopolist’s perspective, it may be easier and more effective to buy the nascent threat (even if only to keep it out of the hands of others) than to target it with other types of anticompetitive conduct.
      • A central issue in potential competition cases is the nature and strength of evidence that the parties will become actual competitors in the future. Some cases have applied Section 7 [of the Clayton Act] narrowly in this context: too narrowly, I think, given that the purpose of Section 7 is to prohibit acquisitions that “may” substantially lessen competition or “tend” to create a monopoly.
    • Simons concluded:
      • But uncertainty has always been a feature of the competitive process, even in markets that appear to be simple or traditional, and dealing with uncertainty is all in a day’s work for an antitrust enforcer. I have referred to the Microsoft case repeatedly today, so, in closing, let me remind everyone that there was some uncertainty about the future in Microsoft as well. The court, in holding that the plaintiff does not and should not bear the burden of “reconstruct[ing] a product’s hypothetical development,” observed that the defendant should appropriately be “made to suffer the uncertain consequences of its own undesirable conduct.” The same holds when the monopolist has simply chosen to acquire the threat.
  • The National Institute of Standards and Technology’s (NIST) National Initiative for Cybersecurity Education (NICE) revised the Workforce Framework for Cybersecurity (NICE Framework) that “improves communications about how to identify, recruit, develop, and retain cybersecurity talent ­ – offering a common, consistent lexicon that categorizes and describes cybersecurity work.” NIST explained:
    • The NICE Framework assists organizations with managing cybersecurity risks by providing a way to discuss the work and learners associated with cybersecurity. These cybersecurity risks are an important input into enterprise risk decisions as described in NIST Interagency Report 8286, Integrating Cybersecurity and Enterprise Risk Management (ERM).
    • NIST stated “[r]evisions to the NICE Framework (NIST Special Publication 800-181) provide:
      • A streamlined set of “building blocks” comprised of Task, Knowledge, and Skill Statements;
      • The introduction of Competencies as a mechanism for organizations to assess learners; and
      • A reference to artifacts, such as Work Roles and Knowledge Skills and Abilities statements, that will live outside of the publication to enable a more fluid update process.
  • A left center think tank published a report on how the United States (U.S.) and likeminded nations can better fight cybercrime. In the report addressed to President-elect Joe Biden and Vice President-elect Kamala Harris, the Third Way presented the results of a “multiyear effort to define concrete steps to improve the government’s ability to tackle the scourge of cybercrime by better identifying unlawful perpetrators and imposing meaningful consequences on them and those behind their actions.” In “A Roadmap to Strengthen US Cyber Enforcement: Where Do We Go From Here?,” the Third Way made a list of detailed recommendations on how the Biden Administration could better fight cybercrime, but in the cover letter to the report, there was a high level summary of these recommendations:
    • In this roadmap, we identify the challenges the US government faces in investigating and prosecuting these crimes and advancing the level of international cooperation necessary to do so. Cyberattackers take great pains to hide their identity, using sophisticated tools that require technical investigative and forensic expertise to attribute the attacks. The attacks are often done at scale, where perpetrators prey on multiple victims across many jurisdictions and countries, requiring coordination across criminal justice agencies. The skills necessary to investigate these crimes are in high demand in the private sector, making it difficult to retain qualified personnel. A number of diplomatic barriers make cross-border cooperation difficult, a challenge exacerbated often by blurred lines line between state and non-state actors in perpetrating these crimes.
    • This roadmap recommends actions that your administration can take to develop a comprehensive strategy to reduce cybercrime and minimize its impact on the American people by identifying the perpetrators and imposing meaningful consequences on them. We propose you make clear at the outset to the American public and global partners that cyber enforcement will be a top priority for your administration. In reinstating a White House cybersecurity position, we have extensive recommendations on how that position should address cybercrime. And, to make policy from an intelligence baseline, we believe you should request a National Intelligence Estimate on the linkages between cybercrime and nation-state cyber actors to understand the scope of the problem.
    • Our law enforcement working group has detailed recommendations to improve and modernize law enforcement’s ability to track and respond to cybercrime. And our global cooperation working group has detailed recommendations on creating a cohesive international cyber engagement strategy; assessing and improving the capacity of foreign partners on cybercrime; and improving the process for cross-border data requests that are critical to solving these crimes. We believe that with these recommendations, you can make substantial strides in bringing cybercriminals to justice and deterring future cybercriminals from victimizing Americans.

Coming Events

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Further Reading, Other Developments, and Coming Events (11 November)

Further Reading

  • ICE, IRS Explored Using Hacking Tools, New Documents Show” By Joseph Cox — Vice. Federal agencies other than the Federal Bureau of Investigation (FBI) and the Intelligence Community (IC) appear to be interesting in utilizing some of the capabilities offered by the private sector to access devices or networks in the name of investigating cases.
  • China’s tech industry relieved by Biden win – but not relaxed” By Josh Horwitz and Yingzhi Yang — Reuters. While a Biden Administration will almost certainly lower the temperature between Beijing and Washington, the People’s Republic of China is intent on addressing the pressure points used by the Trump Administration to inflict pain on its technology industry.
  • Trump Broke the Internet. Can Joe Biden Fix It?” By Gilad Edelman — WIRED. This piece provides a view of the waterfront in technology policy under a Biden Administration.
  • YouTube is awash with election misinformation — and it isn’t taking it down” By Rebecca Heilweil — Recode. For unexplained reasons, YouTube seems to have avoided the scrutiny facing Facebook and Twitter on their content moderation policies. Whether the lack of scrutiny is a reason is not clear, but the Google owned platform had much more election-related misinformation than the other social media platforms.
  • Frustrated by internet service providers, cities and schools push for more data” By Cyrus Farivar — NBC News. Internet service providers are not helping cities and states identify families eligible for low-cost internet to help children attend school virtually. They have claimed these data are proprietary, so jurisdictions have gotten creative about identifying such families.

