Further Reading, Other Developments, and Coming Events (7 September)

Here is today’s Further Reading, Other Developments, and Coming Events.

Coming Events

  • The United States-China Economic and Security Review Commission will hold a hearing on 9 September on “U.S.-China Relations in 2020: Enduring Problems and Emerging Challenges” to “evaluate key developments in China’s economy, military capabilities, and foreign relations, during 2020.”
  • On 10 September, the General Services Administration (GSA) will have a webinar to discuss implementation of Section 889 of the “John S. McCain National Defense Authorization Act (NDAA) for FY 2019” (P.L. 115-232) that bars the federal government and its contractors from buying equipment and services from Huawei, ZTE, and other companies from the People’s Republic of China.
  • The Federal Communications Commission (FCC) will hold a forum on 5G Open Radio Access Networks on 14 September. The FCC asserted:
    • Chairman [Ajit] Pai will host experts at the forefront of the development and deployment of open, interoperable, standards-based, virtualized radio access networks to discuss this innovative new approach to 5G network architecture. Open Radio Access Networks offer an alternative to traditional cellular network architecture and could enable a diversity in suppliers, better network security, and lower costs.
  • The Senate Judiciary Committee’s Antitrust, Competition Policy & Consumer Rights Subcommittee will hold a hearing on 15 September titled “Stacking the Tech: Has Google Harmed Competition in Online Advertising?.” In their press release, Chair Mike Lee (R-UT) and Ranking Member Amy Klobuchar (D-MN) asserted:
    • Google is the dominant player in online advertising, a business that accounts for around 85% of its revenues and which allows it to monetize the data it collects through the products it offers for free. Recent consumer complaints and investigations by law enforcement have raised questions about whether Google has acquired or maintained its market power in online advertising in violation of the antitrust laws. News reports indicate this may also be the centerpiece of a forthcoming antitrust lawsuit from the U.S. Department of Justice. This hearing will examine these allegations and provide a forum to assess the most important antitrust investigation of the 21st century.
  • The United States’ Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) announced that its third annual National Cybersecurity Summit “will be held virtually as a series of webinars every Wednesday for four weeks beginning September 16 and ending October 7:”
    • September 16: Key Cyber Insights
    • September 23: Leading the Digital Transformation
    • September 30: Diversity in Cybersecurity
    • October 7: Defending our Democracy
    • One can register for the event here.
  • On 22 September, the Federal Trade Commission (FTC) will hold a public workshop “to examine the potential benefits and challenges to consumers and competition raised by data portability.”
  • The Senate Judiciary Committee’s Antitrust, Competition Policy & Consumer Rights Subcommittee will hold a hearing on 30 September titled “Oversight of the Enforcement of the Antitrust Laws” with Federal Trade Commission Chair Joseph Simons and United States Department of Justice Antitrust Division Assistant Attorney General Makan Delrahim.
  • The Federal Communications Commission (FCC) will hold an open meeting on 30 September, but an agenda is not available at this time.

