Further Reading, Other Developments, and Coming Events (6 October)

Coming Events

  • The United States’ Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) announced that its third annual National Cybersecurity Summit “will be held virtually as a series of webinars every Wednesday for four weeks beginning September 16 and ending October 7:”
    • October 7: Defending our Democracy
    • One can register for the event here.
  • The European Union Agency for Cybersecurity (ENISA), Europol’s European Cybercrime Centre (EC3) and the Computer Emergency Response Team for the EU Institutions, Bodies and Agencies (CERT-EU) will hold the 4th annual IoT Security Conference series “to raise awareness on the security challenges facing the Internet of Things (IoT) ecosystem across the European Union:”
    • Operational IoT – 7 October at 15:00 to 16:30 CET
    • Artificial Intelligence – 14 October at 15:00 to 16:30 CET
    • Supply Chain for IoT – 21 October at 15:00 to 16:30 CET
  • The Federal Communications Commission (FCC) will hold an open commission meeting on 27 October, but the agenda has not yet been announced.
  • On October 29, the Federal Trade Commission (FTC) will hold a seminar titled “Green Lights & Red Flags: FTC Rules of the Road for Business workshop” that “will bring together Ohio business owners and marketing executives with national and state legal experts to provide practical insights to business and legal professionals about how established consumer protection principles apply in today’s fast-paced marketplace.”

