Bill To Reform IOT Security in U.S. Passes Congress

A long awaited bill to revamp how the U.S. government secures its IOT is on its way to the White House.

Last night, the Senate agreed to a House passed bill that would remake how the United States (U.S.) government buys Internet of Things (IOT) items, with the idea that requiring security standards in government IOT will drive greater security across the U.S. IOT market. Of course, such legislation, if implemented as intended, would also have the salutary effect of strengthening government networks. Incidentally, there is language in the bill that would seem to give the White House additional muscle to drive better information security across the civilian government.

The effort to pass this bill started in the last Congress and continued into this Congress. The bill will require the Office of Management and Budget (OMB) to set standards and practices that private sector contractors will need to meet in selling IOT to federal agencies. The OMB’s work is to be based on a series of IOT guidance documents the National Institute of Standards and Technology (NIST) has issued.

In September, the United States House of Representatives took up and passed a revised version of “Internet of Things Cybersecurity Improvement Act of 2020” (H.R. 1668) by voice vote. As noted, the United States Senate passed the same bill by unanimous consent yesterday, sending the legislation to the White House. While OMB did not issue a Statement of Administration Policy on H.R. 1668 or any of its previous iterations, Senate Republicans, particularly Majority Leader Mitch McConnell (R-KY), have not shown a willingness to even consider any bill the White House has not greenlit. Therefore, it may be reasonable to assume the President will sign this bill into law.

H.R. 1668 requires NIST to publish “standards and guidelines for the Federal Government on the appropriate use and management by agencies of Internet of Things devices owned or controlled by an agency and connected to information systems owned or controlled by an agency, including minimum information security requirements for managing cybersecurity risks associated with such devices.” These standards and guidelines are to be consistent with existing NIST standards and guidance on IOT, and the agency has issued a series of such documents described in some detail later in this article.

Six months after NIST issues such standards and guidelines, OMB must judge current agency standards and practices with IOT against NIST’s (excepting “national security systems, meaning almost all the Department of Defense and Intelligence Community). OMB is required to then issue policies and principles necessary to rectify shortcomings in agency IOT security after consulting with the United States’ (U.S.) Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). At least once every five years after the initial policies and procedures are issued, OMB must revisit, assess, and adjust them as needed. Moreover, U.S. acquisition regulations must be amended to implement these standards and guidelines, meaning these would be binding in the purchase and use of IOT by civilian agencies.

NIST must also create and operate a system under which vulnerabilities and fixes in agency owned or operated IOT can be reported. OMB would oversee the establishment of this process, and DHS would administer the guidelines, possibly through its powers to issue Binding Operational Directives to federal civilian agencies.

Now, we come to a curious section of H.R.1668 that may well have implications for government bought or used technology beyond just IOT. Within two years of becoming law, OMB, in consultation with DHS, must “develop and oversee the implementation of policies, principles, standards, or guidelines as may be necessary to address security vulnerabilities of information systems (including Internet of Things devices) (emphasis added.) This is a seemingly open-ended grant of authority for OMB to put in place binding policies and procedures for all information systems, a very broad term that encompasses information technology and other resources, across federal agencies. OMB already possesses power and means to do much of this, begging the question why such authority was needed. The bill is not clear on this point, and OMB may well use this additional authority in areas not strictly pertaining to IOT.

And now the hammer to drive better IOT security. Civilian agencies will not be able to buy or use IOT until its Chief Information Officer (CIO) has certified such IOT meets the aforementioned standards developed along the dual tracks the bill requires. There are, of course, loopholes to this requirement since industry and agency stakeholders likely insisted on them. First, any purchase below the simplified acquisition threshold (which is currently $250,000) would be exempt from this requirement, and the agency could waive the need for the CIO to agree if

  • the waiver is necessary in the interest of national security;
  • procuring, obtaining, or using such device is necessary for research purposes; or
  • such device is secured using alternative and effective methods appropriate to the function of such device.

And so, these three grounds for waivers may be the exceptions that eat the rule. Time will tell.

In June, the Senate and House committees of jurisdictions marked up their versions of the “Internet of Things (IOT) Cybersecurity Improvement Act of 2020” (H.R. 1668/S. 734). The bill text as released in March 2019 for both bills was identical signaling agreement between the two chambers’ sponsors, but the process of marking up the bills resulted in different versions, requiring negotiation on a final bill. The House Oversight and Reform Committee marked up and reported out H.R. 1668 after adopting an amendment in the nature of a substitute that narrowed the scope of the bill and is more directive than the bill initially introduced in March. The Senate Homeland Security Committee marked up S. 734 a week later, making their own changes from the March bill. The March version of the legislation unified two similar bills from the 115th Congress of the same title: the “Internet of Things (IOT) Cybersecurity Improvement Act of 2017” (S. 1691) and the “Internet of Things (IOT) Federal Cybersecurity Improvement Act of 2018” (H.R. 7283).

Per the Committee Report for S. 734, the purpose of bill

is to proactively mitigate the risks posed by inadequately-secured Internet of Things (IOT) devices through the establishment of minimum security standards for IOT devices purchased by the Federal Government. The bill codifies the ongoing work of the NIST to develop standards and guidelines, including minimum-security requirements, for the use of IOT devices by Federal agencies. The bill also directs OMB, in consultation with DHS, to issue the necessary policies and principles to implement the NIST standards and guidelines on IOT security and management. Additionally, the bill requires NIST, in consultation with cybersecurity researchers and industry experts, to publish guidelines for the reporting, coordinating, publishing, and receiving of information about Federal agencies’ security vulnerabilities and the coordinate resolutions of the reported vulnerabilities. OMB will provide the policies and principles and DHS will develop and issue the procedures necessary to implement NIST’s guidelines on coordinated vulnerability disclosure for Federal agencies. The bill includes a provision allowing Federal agency heads to waive the IOT use and management requirements issued by OMB for national security, functionality, alternative means, or economic reasons.

According to a staff memorandum, H.R. 1668

would require the NIST to develop guidelines for managing cybersecurity risks of IOT devices by June 30, 2020. The bill would require OMB to issue standards for implementing those guidelines by December 31, 2020. The bill also would require similar guidelines from NIST and standards from OMB on reporting, coordinating, and publishing security vulnerabilities of IOT devices.

As noted earlier, NIST has worked on and published a suite of guidance documents on IOT. In June, NIST published final guidance as part of its follow up to A Report to the President on Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats and NIST’s Botnet Roadmap. Neither document is binding on federal agencies or private sector entities, but given the respect the agency enjoys, these will likely become referenced extensively by other standards.