Other Developments

  • A federal appeals court found that the National Security Agency (NSA) exceeded its lawful remit in operating the bulk collection of metadata program former contractor Edward Snowden exposed. Even though the United States Court of Appeals for the Ninth Circuit did not reverse the convictions of four Somalis convicted of providing assistance to terrorists, the court did find the telephony metadata program exceeded Congress’ authorization provided in the Foreign Intelligence Surveillance Act (FISA). The court also suggested the NSA may have violated the Fourth Amendment’s ban on unreasonable searches without deciding the question. The NSA closed the program in 2015 and had a great deal of difficulty with a successor program authorized the same year that was also shut down in 2018. However, the Trump Administration has asked for a reauthorization of the most recent version even though it has admitted it has no plans to restart the program in the immediate future.
  • The top Democrats on five House and Senate committees wrote the new Director of National Intelligence (DNI) calling on him to continue briefing committees of jurisdiction on intelligence regarding election interference. Reportedly, DNI John Ratcliffe wrote these committees in late August, stating his office would still provide Congress written briefings but would no longer conduct in-person briefings because of alleged leaking by Democrats. However, the chair of the Senate Intelligence Committee claimed his committee would still be briefed in person.
    • In an interview, Ratcliffe explained his rationale for ending in person briefings:
      • I reiterated to Congress, look, I’m going to keep you fully and currently informed, as required by the law. But I also said, we’re not going to do a repeat of what happened a month ago, when I did more than what was required, at the request of Congress, to brief not just the Oversight Committees, but every member of Congress. And yet, within minutes of that — one of those briefings ending, a number of members of Congress went to a number of different publications and leaked classified information, again, for political purposes, to create a narrative that simply isn’t true, that somehow Russia is a greater national security threat than China.
    • Senate Rules Committee Ranking Member Amy Klobuchar (D-MN), House Administration Committee Chair Zoe Lofgren (D-CA), Senate Judiciary Committee Ranking Member Dianne Feinstein (D-CA), House Judiciary Committee Chair Jerrold Nadler (D-NY), and House Homeland Security Committee Chair Bennie Thompson (D-MS) expressed “serious alarm regarding your decision to stop providing in-person election security briefings to Congress, and to insist that you immediately reschedule these critical briefings ahead of the November general election.” They added:
      • The important dialogue that comes from a briefing cannot be understated, as you’re well aware. This is why the Intelligence Community (IC) has for decades arranged for senior members of every administration to have intelligence briefers who provide regular, often daily, briefings, rather than simply sending written products to review. Intelligence memos are not a substitute for full congressional briefings. It is also unacceptable to fully brief only one Committee on matters related to federal elections.
      • As Members of the House and Senate with jurisdiction over federal elections, we call on you to immediately resume in-person briefings. We also remind you that the ODNI does not own the intelligence it collects on behalf of the American people, it is a custodian of the information. In addition to the power to establish and fund the ODNI, Congress has the power to compel information from it.
    • In his statement, acting Senate Intelligence Committee Chair Marco Rubio (R-FL) asserted:
      • Intelligence agencies have a legal obligation to keep Congress informed of their activities. And Members of Congress have a legal obligation to not divulge classified information. In my short time as Acting Chair of the Senate Select Committee on Intelligence, I have witnessed firsthand how this delicate balance has been destroyed.
      • Divulging access to classified information in order to employ it as a political weapon is not only an abuse, it is a serious federal crime with potentially severe consequences on our national security. This situation we now face is due, in no small part, to the willingness of some to commit federal crimes for the purpose of advancing their electoral aims.
      • Yet, this grotesque criminal misconduct does not release the Intelligence Community from fulfilling its legal requirements to respond to Congressional oversight committees and to keep Members of Congress fully informed of relevant information on a timely basis. I have spoken to Director Ratcliffe who stated unequivocally that he will continue to fulfill these obligations. In particular, he made explicitly clear that the Senate Select Committee on Intelligence will continue receiving briefings on all oversight topics, including election matters. 
    • In early August, National Counterintelligence and Security Center (NCSC) Director William Evanina issued an update to his late July statement “100 Days Until Election 2020” through “sharing additional information with the public on the intentions and activities of our adversaries with respect to the 2020 election…[that] is being released for the purpose of better informing Americans so they can play a critical role in safeguarding our election.” Evanina offered more in the way of detail on the three nations identified as those being most active in and capable of interfering in the November election: the Russian Federation, the People’s Republic of China (PRC), and Iran. This additional detail may well have been provided given the pressure from Democrats in Congress to do just this. Members like Speaker of the House Nancy Pelosi (D-CA) argued that Evanina was not giving an accurate picture of the actions by foreign nations to influence the outcome and perception of the 2020 election. Republicans in Congress pushed back, claiming Democrats were seeking to politicize the classified briefings given by the Intelligence Community (IC).
    • In a statement, Pelosi and House Intelligence Committee Chair Adam Schiff (D-CA) expressed gratitude for the additional detail but took issue with the statement for implying through its structure that the risks each nation presents are equal. It would seem to make sense that Pelosi and Schiff are arguing that the Russian Federation is the biggest threat in light of its history in successfully spreading disinformation and misinformation in 2016 to benefit then candidate Donald Trump and harm former Secretary of State Hillary Clinton. This assertion would also serve to rebut the notion that the PRC is the top threat given its placement as the first nation mentioned and Trump Administration rhetoric to this effect.
  • The Federal Acquisition Security Council (FASC) has released an interim regulation that took effect upon being published, but the body will be accepting comments on a still-to-be drafted final regulation. This entire effort is aimed at helping the United States government identify and remove risky and untrustworthy information technology from its systems. However, the FASC is some nine months late in issuing this rule, suggesting that some of the same troubles that have slowed other Trump Administration efforts to secure the federal government’s information and communications technology supply chain delayed this rule. Other efforts have been slowed by industry stakeholder pushback because a number of American multinationals have supply chains in the People’s Republic of China (PRC) and have resisted efforts to decrease sourcing from that country. This rulemaking was required by the “Strengthening and Enhancing Cyber-capabilities by Utilizing Risk Exposure Technology Act” (SECURE Technology Act) (P.L. 115-390). The council has one year to fashion and release a final rule.
    • FASC explained that the interim final rule “implement[s] the requirements of the laws that govern the operation of the FASC, the sharing of supply chain risk information, and the exercise of its authorities to recommend issuance of removal and exclusion orders to address supply chain security risks…[and] [w]ritten comments must be received on or before November 2, 2020.”
    • FASC stated:
      • Information and communications technology and services (ICTS) are essential to the proper functioning of U.S. government information systems. The U.S. government’s efforts to evaluate threats to and vulnerabilities in ICTS supply chains have historically been undertaken by individual or small groups of agencies to address specific supply chain security risks. Because of the scale of supply chain risks faced by government agencies, and the need for better coordination among a broader group of agencies, there was an organized effort within the executive branch to support Congressional efforts in 2018 to pass new legislation to improve executive branch coordination, supply chain information sharing, and actions to address supply chain risks.
    • FASC explained the interim rule is divided into three parts:
