Further Reading, Other Developments, and Coming Events (15 August)

Here are Further Reading, Other Developments, and Coming Events.

Coming Events

  • On 18 August, the National Institute of Standards and Technology (NIST) will host the “Bias in AI Workshop, a virtual event to develop a shared understanding of bias in AI, what it is, and how to measure it.”
  • The United States’ Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) announced that its third annual National Cybersecurity Summit “will be held virtually as a series of webinars every Wednesday for four weeks beginning September 16 and ending October 7:”
    • September 16: Key Cyber Insights
    • September 23: Leading the Digital Transformation
    • September 30: Diversity in Cybersecurity
    • October 7: Defending our Democracy
    • One can register for the event here.
  • The Senate Judiciary Committee’s Antitrust, Competition Policy & Consumer Rights Subcommittee will hold a hearing on 15 September titled “Stacking the Tech: Has Google Harmed Competition in Online Advertising?.” In their press release, Chair Mike Lee (R-UT) and Ranking Member Amy Klobuchar (D-MN) asserted:
    • Google is the dominant player in online advertising, a business that accounts for around 85% of its revenues and which allows it to monetize the data it collects through the products it offers for free. Recent consumer complaints and investigations by law enforcement have raised questions about whether Google has acquired or maintained its market power in online advertising in violation of the antitrust laws. News reports indicate this may also be the centerpiece of a forthcoming antitrust lawsuit from the U.S. Department of Justice. This hearing will examine these allegations and provide a forum to assess the most important antitrust investigation of the 21st century.
  • On 22 September, the Federal Trade Commission (FTC) will hold a public workshop “to examine the potential benefits and challenges to consumers and competition raised by data portability.” By 21 August, the FTC “is seeking comment on a range of issues including:
    • How are companies currently implementing data portability? What are the different contexts in which data portability has been implemented?
    • What have been the benefits and costs of data portability? What are the benefits and costs of achieving data portability through regulation?
    • To what extent has data portability increased or decreased competition?
    • Are there research studies, surveys, or other information on the impact of data portability on consumer autonomy and trust?
    • Does data portability work better in some contexts than others (e.g., banking, health, social media)? Does it work better for particular types of information over others (e.g., information the consumer provides to the business vs. all information the business has about the consumer, information about the consumer alone vs. information that implicates others such as photos of multiple people, comment threads)?
    • Who should be responsible for the security of personal data in transit between businesses? Should there be data security standards for transmitting personal data between businesses? Who should develop these standards?
    • How do companies verify the identity of the requesting consumer before transmitting their information to another company?
    • How can interoperability among services best be achieved? What are the costs of interoperability? Who should be responsible for achieving interoperability?
    • What lessons and best practices can be learned from the implementation of the data portability requirements in the GDPR and CCPA? Has the implementation of these requirements affected competition and, if so, in what ways?”
  • The Federal Communications Commission (FCC) will hold an open meeting on 30 September, but an agenda is not available at this time.