Other Developments

  • The Consumer Product Safety Commission’s (CPSC) Office of the Inspector General (OIG) released its annual Federal Information Security Modernization Act (FISMA) audit and found “that although management continues to make progress in implementing the FISMA requirements much work remains to be done.” More particularly, it was “determined that the CPSC has not implemented an effective information security program and practices in accordance with FISMA requirements.” The OIG asserted:
    • The CPSC information security program was not effective because the CPSC has not developed a holistic formal approach to manage information security risks or to effectively utilize information security resources to address previously identified information security deficiencies. Although the CPSC has begun to develop an Enterprise Risk Management (ERM) program to guide risk management practices at the CPSC, explicit guidance and processes to address information security risks and integrate those risks into the broader agency-wide ERM program has not been developed.
    • In addition, the CPSC has not leveraged the relevant information security risk management guidance prescribed by NIST to develop an approach to manage information security risk.
    • Further, as asserted by CPSC personnel, the CPSC has limited resources to operate the information security program and to address the extensive FISMA requirements and related complex cybersecurity challenges.
    • Therefore, the CPSC has not dedicated the resources necessary to fully address these challenges and requirements. The CPSC began addressing previously identified information security deficiencies but was not able to address all deficiencies in FY 2020.
  • The United States (U.S.) Department of Justice (DOJ) announced the seizure of 27 websites allegedly used by Iran’s Islamic Revolutionary Guard Corps (IRGC) “to further a global covert influence campaign…in violation of U.S. sanctions targeting both the Government of Iran and the IRGC.” The DOJ contended:
    • Four of the domains purported to be genuine news outlets but were actually controlled by the IRGC and targeted audiences in the United States, to covertly influence United States policy and public opinion, in violation of the Foreign Agents Registration Act (FARA). The remainder targeted audiences in other parts of the world.  This seizure warrant follows an earlier seizure of 92 domains used by the IRGC for similar purposes.
  • The United Nations (UN) Special Rapporteur on the right to privacy Joseph Cannataci issued his annual report that “constitutes  a  preliminary  assessment  as  the  evidence  base required to reach definitive conclusions on whether privacy-intrusive, anti-COVID-19 measures are necessary and proportionate in a democratic society is not yet available.” Cannataci added “[a] more definitive report is planned for mid-2021, when 16 months of evidence will be available to allow a more accurate assessment.” He “addresse[d]  two  particular  aspects  of  the impact of COVID-19 on the right to privacy: data protection and surveillance.” The Special Rapporteur noted:
    • While the COVID-19 pandemic has generated much debate about the value of contact tracing and reliance upon technology that track citizens and those they encounter, the use of information and technology is not new in managing public health emergencies. What is concerning in some States are reports of how technology is being used and the degree of intrusion and control being exerted over citizens –possibly to little public health effect.
    • The Special Rapporteur concluded:
      • It is far too early to assess definitively whether some COVID-19-related measures might be unnecessary or disproportionate. The Special Rapporteur will continue to monitor the impact of surveillance in epidemiology on the right to privacy and report to the General Assembly in 2021. The main privacy risk lies in the use of non-consensual methods, such as those outlined in the section on hybrid systems of surveillance, which could result in function creep and be used for other purposes that may be privacy intrusive.
      • Intensive and omnipresent technological surveillance is not the panacea for pandemic situations such as COVID-19. This has been especially driven home by those countries in which the use of conventional contact-tracing methods, without recourse to smartphone applications, geolocation or other technologies, has proven to be most effective in countering the spread of COVID-19.
      • If a State decides that technological surveillance is necessary as a response to the global COVID-19 pandemic, it must make sure that, after proving both the necessity and proportionality of the specific measure, it has a law that explicitly provides for such surveillance measures (as in the example of Israel).
      • A State wishing to introduce a surveillance measure for COVID-19 purposes, should not be able to rely on a generic provision in law, such as one stating that the head of the public health authority may “order such other action be taken as he [or she] may consider appropriate”. That does not provide explicit and specific safeguards which are made mandatory both under the provisions of Convention 108 and Convention 108+, and based on the jurisprudence of the European Court of Human Rights. Indeed, if the safeguard is not spelled out in sufficient detail, it cannot be considered an adequate safeguard.
  • The University of Toronto’s Citizen Lab issued its submission to the Government of Canada’s “public consultation on the renewal of its Responsible Business Conduct (RBC) strategy, which is intended to provide guidance to the Government of Canada and Canadian companies active abroad with respect to their business activities.” Citizen Lab addressed “Canadian technology companies and the threat they pose to human rights abroad” and noted two of its reports on Canadian companies whose technologies were used to violate human rights:
    • In 2018, the Citizen Lab released a report documenting Netsweeper installations on public IP networks in ten countries that each presented widespread human rights concerns. This research revealed that Netsweeper technology was used to block: (1) political content sites, including websites linked to political groups, opposition groups, local and foreign news, and regional human rights issues in Bahrain, Kuwait, Yemen, and UAE; (2) LGBTQ content as a result of Netsweeper’s pre-defined ‘Alternative Lifestyles’ content category, as well as Google searches for keywords relating to LGBTQ content (e.g., the words “gay” or “lesbian”) in the UAE, Bahrain, and Yemen; (3) non-pornographic websites under the mis-categorization of sites like the World Health Organization and the Center for Health and Gender Equity as “pornography”; (4) access to news reporting on the Rohingya refugee crisis and violence against Muslims from multiple news outlets for users in India; (5) Blogspot-hosted websites in Kuwait by categorizing them as “viruses” as well as a range of political content from local and foreign news and a website that monitors human rights issues in the region; and (6) websites like Date.com, Gay.com (the Los Angeles LGBT Center), Feminist.org, and others through categorizing them as “web proxies.” 
    • In 2018, the Citizen Lab released a report documenting the use of Sandvine/Procera devices to redirect users in Turkey and Syria to spyware, as well as the use of such devices to hijack the Internet users’ connections in Egypt, redirecting them to revenue-generating content. These examples highlight some of the ways in which this technology can be used for malicious purposes. The report revealed how Citizen Lab researchers identified a series of devices on the networks of Türk Telekom—a large and previously state-owned ISP in Turkey—being used to redirect requests from users in Turkey and Syria who attempted to download certain common Windows applications like antivirus software and web browsers. Through the use of Sandvine/Procera technology, these users were instead redirected to versions of those applications that contained hidden malware. 
    • Citizen Lab made a number of recommendations:
      • Reform Canadian export law:  
        • Clarify that all Canadian exports are subject to the mandatory analysis set out in section 7.3(1) and section 7.4 of the Export and Import Permits Act (EIPA). 
        • Amend section 3(1) the EIPA such that the human rights risks of an exported good or technology provide an explicit basis for export control.
        • Amend the EIPA to include a ‘catch-all’ provision that subjects cyber-surveillance technology to export control, even if not listed on the Export Control List, when there is evidence that the end-use may be connected with internal repression and/or the commission of serious violations of international human rights or international humanitarian law. 
      • Implement mandatory human rights due diligence legislation:
        • Similar to the French duty of vigilance law, impose a human rights due diligence requirement on businesses such that they are required to perform human rights risk assessments, develop mitigation strategies, implement an alert system, and develop a monitoring and public reporting scheme. 
        • Ensure that the mandatory human rights due diligence legislation provides a statutory mechanism for liability where a company fails to conform with the requirements under the law. 
      • Expand and strengthen the Canadian Ombudsperson for Responsible Enterprise (CORE): 
        • Expand the CORE’s mandate to cover technology sector businesses operating abroad.
        • Expand the CORE’s investigatory mandate to include the power to compel companies and executives to produce testimony, documents, and other information for the purposes of joint and independent fact-finding.
        • Strengthen the CORE’s powers to hold companies to account for human rights violations abroad, including the power to impose fines and penalties and to impose mandatory orders.
        • Expand the CORE’s mandate to assist victims to obtain legal redress for human rights abuses. This could include the CORE helping enforce mandatory human rights due diligence requirements, imposing penalties and/or additional statutory mechanisms for redress when requirements are violated.
        • Increase the CORE’s budgetary allocations to ensure that it can carry out its mandate.
  • A week before the United States’ (U.S.) election, the White House’s Office of Science and Technology Policy (OSTP) issued a report titled “Advancing America’s Global Leadership in Science and Technology: Trump Administration Highlights from the Trump Administration’s First Term: 2017-2020,” that highlights the Administration’s purported achievements. OSTP claimed:
    • Over the past four years, President Trump and the entire Administration have taken decisive action to help the Federal Government do its part in advancing America’s global science and technology (S&T) preeminence. The policies enacted and investments made by the Administration have equipped researchers, health professionals, and many others with the tools to tackle today’s challenges, such as the COVID-19 pandemic, and have prepared the Nation for whatever the future holds.