      • Subpart A explains the scope of this IFR, provides definitions for relevant terms, and establishes the membership of the FASC. Subpart B establishes the role of the FASC’s Information Sharing Agency (ISA). DHS, acting primarily through the Cybersecurity and Infrastructure Security Agency, will serve as the ISA. The ISA will standardize processes and procedures for submission and dissemination of supply chain information, and will facilitate the operations of a Supply Chain Risk Management (SCRM) Task Force under the FASC. This FASC Task Force (hereafter referred to as “Task Force”) will be comprised of designated technical experts that will assist the FASC in implementing its information sharing, risk analysis, and risk assessment functions. Subpart B also prescribes mandatory and voluntary information sharing criteria and associated information protection requirements. Subpart C provides the criteria and procedures by which the FASC will evaluate supply chain risk from sources and covered articles and recommend issuance of orders requiring removal of covered articles from executive agency information systems (removal orders) and orders excluding sources or covered articles from future procurements (exclusion orders). Subpart C also provides the process for issuance of removal orders and exclusion orders and agency requests for waivers from such orders.
    • The FASC noted it was required to select “an appropriate executive agency—the FASC’s Information Sharing Agency (ISA)—to perform the administrative information sharing functions on behalf of the FASC,” and it has chosen the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA).
  • The Federal Communications Commission (FCC) released “the results of its efforts to identify use of Huawei and ZTE equipment and services in U.S. telecommunications networks that receive support from the federal Universal Service Fund.” The FCC initiated this proceeding with its 2019 Supply Chain Order, 85 FR 230, and then Congress came behind the agency and enacted the “Secure and Trusted Communications Networks Act of 2019” (Secure Networks Act) (P.L. 116-124), which authorized in law much of what the FCC was doing. However, this statute did not appropriate any funds for the FCC to implement the identification and removal of Huawei and ZTE equipment from U.S. telecommunications networks. It is possible Congress could provide these funds in an annual appropriations bill for the coming fiscal year.
    • The FCC stated:
      • Based on data Commission staff collected through the information collection, all filers report it could cost an estimated $1.837 billion to remove and replace Huawei and ZTE equipment in their networks. Of that total, filers that appear to initially qualify for reimbursement under the Secure and Trusted Communications Network Act of 2019 report it could require approximately $1.618 billion to remove and replace such equipment. Other providers of advanced communications service may not have participated in the information collection and yet still be eligible for reimbursement under the terms of that Act.
  • Australia’s government has released “a voluntary Code of Practice to improve the security of the Internet of Things (IoT),” “a first step in the Australian Government’s approach to improve the security of IoT devices in Australia.” These standards are optional but may foretell future mandatory requirements. The Department of Home Affairs and the Australian Signals Directorate’s Australian Cyber Security Centre developed the Code and explained:
    • This Code of Practice is a voluntary set of measures the Australian Government recommends for industry as the minimum standard for IoT devices. The Code of Practice will also help raise awareness of security safeguards associated with IoT devices, build greater consumer confidence in IoT technology and allow Australia to reap the benefits of greater IoT adoption.
    • The Code of Practice is designed for an industry audience and comprises 13 principles. The Australian Government recommends industry prioritise the top three principles because action on default passwords, vulnerability disclosure and security updates will bring the largest security benefits in the short term.
    • In acknowledgement of the global nature of this issue, the Code of Practice aligns with and builds upon guidance provided by the United Kingdom and is consistent with other international standards. The principles will help inform domestic and international manufacturers about the security features expected of devices available in Australia.
  • The Office of the Privacy Commissioner of Canada (OPC) issued “Privacy guidance for manufacturers of Internet of Things devices” intended to provide “practical information to help ensure that your business practices and the devices you make are privacy protective and compliant with the “Personal Information Protection and Electronic Documents Act” (PIPEDA).” The OPC cautioned “[i]f your IoT device is collecting, using or disclosing personal data in the course of commercial activity, then you are subject to PIPEDA and must follow the principles set out in Schedule 1 of PIPEDA…[and] [t]hese principles…are rooted in international data protection standards and reflect the Canadian Standards Association’s Model Privacy Code for the Protection of Personal Information.” OPC offered this checklist:
    • What you must do to fulfill your responsibilities under PIPEDA:
      • Be accountable by instituting practices that protect the personal information under the control of your organization
      • Before collecting personal information, identify the purposes for its collection
      • Obtain informed and meaningful consent from the individual whose personal information is collected, used or disclosed
      • Design your devices to limit collection to that which is necessary to fulfil their stated purposes
      • Use and disclose personal information only for the purpose for which it was collected
      • Ensure that personal information is as accurate, up-to-date and complete as is necessary for the purposes for which it is to be used, especially when making a decision about individuals or when sharing it with others
      • Ensure the personal information you are accountable for is appropriately safeguarded
      • Inform individuals about your policies and practices for information management
      • Give individuals the ability to access and correct their information
      • Provide recourse to individuals by developing complaint procedures
      • Limit what you collect, use, share and retain about your customers, including children
      • Protect personal information through technological safeguards such as encryption and password protection
    • What you should do to supplement your responsibilities under the law:
      • Create device specific privacy policies to improve the transparency of your information practices. For example, include a list of every sensor a device possesses in your policy’s section on disclosures and state the minimum length of time these devices will receive security updates
      • Consider periodically notifying users when the device is collecting data and give consumers greater control to limit the collection.
      • Perform privacy and security risk assessments that help identify and mitigate risks associated with the device and your personal information handling practices
      • Design your devices to have consumers use strong and unique passwords
      • Provide consumers with user-friendly options to permanently delete information you hold about them and inform them of how to do so
      • Ensure that the end user can patch or update the firmware on the device
  • The United States Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury (Treasury), the Federal Bureau of Investigation (FBI) and U.S. Cyber Command (USCYBERCOM) published a joint technical alert “about an ongoing automated teller machine (ATM) cash-out scheme by North Korean government cyber actors – referred to by the U.S. government as “FASTCash 2.0: North Korea’s BeagleBoyz Robbing Banks.”” The agencies asserted:
    • [The Democratic People’s Republic of Korea’s (DPRK)] intelligence apparatus controls a hacking team dedicated to robbing banks through remote internet access. To differentiate methods from other North Korean malicious cyber activity, the U.S. Government refers to this team as BeagleBoyz, who represent a subset of HIDDEN COBRA activity. The BeagleBoyz overlap to varying degrees with groups tracked by the cybersecurity industry as Lazarus, Advanced Persistent Threat 38 (APT38), Bluenoroff, and Stardust Chollima and are responsible for the FASTCash ATM cash outs reported in October 2018, fraudulent abuse of compromised bank-operated SWIFT system endpoints since at least 2015, and lucrative cryptocurrency thefts. This illicit behavior has been identified by the United Nations (UN) DPRK Panel of Experts as evasion of UN Security Council resolutions, as it generates substantial revenue for North Korea. North Korea can use these funds for its UN-prohibited nuclear weapons and ballistic missile programs. Additionally, this activity poses significant operational risk to the Financial Services sector and erodes the integrity of the financial system.
  • In a short statement released late on a Friday heading into the Labor Day three-day weekend, the Department of Defense (DOD) signaled the end of “its comprehensive re-evaluation of the Joint Enterprise Defense Infrastructure (JEDI) Cloud proposals and determined that Microsoft’s proposal continues to represent the best value to the Government.” Microsoft bested Amazon for the contract in late 2019, but the latter’s court challenge alleged bias against the company as evidenced by comments from President Donald Trump. This case is ongoing, and Amazon will almost certainly challenge this award, too. In a blog posting, Amazon declared “we will not back down in the face of targeted political cronyism or illusory corrective actions, and we will continue pursuing a fair, objective, and impartial review.” The DOD explained that the potentially $10 billion contract “will make a full range of cloud computing services available to the DOD.” The Pentagon conceded that “[w]hile contract performance will not begin immediately due to the Preliminary Injunction Order issued by the Court of Federal Claims on February 13, 2020, DOD is eager to begin delivering this capability to our men and women in uniform.”