Other Developments

  • The Global Engagement Center (GEC) at the U.S. Department of State published the “GEC Special Report: Pillars of Russia’s Disinformation and Propaganda Ecosystem” The GEC drew on “on publicly available reporting to provide an overview of Russia’s disinformation and propaganda ecosystem.”  The GEC identified the five pillars of Russia’s Disinformation and Propaganda Ecosystem:
    • official government communications;
    • state-funded global messaging;
    • cultivation of proxy sources;
    • weaponization of social media; and
    • cyber-enabled disinformation.
    • The GEC stated
      • This report provides a visual representation of the ecosystem described above, as well as an example of the media multiplier effect it enables. This serves to demonstrate how the different pillars of the ecosystem play distinct roles and feed off of and bolster each other. The report also includes brief profiles of select proxy sites and organizations that occupy an intermediate role between the pillars of the ecosystem with clear links to Russia and those that are meant to be fully deniable. The emphasis on these proxy sites is meant to highlight the important role they play, which can be overlooked given the attention paid to official Russian voices on one end of the spectrum, and the social media manipulation and cyber-enabled threats on the other.
  • The United States (U.S.) Department of Veterans Affairs (VA) has restarted its process for rolling out its new electronic health record (EHR) and announced it has “revised its previous schedule to convert facilities to its new HER capabilities with updated timelines for deployments in August in Columbus, Ohio, and October in Spokane, Washington.” The VA opted to replace its Veterans Health Information Systems and Technology Architecture (VistA) with a commercial off-the-shelf system the U.S. Department of Defense has chosen, Cerner Millennium. However, this $16 billion acquisition has encountered numerous difficulties and delays, which has caught he continued attention of Congress.
    • The VA claimed “The new timeline will preserve the 10-year implementation schedule and the overall cost estimates of VA’s EHR modernization program…[and] [a]fter the conversion at these sites, VA will bring other select facilities forward in the timeline.”
    • In June 2020, the U.S. Government Accountability Office (GAO) found:
      • VA met its schedule for making the needed system configuration decisions that would enable the department to implement its new EHR system at the first VA medical facility, which was planned for July 2020. In addition, VA has formulated a schedule for making the remaining EHR system configuration decisions before implementing the system at additional facilities planned for fall 2020.
      • VA’s Electronic Health Record Modernization (EHRM) program was generally effective in establishing decision-making procedures that were consistent with applicable federal standards for internal control. However, VA did not always ensure the involvement of relevant stakeholders, including medical facility clinicians and staff, in the system configuration decisions. Specifically, VA did not always clarify terminology and include adequate detail in descriptions of local workshop sessions to medical facility clinicians and staff to ensure relevant representation at local workshop meetings. Participation of such stakeholders is critical to ensuring that the EHR system is configured to meet the needs of clinicians and support the delivery of clinical care.
  • The United States (U.S.) Government Accountability Office (GAO) studied and reported on privacy and accuracy issues related to the use of facial recognition technology requested by the chairs of the House Judiciary and Oversight and Reform Committees. This report updates a 2015 report on the same issues and renews the agency’s call first made in 2013 that Congress “strengthen[] the current consumer privacy framework to reflect the effects of changes in technology and the marketplace—particularly in relation to consumer data used for marketing purposes—while also ensuring that any limitations on data collection and sharing do not unduly inhibit the economic and other benefits to industry and consumers that data sharing can accord.”
    • In the new report, the GAO explained that “[s]takeholders we interviewed identified additional activities that companies could improve the use of facial recognition technology. These activities include
      • defining the purpose for the technology’s use and clearly notifying consumers how companies are using the technology—such as surveillance or marketing;
      • identifying risks and limitations associated with using the technology and prohibiting certain uses (e.g., those with discriminatory purposes); and
      • providing guidance or training related to these issues.
    • The GAO asserted
      • However, these voluntary privacy frameworks and suggested activities that could help address privacy concerns or improve the use of facial recognition technology are not mandatory. Furthermore, as discussed earlier, in most contexts facial recognition technology is not currently covered by federal privacy law. Accordingly, we reiterate our 2013 suggestion that Congress strengthen the current consumer privacy framework to reflect the effects of changes in technology and the marketplace.
  • The United States Department of Justice (DOJ) “announced the dismantling of three terrorist financing cyber-enabled campaigns, involving the al-Qassam Brigades, Hamas’s military wing, al-Qaeda, and Islamic State of Iraq and the Levant (ISIS)…the government’s largest-ever seizure of cryptocurrency in the terrorism context.”
    • The DOJ claimed
      • These three terror finance campaigns all relied on sophisticated cyber-tools, including the solicitation of cryptocurrency donations from around the world.  The action demonstrates how different terrorist groups have similarly adapted their terror finance activities to the cyber age.  Each group used cryptocurrency and social media to garner attention and raise funds for their terror campaigns.  Pursuant to judicially-authorized warrants, U.S. authorities seized millions of dollars, over 300 cryptocurrency accounts, four websites, and four Facebook pages all related to the criminal enterprise.
  • The United States (U.S.) National Counterintelligence and Security Center (NCSC) revealed it has “has been providing classified briefings and other assistance to federal procurement executives, chief information officers and chief information security officers from across the U.S. Government on supply chain threats and risks stemming from contracting with five Chinese companies.” The NCSC explained the “supply chain security briefings are designed to assist federal agencies implement” Section 889 of the “John S. McCain National Defense Authorization Act (NDAA) for FY 2019” (P.L. 115-232).
    • The NCSC stated:
      • One provision of the NDAA prohibits the U.S. Government from directly using goods and services from five specified Chinese companies — Huawei, ZTE Corporation, Hytera Communications, Hanghzou Hikvision and Dahua Technology Company.
      • Another, broader, provision of Section 889 prohibits federal agencies from contracting with any company that uses goods and services from these five Chinese firms. This particular prohibition takes effect on August 13, 2020, unless a federal agency authorizes a waiver for a specific company, which can only be granted by the agency head after receiving NCSC supply chain security guidance.
  • The Federal Communications Commission (FCC) denied two petitions to stay an April 2020 rulemaking that would make the 6Ghz band of spectrum available to users other than the incumbents. The FCC noted “wo parties—Edison Electric Institute (EEI) and Association of Public-Safety Communications Officials-International, Inc. (APCO)—petitioned to stay the Order:
    • EEI, a trade association representing investor-owned electric utilities, seeks only to stay the effectiveness of the rules that apply to low-power indoor devices. 
    • APCO, a non-profit association of persons who manage and operate public-safety communications systems, seeks to stay the rules for both standard-power and low-power indoor operations.
    • In the rule and order, the FCC explained
      • We authorize two different types of unlicensed operations—standard-power and indoor low-power operations. We authorize standard-power access points using an automated frequency coordination (AFC) system. These access points can be deployed anywhere as part of hotspot networks, rural broadband deployments, or network capacity upgrades where needed. We also authorize indoor low-power access points across the entire 6 GHz band. These access points will be ideal for connecting devices in homes and businesses such smartphones, tablet devices, laptops, and Internet-of-things (IoT) devices to the Internet. As has occurred with Wi-Fi in the 2.4 GHz and 5 GHz bands, we expect that 6 GHz unlicensed devices will become a part of most peoples’ everyday lives. The rules we are adopting will also play a role in the growth of the IoT; connecting appliances, machines, meters, wearables, and other consumer electronics as well as industrial sensors for manufacturing.
  • In a speech, the Australian Competition and Consumer Commission (ACCC) Chair Rod Sims laid out the status of his agency’s actions against Google, Facebook, and other large technology platforms flowing from its final report in its “Digital Platforms Inquiry” that “proposes specific recommendations aimed at addressing some of the actual and potential negative impacts of digital platforms in the media and advertising markets, and also more broadly on consumers,” including:
    • The ACCC recently launched an action against Google regarding misleading representations it made to consumers to obtain their consent to expand the scope of personal information it collected and used about its’ users online activities.
    • In another case, which we brought against Google last year, we allege that Google misled consumers into sharing location data with Google. We contend Google did not clearly inform consumers using Android mobile devices that a particular account setting allowed Google to collect location data. We assert that many consumers may have unknowingly provided more of their personal location data to Google than they intended. Google then used consumers’ location data to enhance the value of its advertising services to prospective advertisers. This case is currently in Court with a hearing scheduled in late November.
    • Currently the ACCC is considering the acquisition by Google and Facebook of Fitbit and Giphy, respectively. We are considering questions such as whether they have the ability to give themselves advantages by favouring their own products, or whether these acquisitions are raising barriers to entry for other competitors.
    • In April 2020 the Federal Government directed the ACCC to develop a mandatory code of conduct to address bargaining power imbalances between Australian news media businesses and digital platforms. We recently published the draft legislation for the code.
  • A British appeals court overturned a decision that found that a police force’s use of facial recognition technology in a pilot program that utilized live footage to be legal. The appeals court found the use of this technology by the South Wales Police Force a violation of “the right to respect for private life under Article 8 of the European  Convention  on  Human  Rights,  data  protection  legislation,  and  the  Public  Sector Equality Duty (“PSED”) under section 149 of the Equality Act 2010.”

