Further Reading, Other Developments, and Coming Events (11 November)

Further Reading

  • ICE, IRS Explored Using Hacking Tools, New Documents Show” By Joseph Cox — Vice. Federal agencies other than the Federal Bureau of Investigation (FBI) and the Intelligence Community (IC) appear to be interesting in utilizing some of the capabilities offered by the private sector to access devices or networks in the name of investigating cases.
  • China’s tech industry relieved by Biden win – but not relaxed” By Josh Horwitz and Yingzhi Yang — Reuters. While a Biden Administration will almost certainly lower the temperature between Beijing and Washington, the People’s Republic of China is intent on addressing the pressure points used by the Trump Administration to inflict pain on its technology industry.
  • Trump Broke the Internet. Can Joe Biden Fix It?” By Gilad Edelman — WIRED. This piece provides a view of the waterfront in technology policy under a Biden Administration.
  • YouTube is awash with election misinformation — and it isn’t taking it down” By Rebecca Heilweil — Recode. For unexplained reasons, YouTube seems to have avoided the scrutiny facing Facebook and Twitter on their content moderation policies. Whether the lack of scrutiny is a reason is not clear, but the Google owned platform had much more election-related misinformation than the other social media platforms.
  • Frustrated by internet service providers, cities and schools push for more data” By Cyrus Farivar — NBC News. Internet service providers are not helping cities and states identify families eligible for low-cost internet to help children attend school virtually. They have claimed these data are proprietary, so jurisdictions have gotten creative about identifying such families.

Other Developments

  • The Consumer Product Safety Commission’s (CPSC) Office of the Inspector General (OIG) released its annual Federal Information Security Modernization Act (FISMA) audit and found “that although management continues to make progress in implementing the FISMA requirements much work remains to be done.” More particularly, it was “determined that the CPSC has not implemented an effective information security program and practices in accordance with FISMA requirements.” The OIG asserted:
    • The CPSC information security program was not effective because the CPSC has not developed a holistic formal approach to manage information security risks or to effectively utilize information security resources to address previously identified information security deficiencies. Although the CPSC has begun to develop an Enterprise Risk Management (ERM) program to guide risk management practices at the CPSC, explicit guidance and processes to address information security risks and integrate those risks into the broader agency-wide ERM program has not been developed.
    • In addition, the CPSC has not leveraged the relevant information security risk management guidance prescribed by NIST to develop an approach to manage information security risk.
    • Further, as asserted by CPSC personnel, the CPSC has limited resources to operate the information security program and to address the extensive FISMA requirements and related complex cybersecurity challenges.
    • Therefore, the CPSC has not dedicated the resources necessary to fully address these challenges and requirements. The CPSC began addressing previously identified information security deficiencies but was not able to address all deficiencies in FY 2020.
  • The United States (U.S.) Department of Justice (DOJ) announced the seizure of 27 websites allegedly used by Iran’s Islamic Revolutionary Guard Corps (IRGC) “to further a global covert influence campaign…in violation of U.S. sanctions targeting both the Government of Iran and the IRGC.” The DOJ contended:
    • Four of the domains purported to be genuine news outlets but were actually controlled by the IRGC and targeted audiences in the United States, to covertly influence United States policy and public opinion, in violation of the Foreign Agents Registration Act (FARA). The remainder targeted audiences in other parts of the world.  This seizure warrant follows an earlier seizure of 92 domains used by the IRGC for similar purposes.
  • The United Nations (UN) Special Rapporteur on the right to privacy Joseph Cannataci issued his annual report that “constitutes  a  preliminary  assessment  as  the  evidence  base required to reach definitive conclusions on whether privacy-intrusive, anti-COVID-19 measures are necessary and proportionate in a democratic society is not yet available.” Cannataci added “[a] more definitive report is planned for mid-2021, when 16 months of evidence will be available to allow a more accurate assessment.” He “addresse[d]  two  particular  aspects  of  the impact of COVID-19 on the right to privacy: data protection and surveillance.” The Special Rapporteur noted:
    • While the COVID-19 pandemic has generated much debate about the value of contact tracing and reliance upon technology that track citizens and those they encounter, the use of information and technology is not new in managing public health emergencies. What is concerning in some States are reports of how technology is being used and the degree of intrusion and control being exerted over citizens –possibly to little public health effect.
    • The Special Rapporteur concluded:
      • It is far too early to assess definitively whether some COVID-19-related measures might be unnecessary or disproportionate. The Special Rapporteur will continue to monitor the impact of surveillance in epidemiology on the right to privacy and report to the General Assembly in 2021. The main privacy risk lies in the use of non-consensual methods, such as those outlined in the section on hybrid systems of surveillance, which could result in function creep and be used for other purposes that may be privacy intrusive.
      • Intensive and omnipresent technological surveillance is not the panacea for pandemic situations such as COVID-19. This has been especially driven home by those countries in which the use of conventional contact-tracing methods, without recourse to smartphone applications, geolocation or other technologies, has proven to be most effective in countering the spread of COVID-19.
      • If a State decides that technological surveillance is necessary as a response to the global COVID-19 pandemic, it must make sure that, after proving both the necessity and proportionality of the specific measure, it has a law that explicitly provides for such surveillance measures (as in the example of Israel).
      • A State wishing to introduce a surveillance measure for COVID-19 purposes, should not be able to rely on a generic provision in law, such as one stating that the head of the public health authority may “order such other action be taken as he [or she] may consider appropriate”. That does not provide explicit and specific safeguards which are made mandatory both under the provisions of Convention 108 and Convention 108+, and based on the jurisprudence of the European Court of Human Rights. Indeed, if the safeguard is not spelled out in sufficient detail, it cannot be considered an adequate safeguard.
  • The University of Toronto’s Citizen Lab issued its submission to the Government of Canada’s “public consultation on the renewal of its Responsible Business Conduct (RBC) strategy, which is intended to provide guidance to the Government of Canada and Canadian companies active abroad with respect to their business activities.” Citizen Lab addressed “Canadian technology companies and the threat they pose to human rights abroad” and noted two of its reports on Canadian companies whose technologies were used to violate human rights:
    • In 2018, the Citizen Lab released a report documenting Netsweeper installations on public IP networks in ten countries that each presented widespread human rights concerns. This research revealed that Netsweeper technology was used to block: (1) political content sites, including websites linked to political groups, opposition groups, local and foreign news, and regional human rights issues in Bahrain, Kuwait, Yemen, and UAE; (2) LGBTQ content as a result of Netsweeper’s pre-defined ‘Alternative Lifestyles’ content category, as well as Google searches for keywords relating to LGBTQ content (e.g., the words “gay” or “lesbian”) in the UAE, Bahrain, and Yemen; (3) non-pornographic websites under the mis-categorization of sites like the World Health Organization and the Center for Health and Gender Equity as “pornography”; (4) access to news reporting on the Rohingya refugee crisis and violence against Muslims from multiple news outlets for users in India; (5) Blogspot-hosted websites in Kuwait by categorizing them as “viruses” as well as a range of political content from local and foreign news and a website that monitors human rights issues in the region; and (6) websites like Date.com, Gay.com (the Los Angeles LGBT Center), Feminist.org, and others through categorizing them as “web proxies.” 
    • In 2018, the Citizen Lab released a report documenting the use of Sandvine/Procera devices to redirect users in Turkey and Syria to spyware, as well as the use of such devices to hijack the Internet users’ connections in Egypt, redirecting them to revenue-generating content. These examples highlight some of the ways in which this technology can be used for malicious purposes. The report revealed how Citizen Lab researchers identified a series of devices on the networks of Türk Telekom—a large and previously state-owned ISP in Turkey—being used to redirect requests from users in Turkey and Syria who attempted to download certain common Windows applications like antivirus software and web browsers. Through the use of Sandvine/Procera technology, these users were instead redirected to versions of those applications that contained hidden malware. 
    • Citizen Lab made a number of recommendations:
      • Reform Canadian export law:  
        • Clarify that all Canadian exports are subject to the mandatory analysis set out in section 7.3(1) and section 7.4 of the Export and Import Permits Act (EIPA). 
        • Amend section 3(1) the EIPA such that the human rights risks of an exported good or technology provide an explicit basis for export control.
        • Amend the EIPA to include a ‘catch-all’ provision that subjects cyber-surveillance technology to export control, even if not listed on the Export Control List, when there is evidence that the end-use may be connected with internal repression and/or the commission of serious violations of international human rights or international humanitarian law. 
      • Implement mandatory human rights due diligence legislation:
        • Similar to the French duty of vigilance law, impose a human rights due diligence requirement on businesses such that they are required to perform human rights risk assessments, develop mitigation strategies, implement an alert system, and develop a monitoring and public reporting scheme. 
        • Ensure that the mandatory human rights due diligence legislation provides a statutory mechanism for liability where a company fails to conform with the requirements under the law. 
      • Expand and strengthen the Canadian Ombudsperson for Responsible Enterprise (CORE): 
        • Expand the CORE’s mandate to cover technology sector businesses operating abroad.
        • Expand the CORE’s investigatory mandate to include the power to compel companies and executives to produce testimony, documents, and other information for the purposes of joint and independent fact-finding.
        • Strengthen the CORE’s powers to hold companies to account for human rights violations abroad, including the power to impose fines and penalties and to impose mandatory orders.
        • Expand the CORE’s mandate to assist victims to obtain legal redress for human rights abuses. This could include the CORE helping enforce mandatory human rights due diligence requirements, imposing penalties and/or additional statutory mechanisms for redress when requirements are violated.
        • Increase the CORE’s budgetary allocations to ensure that it can carry out its mandate.
  • A week before the United States’ (U.S.) election, the White House’s Office of Science and Technology Policy (OSTP) issued a report titled “Advancing America’s Global Leadership in Science and Technology: Trump Administration Highlights from the Trump Administration’s First Term: 2017-2020,” that highlights the Administration’s purported achievements. OSTP claimed:
    • Over the past four years, President Trump and the entire Administration have taken decisive action to help the Federal Government do its part in advancing America’s global science and technology (S&T) preeminence. The policies enacted and investments made by the Administration have equipped researchers, health professionals, and many others with the tools to tackle today’s challenges, such as the COVID-19 pandemic, and have prepared the Nation for whatever the future holds.