Further Reading

  • “Race for Coronavirus Vaccine Pits Spy Against Spy” By Julian E. Barnes and Michael Venutolo-Mantovani – The New York Times. Reportedly, hackers from the People’s Republic of China (PRC), Russian Federation, and the Islamic Republic of Iran have widened their list of targets to include research universities in the United States (U.S.) working on COVID-19 vaccine research. Officials quoted in the piece explain the likely motivations: learning what the U.S. is up to, considering their own research capabilities are not as good; “checking” their own research against the U.S.; and possibly even prestige if they can leverage the intelligence gained into a viable vaccine more quickly than the U.S. or other western nations. Perhaps there is an even more basic motivation: they want a vaccine as fast as possible and are willing to steal one to save their citizens. Nonetheless, this article follows the announcements during the summer by Five Eyes security services that the three nations were targeting pharmaceutical companies and seems to be of a piece with them. The article only hints at the possibility that the U.S. and its allies may be doing exactly the same to those nations to monitor their efforts as well. One final interesting strand: Russia seems to be gearing up for a major influence campaign to widen the split in U.S. society about the proper response to COVID-19 by sowing doubt about vaccinations generally.
  • “Forget TikTok. China’s Powerhouse App Is WeChat, and Its Power Is Sweeping.” By Paul Mozur – The New York Times. This article delves deeply into WeChat, the do-all app most people inside and from the People’s Republic of China (PRC) have on their phone. It is a combination of WhatsApp, Amazon, Apple Pay, Facebook, and other functionality that has become indispensable to those living in the PRC. One person who lived in Canada and returned wishes she could dispense with the app that has become central to Beijing’s efforts to censor and control its people. The PRC employs algorithms and human monitoring to ensure nothing critical of the government is posted or disseminated. One user in North America was shocked to learn, when talking to others, that the app’s depiction of Donald Trump as being deeply respected by everyone in the United States (U.S.) was wrong. A few of the experts quoted expressed doubt that banning the app in the U.S. will change much.
  • “U.S. considers cutting trade with China’s biggest semiconductor manufacturer” By Jeanne Whalen – The Washington Post; “Trump administration weighs blacklisting China’s chipmaker SMIC” by Idrees Ali, Alexandra Alper, and Karen Freifeld – Reuters. The People’s Republic of China’s (PRC) biggest semiconductor maker may be added to the United States’ (U.S.) no-trade list soon in what may be another move to further cut Huawei’s access to crucial western technology. Ostensibly, the Semiconductor Manufacturing International Corp. (SMIC) is being accused of having ties that are too close with the PRC’s military. However, the company rejected this allegation in its statement: “The company manufactures semiconductors and provides services solely for civilian and commercial end-users and end-uses. We have no relationship with the Chinese military.” A different PRC chip maker was added to the list in 2018: Fujian Jinhua Integrated Circuit Co.
  • “Pasco’s sheriff created a futuristic program to stop crime before it happens. It monitors and harasses families across the county.” By Kathleen McGrory and Neil Bedi – Tampa Bay Times. Even though most of the truly alarming aspects of this sheriff’s office are human based, the notion that using technology and intelligence methods will allow someone to predict crime is dystopian and disconcerting. What this sheriff’s department has done to mostly minors guilty of at most petty misdemeanors should give anyone pause about employing technology to predict crime and criminals.
  • “DHS, FBI rebut reports about hacked voter data on Russian forum” By Tim Starks – Politico. The United States Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation rebutted claims made by journalist Julia Ioffe that Michigan voter data were in the hands of Russian hackers. However, statements by CISA, the FBI, and the state of Michigan explained there has been no hack, and that these data may have been obtained through a Freedom of Information Act request.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.


Further Reading, Other Developments, and Coming Events (15 August)

Here are Further Reading, Other Developments, and Coming Events.