Further Reading

  • North Korean Hacking Group Attacks Israeli Defense Industry” by Ronen Bergman and Nicole Perlroth – The New York Times. Israel is denying the claims of a cybersecurity firm that hackers from the Democratic People’s Republic of Korea (DPRK) deeply penetrated its defense industry. Through the use of sophisticated phishing, including fake LinkedIn accounts and fluent English speakers, employees at Israeli defense companies were tricked into stalling spyware on these personal computers and then the hackers allegedly eventually accessed classified Israeli networks. The attacks show growing sophistication from DPRK hackers and that those looking to penetrate networks will always seek out weak spots.
  • Pentagon Requests More Time to Review JEDI Cloud Contract Bids” by Frank Konkel – Nextgov. The United States Department of Defense (DOD) has asked for yet more time to resolve who will win the second round of the Joint Enterprise Defense Infrastructure (JEDI) cloud contract that may prove worth more than $10 billion to the winner. The Pentagon had told the court it was on schedule to make an award ion the rebid of the contract that Microsoft had won over Amazon. The latter claimed political interference from the White House violated federal contract law, among other claims, resulting in this lawsuit.
  • Google rival’s study urges letting mobile users pick search defaults” by Ashley Gold – Axios. DuckDuckGo, a search engine, claims in newly released research that permitting Android users to choose their search engine would decrease Google’s market share by 20%. This could be relevant to the United States (U.S.) Department of Justice’s (DOJ) antitrust investigation. As a point of reference, in the U.S., the United Kingdom, and Australia, Google’s share of the mobile search engine market is 95%, 98% and 98%. DOJ may seriously look at this remedy as the European Commission (EC) imposed this as part of its antitrust case against Google, resulting in a record €4.34 billion fine.
  • Facial Recognition Start-Up Mounts a First Amendment Defense” By Kashmir Hill – The New York Times. Clearview AI has retained legendary First Amendment lawyer Floyd Abrams to make the argument that its collection, use, and dissemination of publicly photos scraped from the internet is protected as free speech. Abrams is quoting as saying that while privacy is, of course, an important right, the First Amendment to the United States Constitution would trump any such rights. It is expected that this argument will be employed in the myriad suits against the facial recognition technology firm in the range of suits against the company.
  • An advanced group specializing in corporate espionage is on a hacking spree” By Jeff Stone – cyberscoop. A new hacking group, RedCurl, has gone on a worldwide hacking campaign that broke into businesses in the United Kingdom, Canada, and other places. The hackers phished a number of businesses successfully by impersonating someone from the human resources in he organization.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

White House and Trump Administration Sending Different Messages On Election Interference

While the President and close advisors keep downplaying Russian interference in the 2020 U.S. election while U.S. intelligence agencies are issuing muted warnings many Democrats think have been tempered to please the White House.

The Trump Administration has been sending mixed messages on the security of and risks to the 2020 election in the United States (U.S.) While the President and the White House have largely been silent on Russian Federation activities, they have accused the People’s Republic of China (PRC) of a range of activities to interfere with the election. However, U.S. intelligence agencies have been flagging the activities of the Russian Federation, the PRC, Iran, North Korea, and others, but many Democrats and subject matter experts are arguing these public warnings are not accurately portraying the scope of activities and possible effects. Republican leadership in Congress are, in turn, claiming Democrats are politicizing the issue. The ongoing effect may be to desensitize the American public to interference and to further divide the electorate.

At the White House’s COVID-19 briefing on 10 August, when asked about Russian interference, Trump responded:

The other day they said the three countries; they said China and Russia and Iran and some reporter got up and said, Russia is meddling. I said, well, didn’t it mention China and Iran? Why didn’t you mention them, too?

National Counterintelligence and Security Center (NCSC) Director William Evanina issued an update to his late July statement “100 Days Until Election 2020” through “sharing additional information with the public on the intentions and activities of our adversaries with respect to the 2020 election…[that] is being released for the purpose of better informing Americans so they can play a critical role in safeguarding our election.” Evanina offered more in the way of detail on the three nations identified as those being most active in and capable of interfering in the November election: the Russian Federation, the PRC, and Iran. This additional detail may well have been provided given the pressure Democrats in Congress to do just this. Members like Speaker of the House Nancy Pelosi (D-CA) argued that Evanina was not giving an accurate picture of the actions by foreign nations to influence the outcome and perception of the 2020 election. Republicans in Congress pushed back, claiming Democrats were seeking to politicize the classified briefings given by the Intelligence Community (IC).