Other Developments

  • The Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) announced that a “malicious cyber actor” had penetrated an unnamed federal agency and “implanted sophisticated malware—including multi-stage malware that evaded the affected agency’s anti-malware protection—and gained persistent access through two reverse Socket Secure (SOCKS) proxies that exploited weaknesses in the agency’s firewall.” Since CISA said it became aware of the penetration via EINSTEIN, it is likely a civilian agency that was compromised. The actor used “compromised credentials” to get into the agency, but “CISA analysts were not able to determine how the cyber threat actor initially obtained the credentials.” It is not clear whether this is a nation state or sophisticated hackers working independently.
    • It should be noted that last month, the Department of Veterans Affairs (VA) revealed it had been breached and “the personal information of approximately 46,000 Veterans” has been compromised. This announcement came the same day as an advisory issued by CISA that Chinese Ministry of State Security (MSS)-affiliated cyber threat actors have been targeting and possibly penetrating United States (U.S.) agency networks. 
  • Senators Ron Wyden (D-OR) and Jeff Merkley (D-OR) and Representatives Earl Blumenauer (D-OR) and Suzanne Bonamici (D-OR) wrote the Department of Homeland Security (DHS) regarding a report in The Nation alleging the DHS and Department of Justice (DOJ) surveilled the phones of protestors in Portland, Oregon in possible violation of United States (U.S.) law. These Members asked DHS to respond to the following questions by October 9:
    • During a July 23, 2020, briefing for Senate intelligence committee staff, Brian Murphy, then the Acting Under Secretary for Intelligence and Analysis (I&A) stated that DHS I&A had neither collected nor exploited or analyzed information obtained from the devices or accounts of protesters or detainees. On July 31, 2020, Senator Wyden and six other Senators on the Senate Select Committee on Intelligence wrote to Mr. Murphy to confirm the statement he had made to committee staff. DHS has yet to respond to that letter. Please confirm whether or not Mr. Murphy’s statement during the July 23, 2020, briefing was accurate at the time, and if it is still accurate.
    • Has DHS, whether directly, or with the assistance of any other government agency, obtained or analyzed data collected through the surveillance of protesters’ phones, including tracking their locations or intercepting communications content or metadata? If yes, for each phone that was surveilled, did the government obtain prior authorization from a judge before conducting this surveillance?
    • Has DHS used commercial data sources, including open source intelligence products, to investigate, identify, or track protesters or conduct network analysis? If yes, please identify each commercial data source used by DHS, describe the information DHS obtained, how DHS used it, whether it was subsequently shared with any other government agency, and whether DHS sought and obtained authorization from a court before querying the data source.
  • The National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST) has published for comment the “Securing Data Integrity Against Ransomware Attacks: Using the NIST Cybersecurity Framework and NIST Cybersecurity Practice Guides” that “provides an overview of [NCCoE and NIST’s] Data Integrity projects…a high-level explanation of the architecture and capabilities, and how these projects can be brought together into one comprehensive data integrity solution…[that] can then be integrated into a larger security picture to address all of an organization’s data security needs.” Comments are due by 13 November. NCCoE and NIST explained:
    • This guide is designed for organizations that are not currently experiencing a loss of data integrity event (ransomware or otherwise). This document prepares an organization to adequately address future data integrity events. For information on dealing with a current attack, please explore guidance from organizations like the Federal Bureau of Investigation, the United States Secret Service, or other pertinent groups or government bodies.
    • Successful ransomware impacts data’s integrity, yet ransomware is just one of many potential vectors through which an organization could suffer a loss of data integrity. Integrity is part of the CIA security triad which encompasses Confidentiality, Integrity, and Availability. As the CIA triad is applied to data security, data integrity is defined as “the property that data has not been changed, destroyed, or lost in an unauthorized or accidental manner.” An attack against data integrity can cause corruption, modification, and/or destruction of the data which ultimately results in a loss in trust in the data.
  • As referenced in media reports, Graphika released a report on a newly discovered Russian disinformation effort that led to the creation and propagation of propaganda designed to appeal to the right wing in the United States (U.S.). In “Step into My Parler: Suspected Russian Operation Targeted Far-Right American Users on Platforms Including Gab and Parler, Resembled Recent IRA-Linked Operation that Targeted Progressives,” Graphika explained:
    • Russian operators ran a far-right website and social media accounts that targeted American users with pro-Trump and anti-Biden messaging, according to information from Reuters and Graphika’s investigation. This included the first known Russian activity on the platforms Gab and Parler. The operation appeared connected to a recent Russian website that targeted progressives in America with anti-Biden messaging.
    • The far-right “Newsroom for American and European Based Citizens,” naebc[.]com, pushed the opposite end of the political spectrum from the ostensibly progressive PeaceData site, but the two assets showed such a strong family resemblance that they appear to be two halves of the same operation. Both ran fake editorial personas whose profile pictures were generated by artificial intelligence; both claimed to be young news outlets based in Europe; both made language errors consistent with Russian speakers; both tried to hire freelance writers to provide their content; and, oddly enough, both had names that translate to obscenities in Russian.
    • Reuters first tipped Graphika off to the existence of the NAEBC website and its likely relationship to PeaceData. U.S. law enforcement originally alerted the social media platforms to the existence of PeaceData. On September 1, Facebook attributed PeaceData to “individuals associated with past activity by the Russian Internet Research Agency (IRA).” Twitter attributed it to Russian state actors. Social media platforms (Facebook, Twitter, LinkedIn) have taken similar action to stop activity related to NAEBC on their platforms. To date, Parler and Gab have not taken action on their platforms.
  • The Cybersecurity and Infrastructure Security Agency (CISA) and Multi-State Information Sharing and Analysis Center (MS-ISAC) issued a joint Ransomware Guide “meant to be a one-stop resource for stakeholders on how to be proactive and prevent these attacks from happening and also a detailed approach on how to respond to an attack and best resolve the cyber incident.” The organizations explained:
    • First, the guide focuses on best practices for ransomware prevention, detailing practices that organizations should continuously do to help manage the risk posed by ransomware and other cyber threats. It is intended to enable forward-leaning actions to successfully thwart and confront malicious cyber activity associated with ransomware. Some of the several CISA and MS-ISAC preventive services that are listed are Malicious Domain Blocking and Reporting, regional CISA Cybersecurity Advisors, Phishing Campaign Assessment, and MS-ISAC Security Primers on ransomware variants such as Ryuk.
    • The second part of this guide, response best practices and services, is divided up into three sections: (1) Detection and Analysis, (2) Containment and Eradication, and (3) Recovery and Post-Incident Activity. One of the unique aspects that will significantly help an organization’s leadership as well as IT professionals with response is a comprehensive, step-by-step checklist. With many technical details on response actions and lists of CISA and MS-ISAC services available to the incident response team, this part of the guide can enable a methodical, measured and properly managed approach.
  • The Government Accountability Office (GAO) released a guide on best practices for agile software development for federal agencies and contracting officers. The GAO stated:
    • The federal government spends at least $90 billion annually on information technology (IT) investments. In our January 2019 High Risk List report, GAO reported on 35 high risk areas, including the management of IT acquisitions and operations. While the executive branch has undertaken numerous initiatives to help agencies better manage their IT investments, these programs frequently fail or incur cost overruns and schedule slippages while contributing little to mission-related outcomes.
    • GAO has found that the Office of Management and Budget (OMB) continues to demonstrate its leadership commitment by issuing guidance for covered departments and agencies to implement statutory provisions commonly referred to as the Federal Information Technology Acquisition Reform Act (FITARA). However, application of FITARA at federal agencies has not been fully implemented. For example, as we stated in the 2019 High Risk report, none of the 24 major federal agencies had IT management policies that fully addressed the roles of their Chief Information Officers (CIO) consistent with federal laws and guidance.
    • This Agile Guide is intended to address generally accepted best practices for Agile adoption, execution, and control. In this guide, we use the term best practice to be consistent with the use of the term in GAO’s series of best practices guides.