Coming Events

  • On 17 November, the Senate Judiciary Committee will reportedly hold a hearing with Facebook CEO Mark Zuckerberg and Twitter CEO Jack Dorsey on Section 230 and how their platforms chose to restrict The New York Post article on Hunter Biden.
  • On 18 November, the Federal Communications Commission (FCC) will hold an open meeting and has released a tentative agenda:
    • Modernizing the 5.9 GHz Band. The Commission will consider a First Report and Order, Further Notice of Proposed Rulemaking, and Order of Proposed Modification that would adopt rules to repurpose 45 megahertz of spectrum in the 5.850-5.895 GHz band for unlicensed operations, retain 30 megahertz of spectrum in the 5.895-5.925 GHz band for the Intelligent Transportation Systems (ITS) service, and require the transition of the ITS radio service standard from Dedicated Short-Range Communications technology to Cellular Vehicle-to-Everything technology. (ET Docket No. 19-138)
    • Further Streamlining of Satellite Regulations. The Commission will consider a Report and Order that would streamline its satellite licensing rules by creating an optional framework for authorizing space stations and blanket-licensed earth stations through a unified license. (IB Docket No. 18-314)
    • Facilitating Next Generation Fixed-Satellite Services in the 17 GHz Band. The Commission will consider a Notice of Proposed Rulemaking that would propose to add a new allocation in the 17.3-17.8 GHz band for Fixed-Satellite Service space-to-Earth downlinks and to adopt associated technical rules. (IB Docket No. 20-330)
    • Expanding the Contribution Base for Accessible Communications Services. The Commission will consider a Notice of Proposed Rulemaking that would propose expansion of the Telecommunications Relay Services (TRS) Fund contribution base for supporting Video Relay Service (VRS) and Internet Protocol Relay Service (IP Relay) to include intrastate telecommunications revenue, as a way of strengthening the funding base for these forms of TRS and making it more equitable without increasing the size of the Fund itself. (CG Docket Nos. 03-123, 10-51, 12-38)
    • Revising Rules for Resolution of Program Carriage Complaints. The Commission will consider a Report and Order that would modify the Commission’s rules governing the resolution of program carriage disputes between video programming vendors and multichannel video programming distributors. (MB Docket Nos. 20-70, 17-105, 11-131)
    • Enforcement Bureau Action. The Commission will consider an enforcement action.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo by Brett Sayles from Pexels

OIG Finds DHS Election Security Efforts Improved But Still Lacking

The OIG found issues with how CISA provided assistance on election cybersecurity and found a complete lack of planning or assistance on physical safety, terrorism, and violence issues.

The United States’ (U.S.) Department of Homeland Security’s (DHS) Office of the Inspector General (OIG) released its second assessment in the last two years of the Cybersecurity and Infrastructure Security Agency’s (CISA) efforts to secure the U.S.’ election systems. The OIG lauded CISA’s progress in laying plans and taking precautions to secure U.S. election systems themselves but found room for CISA to improve its oversight and safeguarding the overall system. However, the OIG acknowledged the progress the agency has made since the February 2019 evaluation that was more critical of CISA’s efforts to date. But the OIG intimated that given the churn at the top of DHS over the last few years and the federal election system the U.S. has, CISA may be able to do only so much. In any event, the next few days may lead the OIG to rethink some of its assessment depending on how CISA performs.

The OIG summarized the scope of challenge before CISA:

  • As of September 2020, according to the Cybersecurity and Infrastructure Security Agency (CISA), there were 7,997 election administration jurisdictions in the country. The sizes of these jurisdictions vary dramatically, with the smallest towns having only a few hundred registered voters, while the largest jurisdiction in the country has more than 4.7 million.
  • The diversity in voting systems and software across the Nation presents considerable cybersecurity challenges. For example, there are 67 different types of voting machines manufactured by 7 different companies currently certified for use in any of the election administration jurisdictions across the United States. The election infrastructure’s reliance on technology for efficiency and convenience introduces even greater cybersecurity risks. Moreover, state and local jurisdictions may have different requirements for securing their systems, such as configuration settings, audit logging, intrusion detection capability, and patch management.