Coming Events

  • On 18 August, the National Institute of Standards and Technology (NIST) will host the “Bias in AI Workshop, a virtual event to develop a shared understanding of bias in AI, what it is, and how to measure it.”
  • The United States’ Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) announced that its third annual National Cybersecurity Summit “will be held virtually as a series of webinars every Wednesday for four weeks beginning September 16 and ending October 7:”
    • September 16: Key Cyber Insights
    • September 23: Leading the Digital Transformation
    • September 30: Diversity in Cybersecurity
    • October 7: Defending our Democracy
    • One can register for the event here.
  • The Senate Judiciary Committee’s Antitrust, Competition Policy & Consumer Rights Subcommittee will hold a hearing on 15 September titled “Stacking the Tech: Has Google Harmed Competition in Online Advertising?.” In their press release, Chair Mike Lee (R-UT) and Ranking Member Amy Klobuchar (D-MN) asserted:
    • Google is the dominant player in online advertising, a business that accounts for around 85% of its revenues and which allows it to monetize the data it collects through the products it offers for free. Recent consumer complaints and investigations by law enforcement have raised questions about whether Google has acquired or maintained its market power in online advertising in violation of the antitrust laws. News reports indicate this may also be the centerpiece of a forthcoming antitrust lawsuit from the U.S. Department of Justice. This hearing will examine these allegations and provide a forum to assess the most important antitrust investigation of the 21st century.
  • On 22 September, the Federal Trade Commission (FTC) will hold a public workshop “to examine the potential benefits and challenges to consumers and competition raised by data portability.” By 21 August, the FTC “is seeking comment on a range of issues including:
    • How are companies currently implementing data portability? What are the different contexts in which data portability has been implemented?
    • What have been the benefits and costs of data portability? What are the benefits and costs of achieving data portability through regulation?
    • To what extent has data portability increased or decreased competition?
    • Are there research studies, surveys, or other information on the impact of data portability on consumer autonomy and trust?
    • Does data portability work better in some contexts than others (e.g., banking, health, social media)? Does it work better for particular types of information over others (e.g., information the consumer provides to the business vs. all information the business has about the consumer, information about the consumer alone vs. information that implicates others such as photos of multiple people, comment threads)?
    • Who should be responsible for the security of personal data in transit between businesses? Should there be data security standards for transmitting personal data between businesses? Who should develop these standards?
    • How do companies verify the identity of the requesting consumer before transmitting their information to another company?
    • How can interoperability among services best be achieved? What are the costs of interoperability? Who should be responsible for achieving interoperability?
    • What lessons and best practices can be learned from the implementation of the data portability requirements in the GDPR and CCPA? Has the implementation of these requirements affected competition and, if so, in what ways?”
  • The Federal Communications Commission (FCC) will hold an open meeting on 30 September, but an agenda is not available at this time.