Further Reading

  • “GOP lawmaker: Democrats’ tech proposals will include ‘non-starters for conservatives’” By Cristiano Lima — Politico. Representative Ken Buck (R-CO) is quoted extensively in this article about Republican concerns that the House Judiciary Committee’s antitrust recommendations may include policy changes he and other GOP Members of the committee will not be able to go along with. Things like banning mandatory arbitration clauses and changing evidentiary burdens (i.e. rolling back court decisions that have made antitrust actions harder to mount) are not acceptable to Republicans, who apparently agree in the main that large technology companies do indeed have too much market power. Interestingly, Buck and others think the solution is more resources for the Department of Justice and the Federal Trade Commission (FTC), which is rapidly becoming a favored policy prescription for federal privacy legislation, too. However, even with a massive infusion of funding, the agencies could not act in all cases, and, in any event, would need to contend with a more conservative federal judiciary unlikely to change the antitrust precedents that have reduced the ability of these agencies to take action in the first place. Nonetheless, Republicans may join the report if the recommendations are changed. Of course, the top Republican on the committee, Representative Jim Jordan (R-OH), is allegedly pressuring Republicans not to join the report.
  • “Why Is Amazon Tracking Opioid Use All Over the United States?” By Lauren Kaori Gurley — Motherboard. The online shopping giant is apparently tracking a range of data related to opioid usage for reasons that are not entirely clear. To be fair, the company tracks all sorts of data.
  • “As QAnon grew, Facebook and Twitter missed years of warning signs about the conspiracy theory’s violent nature” By Craig Timberg and Elizabeth Dwoskin — The Washington Post. This article traces the history of how Facebook and Twitter opted not to act against QAnon while other platforms like Reddit did, quite possibly contributing to the rise and reach of the conspiracy. The two companies were apparently afraid of angering some on the right wing given the overlap between some QAnon supporters and some Trump supporters.
  • “Democratic Party leaders are ‘banging their head against the wall’ after private meetings with Facebook on election misinformation” By Shirin Ghaffary — recode. Democratic officials who have been on calls with Facebook officials are saying the platform is not doing enough to combat disinformation and lies about the election. Facebook, of course, disputes this assessment. Democratic officials are especially concerned about the period between election day and when results are announced and think Facebook is not ready to handle the predicted wave of disinformation.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo by Bermix Studio on Unsplash

Further Reading and Other Developments (20 June)

First things first, if you would like to receive my Technology Policy Update, email me. You can find some of these Updates from 2019 and 2020 here.