Nonetheless, beyond the effect of four different DHS heads since the beginning of the Trump Administration, the OIG pointed at CISA’s “protracted reorganization” since it was renamed and remade from its forerunner agency, the National Protection and Programs Directorate (NPPD). The OIG said CISA could not even produce an organizational chart, suggesting the possibility of dysfunction inside the agency. For example, the OIG noted:

For example, [Office of Intelligence and Analysis] officials told us in March 2020, the National Cybersecurity and Communications Integration Center (NCCIC) was recently re-organized. However, when we reached out to CISA officials for confirmation in April 2020, they dismissed this notion. According to CISA officials, the confusion may arise when some people refer to NCCIC according to its statutory authority while others refer to the organizational body (i.e., the Cybersecurity Division) that carries out the functions described in the statute.

The OIG flatly declared that until DHS and CISA get solid leadership and are properly organized, the assistance that can be provided to the election sector will be limited. As DHS is the sector-specific agency for a number of other sectors, this conclusion may also have repercussions in the following sectors:

  • Chemical Sector
  • Commercial Facilities Sector
  • Communications Sector
  • Critical Manufacturing Sector
  • Dams Sector
  • Emergency Services Sector
  • Information Technology Sector
  • Nuclear Reactors, Materials, and Waste Sector
  • Transportation Systems Sector (shared with the Department of Transportation)

To wit, the OIG asserted

Amid the leadership vacancies and repeated turnover, within DHS, CISA has not sufficiently prioritized key activities or established effective performance measures to monitor its progress in accomplishing its mission and goals of securing the Nation’s election infrastructure. Without DHS senior leadership guidance as a foundation, CISA cannot work successfully with sector representatives to develop the plans and strategies needed to secure the election infrastructure.

The under and unaddressed risks the OIG identified are “physical security risks, terrorism threats, and targeted violence.” The OIG speculated (correctly, I think) that after the 2016 election CISA was very focused on cybersecurity even though its remit over this subsector of a critical infrastructure sector also includes physical security:

Further, when assisting state and local election officials, CISA has primarily focused on the cybersecurity of election systems instead of broader election infrastructure aspects including related storage facilities, polling places, and centralized vote tabulation locations used to support the election process. CISA’s focus on cybersecurity may be attributed to reported cybersecurity threats and misinformation campaigns from foreign nations during the 2016 and 2018 elections. While beneficial, CISA’s primary focus on cybersecurity has limited DHS’ ability to provide the strategic direction needed to secure the election infrastructure from broader types of potential risks.

Given the protests and counter-protests this year related to Black Lives Matter, which has bled into the Presidential election campaign, CISA’s failure to focus on physical security, terrorism and violence may have left the election system susceptible. The OIG contended:

While attacks on physical election infrastructure locations and assets are rare, CISA should consider both physical and cyber threats as part of a comprehensive understanding of the threat and incorporate them in its election security and resilience planning. For example, an individual drove a van into a voter registration tent manned by campaign volunteers in February 2020. CISA cannot effectively secure the election infrastructure or manage risk to the Nation’s critical infrastructure based on the 2013 National Infrastructure Protection Plan by focusing on cybersecurity alone. A clear roadmap, sufficiently addressing broader risks, is needed to better guide DHS efforts and help achieve its goals of securing the election infrastructure. Moreover, the OIG found the quality fo the information provided by CISA to state and local election officials of questionable value. This is not surprising given the recent audit that found DHS’ cyber information sharing program was not providing quality information to the private sector. Based on our interviews with selected CISA regional staff, the cyber threat information CISA and I&A shared with election stakeholders was not always considered useful.

Based on our interviews with selected CISA regional staff, the cyber threat information CISA and I&A shared with election stakeholders was not always considered useful. DHS is required to maintain situational awareness of threats, and improve the sharing of threat intelligence with stakeholders to better prepare and protect election infrastructure. However, according to selected CISA regional staff, the information was over-classified, not tailored to election stakeholders needs, and could be obtained elsewhere. According to our interviews with CISA’s regional staff 12 Cybersecurity Advisors, 15 Protective Security Advisors, and 10 Regional Directors, the following are opportunities to improve the quality of information shared with stakeholders:

  • 8 (22 percent) of 37 CISA regional staff stated the information was overly classified.
  • 8 (22 percent) of 37 CISA regional staff stated briefings were not tailored to stakeholders needs.
  • 7 (19 percent) of 37 CISA regional staff stated the information could be obtained from public sources. In one example, by the time the cyber threat information was declassified for sharing with election stakeholders, they had already learned about it through the news media.
  • 5 (14 percent) of 37 CISA regional staff stated that after attending briefings, election officials could not share the information with their information technology staff and county clerks to remediate vulnerabilities as they did not possess the proper clearances.
  • 1 (3 percent) of 37 CISA regional staff stated some briefings were repetitive.
  • 7 (19 percent) of 37 CISA regional staff stated Fusion Centers were too far away and not convenient.

Representatives of other Federal agencies also told us about their work with CISA to secure the election infrastructure. One Federal agency representative discussed receiving duplicative election infrastructure threat information from CISA and DHS’ I&A. Another Federal agency official stated, “I cannot think of a single thing in a classified briefing that I have not read from the media,” indicating he had received complaints from others about DHS’ intelligence briefings not being helpful.

Worse still, when a state or local election authority requested that CISA perform an assessment of their systems or processes, the agency was often tardy in doing so. For example, the OIG found:

  • A Secretary of State initially requested a Phishing Campaign Assessment in October 2017. However, CISA did not begin the assessment until June 2018. CISA’s records show NCCIC did not complete the assessment until January 2019, more than a year after the request was made.
  • Another State Board of Elections requested CISA perform a Risk and Vulnerability Assessment in July 2018. The assessment did not begin until July 2019. NCCIC ultimately completed the testing in September 2019, more than a year after the initial request.

Staffing was also an issue. The OIG’s survey of CISA regional staff resulted in 73% of those interviewed saying “CISA needed more Cybersecurity Advisors to help private sector entities and state, local, territorial, and tribal governments prepare for and protect themselves against cybersecurity threats.”

The OIG made these recommendations to CISA:

  • Recommendation 1: Coordinate with the Office of the Secretary to revise the National Infrastructure Protection Plan and other planning documents to incorporate current and evolving risks as well as mitigation strategies needed to secure the Nation’s election infrastructure.
  • Recommendation 2: Improve the collaboration between I&A and CISA, which can help to enhance the quality and reduce the redundancy of information DHS shares with Federal agencies and state and local election officials.
  • Recommendation 3: Assign the staff resources needed to conduct timely cybersecurity and physical assessments to assist states and localities with securing the election infrastructure.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Image by Free-Photos from Pixabay

Further Reading, Other Developments, and Coming Events (28 October)