NIST explained in a blog post:

In NISTIR 8259A, NIST explained the purpose of the publication as defining an “IOT device cybersecurity capability core baseline, which is a set of device capabilities generally needed to support common cybersecurity controls that protect an organization’s devices as well as device data, systems, and ecosystems.” NIST stated “[t]he purpose of this publication is to provide organizations a starting point to use in identifying the device cybersecurity capabilities for new IOT devices they will manufacture, integrate, or acquire…[and] can be used in conjunction with NISTIR 8259, Foundational Cybersecurity Activities for IOT Device Manufacturers.”

NIST further explained how the core baseline was developed:

  • The IOT device cybersecurity capability core baseline (core baseline) defined in this publication is a set of device capabilities generally needed to support commonly used cybersecurity controls that protect devices as well as device data, systems, and ecosystems.
  • The core baseline has been derived from researching common cybersecurity risk management approaches and commonly used capabilities for addressing cybersecurity risks to IOT devices, which were refined and validated using a collaborative public-private process to incorporate all viewpoints.
  • Regardless of an organization’s role, this baseline is intended to give all organizations a starting point for IOT device cybersecurity risk management, but the implementation of all capabilities is not considered mandatory. The individual capabilities in the baseline may be implemented in full, in part, or not at all. It is left to the implementing organization to understand the unique risk context in which it operates and what is appropriate for its given circumstance.

NIST 8259 is designed “give manufacturers recommendations for improving how securable the IOT devices they make are…[and] [t]his means the IOT devices offer device cybersecurity capabilities—cybersecurity features or functions the devices provide through their own technical means (i.e., device hardware and software)—that customers, both organizations and individuals, need to secure the devices when used within their systems and environments.”

NIST stated “[t]his publication describes six recommended foundational cybersecurity activities that manufacturers should consider performing to improve the securability of the new IOT devices they make…[and] [f]our of the six activities primarily impact decisions and actions performed by the manufacturer before a device is sent out for sale (pre-market), and the remaining two activities primarily impact decisions and actions performed by the manufacturer after device sale (post-market).” NIST claimed “[p]erforming all six activities can help manufacturers provide IOT devices that better support the cybersecurity-related efforts needed by IOT device customers, which in turn can reduce the prevalence and severity of IOT device compromises and the attacks performed using compromised IOT devices.” NIST asserted “[t]hese activities are intended to fit within a manufacturer’s existing development process and may already be achieved in whole or part by that existing process.”

In June 2019, NIST issued “Considerations for Managing Internet of Things (IOT) Cybersecurity and Privacy Risks” (NISTIR 8228) which is designed “to help organizations better understand and manage the cybersecurity and privacy risks associated with individual IOT devices throughout the devices’ lifecycles.” The agency claims the publication “provides insights to inform organizations’ risk management processes and “[a]fter reading this publication, an organization should be able to improve the quality of its risk assessments for IOT devices and its response to the identified risk through the lens of cybersecurity and privacy.” It bears note that from the onset of tackling IOT standards that NIST paired cybersecurity and privacy unlike its Cybersecurity Framework which addresses privacy as an important but ancillary concern to cybersecurity.

NIST explained that NIST Interagency or Internal Report 8228: Considerations for Managing Internet of Things (IOT) Cybersecurity and Privacy Risks is aimed at “personnel at federal agencies with responsibilities related to managing cybersecurity and privacy risks for IOT devices, although personnel at other organizations may also find value in the content.” NIST stated that “[t]his publication emphasizes what makes managing these risks different for IOT devices in general, including consumer, enterprise, and industrial IOT devices, than conventional information technology (IT) devices…[and] omits all aspects of risk management that are largely the same for IOT and conventional IT, including all aspects of risk management beyond the IOT devices themselves, because these are already addressed by many other risk management publications.”

NIST explained that “[t]his publication identifies three high-level considerations that may affect the management of cybersecurity and privacy risks for IOT devices as compared to conventional IT devices:

1. Many IOT devices interact with the physical world in ways conventional IT devices usually do not. The potential impact of some IOT devices making changes to physical systems and thus affecting the physical world needs to be explicitly recognized and addressed from cybersecurity and privacy perspectives. Also, operational requirements for performance, reliability, resilience, and safety may be at odds with common cybersecurity and privacy practices for conventional IT devices.

2. Many IOT devices cannot be accessed, managed, or monitored in the same ways conventional IT devices can. This can necessitate doing tasks manually for large numbers of IOT devices, expanding staff knowledge and tools to include a much wider variety of IOT device software, and addressing risks with manufacturers and other third parties having remote access or control over IOT devices.

3. The availability, efficiency, and effectiveness of cybersecurity and privacy capabilities are often different for IOT devices than conventional IT devices. This means organizations may have to select, implement, and manage additional controls, as well as determine how to respond to risk when sufficient controls for mitigating risk are not available.

NIST laid out “[c]ybersecurity and privacy risks for IOT devices can be thought of in terms of three high-level risk mitigation goals:

1. Protect device security. In other words, prevent a device from being used to conduct attacks, including participating in distributed denial of service (DDoS) attacks against other organizations, and eavesdropping on network traffic or compromising other devices on the same network segment. This goal applies to all IOT devices.

2. Protect data security. Protect the confidentiality, integrity, and/or availability of data (including personally identifiable information [PII]) collected by, stored on, processed by, or transmitted to or from the IOT device. This goal applies to each IOT device except those without any data that needs protection.

3. Protect individuals’ privacy. Protect individuals’ privacy impacted by PII processing beyond risks managed through device and data security protection. This goal applies to all IOT devices that process PII or that directly or indirectly impact individuals.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo by Free Creative Stuff from Pexels

Further Reading, Other Developments, and Coming Events (16 September)