Other Developments

  • The House Financial Services Committee’s National Security, International Development, and Monetary Policy Subcommittee held a virtual hearing titled “Cybercriminals and Fraudsters: How Bad Actors Are Exploiting the Financial System During the COVID-19 Pandemic.”
  • The Senate Appropriations Committee’s Financial Services and General Government Subcommittee held a hearing titled “Oversight of FCC Spectrum Auctions Program.”
  • The Commerce, Science, and Transportation Committee held a hearing on a number of nominations, including a re-nomination of Federal Communications Commission Commissioner Michael O’Reilly for another full term.
  • The Department of Commerce’s Industry and Security Bureau released an interim final rule to amend “the Export Administration Regulations (EAR) to authorize the release of certain technology to Huawei and its affiliates on the Entity List without a license if such release is made for the purpose of contributing to the revision or development of a “standard” in a “standards organization.” The Department added in its press release “The rule returns U.S. industry to the status quo ante, from an Entity List perspective, with respect to disclosures of such technology to Huawei and its affiliates in legitimate standards development contexts only, and not for commercial purposes. Disclosures for commercial purposes remain “subject to the EAR” and are still subject to recordkeeping and all other applicable EAR requirements.” Comments are due on 17 August 2020.
  • The National Transportation Safety Board (NTSB) released its “Safety Recommendation Report” that “called for a change in air cargo shipping requirements for some types of lithium-ion batteries” following its investigation “into the shipment of lithium-ion batteries that ignited while in transport on a delivery truck in Canada.” The NTSB recommended that the Pipeline and Hazardous Materials Safety Administration:
    • Propose to the International Civil Aviation Organization to remove its special provision A88 from its Technical Instructions for the Safe Transport of Dangerous Goods by Air allowing special permits for low-production or prototype lithium-ion cells or batteries shipped by airplane and eliminate any exceptions to the testing of United Nations Manual of Tests and Criteria, Part III, Sub-section 38.3 requirements for all lithium-ion batteries before transport by air. (A-20-31)
    • Once the International Civil Aviation Organization removes special provision A88 from the Technical Instructions for the Safe Transport of Dangerous Goods by Air, remove the exemption from United Nations Manual of Tests and Criteria, Part III, Sub-section 38.3 testing from Title 49 Code of Federal Regulations 173.185(e) for low-production or prototype lithium-ion batteries, when transported by air. (A-20-32)
  • The Carnegie Endowment for International Peace’s Partnership for Countering Influence Operations (PCIO) released “The Challenges of Countering Influence Operations” with these “Key Takeaways:”
    • Influence operations defy easy categorization. Influence operations often fail to fit neatly into boxes outlined by individual policies or legislation. They are run in a complex environment where actors overlap, borders are easily crossed and blurred, and motives are mixed—making enforcement challenging. In this case study, actors share highly politicized online content but also appear to benefit financially from their actions, making it difficult to ascertain whether their motives are primarily political, commercial, or both.
    • Relevant policies by social media platforms tend to be a patchwork of community standards that apply to individual activities of an influence campaign, not the operation as a whole. Policies published by social media companies often focus on individual components of influence operations. This approach attempts to neatly categorize and distinguish actors (foreign versus domestic), motives (political influence and profit), activities (including misrepresentation, fraud, and spamming behavior), and content (such as misinformation, hate speech, and abuse). This piecemeal approach to enforcement raises questions about whether officials within social media platforms fully understand how influence operations work and how such campaigns are more than the individual behaviors that compose them.
    • Social media networks have more opportunities to counter influence operations through their platform policies than governments do with existing legislation. Social media companies have implemented various policies to govern how their platforms are used, providing opportunities for combating influence operations. They also have greater access to information about how their platforms are used and have domain-specific expertise that allows them to create more tailored solutions. Fewer avenues exist for countering such influence operations using government-led legal mechanisms. This is not only because of the relative paucity of laws that govern online activity but also because law enforcement requires attribution before they can act, and such attribution can be difficult to ascertain in these cases. This means that governments have generally done little to help private industry actors determine what kinds of influence operations are unacceptable and should be combated. In the absence of such guidance, industry actors are de facto drawing those lines for society. Governments could do more to help guide industry players as they determine the boundaries of acceptable behavior by participating in multi-stakeholder efforts—some of which have been set up by think tanks and nonprofits—and by considering legal approaches that emphasize transparency rather than criminalization.