Coming Events

  • On 17 November, the Senate Judiciary Committee will reportedly hold a hearing with Facebook CEO Mark Zuckerberg and Twitter CEO Jack Dorsey on Section 230 and how their platforms chose to restrict The New York Post article on Hunter Biden.
  • On 18 November, the Federal Communications Commission (FCC) will hold an open meeting and has released a tentative agenda:
    • Modernizing the 5.9 GHz Band. The Commission will consider a First Report and Order, Further Notice of Proposed Rulemaking, and Order of Proposed Modification that would adopt rules to repurpose 45 megahertz of spectrum in the 5.850-5.895 GHz band for unlicensed operations, retain 30 megahertz of spectrum in the 5.895-5.925 GHz band for the Intelligent Transportation Systems (ITS) service, and require the transition of the ITS radio service standard from Dedicated Short-Range Communications technology to Cellular Vehicle-to-Everything technology. (ET Docket No. 19-138)
    • Further Streamlining of Satellite Regulations. The Commission will consider a Report and Order that would streamline its satellite licensing rules by creating an optional framework for authorizing space stations and blanket-licensed earth stations through a unified license. (IB Docket No. 18-314)
    • Facilitating Next Generation Fixed-Satellite Services in the 17 GHz Band. The Commission will consider a Notice of Proposed Rulemaking that would propose to add a new allocation in the 17.3-17.8 GHz band for Fixed-Satellite Service space-to-Earth downlinks and to adopt associated technical rules. (IB Docket No. 20-330)
    • Expanding the Contribution Base for Accessible Communications Services. The Commission will consider a Notice of Proposed Rulemaking that would propose expansion of the Telecommunications Relay Services (TRS) Fund contribution base for supporting Video Relay Service (VRS) and Internet Protocol Relay Service (IP Relay) to include intrastate telecommunications revenue, as a way of strengthening the funding base for these forms of TRS and making it more equitable without increasing the size of the Fund itself. (CG Docket Nos. 03-123, 10-51, 12-38)
    • Revising Rules for Resolution of Program Carriage Complaints. The Commission will consider a Report and Order that would modify the Commission’s rules governing the resolution of program carriage disputes between video programming vendors and multichannel video programming distributors. (MB Docket Nos. 20-70, 17-105, 11-131)
    • Enforcement Bureau Action. The Commission will consider an enforcement action.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo by Brett Sayles from Pexels

Further Reading, Other Developments, and Coming Events (29 September)