Coming Events

  • The United States’ Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) announced that its third annual National Cybersecurity Summit “will be held virtually as a series of webinars every Wednesday for four weeks beginning September 16 and ending October 7:”
    • September 16: Key Cyber Insights
    • September 23: Leading the Digital Transformation
    • September 30: Diversity in Cybersecurity
    • October 7: Defending our Democracy
    • One can register for the event here.
  • The House Homeland Security Committee will hold a hearing titled “Worldwide Threats to the Homeland” on 17 September with the following witnesses:
    • Chad Wolf, Department of Homeland Security
    • Christopher Wray, Director, Federal Bureau of Investigation
    • Christopher Miller, Director, National Counterterrorism Center (NCTC)
  • On 17 September, the House Energy and Commerce Committee’s Communications & technology Subcommittee will hold a hearing titled “Trump FCC: Four Years of Lost Opportunities.”
  • The House Armed Services Committee’s Intelligence and Emerging Threats and Capabilities Subcommittee will hold a hearing’ titled “Interim Review of the National Security Commission on Artificial Intelligence Effort and Recommendations” on 17 September with these witnesses:
    • Dr. Eric Schmidt , Chairman, National Security Commission on Artificial Intelligence 
    • HON Robert Work, Vice Chairman, National Security Commission on Artificial Intelligence, HON Mignon Clyburn, Commissioner, National Security Commission on Artificial Intelligence 
    • Dr. José-Marie Griffiths, Commissioner, National Security Commission on Artificial Intelligence
  • On 22 September, the Federal Trade Commission (FTC) will hold a public workshop “to examine the potential benefits and challenges to consumers and competition raised by data portability.” The agency has released its agenda and explained:
    • The workshop will also feature four panel discussions that will focus on: case studies on data portability rights in the European Union, India, and California; case studies on financial and health portability regimes; reconciling the benefits and risks of data portability; and the material challenges and solutions to realizing data portability’s potential.
  • The Senate Judiciary Committee’s Intellectual Property Subcommittee will hold a hearing “Examining Threats to American Intellectual Property: Cyber-attacks and Counterfeits During the COVID-19 Pandemic” with these witnesses:
    • Adam Hickey, Deputy Assistant Attorney General National Security Division, Department of Justice
    • Clyde Wallace, Deputy Assistant Director Cyber Division, Federal Bureau of Investigation
    • Steve Francis, Assistant Director, HSI Global Trade Investigations Division Director, National Intellectual Property Rights Center, U.S. Immigration and Customs Enforcement, Department of Homeland Security
    • Bryan S. Ware, Assistant Director for Cybersecurity Cyber Security and Infrastructure Security Agency, Department of Homeland Security
  • The Senate Judiciary Committee’s Antitrust, Competition Policy & Consumer Rights Subcommittee will hold a hearing on 30 September titled “Oversight of the Enforcement of the Antitrust Laws” with Federal Trade Commission Chair Joseph Simons and United States Department of Justice Antitrust Division Assistant Attorney General Makan Delhrahim.
  • The Federal Communications Commission (FCC) will hold an open meeting on 30 September and has made available its agenda with these items:
    • Facilitating Shared Use in the 3.1-3.55 GHz Band. The Commission will consider a Report and Order that would remove the existing non-federal allocations from the 3.3-3.55 GHz band as an important step toward making 100 megahertz of spectrum in the 3.45-3.55 GHz band available for commercial use, including 5G, throughout the contiguous United States. The Commission will also consider a Further Notice of Proposed Rulemaking that would propose to add a co-primary, non-federal fixed and mobile (except aeronautical mobile) allocation to the 3.45-3.55 GHz band as well as service, technical, and competitive bidding rules for flexible-use licenses in the band. (WT Docket No. 19-348)
    • Expanding Access to and Investment in the 4.9 GHz Band. The Commission will consider a Sixth Report and Order that would expand access to and investment in the 4.9 GHz (4940-4990 MHz) band by providing states the opportunity to lease this spectrum to commercial entities, electric utilities, and others for both public safety and non-public safety purposes. The Commission also will consider a Seventh Further Notice of Proposed Rulemaking that would propose a new set of licensing rules and seek comment on ways to further facilitate access to and investment in the band. (WP Docket No. 07-100)
    • Improving Transparency and Timeliness of Foreign Ownership Review Process. The Commission will consider a Report and Order that would improve the timeliness and transparency of the process by which it seeks the views of Executive Branch agencies on any national security, law enforcement, foreign policy, and trade policy concerns related to certain applications filed with the Commission. (IB Docket No. 16-155)
    • Promoting Caller ID Authentication to Combat Spoofed Robocalls. The Commission will consider a Report and Order that would continue its work to implement the TRACED Act and promote the deployment of caller ID authentication technology to combat spoofed robocalls. (WC Docket No. 17-97)
    • Combating 911 Fee Diversion. The Commission will consider a Notice of Inquiry that would seek comment on ways to dissuade states and territories from diverting fees collected for 911 to other purposes. (PS Docket Nos. 20-291, 09-14)
    • Modernizing Cable Service Change Notifications. The Commission will consider a Report and Order that would modernize requirements for notices cable operators must provide subscribers and local franchising authorities. (MB Docket Nos. 19-347, 17-105)
    • Eliminating Records Requirements for Cable Operator Interests in Video Programming. The Commission will consider a Report and Order that would eliminate the requirement that cable operators maintain records in their online public inspection files regarding the nature and extent of their attributable interests in video programming services. (MB Docket No. 20-35, 17-105)
    • Reforming IP Captioned Telephone Service Rates and Service Standards. The Commission will consider a Report and Order, Order on Reconsideration, and Further Notice of Proposed Rulemaking that would set compensation rates for Internet Protocol Captioned Telephone Service (IP CTS), deny reconsideration of previously set IP CTS compensation rates, and propose service quality and performance measurement standards for captioned telephone services. (CG Docket Nos. 13-24, 03-123)
    • Enforcement Item. The Commission will consider an enforcement action.