Further Reading

  •  “Administration officials alarmed by White House push to fast track lucrative 5G spectrum contract, sources say” By Jake Tapper — CNN. A company with Karl Rove as its lobbyist may be poised to win a no-bid contract with the Department of Defense (DOD) for the commercial use of its highly sought-after mid-band spectrum ideal for 5G. Reportedly, White House Chief of Staff Mark Meadows has been pressing the DOD to hurry the process of making this spectrum available with many Administration officials having reservations about the seeming push to allow one company with little to no experience, Rivada, to have the whole chunk of spectrum. One official claimed if Rivada gets this contract it would be “the biggest handoff of economic power to a single entity in history.” Rove denied the company would accept a sole-source contract. There is strong bipartisan opposition on Capitol Hill, likely fanned by lobbyists from the companies apt to lose out if Rivada secures a winner-takes-all contract. Incidentally, in Jamaica where I live, the United States (U.S.) government has apparently pitched Rivada as a no-cost option to build out the island’s 5G network with Rivada collecting revenue from the operation of the system. The U.S. Ambassador has pitched the deal to Prime Minister Andrew Holness. And, while this could be seen as another U.S. effort to block the People’s Republic of China (PRC), which has done extensive development in Jamaica, it has the appearance of impropriety on the U.S.’ end, at the very least.
  • Remote learning is deepening the divide between rich and poor” By Lucien O. Chauvin and Anthony Faiola — The Washington Post. The digital divide is, if anything, even more pronounced in the Third World where the pandemic and underlying economic and societal conditions threaten to erase anti-poverty gains and the education and future of a generation.
  • Big Tech’s biggest critics are racing to raise money for Biden’s campaign” By Tony Romm — The Washington Post. In the last days of the campaign, a number of “Big Tech” critics are hosting or intensifying fund raising efforts for the Biden Campaign in the hopes of shaping its policies towards Silicon Valley. Those on the left favor dramatic action in a new administration while Biden’s centrist history may argue against significant change. Also, Silicon Valley as a whole has showered donations on the Biden Campaign, which may be a potent counterweight.
  • State, federal antitrust charges against Facebook could come as soon as November, sources say” By Tony Romm — The Washington Post. The Federal Trade Commission (FTC) and a group of state attorneys general may be filing their anti-trust suits as early as next month against Facebook for its dominance of the social messaging market. The suits would likely focus on Facebook’s acquisitions of potential rivals WhatsApp and Instagram.
  • Facebook touts free speech. In Vietnam, it’s aiding in censorship” By David Cloud and Shashank Bengali — Los Angeles Times. Despite Facebook’s talk of supporting free speech in western nations, it apparently complies to pressure from authoritarian regimes like Vietnam’s to block posts and close down accounts of dissidents.