Other Developments

  • The Global Engagement Center (GEC) at the U.S. Department of State published the “GEC Special Report: Pillars of Russia’s Disinformation and Propaganda Ecosystem.” The GEC drew “on publicly available reporting to provide an overview of Russia’s disinformation and propaganda ecosystem.” The GEC identified the five pillars of Russia’s Disinformation and Propaganda Ecosystem:
    • official government communications;
    • state-funded global messaging;
    • cultivation of proxy sources;
    • weaponization of social media; and
    • cyber-enabled disinformation.
    • The GEC stated
      • This report provides a visual representation of the ecosystem described above, as well as an example of the media multiplier effect it enables. This serves to demonstrate how the different pillars of the ecosystem play distinct roles and feed off of and bolster each other. The report also includes brief profiles of select proxy sites and organizations that occupy an intermediate role between the pillars of the ecosystem with clear links to Russia and those that are meant to be fully deniable. The emphasis on these proxy sites is meant to highlight the important role they play, which can be overlooked given the attention paid to official Russian voices on one end of the spectrum, and the social media manipulation and cyber-enabled threats on the other.
  • The United States (U.S.) Department of Veterans Affairs (VA) has restarted its process for rolling out its new electronic health record (EHR) and announced it has “revised its previous schedule to convert facilities to its new EHR capabilities with updated timelines for deployments in August in Columbus, Ohio, and October in Spokane, Washington.” The VA opted to replace its Veterans Health Information Systems and Technology Architecture (VistA) with a commercial off-the-shelf system the U.S. Department of Defense has chosen, Cerner Millennium. However, this $16 billion acquisition has encountered numerous difficulties and delays, which have caught the continued attention of Congress.
    • The VA claimed “The new timeline will preserve the 10-year implementation schedule and the overall cost estimates of VA’s EHR modernization program…[and] [a]fter the conversion at these sites, VA will bring other select facilities forward in the timeline.”
    • In June 2020, the U.S. Government Accountability Office (GAO) found:
      • VA met its schedule for making the needed system configuration decisions that would enable the department to implement its new EHR system at the first VA medical facility, which was planned for July 2020. In addition, VA has formulated a schedule for making the remaining EHR system configuration decisions before implementing the system at additional facilities planned for fall 2020.
      • VA’s Electronic Health Record Modernization (EHRM) program was generally effective in establishing decision-making procedures that were consistent with applicable federal standards for internal control. However, VA did not always ensure the involvement of relevant stakeholders, including medical facility clinicians and staff, in the system configuration decisions. Specifically, VA did not always clarify terminology and include adequate detail in descriptions of local workshop sessions to medical facility clinicians and staff to ensure relevant representation at local workshop meetings. Participation of such stakeholders is critical to ensuring that the EHR system is configured to meet the needs of clinicians and support the delivery of clinical care.
  • The United States (U.S.) Government Accountability Office (GAO) studied and reported on privacy and accuracy issues related to the use of facial recognition technology requested by the chairs of the House Judiciary and Oversight and Reform Committees. This report updates a 2015 report on the same issues and renews the agency’s call first made in 2013 that Congress “strengthen[] the current consumer privacy framework to reflect the effects of changes in technology and the marketplace—particularly in relation to consumer data used for marketing purposes—while also ensuring that any limitations on data collection and sharing do not unduly inhibit the economic and other benefits to industry and consumers that data sharing can accord.”
    • In the new report, the GAO explained that “[s]takeholders we interviewed identified additional activities that companies could improve the use of facial recognition technology. These activities include
      • defining the purpose for the technology’s use and clearly notifying consumers how companies are using the technology—such as surveillance or marketing;
      • identifying risks and limitations associated with using the technology and prohibiting certain uses (e.g., those with discriminatory purposes); and
      • providing guidance or training related to these issues.
    • The GAO asserted
      • However, these voluntary privacy frameworks and suggested activities that could help address privacy concerns or improve the use of facial recognition technology are not mandatory. Furthermore, as discussed earlier, in most contexts facial recognition technology is not currently covered by federal privacy law. Accordingly, we reiterate our 2013 suggestion that Congress strengthen the current consumer privacy framework to reflect the effects of changes in technology and the marketplace.
  • The United States Department of Justice (DOJ) “announced the dismantling of three terrorist financing cyber-enabled campaigns, involving the al-Qassam Brigades, Hamas’s military wing, al-Qaeda, and Islamic State of Iraq and the Levant (ISIS)…the government’s largest-ever seizure of cryptocurrency in the terrorism context.”
    • The DOJ claimed
      • These three terror finance campaigns all relied on sophisticated cyber-tools, including the solicitation of cryptocurrency donations from around the world.  The action demonstrates how different terrorist groups have similarly adapted their terror finance activities to the cyber age.  Each group used cryptocurrency and social media to garner attention and raise funds for their terror campaigns.  Pursuant to judicially-authorized warrants, U.S. authorities seized millions of dollars, over 300 cryptocurrency accounts, four websites, and four Facebook pages all related to the criminal enterprise.
  • The United States (U.S.) National Counterintelligence and Security Center (NCSC) revealed it “has been providing classified briefings and other assistance to federal procurement executives, chief information officers and chief information security officers from across the U.S. Government on supply chain threats and risks stemming from contracting with five Chinese companies.” The NCSC explained the “supply chain security briefings are designed to assist federal agencies implement” Section 889 of the “John S. McCain National Defense Authorization Act (NDAA) for FY 2019” (P.L. 115-232).
    • The NCSC stated:
      • One provision of the NDAA prohibits the U.S. Government from directly using goods and services from five specified Chinese companies — Huawei, ZTE Corporation, Hytera Communications, Hangzhou Hikvision and Dahua Technology Company.
      • Another, broader, provision of Section 889 prohibits federal agencies from contracting with any company that uses goods and services from these five Chinese firms. This particular prohibition takes effect on August 13, 2020, unless a federal agency authorizes a waiver for a specific company, which can only be granted by the agency head after receiving NCSC supply chain security guidance.
  • The Federal Communications Commission (FCC) denied two petitions to stay an April 2020 rulemaking that would make the 6 GHz band of spectrum available to users other than the incumbents. The FCC noted “two parties—Edison Electric Institute (EEI) and Association of Public-Safety Communications Officials-International, Inc. (APCO)—petitioned to stay the Order:
    • EEI, a trade association representing investor-owned electric utilities, seeks only to stay the effectiveness of the rules that apply to low-power indoor devices. 
    • APCO, a non-profit association of persons who manage and operate public-safety communications systems, seeks to stay the rules for both standard-power and low-power indoor operations.
    • In the rule and order, the FCC explained
      • We authorize two different types of unlicensed operations—standard-power and indoor low-power operations. We authorize standard-power access points using an automated frequency coordination (AFC) system. These access points can be deployed anywhere as part of hotspot networks, rural broadband deployments, or network capacity upgrades where needed. We also authorize indoor low-power access points across the entire 6 GHz band. These access points will be ideal for connecting devices in homes and businesses such as smartphones, tablet devices, laptops, and Internet-of-things (IoT) devices to the Internet. As has occurred with Wi-Fi in the 2.4 GHz and 5 GHz bands, we expect that 6 GHz unlicensed devices will become a part of most peoples’ everyday lives. The rules we are adopting will also play a role in the growth of the IoT; connecting appliances, machines, meters, wearables, and other consumer electronics as well as industrial sensors for manufacturing.
  • In a speech, the Australian Competition and Consumer Commission (ACCC) Chair Rod Sims laid out the status of his agency’s actions against Google, Facebook, and other large technology platforms flowing from its final report in its “Digital Platforms Inquiry” that “proposes specific recommendations aimed at addressing some of the actual and potential negative impacts of digital platforms in the media and advertising markets, and also more broadly on consumers,” including:
    • The ACCC recently launched an action against Google regarding misleading representations it made to consumers to obtain their consent to expand the scope of personal information it collected and used about its users’ online activities.
    • In another case, which we brought against Google last year, we allege that Google misled consumers into sharing location data with Google. We contend Google did not clearly inform consumers using Android mobile devices that a particular account setting allowed Google to collect location data. We assert that many consumers may have unknowingly provided more of their personal location data to Google than they intended. Google then used consumers’ location data to enhance the value of its advertising services to prospective advertisers. This case is currently in Court with a hearing scheduled in late November.
    • Currently the ACCC is considering the acquisition by Google and Facebook of Fitbit and Giphy, respectively. We are considering questions such as whether they have the ability to give themselves advantages by favouring their own products, or whether these acquisitions are raising barriers to entry for other competitors.
    • In April 2020 the Federal Government directed the ACCC to develop a mandatory code of conduct to address bargaining power imbalances between Australian news media businesses and digital platforms. We recently published the draft legislation for the code.
  • A British appeals court overturned a decision that had found a police force’s use of facial recognition technology in a pilot program that utilized live footage to be legal. The appeals court found the use of this technology by the South Wales Police Force a violation of “the right to respect for private life under Article 8 of the European Convention on Human Rights, data protection legislation, and the Public Sector Equality Duty (“PSED”) under section 149 of the Equality Act 2010.”