Coming Events

  • The United States’ Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) announced that its third annual National Cybersecurity Summit “will be held virtually as a series of webinars every Wednesday for four weeks beginning September 16 and ending October 7:”
    • September 30: Diversity in Cybersecurity
    • October 7: Defending our Democracy
    • One can register for the event here.
  • September 30 the House Veterans’ Affairs Committee’s Technology Modernization Subcommittee will meet for an oversight hearing titled “Examining VA’s Ongoing Efforts in the Electronic Health Record Modernization Program.”
  • The Federal Communications Commission (FCC) will hold an open meeting on 30 September and has made available its agenda with these items:
    • Facilitating Shared Use in the 3.1-3.55 GHz Band. The Commission will consider a Report and Order that would remove the existing non-federal allocations from the 3.3-3.55 GHz band as an important step toward making 100 megahertz of spectrum in the 3.45-3.55 GHz band available for commercial use, including 5G, throughout the contiguous United States. The Commission will also consider a Further Notice of Proposed Rulemaking that would propose to add a co-primary, non-federal fixed and mobile (except aeronautical mobile) allocation to the 3.45-3.55 GHz band as well as service, technical, and competitive bidding rules for flexible-use licenses in the band. (WT Docket No. 19-348)
    • Expanding Access to and Investment in the 4.9 GHz Band. The Commission will consider a Sixth Report and Order that would expand access to and investment in the 4.9 GHz (4940-4990 MHz) band by providing states the opportunity to lease this spectrum to commercial entities, electric utilities, and others for both public safety and non-public safety purposes. The Commission also will consider a Seventh Further Notice of Proposed Rulemaking that would propose a new set of licensing rules and seek comment on ways to further facilitate access to and investment in the band. (WP Docket No. 07-100)
    • Improving Transparency and Timeliness of Foreign Ownership Review Process. The Commission will consider a Report and Order that would improve the timeliness and transparency of the process by which it seeks the views of Executive Branch agencies on any national security, law enforcement, foreign policy, and trade policy concerns related to certain applications filed with the Commission. (IB Docket No. 16-155)
    • Promoting Caller ID Authentication to Combat Spoofed Robocalls. The Commission will consider a Report and Order that would continue its work to implement the TRACED Act and promote the deployment of caller ID authentication technology to combat spoofed robocalls. (WC Docket No. 17-97)
    • Combating 911 Fee Diversion. The Commission will consider a Notice of Inquiry that would seek comment on ways to dissuade states and territories from diverting fees collected for 911 to other purposes. (PS Docket Nos. 20-291, 09-14)
    • Modernizing Cable Service Change Notifications. The Commission will consider a Report and Order that would modernize requirements for notices cable operators must provide subscribers and local franchising authorities. (MB Docket Nos. 19-347, 17-105)
    • Eliminating Records Requirements for Cable Operator Interests in Video Programming. The Commission will consider a Report and Order that would eliminate the requirement that cable operators maintain records in their online public inspection files regarding the nature and extent of their attributable interests in video programming services. (MB Docket No. 20-35, 17-105)
    • Reforming IP Captioned Telephone Service Rates and Service Standards. The Commission will consider a Report and Order, Order on Reconsideration, and Further Notice of Proposed Rulemaking that would set compensation rates for Internet Protocol Captioned Telephone Service (IP CTS), deny reconsideration of previously set IP CTS compensation rates, and propose service quality and performance measurement standards for captioned telephone services. (CG Docket Nos. 13-24, 03-123)
    • Enforcement Item. The Commission will consider an enforcement action.
  • On October 1, the House Judiciary Committee’s Antitrust, Commercial, and Administrative Law Subcommittee will hold a hearing as part of its series on online competition at which it may unveil its proposal on how to reform antitrust enforcement for the digital age. The hearing is titled “Proposals to Strengthen the Antitrust Laws and Restore Competition Online.”
  • On 1 October, the Senate Commerce, Science, and Transportation Committee may hold a markup to authorize subpoenas to compel the attendance of the technology CEOs for a hearing on 47 U.S.C. 230 (aka Section 230). Ranking Member Maria Cantwell (D-WA) has said:
    • Taking the extraordinary step of issuing subpoenas is an attempt to chill the efforts of these companies to remove lies, harassment, and intimidation from their platforms. I will not participate in an attempt to use the committee’s serious subpoena power for a partisan effort 40 days before an election,” indicating a vote, should one occur, may well be along party lines.
    • Nonetheless, the Committee may subpoena the following CEOs:
      • Mr. Jack Dorsey, Chief Executive Officer, Twitter
      • Mr. Sundar Pichai, Chief Executive Officer, Alphabet Inc., Google
      • Mr. Mark Zuckerberg, Chief Executive Officer, Facebook
  • The Senate Judiciary Committee will markup the “Online Content Policy Modernization Act” (S.4632), a bill to reform 47 U.S.C. 230 (aka Section 230) that provides many technology companies with protection from lawsuits for third party content posted on their platforms and for moderating and removing such content.
  • On October 1, the Senate Armed Services Committee’s Readiness and Management Support Subcommittee will hold a hearing on supply chain integrity with Under Secretary of Defense for Acquisition and Sustainment Ellen Lord testifying. Undoubtedly, implementation of the ban on Huawei, ZTE, and other People’s Republic of China (PRC) equipment and services as required by Section 889 of the “John S. McCain National Defense Authorization Act (NDAA) for FY 2019” (P.L. 115-232) will be discussed. Also, the Cybersecurity Maturity Model Certification (CMMC) program will also likely be discussed.
  • On October 29, the Federal Trade Commission (FTC) will hold a seminar titled “Green Lights & Red Flags: FTC Rules of the Road for Business workshop” that “will bring together Ohio business owners and marketing executives with national and state legal experts to provide practical insights to business and legal professionals about how established consumer protection principles apply in today’s fast-paced marketplace.”