Other Developments

  • The Presidency of the Council of the European Union (EU), currently held by Germany, released “Conclusions on the Charter of Fundamental Rights in the Context of Artificial Intelligence and Digital Change,” which laid out the EU’s views on how to develop and deploy artificial intelligence (AI).
    • The Presidency stated:
      • The COVID-19 pandemic has shown more clearly than ever that Europe must achieve digital sovereignty in order to be able to act with self-determination in the digital sphere and to foster the resilience of the European Union. We therefore want to work together on European responses for digital technologies, such as artificial intelligence (AI). We want to ensure that the design, development, deployment and use of new technologies uphold and promote our common values and the fundamental rights guaranteed by the EU Charter of Fundamental Rights (hereinafter ‘the Charter’), while increasing our competitiveness and prosperity. High levels of IT security must be maintained within a framework that is open to innovation.
      • We are committed to the responsible and human-centric design, development, deployment, use and evaluation of AI. We should harness the potential of this key technology in promoting economic recovery in all sectors in a spirit of European solidarity, uphold and promote fundamental rights, democracy and the rule of law and maintain high legal and ethical standards.
  • A United States’ (U.S.) Defense Science Board (DSB) Task Force published the executive summary of its “Final Report on Counter Autonomy,” “a strategic assessment of U.S. counter autonomy capabilities today and 30 years from now across all domains (land, sea, undersea, air, space, and cyberspace).” The DSB is an advisory body of the Department of Defense (DOD) that has proven influential in shaping DOD and U.S. policy. The Task Force stated:
    • The Task Force found a heavy focus across the whole-of-government on fielding U.S. autonomous systems with very little attention given to countering autonomous systems deployed by adversaries. One major exception is the U.S. government’s many programs focused on the counter unmanned aerial system (c-UAS) mission. Although c-UAS is critical to ensuring the safety and security of U.S. forces, allies, and the homeland, the DOD must adopt a broader view of counter autonomy or it will not be prepared to effectively defeat future adversary systems.
    • Like the introduction of cyberspace, the growth of autonomy and artificial intelligence (AI) will bring new capability to the public and private sector, but it will also introduce vulnerabilities to current and future capabilities. Therefore, the Task Force felt it necessary to not only develop recommendations aimed at counter autonomy but also counter-counter autonomy. The integrity of each component used to develop a physical or digital autonomous capability must be considered across the entire lifecycle of a system to maintain confidence in its efficacy and reliability.
    • The Task Force has provided a series of recommendations that, if implemented, will effectively aid the DOD and the wider U.S. government in developing a full-scope counter autonomy capability, strengthen U.S. autonomous systems, and result in a more resilient and lethal force.
    • The Task Force made these recommendations:
      • Recommendation 1: Leadership
        • The Under Secretary of Defense, Research and Engineering (USD(R&E)) create a single senior focal point for counter autonomy separate from autonomy leadership but of equal authority to ensure independent thinking
        • USD(R&E) champion a DOD-wide autonomy/counter autonomy community modeled on the existing low observable/counter low observable (LO/CLO) community
      • Recommendation 2: Capability and Operational Development
        • C. Military Departments (Secretaries) charter the following in order to develop robust fielded counter autonomy capabilities
        • Assess, fund, and deploy modifications needed to existing conventional capabilities
        • Create a robust Opposing force (OPFOR) that mimics adversary autonomy
        • Establish multi-domain Counter autonomy (CA) Red Teams
        • Develop CA requirements, concepts, and Tactics, techniques, and procedures (TTPs)/ Concept of operations (CONOPS)
        • D. Direct Service labs and DARPA to create CA
      • R&D Recommendation 3: Intelligence
        • Sensitive content – N/A
      • Recommendation 4: Assurance
        • Under Secretary of Defense for Acquisition and Sustainment (USD(A&S)) establish and enforce AI-enabled autonomous system resilience guidelines to mitigate AI-specific vulnerabilities
        • Developmental test and evaluation (DT&E)/ Operational test and evaluation (OT&E) establish testing and evaluation guidance for development, fielding and sustainment to assure resilience of AI-enabled autonomous systems against counter autonomy attack over lifecycle
      • Recommendation 5: Policy
        • The Office of the Under Secretary of Defense for Policy (OUSD(P)) develop policy to provide appropriate defense of U.S. autonomous weapon systems, support autonomy exports, and ensure safety and security of imports
      • Recommendation 6: Talent
        • The Office of the Secretary of Defense (OSD) and Military Departments significantly expand autonomy/AI talent through aggressive recruiting, hiring, career path, and retention actions:
        • −  Upskill talent with AI skills through incentives and innovative methods such as free or affordable online training (e.g., edX, Coursera, Udacity)
        • −  Military Departments establish, promote, and incentivize autonomy/AI career paths for civilian and military personnel
        • o Service Academies, including Air Force Institute of Technology and Naval Postgraduate School, include counter autonomy in curriculum and research
        • −  Expand the use of innovative staffing (e.g., IPA, HQE, SMART), and build a national talent pipeline at the graduate level with focused DOD funding
        • −  Fully leverage Section 1107(c) Direct Hiring Authority and request Congress authorize the limitation be raised from 5 percent to 10 percent of the workforce
        • Defense Counterintelligence and Security Agency (DCSA) accelerate clearance adjudication for candidates with critical skills (AI/machine learning (ML), robotics, cyber, etc.)
  • The Center for a New American Security (CNAS), a center-left Washington, D.C. national security think tank that may prove as influential in a Biden Administration as it did during the Obama Administration, released “Common Code: An Alliance Framework for Democratic Technology Policy,” that argued for the most technologically advanced democracies to band together and cooperate so that democratic ideals and principles will inform the development of the coming technology. CNAS explained that “[t]he Technology Alliance project and this report were made possible by a grant from Schmidt Futures,” a philanthropic venture started and funded by former Google and Alphabet CEO Eric Schmidt. CNAS stated:
    • Technological leadership by the world’s major liberal-democratic nations will be essential to safeguarding democratic institutions, norms, and values, and will contribute to global peace and prosperity. A unified approach by like-minded nations also is needed to counteract growing investments in and deployments of emerging technologies by authoritarian, revisionist powers.
    • Many have made the case for such a grouping, most notably the United Kingdom’s recent call for a “Democracy 10” to tackle 5G and other technology issues. Similarly, former U.S. government officials have advocated for the creation of a “Tech 10.” Despite this interest in a new coordination mechanism for multilateral technology policy, the work needed to create it has been elusive.
    • CNAS explained:
      • This document lays out what that alliance framework should look like, the opening chapter of a new, multilateral techno-democratic statecraft strategy for the 21st century. It answers the key questions needed to move from concept to an actionable blueprint necessary to tackle the 21st century technology competition:
        • What countries should be members of the technology alliance, and why?
        • Should the alliance be able to collaborate with non-members, and why?
        • Should the alliance grow, and how?
        • How should the alliance be organized and structured?
        • What is the ideal voting system?
        • How should the alliance engage with stakeholders from industry and civil society?
        • What is the best meeting structure and frequency?
      • After detailing recommendations for creating the technology alliance itself, the blueprint addresses the new organization’s top priorities, areas where the project leads identified both a common code between the proposed member countries and an urgent need for improved coordination:
        • Restructure supply chains with a focus on security and diversity
        • Safeguard competitive technological advantages with tailored multilateral export controls and by curbing unwanted technology transfers
        • Fund and build secure digital infrastructure by creating new investment mechanisms
        • Craft standards and norms for a beneficial technology future.
      • The technology alliance’s longer-term agenda should include efforts to:
        • Pursue joint R&D
        • Engage in technology forecasting
        • Focus on data flows
        • Promote technology interoperability
        • Counter disinformation and other illiberal uses of technology
        • Maximize human capital.
  • The National Institute of Standards and Technology (NIST) published a notice in the Federal Register inviting “organizations to provide products and technical expertise to support and demonstrate security platforms for the Zero Trust Cybersecurity: Implementing a Zero Trust Architecture project.” NIST explained this “is the initial step for the National Cybersecurity Center of Excellence (NCCoE) in collaborating with technology companies to address cybersecurity challenges identified under the Zero Trust Cybersecurity: Implementing a Zero Trust Architecture project.” NIST explained:
    • Since late 2018, NIST and NCCoE cybersecurity researchers have had the opportunity to work closely with the Federal Chief Information Officer (CIO) Council, federal agencies, and industry to address the challenges and opportunities for implementing zero trust architectures across U.S. government networks. This work resulted in publication of NIST Special Publication (SP) 800-207, Zero Trust Architecture
    • In November 2019, the NCCoE and the Federal CIO Council cohosted a Zero Trust Architecture Technical Exchange Meeting that brought together zero trust vendors and practitioners from government and industry to share successes, best practices, and lessons learned in implementing zero trust in the federal government and the commercial sector.
    • The NCCoE project builds on this body of knowledge as we seek to build out and document an example zero trust architecture that aligns to the concepts and principles in NIST SP 800-207 and using commercially available products.
  • The United States (U.S.) Department of Homeland Security’s (DHS) Office of the Inspector General (OIG) evaluated DHS’ information security for FY 2019 and found serious problems. The OIG “reviewed DHS’ information security program for compliance with Federal Information Security Modernization Act requirements.” The OIG found serious deficiencies with the Cybersecurity and Infrastructure Security Agency, ostensibly the entity in the U.S. government charged with helping civilian agencies secure and defend their networks. The OIG found:
    • DHS’ information security program was not effective for FY 2019 because the Department earned a maturity rating of “Ad Hoc” (Level 1) in three of five functions, compared to last year’s higher overall rating of “Managed and Measurable” (Level 4). We rated DHS’ information security program according to five functions outlined in the 2019 reporting instructions:
      • Identify: DHS received a Level 1 rating because it did not have an effective strategy or department-wide approach to manage risks for all of its systems.
      • Protect: DHS achieved Level 4 as it was rated Level 4 in three of the four domains essential to this function.
      • Detect: DHS received a Level 1 rating due to the lack of a comprehensive strategy and organization-wide continuous monitoring approach to address all requirements and activities at each organizational tier.
      • Respond: DHS received a Level 1 rating because the Coast Guard had not reported its cybersecurity incidents to DHS since 2012.
      • Recover: DHS received Level 3 because it had not made progress since prior years [REDACTED]
    • According to FY 2019 reporting metrics, our independent contractor rated component information security programs effective for Customs and Border Protection (CBP) and Immigration and Customs Enforcement (ICE) as both components achieved the targeted “Level 4 – Managed and Measurable” or higher in four of five functions. The Cybersecurity and Infrastructure Security Agency (CISA) overall information security program was not effective because it achieved “Level 1 – Ad-hoc,” which is below the targeted Level 4 in three of five functions. Because the Department performs several security functions on CISA’s behalf, CISA has not yet developed component specific policies, procedures, and business processes as required by DHS policy.

Coming Events

  • On 29 October, the Federal Trade Commission (FTC) will hold a seminar titled “Green Lights & Red Flags: FTC Rules of the Road for Business workshop” that “will bring together Ohio business owners and marketing executives with national and state legal experts to provide practical insights to business and legal professionals about how established consumer protection principles apply in today’s fast-paced marketplace.”
  • On 10 November, the Senate Commerce, Science, and Transportation Committee will hold a hearing to consider nominations, including Nathan Simington’s to be a Member of the Federal Communications Commission.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Image by Computerizer from Pixabay

DHS OIG Sees More Progress Needed In Cyber Sharing

A five-year-old program to foster information sharing between the federal government and private sector barely got passing grades with plenty of room for improvement.

The Department of Homeland Security’s (DHS) Office of the Inspector General (OIG) has issued its biannual report on how well DHS and the Cybersecurity Infrastructure Security Agency (CISA) are implementing the responsibilities and authorities bestowed on the agency by Congress in the “Cybersecurity Act of 2015” (P.L. 114-113), specifically the information sharing regime DHS was tasked with leading. While the OIG found progress, the quality of the cyber threat indicators and defensive measures continued to be lackluster and apparently of little value to private sector entities and federal agencies. The OIG lays out the various reasons CISA’s threat information has limited value, but until the agency starts providing useful and timely information, it is likely most potential recipients will either not opt to receive it or will discount the information they do receive. Moreover, while information sharing is probably not the silver bullet proponents of the legislation claimed, it does have obvious value in alerting organizations of cyber threats.