Evanina asserted

Ahead of the 2020 U.S. elections, foreign states will continue to use covert and overt influence measures in their attempts to sway U.S. voters’ preferences and perspectives, shift U.S. policies, increase discord in the United States, and undermine the American people’s confidence in our democratic process. They may also seek to compromise our election infrastructure for a range of possible purposes, such as interfering with the voting process, stealing sensitive data, or calling into question the validity of the election results. However, it would be difficult for our adversaries to interfere with or manipulate voting results at scale.

Evanina stated “[m]any foreign actors have a preference for who wins the election, which they express through a range of overt and private statements; covert influence efforts are rarer…[and] [w]e are primarily concerned about the ongoing and potential activity by China, Russia, and Iran.

  • CHINA – We assess that China prefers that President Trump – whom Beijing sees as unpredictable – does not win reelection. China has been expanding its influence efforts ahead of November 2020 to shape the policy environment in the United States, pressure political figures it views as opposed to China’s interests, and deflect and counter criticism of China. Although China will continue to weigh the risks and benefits of aggressive action, its public rhetoric over the past few months has grown increasingly critical of the current Administration’s COVID-19 response, closure of China’s Houston Consulate, and actions on other issues. For example, it has harshly criticized the Administration’s statements and actions on Hong Kong, TikTok, the legal status of the South China Sea, and China’s efforts to dominate the 5G market. Beijing recognizes that all of these efforts might affect the presidential race.
  • RUSSIA – We assess that Russia is using a range of measures to primarily denigrate former Vice President Biden and what it sees as an anti-Russia “establishment.” This is consistent with Moscow’s public criticism of him when he was Vice President for his role in the Obama Administration’s policies on Ukraine and its support for the anti-Putin opposition inside Russia. For example, pro-Russia Ukrainian parliamentarian Andriy Derkach is spreading claims about corruption – including through publicizing leaked phone calls – to undermine former Vice President Biden’s candidacy and the Democratic Party. Some Kremlin-linked actors are also seeking to boost President Trump’s candidacy on social media and Russian television.
  • IRAN – We assess that Iran seeks to undermine U.S. democratic institutions, President Trump, and to divide the country in advance of the 2020 elections. Iran’s efforts along these lines probably will focus on on-line influence, such as spreading disinformation on social media and recirculating anti-U.S. content. Tehran’s motivation to conduct such activities is, in part, driven by a perception that President Trump’s reelection would result in a continuation of U.S. pressure on Iran in an effort to foment regime change.

Evanina vowed to update Americans through future statements as needed.

In a statement, Pelosi and House Intelligence Committee Chair Adam Schiff (D-CA) expressed gratitude for the additional detail but took issue with the statement for implying through its structure that the risks each nation presents are equal. It would seem to make sense that Pelosi and Schiff are arguing that the Russian Federation is the biggest threat in light of its history in successfully spreading disinformation and misinformation in 2016 to benefit Trump and harm former Secretary of State Hillary Clinton. This assertion would also serve to rebut the notion that the PRC is the top threat given its placement as the first nation mentioned and Trump Administration rhetoric to this effect. Pelosi and Schiff asserted:

  • Today’s statement improves on the last by including more detail that American voters deserve to know, including about the actions of Kremlin-linked actors seeking to undermine Vice President Biden, and seeking to help President Trump. These details should help the public, Congress, and the presidential campaigns guard against foreign disinformation. And we are pleased that Mr. Evanina heeded our call to make additional details public about Russia’s malign interference campaign and Mr. Derkach’s role.
  • Unfortunately, today’s statement still treats three actors of differing intent and capability as equal threats to our democratic elections. Members of Congress have now been briefed on the specific threats facing the 2020 election, and we have been clear with the Intelligence Community that the American people must be provided with specific information that would allow voters to appraise for themselves the respective threats posed by these foreign actors, and distinguish these actors’ different and unequal aims, current actions, and capabilities. All of this can be done consistent with the need to protect sources and methods.

Unlike the first statement by Evanina on the 2020 election, Senate Intelligence Committee acting Chair Marco Rubio (R-FL) and Ranking Member Mark Warner (D-VA) released a joint statement in which they remarked:

  • NCSC Director Evanina’s statement today builds on and provides additional context to his previous statement two weeks ago. We thank him for providing this additional information to the American people, and we look forward to his continued engagement, along with other members of the Intelligence Community and the Administration, with the public over the next 87 days.
  • Evanina’s statement highlights some of the serious and ongoing threats to our election from China, Russia, and Iran. Everyone — from the voting public, local officials, and members of Congress — needs to be aware of these threats. And all of us should endeavor to prevent outside actors from being able to interfere in our elections, influence our politics, and undermine confidence in our democratic institutions.
  • In recent weeks, Evanina, other parts of the Intelligence Community, the FBI, and DHS have provided additional information and briefings to most members of Congress. We thank them for that engagement and encourage them to continue to make this information available. We believe more of the information that was made available in these briefings can, and at the appropriate time should, be shared with the voting public, and we encourage the Intelligence Community to do so in a manner that protects the sources and methods used to collect such information.
  • And we encourage political leaders on all sides to refrain from weaponizing intelligence matters for political gain, as this only furthers the divisive aims of our adversaries.