    • The influence operations uncovered by media scrutiny are not always as easy to counter as those writing about them might hope. Savvy influence operators understand how to evade existing rules, so that their activities and content do not breach known policies or legislation. Media coverage that showcases examples of influence operations seldom explains whether and how these operators violate existing platform policies or legislation. This is a problem because distasteful influence operations do not always overtly violate existing policies or laws—raising questions about where the lines are (and should be) between what is tolerable and what is not, and, moreover, who should be determining those lines. Even when existing policies clearly do apply, these questions persist. Stakeholders should more clearly assess what constitutes problematic behavior before rushing to demand enforcement.
  • A number of privacy and civil liberties groups released “principles to protect the civil rights and privacy of all persons, especially those populations who are at high risk for the virus and communities of color, when considering the deployment of technological measures in response to the COVID-19 crisis.” These groups also sent these principles in letters to both the House and the Senate.
  • The Technology Coalition, formed 15 years ago “when industry leaders came together to fight online child sexual exploitation and abuse (CSEA),” announced “Project Protect: A plan to combat online child sexual abuse – a renewed investment and ongoing commitment to our work seeking to prevent and eradicate online CSEA” with these elements:
    • Execute a Strategic “Five Pillar” Plan to reinforce the cross-industry approach to combating CSEA, putting in place the structure, membership models, and staffing needed to support the Technology Coalition’s long term objectives.
    • Establish a multi-million dollar Research and Innovation Fund to build crucial technological tools needed to more effectively prevent and work to eradicate CSEA.
    • Commit to publishing an Annual Progress Report on industry efforts to combat CSEA.
    • Create an annual Forum for CSEA experts bringing together industry, governments, and civil society to share best practices and drive collective action.
  • Amnesty International’s Security Lab named Bahrain, Kuwait and Norway as having “some of the most invasive COVID-19 contact tracing apps around the world, putting the privacy and security of hundreds of thousands of people at risk.”
  • The Knight Foundation and Gallup released “Free Expression, Harmful Speech, and Censorship in a Digital World,” “a study to gauge Americans’ opinions on [social media companies, the internet, and the role of government], delving specifically into two potential paths forward — amending Section 230 of the Communications Decency Act, which largely shields internet companies from legal liability for content shared on their sites, and the relatively new notion of content oversight boards” with these topline findings:
    • Americans prefer social media apps and sites to be places of open expression.
    • Even as Americans voice a preference for open expression, there are several forms of online content that many say should be restricted or never allowed.
    • Many Americans have personally been targeted by harmful online behavior.
    • Americans are somewhat divided on Section 230 of the Communications Decency Act, which largely shields major internet companies from liability for content posted on their websites and apps by third parties.
    • A majority of Americans do not trust social media companies to make the right decisions about what content appears on their sites or apps.
    • Despite misgivings about major internet companies making the right decisions related to harmful online content, Americans are more likely to favor the companies, rather than government, setting policies to regulate such content.
    • Americans’ opinions of content oversight boards are largely favorable, tending to prefer them to social media companies or the government to make decisions about what can and cannot appear on social media websites and apps.
    • Americans’ favorability toward content oversight boards increases when they know more about them.
    • The most important content oversight board attributes for Americans are transparency and diversity, followed closely by independence — i.e., who appoints board members. Less valuable is the board’s ability to compel social media companies to enact its decisions or guidelines.
    • Americans’ trust in a social media company will not automatically increase solely because the company adopts a content oversight board. Rather, trust can be gained based on the board’s features relating to its independence, transparency, diversity and ability to enforce decisions.
  • Graphika released a report titled “Exposing Secondary Infektion: Forgeries, interference, and attacks on Kremlin critics across six years and 300 sites and platforms,” “a long-running Russian information operation, encompassing multiple campaigns on social media run by a central entity, which was already active in 2014 and that was still running in early 2020.”
  • The University of Toronto’s Citizen Lab and Amnesty International released a report on “nine Indian lawyers, activists, and journalists…targeted in 2019 in a coordinated malware campaign” with “NetWire, a commercially available spyware.”