Other Developments

  • The Senate passed an extension of the “Undertaking Spam, Spyware, And Fraud Enforcement With Enforcers beyond Borders Act of 2006” (U.S.  SAFE  WEB  Act) (H.R.4779), sending the bill to the White House. The Senate did not alter the bill the House sent to it in December. The House Energy and Commerce Committee explained in its committee report:
    • Enacted into law on December 22, 2006, the U.S. SAFE WEB Act amended the Federal Trade Commission Act (FTC Act) to improve the FTC’s ability to combat unfair or deceptive acts or practices that are international in scope. Specifically, U.S. SAFE WEB Act: (1) affirms the FTC’s cross-border enforcement authority; (2) authorizes collaboration with foreign law enforcement in the form of investigative assistance3and information sharing, provided certain statutory factors are met; (3) bolsters the FTC’s ability to receive information from foreign counterparts by allowing confidential treatment of information received; and (4) promotes relation-ship building through staff exchanges with foreign counterparts.
    • H.R. 4779 would ensure that the FTC continues to have the cross-border enforcement authority and international cooperation tools it needs to protect American consumers from unfair or deceptive acts or practices that originate abroad. This program provides a sound foundation for related issues of protecting and preserving cross-border data flows that are essential for Privacy Shield and other such agreements. Such legislation helps promote our leader ship  on  artificial  intelligence,  autonomous  vehicles,  quantum  computing, and other emerging technologies.
  • The Department of Veterans Affairs (VA) revealed it had been breached and “the personal information of approximately 46,000 Veterans” has been compromised. This announcement came the same day as an advisory issued by the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) that Chinese Ministry of State Security (MSS)-affiliated cyber threat actors have been targeting and possibly penetrating United States (U.S.) agency networks. The two events may not be linked, however. And yet, what is linked to the breach is an August VA request for information (RFI) for an entity “provide cyber security audit services support,” as confirmed by an agency spokesperson. The VA has experienced long running problems with information technology (IT) and cybersecurity as evidenced by this Government Accountability Office (GAO) testimony released a few weeks ago. In the notice of the breach, the VA explained:
    • The Financial Services Center (FSC) determined one of its online applications was accessed by unauthorized users to divert payments to community health care providers for the­ medical treatment of Veterans. The FSC took the application offline and reported the breach to VA’s Privacy Office. A preliminary review indicates these unauthorized users gained access to the application to change financial information and divert payments from VA by using social engineering techniques and exploiting authentication protocols. To prevent any future improper access to and modification of information, system access will not be reenabled until a comprehensive security review is completed by the VA Office of Information Technology. 
  • The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency issued Emergency Directive 20-04, “Mitigate Netlogon Elevation of Privilege Vulnerability from August 2020 Patch Tuesday” that directs United States’ (U.S.) agencies to act with respect to “non-national security systems,” meaning civilian agencies, to “immediately apply the Windows Server August 2020 security update to all domain controllers.” This most recent Emergency Directive follows two earlier ones this year (found here and here.)
  • The United States Department of Health and Human Services’ (HHS) Office of Civil Rights (OCR) announced a trio of enforcement actions for violations of HHS regulations on healthcare information these entities failed to properly protect. Specifically, these entities failed to meet their obligations under the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. OCR released these summaries of the actions:
    • Premera Blue Cross (PBC) has agreed to pay $6.85 million to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and to implement a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules related to a breach affecting over 10.4 million people. This resolution represents the second-largest payment to resolve a HIPAA investigation in OCR history. PBC operates in Washington and Alaska, and is the largest health plan in the Pacific Northwest, serving more than two million people.
      • On March 17, 2015, PBC filed a breach report on behalf of itself and its network of affiliates stating that cyber-attackers had gained unauthorized access to its information technology (IT) system.  The hackers used a phishing email to install malware that gave them access to PBC’s IT system in May 2014, which went undetected for nearly nine months until January 2015.  This undetected cyberattack, otherwise known as an advanced persistent threat, resulted in the disclosure of more than 10.4 million individuals’ protected health information including their names, addresses, dates of birth, email addresses, Social Security numbers, bank account information, and health plan clinical information. 
      • OCR’s investigation found systemic noncompliance with the HIPAA Rules including failure to conduct an enterprise-wide risk analysis, and failures to implement risk management, and audit controls.
    •  CHSPSC LLC, (“CHSPSC”) has agreed to pay $2,300,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and to adopt a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules related to a breach affecting over six million people.  CHSPSC provides a variety of business associate services, including IT and health information management, to hospitals and physician clinics indirectly owned by Community Health Systems, Inc., in Franklin, Tennessee.
      • In April 2014, the Federal Bureau of Investigation (FBI) notified CHSPSC that it had traced a cyberhacking group’s advanced persistent threat to CHSPSC’s information system. Despite this notice, the hackers continued to access and exfiltrate the protected health information (PHI) of 6,121,158 individuals until August 2014. The hackers used compromised administrative credentials to remotely access CHSPSC’s information system through its virtual private network. 
      • OCR ‘s investigation found longstanding, systemic noncompliance with the HIPAA Security Rule including failure to conduct a risk analysis, and failures to implement information system activity review, security incident procedures, and access controls.
    • Athens Orthopedic Clinic PA (“Athens Orthopedic”) has agreed to pay $1,500,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and to adopt a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. Athens Orthopedic is located in Georgia and provides orthopedic services to approximately 138,000 patients annually.
      • On June 26, 2016, a journalist notified Athens Orthopedic that a database of their patient records may have been posted online for sale. On June 28, 2016, a hacker contacted Athens Orthopedic and demanded money in return for a complete copy of the database it stole. Athens Orthopedic subsequently determined that the hacker used a vendor’s credentials on June 14, 2016, to access their electronic medical record system and exfiltrate patient health data. The hacker continued to access protected health information (PHI) for over a month until July 16, 2016.
      • On July 29, 2016, Athens Orthopedic filed a breach report informing OCR that 208,557 individuals were affected by this breach, and that the PHI disclosed included patients’ names, dates of birth, social security numbers, medical procedures, test results, and health insurance information.
      • OCR’s investigation discovered longstanding, systemic noncompliance with the HIPAA Privacy and Security Rules by Athens Orthopedic including failures to conduct a risk analysis, implement risk management and audit controls, maintain HIPAA policies and procedures, secure business associate agreements with multiple business associates, and provide HIPAA Privacy Rule training to workforce members.