On 9 August, on Face The Nation, Trump’s National Security Adviser Robert O’Brien was asked about Evanina’s statement and claimed

it’s not just Russia…It’s- the Chinese don’t want the president re-elected. He’s been tougher on China than any president in history. And- and we’re standing up for the first time to the Chinese Communist Party and protecting Americans, protecting our IP, protecting our economy, protecting our- our vaccine data. And so there are a lot of people around the world that aren’t happy with America because they don’t share our values. And that shouldn’t be a surprise to anybody. And we’re going to take every action necessary to- to keep folks out, whether it’s China or Russia or Iran—

When asked about the assertion that the PRC wanted Trump to lose, O’Brien responded:

Well, well they- they’d like the- the president to lose. And- and China, like Russia, like Iran, have engaged in cyber-attacks and phishing and that sort of thing with respect to our election infrastructure, with respect to websites and that sort of thing. We’re- we’re aware of it and we’re- we’re taking steps to counter it. Whether it’s China or Russia or Iran, we’re not going to put up with it. And there will be severe consequences with any country that attempts to interfere with our free and fair elections, whether- whether their- their leaders prefer- prefer Joe Biden or prefer Donald Trump, it doesn’t matter. We’re Americans. We don’t- we’re not going to foreign countries deciding who our next president is going to be.

The U.S. Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) released a risk assessment of mail-in voting “to support CISA efforts to help U.S., state, and local governments identify and mitigate vulnerabilities to mail-in voting infrastructure, and support physical security, cybersecurity, and operational resilience within the mail-in voting process.” CISA cautioned “[t]his document is not an endorsement of any election management practice.”

CISA reached these “key findings:”

  • All forms of voting –in this case mail-in voting –bring a variety of cyber and infrastructure risks. Risks to mail-in voting can be managed through various policies, procedures, and controls.
  • The outbound and inbound processing of mail-in ballots introduces additional infrastructure and technology, which increases the potential scalability of cyber attacks.Implementation of mail-in voting infrastructure and processes within a compressed timeline may also introduce new risk. To address this risk, election officials should focus on cyber risk management activities, including access controls and authentication best practices when implementing expanded mail-in voting.
  • Integrity attacks on voter registration data and systems represent a comparatively higher risk in a mail-in voting environment when compared to an in-person voting environment. This is because the voter is not present at the time of casting the ballot and cannot help to answer questions regarding their eligibility or identity verification.
  • Operational risk management responsibility differs with mail-in voting and in-person voting processes. For mail-in voting, some of the risk under the control of election officials during in-person voting shifts to outside entities, such as ballot printers, mail processing facilities, and the United States Postal Service (USPS).
  • Physical access at election offices and warehouses represents a risk in a mail-in voting environment. Completed ballots are returned to the election office and must be securely stored for days or weeks before processing through voter authentication and tabulation processes. Managing risks to these processes requires implementing secure procedures for storage, access controls, and chain of custody, such as ballot accounting.
  • Inbound mail-in ballot processes and tabulation take longer than in-person processing, causing tabulation of results to occur more slowly and resulting in more ballots to tabulate following election night. Media, candidates, and voters should expect less comprehensive results on election night, which creates additional risk of electoral uncertainty and confidence in results.
  • Disinformation risk to mail-in voting infrastructure and processes is similar to that of in-person voting while utilizing different content. Threat actors may leverage limited understanding regarding mail-in voting processes to mislead and confuse the public.

CISA noted

Currently, five states (Colorado, Hawaii, Oregon, Utah, and Washington) automatically send every registered voter a ballot by mail. At least 21 other states have laws that allow at least some elections to be conducted by mail. In addition to the five states that send every voter a ballot, five states (Arizona, California, Montana, Nevada, and New Jersey) and the District of Columbia (D.C.) allow a voter to apply to receive a mail-in ballot permanently, so that voters do not have to apply each election.1 Currently, 34 states and D.C. allow any registered voter to  request a mail-in ballot. T  here are 16 states that require voters to have an excuse such as temporary absence from the voting district,  illness, or disability or require voters to be of a certain age (typically 65+) to be eligible to receive a ballot by mail. Some states are recognizing COVID-19 as a valid excuse.

CISA’s risk assessment of mail-in voting is more positive than its judgment about online voting. In May, a version of CISA’s risk assessment of online voting was leaked that was more critical of state efforts to offer this form of voting in the 2020 election. The risk assessment CISA ultimately issued had softer language about the risks, but the leaked document still conveyed deeper reservations the agency harbored without these becoming its official position.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Image by Tumisu from Pixabay

Further Reading, Other Developments, and Coming Events (30 July)

First things first, if you would like to receive my Technology Policy Update, email me. You can find some of these Updates from 2019 and 2020 here.

Here are Further Reading, Other Developments, and Coming Events.