Further Reading

  • “The Economy Is Reeling. The Tech Giants Spy Opportunity.” – The New York Times. All of the large technology companies are continuing the same pace of acquisitions and product roll-outs as last year. Critics fear that the companies’ expansion through buying new businesses, technologies, and platforms will further cement their dominance of the United States (US) and world economies. Moreover, these companies have also been rolling out new services to compete with upstarts (e.g. Google’s meeting service, which is trying to grab market share from Zoom). It remains to be seen whether antitrust and anti-competitive actions in the US, European Union and elsewhere will stop or even reverse the continued growth of Google, Apple, Amazon, and others.
  • “Amazon’s Ring has 29 new police agreements since the killing of George Floyd” – Protocol. In spite of its pledge to hold off on selling its facial recognition technology to police departments for a year, Amazon has continued to sign up local law enforcement for partnerships using its Ring and Neighbors technology platforms. These systems make footage from the camera/doorbell system, which Amazon markets as a security must-have, available to police. Critics of the system and how Amazon operates it argue that it has already disproportionately affected African Americans and other minorities in gentrifying areas and that it offers a workaround to warrant requirements, since officers would not need to go to court to obtain this footage: private parties are not bound by the Fourth Amendment the way government agencies are.
  • “Big Tech’s Pandemic Power Grab” – The Atlantic. This article foresees government regulation of large technology companies in the United States (US) that solidifies their preeminence, in large part because these companies have been partnering with and working for the US government. And, in making this bargain, these companies are using every lever and all the leverage at their disposal to strike the type of bargain they want. There may be pushback against this impulse to grow, but it is worth keeping in mind that the trustbusting era in the US may have divided up corporate giants like Standard Oil, but their progeny are still very powerful (e.g. Exxon Mobil).
  • “New York lawmakers want to outlaw geofence warrants as protests grow” – Protocol. A bill introduced in April to address the law enforcement practice of requesting geofencing data from technology companies is receiving renewed scrutiny in the New York State legislature in the midst of protests against racism and police violence in the United States. The article cites a Google filing in a Virginia lawsuit alleging “Between 2017 and 2018, Google saw a 1,500% increase in geofence requests…[and] [b]etween 2018 and 2019, that figure shot up another 500%.” Technology companies with troves of data on where people are at virtually every hour of the day are treading carefully as critics of geofence requests and warrants push to ban law enforcement agencies from using these data.
  • “Australian leader says unnamed state increasing cyberattacks” – Associated Press. Australia’s Prime Minister Scott Morrison told reporters “Australian organizations are currently being targeted by a sophisticated state-based cyber actor.” He contended “[t]his activity is targeting Australian organizations across a range of sectors, including all levels of government, industry, political organizations, education, health, essential service providers and operators of other critical infrastructure.” In concert with Morrison’s statement, the Australian Cyber Security Centre (ACSC) and the Department of Home Affairs issued an advisory describing “the tactics, techniques and procedures (TTPs) identified during the ACSC’s investigation of a cyber campaign targeting Australian networks.” Some experts are saying it must be the People’s Republic of China (PRC), especially after Canberra named the PRC as the entity that hacked into Parliament.
  • “Eric Schmidt: Huawei has engaged in unacceptable practices” – BBC News. The former Google head claims the People’s Republic of China (PRC) has accessed Huawei’s routers to exfiltrate information. Schmidt conceded that Huawei’s products are superior to other offerings on the market, which poses a challenge for networks and nations. He also flagged the research and development budgets of Huawei and other PRC companies, which eclipse those of other multinationals.
  • “French Court Strikes Down Most of Online Hate Speech Law” – The New York Times. A French court struck down the core of President Emmanuel Macron’s new statute to police offensive online speech, finding two provisions would impinge freedom of expression. Macron’s party has vowed to take another run at such legislation.
  • “Europe threatens digital taxes without global deal, after U.S. quits talks” – Reuters. The United States withdrew from Organisation for Economic Cooperation and Development (OECD) talks on digital taxes, prompting promises from the European Union to proceed with such taxes on its own.