Apparently, CISA has not seen Field of Dreams because they thought stakeholders would just join even though what CISA was providing was of limited value. The OIG has a number of reasons for this, but it is somewhat astounding that DHS and CISA have had five years to implement perhaps the most anticipated change in United States (U.S.) cybersecurity policy and they are still muddling along. Of course, this lack of progress also begs the question of whether the conceptual framework that led to Title I of the “Cybersecurity Act of 2015” was as sound as advertised. Having lived through the marathon of bills, markups, negotiations, revised bills, amendments, etc., it is clear in my memory that private sector stakeholders insisted time and again before Congress that they could not share cyber information without liability protection because of the many lawsuits against them for doing just that (just kidding about that last part; no one ever said there was any actual litigation, but there might be.) It seemed dubious at the time to me, and still does, but they persuaded lawmakers and the Obama White House, and so it went into the bill. And yet, these entities are either not sharing information or not sharing it with the federal government.

However, aside and apart from the quality of the information CISA is providing, the OIG pointed out that CISA is receiving very little threat information from private sector partners. Why might this be? A lingering fear of litigation even though there is liability protection and such submissions cannot be released under Freedom of Information Act (FOIA) requests? Perhaps.

I also wonder if private sector entities are averse to sharing information because they fear regulation and enforcement may ensue even though the “Cybersecurity Act of 2015” has limits on how far federal agencies may go in doing either. I’m guessing that corporate counsel has argued and will continue to argue against private sector entities providing information for fear that somehow, someway it will boomerang back on companies. But, to be fair, the language in this provision relates to “lawful activities,” meaning illegal conduct that turns up in cybersecurity information shared with the federal government could be used to for an enforcement or regulatory action.

Moreover, federal agencies may use such information to tailor their cybersecurity regulation, so companies and other private sector entities may want to avoid regulation above the largely voluntary regime most entities in critical infrastructure industries face (excepting heavily regulated field like electric and nuclear power, for example.) Also, there are incentives related to information asymmetry, as always. If Company A has invested the resources to have a first-rate cybersecurity regime, why would they help Company B by pointing out dangers by submitting information to CISA, especially if they share a market and compete.

Perhaps more simply, using Occam’s Razor, private sector entities want cyber threat information and do not want to go to the trouble and expense of submitting it to the federal government. There is almost no incentive for them to share information other than the good feeling associated with helping to protect the U.S. and doing one’s duty.

Finally, this blog posting from 2015 by a “white shoe” law firm succinctly provides the type of advice that would stop most companies from participating:

In determining what information to share, a company should evaluate whether a cyber threat indicator or defensive measure implicates sensitive business information, and exercise particular care in evaluating the costs and benefits of sharing this information. It bears emphasis that CISA imposes no requirement to share cyber information, and if a company does choose to share it is free to distinguish between different types of information. As compared to more generic threat information, disclosing information about a company’s own specific cyber vulnerabilities and incidents can carry legal, competitive, and reputational risks that are far greater if that information is learned by competitors and customers. In this regard, it will be important to understand the situations in which the federal government may share and make public information received under CISA, such as in the context of a criminal prosecution. For particularly sensitive information, companies will want to focus on the ability to share on an anonymous basis, such as through an ISAC or ISAO. Public companies will, among other things, need to assess how their decision to share information under CISA may interact with their disclosure decisions under the securities laws, given that sharing cyber information with the federal government could potentially be seen as an indicator of materiality requiring disclosure in a public filing.

Finally, the OIG did not investigate information sharing within the private sector. This is outside its remit, and I suspect the Government Accountability Office (GAO) would be a better entity to take on this issue. Given all the noise made by the private sector about liability protection, very few seem to be using it by submitting information to CISA. Perhaps the information sharing market is gangbusters for ISACs or ISAOs.

Nonetheless, the OIG explained:

The DHS has addressed the basic information sharing requirements of the Cybersecurity Act of 2015. To carry out its mandate, the Cybersecurity and Infrastructure Security Agency (CISA) within DHS, developed policies, procedures, and an automated capability, known as the Automated Indicator Sharing (AIS) program, to share cyber threat information between the Federal Government and the private sector. CISA increased the number of AIS participants as well as the volume of cyber threat indicators it has shared since the program’s inception in 2016. However, CISA made limited progress improving the overall quality of information it shares with AIS participants to effectively reduce cyber threats and protect against attacks.

The OIG contended “CISA’s lack of progress in improving the quality of information it shares can be attributed to a number of factors, such as limited numbers of AIS participants sharing cyber indicators with CISA, delays receiving cyber threat intelligence standards, and insufficient CISA office staff.’ The OIG asserted “[t]o be more effective, CISA should hire the staff it needs to provide outreach, guidance, and training.”

The OIG found:

  • While CISA has increased the number of cyber threat indicators and defensive measures shared with program participants, the AIS information did not contain enough detail to fully mitigate potential threats. Specifically, the AIS indicators shared with participants did not contain actionable information, including sufficient context or background details to effectively protect Federal and private networks. Examples of contextual information may include Internet Protocol addresses, domain names, or hash files, which may be helpful for determining the appropriate course of action to mitigate threats against networks.
  • To determine whether CISA had improved the quality of information it shared under the AIS program, we obtained feedback from 17 AIS participants (10 Federal agencies and 7 private sector entities). Although some participants conceded the accuracy and quality of the indicators were not high, they still found the information beneficial. The feedback we obtained is outlined as follows, and shown in Figure 4:
    • 11 of 17 participants (5 Federal and 6 private sector) said the indicators lacked contextual/background data for determining the appropriate course of action to mitigate threats against their networks. Additionally, some participants stated that some indicators received were false positives or unusable information.
    •  6 of 17 participants (3 Federal and 3 private sector) said they had to augment the AIS indicators with additional information from other third- party sources.12
    •  5 of 17 participants (4 Federal and 1 private sector) stated the AIS program was effective or helpful.
    •  1 Federal agency did not express an opinion on the usefulness of the program.
  • CISA’s lack of progress to improve the quality of the information shared under the AIS program can be attributed to multiple external and internal factors. External factors include the limited number of AIS participants sharing cyber indicators with CISA and the delays in receiving the cyber threat intelligence standards needed to upgrade the AIS capability. Internal factors include insufficient staffing in the CISA office to adequately support the AIS program. Collectively, these shortcomings have hindered CISA’s ability to improve the quality of AIS indicators and have thwarted outreach efforts to increase participation and the usefulness of the AIS program.