Other Developments

  • The United States House of Representatives took up and passed two technology bills on 14 September. One of the bills, “Internet of Things (IoT) Cybersecurity Improvement Act of 2020” (H.R. 1668), was discussed in yesterday’s Technology Policy Update as part of an outlook on Internet of Things (IoT) legislation (see here for analysis). The House passed a revised version by voice vote, but its fate in the Senate may lie with the Senate Homeland Security & Governmental Affairs Committee, whose chair, Senator Ron Johnson (R-WI), has blocked a number of technology bills during his tenure to the chagrin of some House stakeholders. The House also passed the “AI in Government Act of 2019” (H.R.2575) that would establish an AI Center of Excellence within the General Services Administration that would
    • “(1) advise and promote the efforts of the Federal Government in developing innovative uses of artificial intelligence by the Federal Government to the benefit of the public; and
    • (2) improve cohesion and competency in the use of artificial intelligence.”
    • Also, this bill would direct the Office of Management and Budget (OMB) to “issue a memorandum to the head of each agency that shall—
      • inform the development of artificial intelligence governance approaches by those agencies regarding technologies and applications that—
        • are empowered or enabled by the use of artificial intelligence within that agency; and
        • advance the innovative use of artificial intelligence for the benefit of the public while upholding civil liberties, privacy, and civil rights;
      • consider ways to reduce barriers to the use of artificial intelligence in order to promote innovative application of those technologies for the benefit of the public, while protecting civil liberties, privacy, and civil rights;
      • establish best practices for identifying, assessing, and mitigating any bias on the basis of any classification protected under Federal nondiscrimination laws or other negative unintended consequence stemming from the use of artificial intelligence systems; and
      • provide a template of the required contents of the agency Governance Plans
    • The House Energy and Commerce Committee marked up and reported out more than 30 bills last week including:
      • The “Consumer Product Safety Inspection Enhancement Act” (H.R. 8134) that “would amend the Consumer Product Safety Act to enhance the Consumer Product Safety Commission’s (CPSC) ability to identify unsafe consumer products entering the United States, especially e-commerce shipments entering under the de minimis value exemption. Specifically, the bill would require the CPSC to enhance the targeting, surveillance, and screening of consumer products. The bill also would require electronic filing of certificates of compliance for all consumer products entering the United States.
      • The bill directs the CPSC to: 1) examine a sampling of de minimis shipments and shipments coming from China; 2) detail plans and timelines to effectively address targeting and screening of de minimis shipments; 3) establish metrics by which to evaluate the effectiveness of the CPSC’s efforts in this regard; 4) assess projected technology, resources, and staffing necessary; and 5) submit a report to Congress regarding such efforts. The bill further directs the CPSC to hire at least 16 employees every year until staffing needs are met to help identify violative products at ports.
      • The “AI for Consumer Product Safety Act” (H.R. 8128) that “would direct the Consumer Product Safety Commission (CPSC) to establish a pilot program to explore the use of artificial intelligence for at least one of the following purposes: 1) tracking injury trends; 2) identifying consumer product hazards; 3) monitoring the retail marketplace for the sale of recalled consumer products; or 4) identifying unsafe imported consumer products.” The revised bill passed by the committee “changes the title of the bill to the “Consumer Safety Technology Act”, and adds the text based on the Blockchain Innovation Act (H.R. 8153) and the Digital Taxonomy Act (H.R. 2154)…[and] adds sections that direct the Department of Commerce (DOC), in consultation with the Federal Trade Commission (FTC), to conduct a study and submit to Congress a report on the state of blockchain technology in commerce, including its use to reduce fraud and increase security.” The revised bill “would also require the FTC to submit to Congress a report and recommendations on unfair or deceptive acts or practices relating to digital tokens.”
      • The “American Competitiveness Of a More Productive Emerging Tech Economy Act” or the “American COMPETE Act” (H.R. 8132) “directs the DOC and the FTC to study and report to Congress on the state of the artificial intelligence, quantum computing, blockchain, and the new and advanced materials industries in the U.S…[and] would also require the DOC to study and report to Congress on the state of the Internet of Things (IoT) and IoT manufacturing industries as well as the three-dimensional printing industry” involving “among other things:1) listing industry sectors that develop and use each technology and public-private partnerships focused on promoting the adoption and use of each such technology; 2) establishing a list of federal agencies asserting jurisdiction over such industry sectors; and 3) assessing risks and trends in the marketplace and supply chain of each technology.
      • The bill would direct the DOC to study and report on the effect of unmanned delivery services on U.S. businesses conducting interstate commerce. In addition to these report elements, the bill would require the DOC to examine safety risks and effects on traffic congestion and jobs of unmanned delivery services.
      • Finally, the bill would require the FTC to study and report to Congress on how artificial intelligence may be used to address online harms, including scams directed at senior citizens, disinformation or exploitative content, and content furthering illegal activity.
  • The National Institute of Standards and Technology (NIST) issued NIST Interagency or Internal Report 8272 “Impact Analysis Tool for Interdependent Cyber Supply Chain Risks” designed to help public and private sector entities better address complicated, complex supply chain risks. NIST stated “[t]his publication de-scribes how to use the Cyber Supply Chain Risk Management (C-SCRM) Interdependency Tool that has been developed to help federal agencies identify and assess the potential impact of cybersecurity events in their interconnected supply chains.” NIST explained
    • More organizations are becoming aware of the importance of identifying cybersecurity risks associated with extensive, complicated supply chains. Several solutions have been developed to help manage supply chains; most focus on contract management or compliance. There is a need to provide organizations with a systematic and more usable way to evaluate the potential impacts of cyber supply chain risks relative to an organization’s risk appetite. This is especially important for organizations with complex supply chains and highly interdependent products and suppliers.
    • This publication describes one potential way to visualize and measure these impacts: a Cyber Supply Chain Risk Management (C-SCRM) Interdependency Tool (hereafter “Tool”), which is designed to provide a basic measurement of the potential impact of a cyber supply chain event. The Tool is not intended to measure the risk of an event, where risk is defined as a function of threat, vulnerability, likelihood, and impact. Research conducted by the authors of this publication found that, at the time of publication, existing cybersecurity risk tools and research focused on threats, vulnerabilities, and likelihood, but impact was frequently overlooked. Thus, this Tool is intended to bridge that gap and enable users and tool developers to create a more complete understanding of an organization’s risk by measuring impact in their specific environments.
    • The Tool also provides the user greater visibility over the supply chain and the relative importance of particular projects, products, and suppliers (hereafter referred to as “nodes”) compared to others. This can be determined by examining the metrics that contribute to a node’s importance, such as the amount of access a node has to the acquiring organization’s IT network, physical facilities, and data. By understanding which nodes are the most important in their organization’s supply chain, the user can begin to understand the potential impact a disruption of that node may cause on business operations. The user can then prioritize the completion of risk mitigating actions to reduce the impact a disruption would cause to the organization’s supply chain and overall business.
  • In a blog post, Microsoft released its findings on the escalating threats to political campaigns and figures during the run up to the United States’ (U.S.) election. This warning also served as an advertisement for Microsoft’s security products. But, be that as it may, these findings echo what U.S. security services have been saying for months. Microsoft stated
    • In recent weeks, Microsoft has detected cyberattacks targeting people and organizations involved in the upcoming presidential election, including unsuccessful attacks on people associated with both the Trump and Biden campaigns, as detailed below. We have and will continue to defend our democracy against these attacks through notifications of such activity to impacted customers, security features in our products and services, and legal and technical disruptions. The activity we are announcing today makes clear that foreign activity groups have stepped up their efforts targeting the 2020 election as had been anticipated, and is consistent with what the U.S. government and others have reported. We also report here on attacks against other institutions and enterprises worldwide that reflect similar adversary activity.
    • We have observed that:
      • Strontium, operating from Russia, has attacked more than 200 organizations including political campaigns, advocacy groups, parties and political consultants
      • Zirconium, operating from China, has attacked high-profile individuals associated with the election, including people associated with the Joe Biden for President campaign and prominent leaders in the international affairs community
      • Phosphorus, operating from Iran, has continued to attack the personal accounts of people associated with the Donald J. Trump for President campaign
    • The majority of these attacks were detected and stopped by security tools built into our products. We have directly notified those who were targeted or compromised so they can take action to protect themselves. We are sharing more about the details of these attacks today, and where we’ve named impacted customers, we’re doing so with their support.
    • What we’ve seen is consistent with previous attack patterns that not only target candidates and campaign staffers but also those they consult on key issues. These activities highlight the need for people and organizations involved in the political process to take advantage of free and low-cost security tools to protect themselves as we get closer to election day. At Microsoft, for example, we offer AccountGuard threat monitoring, Microsoft 365 for Campaigns and Election Security Advisors to help secure campaigns and their volunteers. More broadly, these attacks underscore the continued importance of work underway at the United Nations to protect cyberspace and initiatives like the Paris Call for Trust and Security in Cyberspace.
  • The European Data Protection Supervisor (EDPS) has reiterated and expanded upon his calls for caution, prudence, and adherence to European Union (EU) law and principles in the use of artificial intelligence, especially as the EU looks to revamp its approach to AI and data protection. In a blog post, EDPS Wojciech Wiewiórowski stated:
    • The expectations of the increasing use of AI and the related economic advantages for those who control the technologies, as well as its appetite for data, have given rise to fierce competition about technological leadership. In this competition, the EU strives to be a frontrunner while staying true to its own values and ideals.
    • AI comes with its own risks and is not an innocuous, magical tool, which will heal the world harmlessly. For example, the rapid adoption of AI by public administrations in hospitals, utilities and transport services, financial supervisors, and other areas of public interest is considered in the EC White Paper ‘essential’, but we believe that prudency is needed. AI, like any other technology, is a mere tool, and should be designed to serve humankind. Benefits, costs and risks should be considered by anyone adopting a technology, especially by public administrations who process great amounts of personal data.
    • The increase in adoption of AI has not been (yet?) accompanied by a proper assessment of what the impact on individuals and on our society as a whole will likely be. Think especially of live facial recognition (remote biometric identification in the EC White Paper). We support the idea of a moratorium on automated recognition in public spaces of human features in the EU, of faces but also and importantly of gait, fingerprints, DNA, voice, keystrokes and other biometric or behavioural signals.
    • Let’s not rush AI, we have to get it straight so that it is fair and that it serves individuals and society at large.
    • The context in which the consultation for the Data Strategy was conducted gave a prominent place to the role of data in matters of public interest, including combating the virus. This is good and right as the GDPR was crafted so that the processing of personal data should serve humankind. There are existing conditions under which such “processing for the public good” could already take place, and without which the necessary trust of data subjects would not be possible.
    • However, there is a substantial persuasive power in the narratives nudging individuals to ‘volunteer’ their data to address highly moral goals. Concepts such as ‘Data altruism”, or ‘Data donation” and their added value are not entirely clear and there is a need to better define and lay down their scope, and possible purposes, for instance, in the context of scientific research in the health sector. The fundamental right to the protection of personal data cannot be ‘waived’ by the individual concerned, be it through a ‘donation’ or through a ‘sale’ of personal data. The data controller is fully bound by the personal data rules and principles, such as purpose limitation even when processing data that have been ‘donated’ i.e. when consent to the processing had been given by the individual.