  • The Department of the Treasury published a final rule that changes the Committee on Foreign Investment in the United States (CFIUS) regulations with respect to mandatory filings for future deals in which foreign companies are investing in United States (U.S.) firms producing “critical technologies.” Previously, the trigger was if there was a nexus between the U.S. entity and certain industries. But now, the filing requirement will be triggered if “certain U.S. government authorizations would be required to export, reexport, transfer (in-country), or retransfer the critical technology or technologies produced, designed, tested, manufactured, fabricated, or developed by the U.S. business to certain transaction parties and foreign persons in the ownership chain.” The Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA) (P.L. 115-232) required the agency to make this, among many other changes, in the CFIUS regime. What constitutes “critical technologies” is defined in FIRRMA and includes all sorts of military, commercial items with military applications, and “emerging and foundational technologies.” The final rule also “makes amendments to the definition of the term “substantial interest” and a related provision, and makes one technical revision.”
  • The Government Accountability Office (GAO) has assessed how well the Department of the Treasury is doing in its role as the overseer of cybersecurity for the United States (U.S.) financial services industry. The GAO found Treasury’s efforts lacking, especially with respect in implementing the recommendations the GAO has previously made. The GAO concluded:
    • Increased access to financial services sector systems, combined with the potential for monetary gains and economic disruptions, poses significant information security risks to the sector’s systems and to the critical operations and infrastructures they support. The financial services sector faces several different types of cyber-related risks, including ensuring adequate security for service providers traditionally considered external to the sector, an increased interconnectivity between sector entities that could result in simpler attack vectors, and the potential introduction of malware such as ransomware through social engineering techniques, such as spear phishing, or insider access. The sector has also faced an increase in attacks from well-organized attackers with significant resources.
    • The financial services industry, including firms and sectorwide groups set up to assist firms in ensuring the cybersecurity and resilience of the sector, have undertaken a series of risk mitigation efforts, in areas such as coordination and information sharing between organizations, development of guidance and training for members, and sectorwide incident response exercises. However, industry firms also pointed to challenge areas for assistance from regulators and policymakers. The most common of these areas were improved information sharing of actionable data after a cyber incident; improved harmonization among regulators, such as minimizing differences in use of state versus national requirements; establishing clearer guidance regarding regulation of the sector’s third-party service providers; and increasing cybersecurity training to firm employees.
    •  Federal agencies are conducting risk mitigation efforts intended to support private industry in improving cybersecurity of the financial services sector. These efforts, including regular outreach by the designated financial sector-specific agency, Treasury, generally meet responsibilities laid out in policy. However, Treasury does not prioritize or track the progress of sectorwide risk mitigation efforts, and does not explicitly link sector efforts to the goals in the sector specific plan, which is the primary sector planning document. Furthermore, the plan is out of date and does not include information on how the sector plans to implement recently required efforts. The plan also does not identify ways to measure sector progress, such as explicit metrics for determining the progress of risk mitigation efforts to enhance the cybersecurity and resilience of the sector. Unless Treasury undertakes tracking and prioritization of efforts based on metrics that reflect sector planning documents, the sector will remain unable to determine the effectiveness of its efforts, which could leave the sector insufficiently prepared to deal with primary sector risks.
    • The GAO made two recommendations to Treasury:
      • Regarding financial sector cyber risk mitigation efforts, we recommend that the Secretary of the Treasury, in coordination with the Department of Homeland Security and other federal and nonfederal sector partners, track the content and progress of sectorwide cyber risk mitigation efforts, and prioritize their completion according to sector goals and priorities in the sector-specific plan. (Recommendation 1)
      • Regarding the financial sector-specific plan, we recommend that the Secretary of the Treasury, in coordination with the Department of Homeland Security and other federal and nonfederal sector partners, update the financial services sector-specific plan to include specific metrics for measuring the progress of risk mitigation efforts and information on how the sector’s ongoing and planned risk mitigation efforts will meet sector goals and requirements, such as requirements for the financial services sector in the National Cyber Strategy Implementation Plan. (Recommendation 2)
  • The Department of Homeland Security’s (DHS) Office of the Inspector General (OIG) published its review of a May 2019 breach of a U.S. Customs and Border Protection (CBP) subcontractor that resulted in “CBP data, including traveler images from CBP’s facial recognition pilot, appear[ing] on the dark web.” The OIG explained that “CBP selected Unisys Corporation to design, develop, and install a biometric entry-exit solution that would verify and confirm the arrival and departures of passengers. In turn, Unisys Corporation hired Perceptics, LLC, as a subcontractor to install its proprietary facial image capture solution.” Perceptics then proceeded to violate DHS security and privacy protocols by transferring these data to its systems, but the agency did not store the personally identifiable information (PII) in an encrypted form. Consequently, when Perceptics was hit with a ransomware attack, “more than 184,000 traveler facial image files, as well as 105,000 license plate images from prior pilot work, were stored on the subcontractor’s network at the time of the ransomware attack.” The hackers also “stole an array of contractual documents, program management documents, emails, system configurations, schematics, and implementation documentation related to CBP license plate reader programs.” Worse still, CBP was notified of the breach through a media article instead of by either the prime or subcontractor even thought Perceptics informed Unisys, which opted against informing CBP in violation of its contractual duties.
  • The OIG summarized the facts of the case:
    • CBP did not adequately safeguard sensitive data on an unencrypted device used during its facial recognition technology pilot (known as the Vehicle Face System). A subcontractor working on this effort, Perceptics, LLC, transferred copies of CBP’s biometric data, such as traveler images, to its own company network. The subcontractor obtained access to this data between August 2018 and January 2019 without CBP’s authorization or knowledge. Later in 2019, the Department of Homeland Security experienced a major privacy incident, as the subcontractor’s network was subjected to a malicious cyber attack.
    • DHS requires subcontractors to protect personally identifiable information (PII) from identity theft or misuse. However, in this case, Perceptics staff directly violated DHS security and privacy protocols when they downloaded CBP’s sensitive PII from an unencrypted device and stored it on their own network. Given Perceptics’ ability to take possession of CBP-owned sensitive data, CBP’s information security practices during the pilot were inadequate to prevent the subcontractor’s actions.
    • This data breach compromised approximately 184,000 traveler images from CBP’s facial recognition pilot; at least 19 of the images were posted to the dark web. This incident may damage the public’s trust in the Government’s ability to safeguard biometric data and may result in travelers’ reluctance to permit DHS to capture and use their biometrics at U.S. ports of entry.
  • The OIG made 3 recommendations to CBP:
    • Recommendation 1: We recommend CBP’s Assistant Commissioner for the Office of Information and Technology implement all mitigation and policy recommendations to resolve the 2019 data breach identified in CBP’s Security Threat Assessments, including implementing USB device restrictions and applying enhanced encryption methods.
    • Recommendation 2: We recommend the Deputy Executive Assistant Commissioner, Office of Field Operations coordinate with the CBP Office of Information and Technology to ensure that all additional security controls are implemented on relevant devices at all existing Biometric Entry-Exit program pilot locations.
    • Recommendation 3: We recommend the Deputy Executive Assistant Commissioner, Office of Field Operations establish a plan for the Biometric Entry-Exit Program to routinely assess third-party equipment supporting biometric data collection to ensure partners’ compliance with Department security and privacy standards.