Coming Events

  • On 30 July, the Senate Commerce, Science, and Transportation Committee’s Security Subcommittee will hold a hearing titled “The China Challenge: Realignment of U.S. Economic Policies to Build Resiliency and Competitiveness” with these witnesses:
    • The Honorable Nazak Nikakhtar, Assistant Secretary for Industry and Analysis, International Trade Administration, U.S. Department of Commerce
    • Dr. Rush Doshi, Director of the Chinese Strategy Initiative, The Brookings Institution
    • Mr. Michael Wessel, Commissioner, U.S. – China Economic and Security Review Commission
  • On 30 July, the House Armed Services Committee’s Intelligence and Emerging Threats and Capabilities Subcommittee will hold a hearing titled “Review of the Recommendations of the Cyberspace Solarium Commission” with these witnesses:
    • Senator Angus King (I-ME), Chairman, Cyberspace Solarium Commission
    • Representative Mike Gallagher (R-WI), Chairman, Cyberspace Solarium Commission
    • The Honorable Patrick Murphy, Commissioner, Cyberspace Solarium Commission
    • Mr. Frank Cilluffo, Commissioner, Cyberspace Solarium Commission
  • On 31 July, the House Intelligence Committee will mark up its Intelligence Authorization Act.
  • On 31 July the Select Committee on the Modernization of Congress will hold a business meeting “to consider proposed recommendations.”
  • On 3 August the House Oversight and Reform Committee will hold a hearing on the tenth “Federal Information Technology Acquisition Reform Act” (FITARA) scorecard on federal information technology.
  • On 4 August, the Senate Armed Services Committee will hold a hearing titled “Findings and Recommendations of the Cyberspace Solarium Commission” with these witnesses:
    • Senator Angus S. King, Jr. (I-ME), Co-Chair, Cyberspace Solarium Commission
    • Representative Michael J. Gallagher (R-WI), Co-Chair, Cyberspace Solarium Commission
    • Brigadier General John C. Inglis, ANG (Ret.), Commissioner, Cyberspace Solarium Commission
  • On 6 August, the Federal Communications Commission (FCC) will hold an open meeting to likely consider the following items:
    • C-band Auction Procedures. The Commission will consider a Public Notice that would adopt procedures for the auction of new flexible-use overlay licenses in the 3.7–3.98 GHz band (Auction 107) for 5G, the Internet of Things, and other advanced wireless services. (AU Docket No. 20-25)
    • Radio Duplication Rules. The Commission will consider a Report and Order that would eliminate the radio duplication rule with regard to AM stations and retain the rule for FM stations. (MB Docket Nos. 19-310. 17-105)
    • Common Antenna Siting Rules. The Commission will consider a Report and Order that would eliminate the common antenna siting rules for FM and TV broadcaster applicants and licensees. (MB Docket Nos. 19-282, 17-105)
    • Telecommunications Relay Service. The Commission will consider a Report and Order to repeal certain TRS rules that are no longer needed in light of changes in technology and voice communications services. (CG Docket No. 03-123)
  • The National Institute of Standards and Technology (NIST) will hold the “Exploring Artificial Intelligence (AI) Trustworthiness: Workshop Series Kickoff Webinar,” “a NIST initiative involving private and public sector organizations and individuals in discussions about building blocks for trustworthy AI systems and the associated measurements, methods, standards, and tools to implement those building blocks when developing, using, and testing AI systems” on 6 August.
  • On 18 August, the National Institute of Standards and Technology (NIST) will host the “Bias in AI Workshop, a virtual event to develop a shared understanding of bias in AI, what it is, and how to measure it.”