Further Reading

  • Peter Thiel Met With The Racist Fringe As He Went All In On Trump” By Rosie Gray and Ryan Mac — BuzzFeed News. A fascinating article about one of the technology world’s more interesting figures. As part of his decision to ally himself with Donald Trump when running for president, Peter Thiel also met with avowed white supremacists. However, it appears that the alliance is no longer worthy of his financial assistance or his public support as he supposedly was disturbed about the Administration’s response to the pandemic. However, Palantir, his company has flourished during the Trump Administration and may be going public right before matters may change under a Biden Administration.
  • TikTok’s Proposed Deal Seeks to Mollify U.S. and China” By David McCabe, Ana Swanson and Erin Griffith — The New York Times. ByteDance is apparently trying to mollify both Washington and Beijing in bringing Oracle onboard as “trusted technology partner,” for the arrangement may be acceptable to both nations under their export control and national security regimes. Oracle handling and safeguarding TikTokj user data would seem to address the Trump Administration’s concerns, but not selling the company nor permitting Oracle to access its algorithm for making recommendations would seem to appease the People’s Republic of China (PRC). Moreover, United States (U.S.) investors would hold control over TikTok even though PRC investors would maintain their stakes. Such an arrangement may satisfy the Committee on Foreign Investment in the United States (CFIUS), which has ordered ByteDance to sell the app that is an integral part of TikTok. The wild card, as always, is where President Donald Trump ultimately comes out on the deal.
  • Oracle’s courting of Trump may help it land TikTok’s business and coveted user data” By Jay Greene and Ellen Nakashima — The Washington Post. This piece dives into why Oracle, at first blush, seems like an unlikely suitor to TikTok, but it’s eroding business position visa vis cloud companies like Amazon explains its desire to diversify. Also, Oracle’s role as a data broker makes all the user data available from TikTok very attractive.
  • Chinese firm harvests social media posts, data of prominent Americans and military” By Gerry Shih — The Washington Post. Another view on Shenzhen Zhenhua Data Technology, the entity from the People’s Republic of China (PRC) exposed for collecting the personal data of more than 2.4 million westerners, many of whom hold positions of power and influence. This article quotes a number of experts allowed to look at what was leaked of the data base who are of the view the PRC has very little in the way of actionable intelligence, at this point. The country is leveraging publicly available big data from a variety of sources and may ultimately makes something useful from these data.
  • “‘This is f—ing crazy’: Florida Latinos swamped by wild conspiracy theories” By Sabrina Rodriguez and Marc Caputo — Politico. A number of sources are spreading rumors about former Vice President Joe Biden and the Democrats generally in order to curb support among a key demographic the party will need to carry overwhelmingly to win Florida.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo by Alexander Sinn on Unsplash

Pending Legislation In U.S. Congress, Part V

Congress may well pass IoT legislation this year, and the two bills under consideration take different approaches.