Further Reading

  • Revealed: Trump campaign strategy to deter millions of Black Americans from voting in 2016” — Channel 4 News. The same British news organization that broke the Cambridge Analytica story is back with another article on the mining and use of personal data in microtargeting voters in the 2016 presidential election. Despite repeated denials, it appears the Trump Campaign in concert with Cambridge Analytica and the Republican National Committee targeted African Americans with messages on Facebook to keep them home on election day, possibly swinging a few keys states Trump could not have won the Electoral College without.
  • Why the right wing has a massive advantage on Facebook” By Alex Thompson — Politico. This piece lays the responsibility for the advantage in popularity conservative political posts and content on human nature, arguing that right-wing populism will always be more viscerally appealing to people than left-wing populism. The company also seems to be laying what many are calling its malign effects on human nature, too.  
  • Foreign Hackers Cripple Texas County’s Email System, Raising Election Security Concerns” By Jack Gillum, Jessica Huseman, Jeff Kao and Derek Willis — ProPublica. In an article based on information provided on a small Texas County’s breach, light is shined on how unprepared many localities and jurisdictions against common cyber threats. In this case, a common ransomware malware was placed successfully on the county’s system rending it unusable. It appears this, and other counties, have disregarded the cybersecurity advice furnished by the Department of Homeland Security in the hopes that the United States’ (U.S.) systems will be secure against election day hacks. With minimal effort, a sophisticated entity can wreak havoc in contested states this election.
  • TikTok was just the beginning: Trump administration is stepping up scrutiny of past Chinese tech investments” By Jeanne Whalen — The Washington Post. To no great surprise, the Trump Administration is looking to use the Committee on Foreign Investment in the United States (CFIUS) process. The Department of the Treasury’s Office of Investment Security Monitoring & Enforcement has been sending letters to technology companies since the early spring inquiring about foreign investment. The companies being targeted tend to collect, process, and store a lot of personal data or are pioneering or producing cutting edge technology considered vital for national security like electric batteries. This new office is reportedly looking back at transactions completed more than ten years ago. Already the scrutiny is having its intended effect as entities from the People’s Republic of China (PRC) have invested less this year in Silicon Valley than they have in six years.
  • China chip giant SMIC shares sink on US export controls” By Jerome Taylor — AFP; “U.S. sanctions on chipmaker SMIC hit at the very heart of China’s tech ambitions” By Arjun Kharpal — CNBC. The United States (U.S.) Department of Commerce has reportedly informed U.S. chipmakers and others that they must stop selling equipment to the People’s Republic of China’s (PRC) Semiconductor Manufacturing International Corp (SMIC) unless they get an export license. This latest move tightens further the chokehold the U.S. has placed on Huawei and other PRC firms that require U.S. technology to make their products. While SMIC has made strides in developing chips, it is still dependent on foreign technology. SMIC told western media outlets we “no relationship with the Chinese military and does not manufacture for any military end-users or end-uses.”
  • Activists slam Palantir for its work with ICE ahead of market debut” By Tonya Riley and Cat Zakrzewski — The Washington Post. Ahead of tomorrow’s initial public offering, human rights advocates are pressing investors to forego Palantir or to buy the stock and demand changes. These activists are arguing that the Peter Thiel launched company has worked with the United States government and others in violation of human rights.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo by Daniel Falcao on Unsplash

Further Reading, Other Developments, and Coming Events (2 September)

Here is today’s Further Reading, Other Developments, and Coming Events

Coming Events

  • The United States-China Economic and Security Review Commission will hold a hearing on 9 September on “U.S.-China Relations in 2020: Enduring Problems and Emerging Challenges” to “evaluate key developments in China’s economy, military capabilities, and foreign relations, during 2020.”
  • On 10 September, the General Services Administration (GSA) will have a webinar to discuss implementation of Section 889 of the “John S. McCain National Defense Authorization Act (NDAA) for FY 2019” (P.L. 115-232) that bars the federal government and its contractors from buying the equipment and services from Huawei, ZTE, and other companies from the People’s Republic of China.
  • The Federal Communications Commission (FCC) will hold a forum on 5G Open Radio Access Networks on 14 September. The FCC asserted
    • Chairman [Ajit] Pai will host experts at the forefront of the development and deployment of open, interoperable, standards-based, virtualized radio access networks to discuss this innovative new approach to 5G network architecture. Open Radio Access Networks offer an alternative to traditional cellular network architecture and could enable a diversity in suppliers, better network security, and lower costs.
  • The Senate Judiciary Committee’s Antitrust, Competition Policy & Consumer Rights Subcommittee will hold a hearing on 15 September titled “Stacking the Tech: Has Google Harmed Competition in Online Advertising?.” In their press release, Chair Mike Lee (R-UT) and Ranking Member Amy Klobuchar (D-MN) asserted:
    • Google is the dominant player in online advertising, a business that accounts for around 85% of its revenues and which allows it to monetize the data it collects through the products it offers for free. Recent consumer complaints and investigations by law enforcement have raised questions about whether Google has acquired or maintained its market power in online advertising in violation of the antitrust laws. News reports indicate this may also be the centerpiece of a forthcoming antitrust lawsuit from the U.S. Department of Justice. This hearing will examine these allegations and provide a forum to assess the most important antitrust investigation of the 21st century.
  • The United States’ Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) announced that its third annual National Cybersecurity Summit “will be held virtually as a series of webinars every Wednesday for four weeks beginning September 16 and ending October 7:”
    • September 16: Key Cyber Insights
    • September 23: Leading the Digital Transformation
    • September 30: Diversity in Cybersecurity
    • October 7: Defending our Democracy
    • One can register for the event here.
  • On 22 September, the Federal Trade Commission (FTC) will hold a public workshop “to examine the potential benefits and challenges to consumers and competition raised by data portability.”
  • The Senate Judiciary Committee’s Antitrust, Competition Policy & Consumer Rights Subcommittee will hold a hearing on 30 September titled ““Oversight of the Enforcement of the Antitrust Laws” with Federal Trade Commission Chair Joseph Simons and United States Department of Justice Antitrust Division Assistant Attorney General Makan Delhrahim.
  • The Federal Communications Commission (FCC) will hold an open meeting on 30 September, but an agenda is not available at this time.