Further Reading

  • “North Korean Hacking Group Attacks Israeli Defense Industry” by Ronen Bergman and Nicole Perlroth – The New York Times. Israel is denying the claims of a cybersecurity firm that hackers from the Democratic People’s Republic of Korea (DPRK) deeply penetrated its defense industry. Through the use of sophisticated phishing, including fake LinkedIn accounts and fluent English speakers, employees at Israeli defense companies were tricked into installing spyware on their personal computers, and the hackers then allegedly accessed classified Israeli networks. The attacks show growing sophistication from DPRK hackers and that those looking to penetrate networks will always seek out weak spots.
  • “Pentagon Requests More Time to Review JEDI Cloud Contract Bids” by Frank Konkel – Nextgov. The United States Department of Defense (DOD) has asked for yet more time to resolve who will win the second round of the Joint Enterprise Defense Infrastructure (JEDI) cloud contract that may prove worth more than $10 billion to the winner. The Pentagon had told the court it was on schedule to make an award on the rebid of the contract that Microsoft had won over Amazon. The latter claimed political interference from the White House violated federal contract law, among other claims, resulting in this lawsuit.
  • “Google rival’s study urges letting mobile users pick search defaults” by Ashley Gold – Axios. DuckDuckGo, a search engine, claims in newly released research that permitting Android users to choose their search engine would decrease Google’s market share by 20%. This could be relevant to the United States (U.S.) Department of Justice’s (DOJ) antitrust investigation. As a point of reference, in the U.S., the United Kingdom, and Australia, Google’s share of the mobile search engine market is 95%, 98% and 98%. DOJ may seriously look at this remedy as the European Commission (EC) imposed this as part of its antitrust case against Google, resulting in a record €4.34 billion fine.
  • “Facial Recognition Start-Up Mounts a First Amendment Defense” by Kashmir Hill – The New York Times. Clearview AI has retained legendary First Amendment lawyer Floyd Abrams to make the argument that its collection, use, and dissemination of public photos scraped from the internet is protected as free speech. Abrams is quoted as saying that while privacy is, of course, an important right, the First Amendment to the United States Constitution would trump any such rights. It is expected that this argument will be employed in the myriad suits against the facial recognition technology firm.
  • “An advanced group specializing in corporate espionage is on a hacking spree” by Jeff Stone – cyberscoop. A new hacking group, RedCurl, has gone on a worldwide hacking campaign that broke into businesses in the United Kingdom, Canada, and other places. The hackers phished a number of businesses successfully by impersonating someone from human resources in the organization.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Executive Order on Securing the United States Bulk-Power System

A new EO will result in the systems and equipment from certain nations, most likely including China, being barred from the U.S. electric grid on account of the risk they pose to national security.  

Late last week, President Donald Trump signed an executive order (EO) that would direct the Secretary of Energy and other officials to take steps to ensure the United States’ bulk power sector is protected from the threats posed by the manufacture of components by foreign adversaries, most likely the People’s Republic of China (PRC). This EO is of a piece with two Administration priorities: desired changes in trade policies with the PRC and defending the United States from vulnerabilities arising from an information and communications technology (ICT) supply chain that largely originates in the PRC. Trump declared a national emergency with respect to the bulk power system, triggering a range of powers to address this situation. The EO would impose a blanket ban on bulk power utilities buying systems and equipment from yet-to-be-named foreign adversaries, except where the Department of Energy allows a purchase subject to required mitigations.

Even though the EO and related materials released by the Trump Administration do not spell out the predicate for this action, the likely policy background was informed by broader concerns about possibly compromised ICT coming from the PRC and possibly more specific information about such equipment, hardware, software, and systems. The EO is also of a piece with the Trump Administration’s aggressive policy initiatives to protect the U.S. and rebuff alleged Chinese efforts to lace U.S. supply chains and critical systems with compromised technology that could later be used for espionage or cyber-attack.

Over the last few years, the Trump Administration has reported intrusions into and penetrations of the U.S. electric system by hackers sponsored by or related to the Russian government. In 2018, the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) released an advisory in which they “characterize[d] this activity as a multi-stage intrusion campaign by Russian government cyber actors who targeted small commercial facilities’ networks where they staged malware, conducted spear phishing, and gained remote access into energy sector networks.” DHS and the FBI stated, “[a]fter obtaining access, the Russian government cyber actors conducted network reconnaissance, moved laterally, and collected information pertaining to Industrial Control Systems (ICS).” At about the same time, the Department of the Treasury announced sanctions against five Russian entities and 19 Russian nationals for “Russia’s continuing destabilizing activities” including “U.S. government entities and multiple U.S. critical infrastructure sectors, including the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors” as detailed in “the recent technical alert issued by the Department of Homeland Security and Federal Bureau of Investigation.”

The year before, DHS and the FBI advised critical infrastructure operators of a penetration of a nuclear energy operator in Kansas and others throughout the U.S. The agencies jointly claimed, “[t]here is no indication of a threat to public safety, as any potential impact appears to be limited to administrative and business networks.”