Continuing our look at bills Congress may pass this year leads us to an issue area that has received attention but no legislative action; the Internet of Things (IoT). Many Members are aware and concerned about the lax or nonexistent security standards for many such devices, which leaves them open to attack or being used as part of a larger bot network to attack other internet connected devices. There are two bills with significant odds of being enacted, one better than the other, for it is a more modest bill and it is attached to the Senate’s FY 2021 National Defense Authorization Act. However, the other bill is finally coming to the House floor today, which may shake loose its companion bill in the Senate.

As the United States (U.S.) Departments of Commerce and Homeland Security explained in “A Report to the President on Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats, insecure IoT poses huge threats to the rest of the connected world:

The Distributed Denial of Service (DDoS) attacks launched from the Mirai botnet in the fall of 2016, for example, reached a level of sustained traffic that overwhelmed many common DDoS mitigation tools and services, and even disrupted a Domain Name System (DNS) service that was a commonly used component in many DDoS mitigation strategies. This attack also highlighted the growing insecurities in—and threats from—consumer-grade IoT devices. As a new technology, IoT devices are often built and deployed without important security features and practices in place. While the original Mirai variant was relatively simple, exploiting weak device passwords, more sophisticated botnets have followed; for example, the Reaper botnet uses known code vulnerabilities to exploit a long list of devices, and one of the largest DDoS attacks seen to date recently exploited a newly discovered vulnerability in the relatively obscure MemCacheD software.

Later in the report, as part of one of the proposed goals, the departments asserted:

When market incentives encourage manufacturers to feature security innovations as a balanced complement to functionality and performance, it increases adoption of tools and processes that result in more secure products. As these security features become more popular, increased demand will drive further research.

However, I would argue there are no such market incentives at this point, for most people looking to buy and use IoT are not even thinking about security except in the most superficial ways. Moreover, manufacturers and developers of IoT have not experienced the sort of financial liability or regulatory action that might change the incentive structure. In May, the Federal Trade Commission (FTC) reached “a settlement with a Canadian company related to allegations it falsely claimed that its Internet-connected smart locks were designed to be “unbreakable” and that it took reasonable steps to secure the data it collected from users.”

As mentioned, one of the two major IoT bills stands a better chance of enactment. The “Developing Innovation and Growing the Internet of Things Act” (DIGIT Act) (S. 1611) would establish the beginnings of a statutory regime for the regulation of IoT at the federal level. The bill is sponsored by Senators Deb Fischer (R-NE), Cory Gardner (R-CO), Brian Schatz (D-HI), and Cory Booker (D-NJ) and is substantially similar to legislation (S. 88) the Senate passed unanimously in the last Congress the House never took up. In January, the Senate passed the bill by unanimous consent but the House has yet to take up the bill. S.1611was then added as an amendment to the “National Defense Authorization Act for Fiscal Year 2021“ (S.4049) in July. Its inclusion in an NDAA passed by a chamber of Congress dramatically increases the chances of enactment. However, it is possible the stakeholders in the House that have stopped this bill from advancing may yet succeed in stripping it out of a final NDAA.

Under this bill, the Secretary of Commerce must “convene a working group of Federal stakeholders for the purpose of providing recommendations and a report to Congress relating to the aspects of the Internet of Things, including”

identify any Federal regulations, statutes, grant practices, budgetary or jurisdictional challenges, and other sector-specific policies that are inhibiting, or could inhibit, the development or deployment of the Internet of Things;

  • consider policies or programs that encourage and improve coordination among Federal agencies that have responsibilities that are relevant to the objectives of this Act;
  • consider any findings or recommendations made by the steering committee and, where appropriate, act to implement those recommendations;
  • examine—
    • how Federal agencies can benefit from utilizing the Internet of Things;
    • the use of Internet of Things technology by Federal agencies as of the date on which the working group performs the examination;
    • the preparedness and ability of Federal agencies to adopt Internet of Things technology as of the date on which the working group performs the examination and in the future; and
    • any additional security measures that Federal agencies may need to take to—
      • safely and securely use the Internet of Things, including measures that ensure the security of critical infrastructure; and
      • enhance the resiliency of Federal systems against cyber threats to the Internet of Things

S.1611 requires this working group to have representatives from specified agencies such as the National Telecommunications and Information Administration, the National Institute of Standards and Technology, the Department of Homeland Security, the Office of Management and Budget, the Federal Trade Commission, and others. Nongovernmental stakeholders would also be represented on this body. Moreover, a steering committee would be established inside the Department of Commerce to advise this working group on a range of legal, policy, and technical issues. Within 18 months of enactment of S.1611, the working group would need to submit its recommendations to Congress that would then presumably inform additional legislation regulating IoT.  Finally, the Federal Communications Commission (FCC) would report to Congress on “future spectrum needs to enable better connectivity relating to the Internet of Things” after soliciting input from interested parties.

As noted, there is another IoT bill in Congress that may make it to the White House. In June 2019 the Senate and House committees of jurisdictions marked up their versions of the “Internet of Things (IoT) Cybersecurity Improvement Act of 2019” (H.R. 1668/S. 734), legislation that would tighten the federal government’s standards with respect to buying and using IoT. In what may augur enactment of this legislation, the House will take up its version today. However, new language in the amended bill coming to the floor making clear that the IoT standards for the federal government would not apply to “national security systems” (i.e. most of the Department of Defense, Intelligence Community, and other systems) suggests the roadblock that may have stalled this legislation for 15 months. It is reasonable to deduce that the aforementioned agencies made their case to the bill’s sponsors or allies in Congress that these IoT standards would somehow harm national security if made applicable to the defense IoT.

The bill text as released in March for both bills was identical signaling agreement between the two chambers’ sponsors, but the process of marking up the bills has resulted in different versions, requiring negotiation on a final bill. The House Oversight and Reform Committee marked up and reported out H.R. 1668 after adopting an amendment in the nature of a substitute that narrowed the scope of the bill and is more directive than the bill initially introduced in March. The Senate Homeland Security and Governmental Affairs Committee marked up S. 734 a week later, making their own changes from the March bill. The March version of the legislation unified two similar bills from the 115th Congress of the same title: the “Internet of Things (IoT) Cybersecurity Improvement Act of 2017” (S. 1691) and the “Internet of Things (IoT) Federal Cybersecurity Improvement Act of 2018” (H.R. 7283).