The OIG made four recommendations:

  • Develop an approach to encourage Federal and private sector participants to share information with the Department and become data producers under the AIS program.
  • Collaborate with the Organization for the Advancement of Structured Information Standards to expedite the approval of new standards so that the CISA can complete AIS upgrades.
  • Actively promote the AIS program through increased outreach, training, technical assistance, and information sharing forums for Federal and private sector entities.
  • Place priority on hiring administrative and operational staff needed to conduct outreach, training, and performance measurement to improve the AIS program’s operational effectiveness.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Further Reading, Other Developments, and Coming Events (29 September)

Coming Events

  • The United States’ Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) announced that its third annual National Cybersecurity Summit “will be held virtually as a series of webinars every Wednesday for four weeks beginning September 16 and ending October 7:”
    • September 30: Diversity in Cybersecurity
    • October 7: Defending our Democracy
    • One can register for the event here.
  • September 30 the House Veterans’ Affairs Committee’s Technology Modernization Subcommittee will meet for an oversight hearing titled “Examining VA’s Ongoing Efforts in the Electronic Health Record Modernization Program.”
  • The Federal Communications Commission (FCC) will hold an open meeting on 30 September and has made available its agenda with these items:
    • Facilitating Shared Use in the 3.1-3.55 GHz Band. The Commission will consider a Report and Order that would remove the existing non-federal allocations from the 3.3-3.55 GHz band as an important step toward making 100 megahertz of spectrum in the 3.45-3.55 GHz band available for commercial use, including 5G, throughout the contiguous United States. The Commission will also consider a Further Notice of Proposed Rulemaking that would propose to add a co-primary, non-federal fixed and mobile (except aeronautical mobile) allocation to the 3.45-3.55 GHz band as well as service, technical, and competitive bidding rules for flexible-use licenses in the band. (WT Docket No. 19-348)
    • Expanding Access to and Investment in the 4.9 GHz Band. The Commission will consider a Sixth Report and Order that would expand access to and investment in the 4.9 GHz (4940-4990 MHz) band by providing states the opportunity to lease this spectrum to commercial entities, electric utilities, and others for both public safety and non-public safety purposes. The Commission also will consider a Seventh Further Notice of Proposed Rulemaking that would propose a new set of licensing rules and seek comment on ways to further facilitate access to and investment in the band. (WP Docket No. 07-100)
    • Improving Transparency and Timeliness of Foreign Ownership Review Process. The Commission will consider a Report and Order that would improve the timeliness and transparency of the process by which it seeks the views of Executive Branch agencies on any national security, law enforcement, foreign policy, and trade policy concerns related to certain applications filed with the Commission. (IB Docket No. 16-155)
    • Promoting Caller ID Authentication to Combat Spoofed Robocalls. The Commission will consider a Report and Order that would continue its work to implement the TRACED Act and promote the deployment of caller ID authentication technology to combat spoofed robocalls. (WC Docket No. 17-97)
    • Combating 911 Fee Diversion. The Commission will consider a Notice of Inquiry that would seek comment on ways to dissuade states and territories from diverting fees collected for 911 to other purposes. (PS Docket Nos. 20-291, 09-14)
    • Modernizing Cable Service Change Notifications. The Commission will consider a Report and Order that would modernize requirements for notices cable operators must provide subscribers and local franchising authorities. (MB Docket Nos. 19-347, 17-105)
    • Eliminating Records Requirements for Cable Operator Interests in Video Programming. The Commission will consider a Report and Order that would eliminate the requirement that cable operators maintain records in their online public inspection files regarding the nature and extent of their attributable interests in video programming services. (MB Docket No. 20-35, 17-105)
    • Reforming IP Captioned Telephone Service Rates and Service Standards. The Commission will consider a Report and Order, Order on Reconsideration, and Further Notice of Proposed Rulemaking that would set compensation rates for Internet Protocol Captioned Telephone Service (IP CTS), deny reconsideration of previously set IP CTS compensation rates, and propose service quality and performance measurement standards for captioned telephone services. (CG Docket Nos. 13-24, 03-123)
    • Enforcement Item. The Commission will consider an enforcement action.
  • On October 1, the House Judiciary Committee’s Antitrust, Commercial, and Administrative Law Subcommittee will hold a hearing as part of its series on online competition at which it may unveil its proposal on how to reform antitrust enforcement for the digital age. The hearing is titled “Proposals to Strengthen the Antitrust Laws and Restore Competition Online.”
  • On 1 October, the Senate Commerce, Science, and Transportation Committee may hold a markup to authorize subpoenas to compel the attendance of the technology CEOs for a hearing on 47 U.S.C. 230 (aka Section 230). Ranking Member Maria Cantwell (D-WA) has said:
    • Taking the extraordinary step of issuing subpoenas is an attempt to chill the efforts of these companies to remove lies, harassment, and intimidation from their platforms. I will not participate in an attempt to use the committee’s serious subpoena power for a partisan effort 40 days before an election,” indicating a vote, should one occur, may well be along party lines.
    • Nonetheless, the Committee may subpoena the following CEOs:
      • Mr. Jack Dorsey, Chief Executive Officer, Twitter
      • Mr. Sundar Pichai, Chief Executive Officer, Alphabet Inc., Google
      • Mr. Mark Zuckerberg, Chief Executive Officer, Facebook
  • The Senate Judiciary Committee will markup the “Online Content Policy Modernization Act” (S.4632), a bill to reform 47 U.S.C. 230 (aka Section 230) that provides many technology companies with protection from lawsuits for third party content posted on their platforms and for moderating and removing such content.
  • On October 1, the Senate Armed Services Committee’s Readiness and Management Support Subcommittee will hold a hearing on supply chain integrity with Under Secretary of Defense for Acquisition and Sustainment Ellen Lord testifying. Undoubtedly, implementation of the ban on Huawei, ZTE, and other People’s Republic of China (PRC) equipment and services as required by Section 889 of the “John S. McCain National Defense Authorization Act (NDAA) for FY 2019” (P.L. 115-232) will be discussed. Also, the Cybersecurity Maturity Model Certification (CMMC) program will also likely be discussed.
  • On October 29, the Federal Trade Commission (FTC) will hold a seminar titled “Green Lights & Red Flags: FTC Rules of the Road for Business workshop” that “will bring together Ohio business owners and marketing executives with national and state legal experts to provide practical insights to business and legal professionals about how established consumer protection principles apply in today’s fast-paced marketplace.”