Other Developments

  • Senate Armed Services Committee Chair James Inhofe (R-OK) has publicly placed a hold on the re-nomination of Federal Communications Commission member over the agency’s April decision to permit Ligado to proceed with its plan “to deploy a low-power terrestrial nationwide network in the 1526-1536 MHz, 1627.5-1637.5 MHz, and 1646.5-1656.5 MHz bands that will primarily support Internet of Things (IoT) services.” This is the latest means of pressing the FCC Inhofe and allies on Capitol Hill and in the Trump Administration have taken. In the recently passed “National Defense Authorization Act (NDAA) for Fiscal Year 2021” (S.4049) there is language requiring “the Secretary of Defense to enter into an agreement with the National Academies of Science, Engineering, and Medicine to conduct an independent technical review of the Order and Authorization adopted by the FCC on April 19, 2020 (FCC 20–48). The independent technical review would include a comparison of the two different approaches used for evaluation of potential harmful interference. The provision also would require the National Academies of Science, Engineering, and Medicine to submit a report on the independent technical review.” This provision may make it into the final FY 2021 NDAA, which would stop Ligado from proceeding before the conclusion of the study.
  • Senator Josh Hawley (R-MO) has released yet another bill amending 47 USC 230 (aka Section 230), the “Behavioral Advertising Decisions Are Downgrading Services (BAD ADS) Act,” that “remove Section 230 immunity from Big Tech companies that display manipulative, behavioral ads or provide data to be used for them.” Considering that targeting advertising forms a significant part of the revenue stream for such companies, this seems to be of a piece with other bills of Hawley’s and others to pressure social media platforms. Hawley noted he “has been a leading critic of Section 230’s protection of Big Tech firms and recently called for Twitter to lose immunity if it chooses to editorialize on political speech.”
  • The United States National Counterintelligence and Security Center (US NCSC) issued a statement on election security on the 100th day before the 2020 Presidential Election. US NCSC Director William Evanina described the risks facing the US heading into November but did not detail US efforts to address and counter the efforts of foreign nations to influence and disrupt Presidential and Congressional elections this fall. The US NCSC explained it is working with other federal agencies and stakeholders, however.
    • US NCSC Director William Evanina explained the purpose of the press release is to “share insights with the American public about foreign threats to our election and offer steps to citizens across the country to build resilience and help mitigate these threats…[and] to update Americans on the evolving election threat landscape, while also safeguarding our intelligence sources and methods.” Evanina noted “Office of the Director of National Intelligence (ODNI) has been providing robust intelligence-based briefings on election security to the presidential campaigns, political committees, and Congressional audiences.” Including the assertion “[i]n leading these classified briefings, I have worked to ensure fidelity, accountability, consistency and transparency with these stakeholders and presented the most timely and accurate information we have to offer” may be Evanina’s way of pushing back on concerns that the White House has placed people loyal to the President at the top of some IC entities who may lack independence. Top Democrats
    • The US NCSC head asserted “[e]lection security remains a top priority for the Intelligence Community and we are committed in our support to the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI), given their leadership roles in this area.”
    • Evanina claimed “[a]t this time, we’re primarily concerned with China, Russia and Iran — although other nation states and non-state actors could also do harm to our electoral process….[and] [o]ur insights and judgments will evolve as the election season progresses:
      • China is expanding its influence efforts to shape the policy environment in the United States, pressure political figures it views as opposed to China’s interests, and counter criticism of China. Beijing recognizes its efforts might affect the presidential race.
      • Russia’s persistent objective is to weaken the United States and diminish our global role. Using a range of efforts, including internet trolls and other proxies, Russia continues to spread disinformation in the U.S. that is designed to undermine confidence in our democratic process and denigrate what it sees as an anti-Russia “establishment” in America.
      • Iran seeks to undermine U.S. democratic institutions and divide the country in advance of the elections. Iran’s efforts center around online influence, such as spreading disinformation on social media and recirculating anti-U.S. content.
    • Speaker of the House Nancy Pelosi (D-CA), Senate Minority Leader Chuck Schumer (D-NY), House Intelligence Committee Chair Adam Schiff (D-CA), and Senate Intelligence Committee Ranking Member Mark Warner (D-VA) released their response to the NCSC statement:
      • The statement just released by NCSC Director William Evanina does not go nearly far enough in arming the American people with the knowledge they need about how foreign powers are seeking to influence our political process. The statement gives a false sense of equivalence to the actions of foreign adversaries by listing three countries of unequal intent, motivation and capability together. The statement, moreover, fails to fully delineate the goal, nature, scope and capacity to influence our election, information the American people must have as we go into November. To say without more, for example, that Russia seeks to ‘denigrate what it sees as an anti-Russia ‘establishment’ in America’ is so generic as to be almost meaningless. The statement omits much on a subject of immense importance.
      • “In our letter two weeks ago, we called on the FBI to provide a defensive briefing to the entire Congress about specific threats related to a concerted foreign disinformation campaign, and this is more important than ever.  But a far more concrete and specific statement needs to be made to the American people, consistent with the need to protect sources and methods.  We can trust the American people with knowing what to do with the information they receive and making those decisions for themselves. But they cannot do so if they are kept in the dark about what our adversaries are doing, and how they are doing it.  When it comes to American elections, Americans must decide.”
    • Senate Majority Leader Mitch McConnell (R-KY) and Senate Intelligence Committee Chair Marco Rubio (R-FL) issued their own statement:
      • We are disappointed by the statement from Senator Schumer, Senator Warner, Speaker Pelosi, and Representative Schiff about Bill Evanina, the Director of the National Counterintelligence and Security Center. Evanina is a career law enforcement and intelligence professional with extensive experience in counterintelligence. His reputation as a straight-shooter immune from politics is well-deserved. It is for this reason that Evanina received overwhelming support from the Senate when he was confirmed to be Director of the NCSC and again when the Administration tapped him to lead the nation’s efforts to protect the 2020 elections from foreign interference.
      • We believe the statement baselessly impugns his character and politicizes intelligence matters. Their manufactured complaint undercuts Director Evanina’s nonpartisan public outreach to increase Americans’ awareness of foreign influence campaigns right at the beginning of his efforts.
      • Prior to their public statements, Director Evanina had previewed his efforts and already offered to provide another round of briefings to the Congress on the threat and steps the US government has taken over the last three and a half years to combat it. We believe the threat is real, and is more complex than many partisans may wish to admit. We welcome these briefings, and hope our colleagues will listen to the career professionals who have been given this mission.
      •  We will not discuss classified information in public, but we are confident that while the threat remains, we are far better prepared than four years ago. The intelligence community, law enforcement, election officials, and others involved in securing our elections are far better postured, and Congress dramatically better informed, than any of us were in 2016—and our Democrat colleagues know it.
  • The Australian Cyber Security Centre (ACSC) and the Digital Transformation Agency (DTA) issued “new Cloud Security Guidance co-designed with industry to support the secure adoption of cloud services across government and industry.” The agencies stated this new release “will guide organisations including government, Cloud Service Providers (CSP), and Information Security Registered Assessors Program (IRAP) assessors on how to perform a comprehensive assessment of a cloud service provider and its cloud services, so a risk-informed decision can be made about its suitability to handle an organisation’s data.” ACSC and DTA added “The Cloud Security Guidance is supported by forthcoming updates to the Australian Government Information Security Manual (ISM), the Attorney-General’s Protective Security Policy Framework (PSPF), and the DTA’s Secure Cloud Strategy.”
  • The National Institute of Standards and Technology (NIST) studied how well facial recognition technology and services could identify people wearing masks and, to no great surprise, the results were not good with respect to accuracy. NIST stressed that the facial recognition technology were not calibrated for masks in qualifying its results. In its Interagency Report NISTIR 8311, NIST found
    • Algorithm accuracy with masked faces declined substantially across the board. Using unmasked images, the most accurate algorithms fail to authenticate a person about 0.3% of the time. Masked images raised even these top algorithms’ failure rate to about 5%, while many otherwise competent algorithms failed between 20% to 50% of the time.
    • Masked images more frequently caused algorithms to be unable to process a face, technically termed “failure to enroll or template” (FTE). Face recognition algorithms typically work by measuring a face’s features — their size and distance from one another, for example — and then comparing these measurements to those from another photo. An FTE means the algorithm could not extract a face’s features well enough to make an effective comparison in the first place.
    • The more of the nose a mask covers, the lower the algorithm’s accuracy. The study explored three levels of nose coverage — low, medium and high — finding that accuracy degrades with greater nose coverage.
    • While false negatives increased, false positives remained stable or modestly declined. Errors in face recognition can take the form of either a “false negative,” where the algorithm fails to match two photos of the same person, or a “false positive,” where it incorrectly indicates a match between photos of two different people. The modest decline in false positive rates show that occlusion with masks does not undermine this aspect of security.
    • The shape and color of a mask matters. Algorithm error rates were generally lower with round masks. Black masks also degraded algorithm performance in comparison to surgical blue ones, though because of time and resource constraints the team was not able to test the effect of color completely.
    • NIST explained this report
      • is the first of a series of reports on the performance of face recognition algorithms on faces occluded by protective face masks [2] commonly worn to reduce inhalation of viruses or other contaminants. This study is being run under the Ongoing Face Recognition Vendor Test (FRVT) executed by the National Institute of Standards and Technology (NIST). This report documents accuracy of algorithms to recognize persons wearing face masks. The results in this report apply to algorithms provided to NIST before the COVID-19 pandemic, which were developed without expectation that NIST would execute them on masked face images.
  • The United States National Science Foundation (NSF) and the Office of Science and Technology Policy (OSTP) inside the White House announced the establishment of the Quantum Leap Challenges Institutes program and “$75 million for three new institutes designed to have a tangible impact in solving” problems associated with quantum information science and engineering. NSF added “Quantum Leap Challenge Institutes also form the centerpiece of NSF’s Quantum Leap, an ongoing, agency-wide effort to enable quantum systems research and development.” NSF and OSTP named the following institutes:
    • NSF Quantum Leap Challenge Institute for Present and Future Quantum Computing. Today’s quantum computing prototypes are rudimentary, error-prone, and small-scale. This institute, led by the University of California, Berkeley, plans to learn from these to design advanced, large-scale quantum computers, develop efficient algorithms for current and future quantum computing platforms, and ultimately demonstrate that quantum computers outperform even the best conceivable classical computers.
  • The United States Department of Energy (DOE) published its “Blueprint for the Quantum Internet” “that lays out a blueprint strategy for the development of a national quantum internet, bringing the United States to the forefront of the global quantum race and ushering in a new era of communications” and held an event to roll out the new document and approach. The Blueprint is part of the Administration’s effort to implement the “National Quantum Initiative Act” (P.L. 115-368), a bill “[t]o provide for a coordinated Federal program to accelerate quantum research and development for the economic and national security of the United States.” Under Secretary of Energy for Science Paul Dabbar explained in a blog post that “[t]he Blueprint lays out four priority research opportunities to make this happen:
    • Providing the foundational building blocks for Quantum Internet;
    • Integrating Quantum networking devices;
    • Creating repeating, switching, and routing technologies for Quantum entanglement;
    • Enabling error correction of Quantum networking functions.
  • The European Commission (EC) is requesting feedback until 10 September on its impact assessment for future European Union legislation on artificial intelligence (AI). The EC explained “the  overall  policy  objective  is  to  ensure  the  development  and  uptake  of lawful  and trustworthy  AI across the Single Market through the creation of an ecosystem of trust.” Earlier this year, as part of its Digital Strategy, the EC recently released a white paper earlier this year, “On Artificial Intelligence – A European approach to excellence and trust,” in which the Commission articulates its support for “a regulatory and investment oriented approach with the twin objective of promoting the uptake of AI and of addressing the risks associated with certain uses of this new technology.” The EC stated that “[t]he purpose of this White Paper is to set out policy options on how to achieve these objectives…[but] does not address the development and use of AI for military purposes.”