Per the Committee Report for S. 734, the purpose of bill

is to proactively mitigate the risks posed by inadequately-secured IoT devices through the establishment of minimum security standards for IoT devices purchased by the Federal Government. The bill codifies the ongoing work of the National Institute of Standards and Technology (NIST) to develop standards and guidelines, including minimum-security requirements, for the use of IoT devices by Federal agencies. The bill also directs the Office of Management and Budget (OMB), in consultation with the Department of Homeland Security (DHS), to issue the necessary policies and principles to implement the NIST standards and guidelines on IoT security and management. Additionally, the bill requires NIST, in consultation with cybersecurity researchers and industry experts, to publish guidelines for the reporting, coordinating, publishing, and receiving of information about Federal agencies’ security vulnerabilities and the coordinate resolutions of the reported vulnerabilities. OMB will provide the policies and principles and DHS will develop and issue the procedures necessary to implement NIST’s guidelines on coordinated vulnerability disclosure for Federal agencies. The bill includes a provision allowing Federal agency heads to waive the IoT use and management requirements issued by OMB for national security, functionality, alternative means, or economic reasons.

In general, this bill seeks to leverage the federal government’s ability to set standards through acquisition processes to ideally drive the development of more secure IoT across the U.S. The legislation would require the National Institute of Standards and Technology (NIST), the Office of Management and Budget (OMB), and the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) to work together to institute standards for IoT owned or controlled by most federal agencies. As mentioned, the latest version of this bill explicitly exclude “national security systems.” These standards would need to focus on secure development, identity management, patching, and configuration management and would be made part of Federal Acquisition Regulations (FAR), making them part of the federal government’s approach to buying and utilizing IoT. Thereafter, civilian federal agencies and contractors would need to use and buy IoT that meets the new security standards. Moreover, NIST would need to create and implement a process for the reporting of vulnerabilities in information systems owned or operated by agencies, including IoT naturally. However, the bill would seem to make contractors and subcontractors providing IoT responsible for sharing vulnerabilities upon discovery and then sending around fixes and patches when developed. And yet, this would seem to overlap with the recently announced Trump Administration vulnerabilities disclosure process (see here for more analysis) and language in the bill could be read as enshrining in statute the basis for the recently launched initiative even though future Administrations would have flexibility to modify or revamp as necessary.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Image by lea hope bonzer from Pixabay

Congressional Cybersecurity Commission Releases Annex To Final Report

A Congressional cyber panel is adding four recommendations to its comprehensive March report.  

First things first, if you would like to receive my Technology Policy Update, email me. You can find some of these Updates from 2019 and 2020 here.

On 2 June, the Cyberspace Solarium Commission (CSC) released an annex to its final report. The CSC was created by the National Defense Authorization Act for Fiscal Year 2019 (P.L. 115-232) to “develop a consensus on a strategic approach to defending the United States in cyberspace against cyber attacks of significant consequences.” In mid-March, the CSC released its final report and made a range of recommendations, some of which were paired with legislative language the CSC has still not yet made available. However, Members of Congress who served on the CSC are working with the Armed Services Committees to get some of this language added to the FY 2021 National Defense Authorization Act (NDAA). See this issue of the Technology Policy Update for more detail on the CSC’s final report.

Per its grant of statutory authority, the CSC is set to terminate 120 days after the release of its final report, which will be next month. Nonetheless, the CSC has been holding a series of webinars to elucidate or explain various components of the final report, and the Commission began to consider cybersecurity through the lens of the current pandemic for parallels and practical effects. Consequently, the CSC added four new recommendations and renewed its call that recommendations in its final report related to the pandemic – in the view of the Commission – receive renewed attention and ideally action by Congress and the Executive Branch.

The CSC again called for the types of resources and reforms most policymakers have either not shown an appetite for or believe are a few bridges too far. Even though the CSC stated its intention to a “9/11 Commission without the 9/11 event,” it is unlikely such sweeping policy changes will be made in the absence of a crisis or event that fundamentally changes this status quo. Nevertheless, the CSC’s new recommendations are targeted and modest, one of which call for funneling more funds through an existing grant program to bolster private sector/non-profit efforts and another for a government agency to exercise previously granted authority. What’s more, the CSC could add the new recommendations to those shared in the form of legislative language with the Armed Services Committees in the hopes they are included in this year’s NDAA. Given that CSC co-chairs Senator Angus King (I-ME) and Representative Mike Gallagher (R-WI) serve on their chambers’ Armed Services Committees as do the other two Members of Congress on the CSC, Senator Ben Sasse (R-NE) and Representative James Langevin (D-RI), the chances of some of the recommendations making it into statute are higher than they may be otherwise.

In its “White Paper #1: Cybersecurity Lessons from the Pandemic,” the CSC asserted:

The COVID-19 pandemic illustrates the challenge of ensuring resilience and continuity in a connected world. Many of the effects of this new breed of crisis can be significantly ameliorated through advance preparations that yield resilience, coherence, and focus as it spreads rapidly through the entire system, stressing everything from emergency services and supply chains to basic human needs and mental health. e pandemic produces cascading effects and high levels of uncertainty. It has undermined normal policymaking processes and, in the absence of the requisite preparedness, has forced decision makers to craft hasty and ad hoc emergency responses. Unless a new approach is devised, crises like COVID-19 will continue to challenge the modern American way of life each time they emerge. This annex collects observations from the pandemic as they relate to the security of cyberspace, in terms of both the cybersecurity challenges it creates and what it can teach the United States about how to prepare for a major cyber disruption. These insights and the accompanying recommendations, some of which are new and some of which appear in the original March 2020 report, are now more urgent than ever.

The CSC conceded that “[t]he lessons the country is learning from the ongoing pandemic are not perfectly analogous to a significant cyberattack, but they offer many illuminating parallels.

  • First, both the pandemic and a significant cyberattack can be global in nature, requiring that nations simultaneously look inward to manage a crisis and work across borders to contain its spread.
  • Second, both the COVID-19 pandemic and a significant cyberattack require a whole-of-nation response effort and are likely to challenge existing incident management doctrine and coordination mechanisms.
  • Third, when no immediate therapies or vaccines are available, testing and treatments emerge slowly; such circumstances place a premium on building systems that are agile, are resilient, and enable coordination across the government and private sector, much as is necessary in the cyber realm.
  • Finally, and perhaps most importantly, prevention is far cheaper and preestablished relationships far more effective than a strategy based solely on detection and response.