And yet, these forays could easily be precursors to the sorts of attacks Russia has waged against its neighbors. For example, in 2015, Russian hackers were identified as the culprits who compromised part of Ukraine’s electric grid, but it appears access was gained and havoc was wreaked through the acquisition of employees’ credentials and not likely through exploitation of weaknesses or backdoors in the utility’s systems. In the Director of National Intelligence’s public 2019 Worldwide Threat Assessment, it was claimed

Russia has the ability to execute cyber attacks in the United States that generate localized, temporary disruptive effects on critical infrastructure—such as disrupting an electrical distribution network for at least a few hours—similar to those demonstrated in Ukraine in 2015 and 2016. Moscow is mapping our critical infrastructure with the long-term goal of being able to cause substantial damage.

Moreover, risks to the energy sector have long been recognized. A 2017 report prepared by the Idaho National Laboratory stated, “ICS attacks are becoming increasingly more targeted and sophisticated, with trusted communications networks, remote access, mobile devices, vendors, and supply chains are the most likely routes of ingress.” In 2014, a U.S. think tank claimed

Vulnerabilities arise when utilities procure hardware and software from third-party vendors, including hardware or software that is intended to support smart grid and cybersecurity initiatives. New products and software may not be sufficiently secure in their design or implementation; they may be subject to malicious manipulation or be compromised by the use of counterfeit parts. Suppliers may not face market pressures or requirements to incorporate cybersecurity features in the design of their systems and devices. In some cases, products sold to the power sector may be insecure by design or insufficiently supported as new risks are identified. These issues are further complicated by the global nature of supply chains, which offer multiple possible entry points for cyber attacks. For example, numerous SCADA (supervisory control and data acquisition) devices are manufactured overseas, including in China, where external cyber threats have originated in the past.

In the EO, Trump found “that the unrestricted acquisition or use in the United States of bulk-power system electric equipment designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of foreign adversaries augments the ability of foreign adversaries to create and exploit vulnerabilities in bulk-power system electric equipment, with potentially catastrophic effects.” He added that “I therefore determine that the unrestricted foreign supply of bulk-power system electric equipment constitutes an unusual and extraordinary threat to the national security, foreign policy, and economy of the United States, which has its source in whole or in substantial part outside the United States.” Trump wrote, “[t]o address this threat, additional steps are required to protect the security, integrity, and reliability of bulk-power system electric equipment used in the United States.” He declared that “[i]n light of these findings, I hereby declare a national emergency with respect to the threat to the United States bulk-power system.”

The EO would bar the purchase of “any bulk-power system electric equipment” from unspecified foreign nations if the transaction poses unacceptable risks to the U.S. electric grid specifically and the U.S. generally. The EO defines foreign adversary as a “foreign government or foreign non-government person engaged in a long‑term pattern or serious instances of conduct significantly adverse to the national security of the United States or its allies or the security and safety of United States persons.” Presumably countries that have well-developed offensive cyber capabilities like the PRC, Russia, Iran, and North Korea would be designated foreign adversaries.

However, the Secretary of Energy could identify and require the use of mitigation measures that would allow otherwise banned equipment to be bought and used. The Department of Energy “may establish and publish criteria for recognizing particular equipment and particular vendors in the bulk-power system electric equipment market as pre-qualified for future transactions; and may apply these criteria to establish and publish a list of pre-qualified equipment and vendors.”

More broadly, the Secretary of Energy is directed to use the full authority conferred on his department by Congress and all the powers available under the International Emergency Economic Powers Act (IEEPA), the basis for Presidents to impose sanctions and other economic measures in peacetime. Pursuant to the use of these powers, the Department of Energy will likely identify countries as foreign adversaries for purposes of the EO and the companies they own, control, or have a stake in. Furthermore, the Department should also identify those foreign adversaries or companies that deserve additional scrutiny and a licensing process for those transactions that would otherwise be banned under the EO but are allowed to proceed with mitigation measures. The Department of Energy must also identify any existing bulk power system electric equipment that poses a threat to national or economic security and determine the means by which this equipment could be monitored, isolated, or replaced. The EO would also create a Task Force on Federal Energy Infrastructure Procurement Policies Related to National Security (Task Force) that “shall work to protect the Nation from national security threats through the coordination of Federal Government procurement of energy infrastructure and the sharing of risk information and risk management practices to inform such procurement.”

Finally, regarding the thrust of the EO, it bears mention that the Federal Energy Regulatory Commission (FERC) granted a petition to “defer the implementation of several Commission-approved Reliability Standards that have effective dates or phased-in implementation dates that fall in the second half of 2020,” including CIP-013-1 (Cyber Security – Supply Chain Risk Management), which was designed “to help ensure that responsible entities establish organizationally-defined processes that integrate a cybersecurity risk management framework into the system development lifecycle.” The deferral of this and related standards was on account of the COVID-19 pandemic’s effect on the energy sector. When the rule was adopted, FERC explained “Reliability Standard CIP-013-1 addresses information system planning and vendor risk management and procurement controls by requiring that responsible entities develop and implement one or more documented supply chain cybersecurity risk management plan(s) for high and medium impact Bulk Electric System (BES) Cyber Systems. The required plans must address, as applicable, a baseline set of six security concepts: (1) Vendor security event notification; (2) coordinated incident response; (3) vendor personnel termination notification; (4) product/services vulnerability disclosures; (5) verification of software integrity and authenticity; and (6) coordination of vendor remote access controls.”

This EO could serve as a template for future actions to more tightly regulate other critical sectors. It is not hard to imagine Trump or a future president deciding that the threats posed by the PRC or other adversaries justify a heavier role in the regulation of supply chains and even cybersecurity.