Other Developments

  • The Department of Commerce’s Bureau of Industry and Security (BIS) released for comment an advanced notice of proposed rulemaking to implement a provision from a 2018 rewrite of the United States (U.S.) export control of certain technology, namely “foundational technology” in this case. The Export Control Reform Act (ECRA) (P.L. 115-232) required the Department of Commerce to establish “a regular, ongoing interagency process to identify emerging and foundational technologies,” and Commerce began the process with an advanced notice of proposed rulemaking to identify only emerging technologies in November 2018. Yet the agency has not followed up with draft regulations on managing the export control process for emerging technologies. BIS explained
    • Pursuant to the Export Control Reform Act of 2018, BIS and its interagency partners are engaged in a process to identify emerging and foundational technologies that are essential to the national security of the United States. Foundational technologies essential to the national security are those that may warrant stricter controls if a present or potential application or capability of that technology poses a national security threat to the United States. In order to determine if technologies are foundational, BIS will evaluate specific items, including items currently subject only to anti-terrorism (AT) controls on the CCL or those designated as EAR99.
    • Under ECRA, emerging and foundational technologies are those technologies that are essential to the national security of the United States and are not critical technologies described in Section 721(a)(6)(A)(i)-(v) of the Defense Production Act of 1950, as amended (DPA).
    • Section 1758 of ECRA requires that foundational technologies be identified, and that BIS establish appropriate controls for that technology under the EAR. At a minimum, such controls would apply to countries subject to an embargo, including an arms embargo, imposed by the United States.
    • ECRA also requires that the interagency process is to take into account:
      • The development of foundational technologies in foreign countries;
      • The effect export controls may have on the development of such technologies in the United States; and
      • The effectiveness of export controls imposed pursuant to ECRA on limiting the proliferation of foundational technologies to foreign countries.
  • The Privacy Commissioner of Canada Daniel Therrien responded to an inquiry from Members of Parliament “about the privacy implications of the federal government’s COVID-19 exposure notification application (COVID Alert) and the ArriveCAN application.” The OPC explained
    • Our review of the COVID Alert application highlighted serious weaknesses with our current federal privacy legislation. In this case, the government took the position that its privacy laws do not apply in light of its assertion that personal information is not collected by the application. Further, while the design of the application is good, and that the government has agreed to be subject to an independent review, the government was not bound to make these commitments. The government chose to respect the principles put forth in our guidance documents because public trust is vital to the application’s success. However, without robust laws, other programs and applications could be introduced in the future that are not so privacy-sensitive.
  • The Department of Commerce’s Bureau of Industry and Security (BIS) “added 24 Chinese companies to the Entity List for their role in helping the Chinese military construct and militarize the internationally condemned artificial islands in the South China Sea,” including a number of technology companies. BIS explained:
    • The Entity List is a tool utilized by BIS to restrict the export, re-export, and transfer (in-country) of items subject to the Export Administration Regulations (EAR) to persons (individuals, organizations, companies) reasonably believed to be involved, or to pose a significant risk of becoming involved, in activities contrary to the national security or foreign policy interests of the United States.
    • Additionally, in a related action, “the Department of State will begin imposing visa restrictions on People’s Republic of China (PRC) individuals responsible for, or complicit in, either the large-scale reclamation, construction, or militarization of disputed outposts in the South China Sea, or the PRC’s use of coercion against Southeast Asian claimants to inhibit their access to offshore resources.” The Department of State stated that “[t]hese individuals will now be inadmissible into the United States, and their immediate family members may be subject to these visa restrictions as well.”
  • The Trump Administration announced “more than $1 billion in awards for the establishment of 12 new AI and QIS research and development (R&D) institutes nationwide,” a substantial portion of which Congress would need to appropriate in future years. The White House claimed the National Science Foundation’s (NSF) Artificial Intelligence (AI) Research Institutes and the Department of Energy’s (DOE) quantum information science (QIS) Research Centers “will serve as national R&D hubs for these critical industries of the future, spurring innovation, supporting regional economic growth, and training our next generation workforce.”
  • The Trump Administration explained:
    • The National Science Foundation and additional Federal partners are awarding $140 million over five years to a total of seven NSF-led AI Research Institutes. These collaborative research and education institutes will focus on a range of AI R&D areas, such as machine-learning, synthetic manufacturing, precision agriculture, and forecasting prediction. Research will take place at universities around the country, including the University of Oklahoma at Norman, the University of Texas at Austin, the University of Colorado at Boulder, the University of Illinois at Urbana-Champaign, the University of California at Davis, and the Massachusetts Institute of Technology.
    • NSF anticipates making additional AI Research Institute awards in the coming years, with more than $300 million in total awards, including contributions from partner agencies, expected by next summer. Overall, NSF invests more than $500 million in artificial intelligence activities annually and is the largest Federal driver of nondefense AI R&D.
    • To establish the QIS Research Centers, DOE is announcing up to $625 million over five years to five centers that will be led by DOE National Laboratory teams at Argonne, Brookhaven, Fermi, Oak Ridge, and Lawrence Berkeley National Laboratories. Each QIS Center will incorporate a collaborative research team spanning multiple institutions as well as scientific and engineering disciplines. The private sector and academia will be providing another $300 million in contributions for the centers.

Further Reading

  • Facebook takes down Russian operation that recruited U.S. journalists, amid rising concerns about election misinformation” By Elizabeth Dwoskin and Craig Timberg – The Washington Post; “Russians Again Targeting Americans With Disinformation, Facebook and Twitter Say” By Sheera Frenkel and Julian E. Barnes; “Russian internet trolls hired U.S. journalists to push their news website, Facebook says” By Kevin Collier and Ken Dilanian – NBC News. In what is more evidence that the Russian Federation’s tactics have changed even though its goals have not, Facebook and Twitter announced the takedown of content written by Americans for a fake new source created and run by the Internet Research Agency. The purported online publications, Peace Data, has posted a number of articles aimed at turning far left voters off to the Biden-Harris campaign. In a sign of evolution, however, they hired freelance American journalists to write content that was then amplified elsewhere on the internet. A very curious aspect of this incident is why the FBI merely tipped off Facebook and Twitter instead of a more vigorous approach to addressing efforts to again create distrust and chaos in a U.S. election. One of the articles claims the FBI does not respond to state-sponsored influence operations as they may not be against U.S. law.
  • Big Tech Embraces New Cold War Nationalism” By JS Tan – Foreign Policy. This piece argues that Silicon Valley’s worldview and strategies have changed now in large part because of the rise of companies from the People’s Republic of China (PRC) like Huawei, TikTok, Tencent, and Alibaba. Now companies like Facebook and Google are discarding their internationalist, neoliberal approach and have aligned themselves with the United States (U.S.) government for a variety of reasons, including an inability to compete fairly inside the PRC. However, Silicon Valley and Washington’s interests on the PRC may be aligned, but in a number of other, very significant ways, especially with the current government, there are considerable differences.
  • Amazon Is Spying on Its Workers in Closed Facebook Groups, Internal Reports Show” By Lauren Kaori Gurley and Joseph Cox – Vice. Another article about the online giant’s distaste for unions and labor organizing activity. In this piece, we learn that Amazon is monitoring public posts by Amazon Flex drivers and possibly even penetrating closed or private groups on platforms like Facebook and hen reportedly extensively inside the company on The other day, Vice broke a story about Amazon posting two positions for intelligence analysts to help the company track labor organizing. The company took down the positions after the story was posted.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Image by WikiImages from Pixabay