Further Reading

  • Google Takes Aim at Amazon. Again.” – The New York Times. For the fifth time in the last decade, Google will try to take on Amazon, in part, because the latter’s dominance in online retailing is threatening the former’s dominance in online advertising. Google is offering a suite of inducements for retailers to use its platform, Google Shopping. One wonders if Google gains traction whether Amazon would point to the competition as proof it is not engaged in anti-competitive practices to regulators.
  • Twitter’s security woes included broad access to user accounts” – Ad Age. This piece details the years long tension inside the social media giant between strengthening internal security and developing features to make more money. Not surprisingly, the latter consideration almost always trumped the former, a situation exacerbated by Twitter’s growing use of third-party contractors to handle back end functions, including security. Apparently, many contractors would spy on celebrities’ accounts, sometimes using workarounds to defeat Twitter’s security. Even though this article claims it was only contractors, one wonders if some Twitter employees were doing the same. Whatever the case, Twitter’s board has been warned about weak security for years and opted against heeding this advice, a factor that likely allowed the platform to get hacked a few weeks ago. Worse still, the incentives do not seem aligned to drive better security in the future. 
  • We’re in the middle of the COVID-19 crisis. Big Tech is already preparing for the next one.” – Protocol. For people who think large technology companies have not had a prominent enough role during the current pandemic, this news will be reassuring. The Consumer Technology Association (CTA), a non-profit organized under Section 501(c)(6) of United States’ tax laws, has commenced with a “Public Health Tech Initiative” “[t]o ensure an effective public sector response to future pandemics like COVID-19.” This group “will explore and create recommendations for the use of technology in dealing with and recovering from future public health emergencies.”
  • Car Companies Want to Monitor Your Every Move With Emotion-Detecting AI” – Vice’s Motherboard. A number of companies are selling auto manufacturers on a suite of technology that could record everything that happens in your car, including facial analysis algorithms, for a variety of purposes with financial motives such as behavioral advertising, setting insurance rates, and others. The United States does not have any laws that directly regulate such practices whereas the European Union does, suggesting such technology would be deployed less in Europe.
  • Russian Intelligence Agencies Push Disinformation on Pandemic” – The New York Times. United States (US) intelligence agencies declassified and share intelligence with journalists purporting to show how Russian Federation intelligence agencies have adapted their techniques in their nonstop disinformation campaign against the US, the North Atlantic Treaty Organization, and others. As Facebook, Twitter, and others have grown adept at locating and removing content from obvious Russian outlets like RT and Sputnik, Russian agencies are utilizing more subtle techniques, aiming at the same goal of undermining confidence among Americans and elsewhere in the government.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.