The CSC continued:

The COVID-19 pandemic is a call to action to ensure that the United States is better prepared to withstand shocks and crises of all varieties, especially those like cyber events that we can reasonably predict will occur, even if we do not know when. We, as a nation, must internalize the lessons learned from this emergency and move forward to strengthen U.S. national preparedness.  This means building structures in government now to ensure strategic leadership and coordination through a cyber crisis. It means driving down the vulnerability of the nation’s networks and technologies. And finally, it means investing in rigorously building greater resiliency in the government, in critical infrastructure, and in our citizenry. In the past several years, experts have sounded the alarm, ranking cyberattacks as one of the most likely causes of a crisis. As the COVID-19 crisis has unfolded, the United States has experienced a wake-up call, prompting a national conversation about disaster prevention, crisis preparedness, and incident response. While COVID-19 is the root cause of today’s crisis, a significant cyberattack could be the cause of the next. If that proves to be the case, history will surely note that the time to prepare was now.

The CSC offered these four new recommendations:

  • Pass an Internet of Things Security Law: With a significant portion of the workforce working from home during the COVID-19 disruption, household internet of things (IoT) devices, particularly household routers, have become vulnerable but important pieces of our national cyber ecosystem and our adversary’s attack surface. To ensure that the manufacturers of IoT devices build basic security measures into the products they sell, Congress should pass an IoT security law. The law should focus on known challenges, like insecurity in Wi-Fi routers, and mandate that these devices have reasonable security measures, such as those outlined under the National Institute of Standards and Technology’s “Recommendations for IoT Device Manufacturers.” But it should be only modestly prescriptive, relying more heavily on outcome-based standards, because security standards change with technology over time. Nonetheless, the law should stress enduring standards both for authentication, such as requiring unique default passwords that a user must change to their own authentication mechanism upon first use, and for patching, such as ensuring that a device is capable of receiving a remote update. Congress should consider explicitly tasking the Federal Trade Commission with enforcement of the law on the basis of existing authorities under Section 5 of the Federal Trade Commission Act.
    • In a footnote, the CSC asserted “[t]he proposed Internet of Things (IoT) Cybersecurity Improvement Act of 2019 provides a viable model for a federal law that mandates that connected devices procured by the federal government have reasonable security measures in place, but should be expanded to cover all devices sold or offered for sale in the United States.
    • The initial draft of the “Internet of Things Cybersecurity Improvement Act of 2019” (H.R. 1668/S. 734) was a revised, unified version of two similar bills from the 115th Congress of the same title: the “Internet of Things (IoT) Cybersecurity Improvement Act of 2017” (S. 1691) and the “Internet of Things (IoT) Federal Cybersecurity Improvement Act of 2018” (H.R. 7283). However, during the process of consideration in both chambers, differences emerged that as of yet have not been reconciled. However, it is possible that a final version of this bill gets folded into the FY 2021 NDAA or is passed as standalone legislation in the waning days of this Congress.
    • However, the FTC already uses its Section 5 authorities to bring actions against IoT manufacturers. For example, last month, the agency announced a settlement with Tapplock regarding “allegations that it deceived consumers by falsely claiming that its Internet-connected smart locks were designed to be “unbreakable” and that it took reasonable steps to secure the data it collected from users.”
  • Support Nonprofits that Assist Law Enforcement’s Cybercrime and Victim Support Efforts: Cyber-specific nonprofit organizations regularly collaborate with law enforcement in writing cybercrime reports, carrying out enforcement operations, and providing victim support services. As the COVID-19 pandemic has proven, trusted nonprofit organizations serve as critical law enforcement partners that can quickly mobilize to help identify and dismantle major online schemes. Such nonprofits have the expertise and flexibility to help and reinforce law enforcement efforts to disrupt cybercrime and assist victims. However, they often face financial challenges. Therefore, the Commission recommends that Congress provide grants through the Department of Justice’s Office of Justice Programs to help fund these essential efforts.
    • The portion of the Department of Justice’s Office of Justice Programs that makes grants was provided $1.892 billion in FY 2020, with large chunks being earmarked for state and local law enforcement agencies like the Edward Byrne Memorial Justice Assistance Grant program. Therefore, there would likely need to be additional funding provided for this program if there will be additional eligible recipients and additional purposes.
  • Establish the Social Media Data and Threat Analysis Center: Because major social media platforms are owned by private companies, developing a robust public-private partnership is essential to effectively combat disinformation. To this end, the Commission supports the provision in the FY2020 National Defense Authorization Act that authorizes the Office of the Director of National Intelligence to establish and fund a Social Media Data and Threat Analysis Center (DTAC), which would take the form of an independent, nonprofit organization intended to encourage public-private cooperation to detect and counter foreign influence operations against the United States. The center would serve as a public-private facilitator, developing information-sharing procedures and establishing—jointly with social media—the threat indicators that the center will be able to access and analyze. In addition, the DTAC would be tasked with informing the public about the criteria and standards for analyzing, investigating, and determining threats from malign influence operations. Finally, in order to strengthen a collective understanding of the threats, the center would host a searchable archive of aggregated information related to foreign influence and disinformation operations.
    • This is, obviously, not really a new recommendation, but rather a call for already granted authority to be used. The Director of National Intelligence was provided discretionary authority to establish the DTAC in P.L. 116-92 and has not chosen to do so yet. There are a number of existing entities that may qualify as the Atlantic Council’s Digital Forensics Research Lab or the Alliance for Securing Democracy. However, the issue may be resources in that the DNI was not provided any additional funding to stand up the DTAC.
  • Increase Nongovernmental Capacity to Identify and Counter Foreign Disinformation and Influence Campaigns: Congress should fund the Department of Justice to provide grants, in consultation with the Department of Homeland Security and the National Science Foundation, to nonprofit centers seeking to identify, expose, and explain malign foreign influence campaigns to the American public while putting those campaigns in context to avoid amplifying them. Such malign foreign influence campaigns can include covert foreign state and non-state propaganda, disinformation, or other inauthentic activity across online platforms, social networks, or other communities. These centers should analyze and monitor foreign influence operations, identify trends, put those trends into context, and create a robust, credible source of information for the American public. To ensure success, these centers should be well-resourced and coordinated with ongoing government efforts and international partners’ efforts.
    • It is not clear whether this program would be conducted through an existing DOJ program or a new one would be created. As with the DOJ’s Office of Justice Programs, funding may be an issue, and while the Armed Services Committees may be able to fold this into the FY 2021 (notwithstanding jurisdictional issues considering the DOJ is part of the Judiciary Committees’ purviews), but the Appropriations Committees would ultimately decide whether this would be funded.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.