Other Developments

  • The Senate passed an extension of the “Undertaking Spam, Spyware, And Fraud Enforcement With Enforcers beyond Borders Act of 2006” (U.S.  SAFE  WEB  Act) (H.R.4779), sending the bill to the White House. The Senate did not alter the bill the House sent to it in December. The House Energy and Commerce Committee explained in its committee report:
    • Enacted into law on December 22, 2006, the U.S. SAFE WEB Act amended the Federal Trade Commission Act (FTC Act) to improve the FTC’s ability to combat unfair or deceptive acts or practices that are international in scope. Specifically, U.S. SAFE WEB Act: (1) affirms the FTC’s cross-border enforcement authority; (2) authorizes collaboration with foreign law enforcement in the form of investigative assistance3and information sharing, provided certain statutory factors are met; (3) bolsters the FTC’s ability to receive information from foreign counterparts by allowing confidential treatment of information received; and (4) promotes relation-ship building through staff exchanges with foreign counterparts.
    • H.R. 4779 would ensure that the FTC continues to have the cross-border enforcement authority and international cooperation tools it needs to protect American consumers from unfair or deceptive acts or practices that originate abroad. This program provides a sound foundation for related issues of protecting and preserving cross-border data flows that are essential for Privacy Shield and other such agreements. Such legislation helps promote our leader ship  on  artificial  intelligence,  autonomous  vehicles,  quantum  computing, and other emerging technologies.
  • The Department of Veterans Affairs (VA) revealed it had been breached and “the personal information of approximately 46,000 Veterans” has been compromised. This announcement came the same day as an advisory issued by the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) that Chinese Ministry of State Security (MSS)-affiliated cyber threat actors have been targeting and possibly penetrating United States (U.S.) agency networks. The two events may not be linked, however. And yet, what is linked to the breach is an August VA request for information (RFI) for an entity “provide cyber security audit services support,” as confirmed by an agency spokesperson. The VA has experienced long running problems with information technology (IT) and cybersecurity as evidenced by this Government Accountability Office (GAO) testimony released a few weeks ago. In the notice of the breach, the VA explained:
    • The Financial Services Center (FSC) determined one of its online applications was accessed by unauthorized users to divert payments to community health care providers for the­ medical treatment of Veterans. The FSC took the application offline and reported the breach to VA’s Privacy Office. A preliminary review indicates these unauthorized users gained access to the application to change financial information and divert payments from VA by using social engineering techniques and exploiting authentication protocols. To prevent any future improper access to and modification of information, system access will not be reenabled until a comprehensive security review is completed by the VA Office of Information Technology. 
  • The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency issued Emergency Directive 20-04, “Mitigate Netlogon Elevation of Privilege Vulnerability from August 2020 Patch Tuesday” that directs United States’ (U.S.) agencies to act with respect to “non-national security systems,” meaning civilian agencies, to “immediately apply the Windows Server August 2020 security update to all domain controllers.” This most recent Emergency Directive follows two earlier ones this year (found here and here.)
  • The United States Department of Health and Human Services’ (HHS) Office of Civil Rights (OCR) announced a trio of enforcement actions for violations of HHS regulations on healthcare information these entities failed to properly protect. Specifically, these entities failed to meet their obligations under the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. OCR released these summaries of the actions:
    • Premera Blue Cross (PBC) has agreed to pay $6.85 million to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and to implement a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules related to a breach affecting over 10.4 million people. This resolution represents the second-largest payment to resolve a HIPAA investigation in OCR history. PBC operates in Washington and Alaska, and is the largest health plan in the Pacific Northwest, serving more than two million people.
      • On March 17, 2015, PBC filed a breach report on behalf of itself and its network of affiliates stating that cyber-attackers had gained unauthorized access to its information technology (IT) system.  The hackers used a phishing email to install malware that gave them access to PBC’s IT system in May 2014, which went undetected for nearly nine months until January 2015.  This undetected cyberattack, otherwise known as an advanced persistent threat, resulted in the disclosure of more than 10.4 million individuals’ protected health information including their names, addresses, dates of birth, email addresses, Social Security numbers, bank account information, and health plan clinical information. 
      • OCR’s investigation found systemic noncompliance with the HIPAA Rules including failure to conduct an enterprise-wide risk analysis, and failures to implement risk management, and audit controls.
    •  CHSPSC LLC, (“CHSPSC”) has agreed to pay $2,300,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and to adopt a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules related to a breach affecting over six million people.  CHSPSC provides a variety of business associate services, including IT and health information management, to hospitals and physician clinics indirectly owned by Community Health Systems, Inc., in Franklin, Tennessee.
      • In April 2014, the Federal Bureau of Investigation (FBI) notified CHSPSC that it had traced a cyberhacking group’s advanced persistent threat to CHSPSC’s information system. Despite this notice, the hackers continued to access and exfiltrate the protected health information (PHI) of 6,121,158 individuals until August 2014. The hackers used compromised administrative credentials to remotely access CHSPSC’s information system through its virtual private network. 
      • OCR ‘s investigation found longstanding, systemic noncompliance with the HIPAA Security Rule including failure to conduct a risk analysis, and failures to implement information system activity review, security incident procedures, and access controls.
    • Athens Orthopedic Clinic PA (“Athens Orthopedic”) has agreed to pay $1,500,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and to adopt a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. Athens Orthopedic is located in Georgia and provides orthopedic services to approximately 138,000 patients annually.
      • On June 26, 2016, a journalist notified Athens Orthopedic that a database of their patient records may have been posted online for sale. On June 28, 2016, a hacker contacted Athens Orthopedic and demanded money in return for a complete copy of the database it stole. Athens Orthopedic subsequently determined that the hacker used a vendor’s credentials on June 14, 2016, to access their electronic medical record system and exfiltrate patient health data. The hacker continued to access protected health information (PHI) for over a month until July 16, 2016.
      • On July 29, 2016, Athens Orthopedic filed a breach report informing OCR that 208,557 individuals were affected by this breach, and that the PHI disclosed included patients’ names, dates of birth, social security numbers, medical procedures, test results, and health insurance information.
      • OCR’s investigation discovered longstanding, systemic noncompliance with the HIPAA Privacy and Security Rules by Athens Orthopedic including failures to conduct a risk analysis, implement risk management and audit controls, maintain HIPAA policies and procedures, secure business associate agreements with multiple business associates, and provide HIPAA Privacy Rule training to workforce members.
  • The Department of the Treasury published a final rule that changes the Committee on Foreign Investment in the United States (CFIUS) regulations with respect to mandatory filings for future deals in which foreign companies are investing in United States (U.S.) firms producing “critical technologies.” Previously, the trigger was if there was a nexus between the U.S. entity and certain industries. But now, the filing requirement will be triggered if “certain U.S. government authorizations would be required to export, reexport, transfer (in-country), or retransfer the critical technology or technologies produced, designed, tested, manufactured, fabricated, or developed by the U.S. business to certain transaction parties and foreign persons in the ownership chain.” The Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA) (P.L. 115-232) required the agency to make this, among many other changes, in the CFIUS regime. What constitutes “critical technologies” is defined in FIRRMA and includes all sorts of military, commercial items with military applications, and “emerging and foundational technologies.” The final rule also “makes amendments to the definition of the term “substantial interest” and a related provision, and makes one technical revision.”
  • The Government Accountability Office (GAO) has assessed how well the Department of the Treasury is doing in its role as the overseer of cybersecurity for the United States (U.S.) financial services industry. The GAO found Treasury’s efforts lacking, especially with respect in implementing the recommendations the GAO has previously made. The GAO concluded:
    • Increased access to financial services sector systems, combined with the potential for monetary gains and economic disruptions, poses significant information security risks to the sector’s systems and to the critical operations and infrastructures they support. The financial services sector faces several different types of cyber-related risks, including ensuring adequate security for service providers traditionally considered external to the sector, an increased interconnectivity between sector entities that could result in simpler attack vectors, and the potential introduction of malware such as ransomware through social engineering techniques, such as spear phishing, or insider access. The sector has also faced an increase in attacks from well-organized attackers with significant resources.
    • The financial services industry, including firms and sectorwide groups set up to assist firms in ensuring the cybersecurity and resilience of the sector, have undertaken a series of risk mitigation efforts, in areas such as coordination and information sharing between organizations, development of guidance and training for members, and sectorwide incident response exercises. However, industry firms also pointed to challenge areas for assistance from regulators and policymakers. The most common of these areas were improved information sharing of actionable data after a cyber incident; improved harmonization among regulators, such as minimizing differences in use of state versus national requirements; establishing clearer guidance regarding regulation of the sector’s third-party service providers; and increasing cybersecurity training to firm employees.
    •  Federal agencies are conducting risk mitigation efforts intended to support private industry in improving cybersecurity of the financial services sector. These efforts, including regular outreach by the designated financial sector-specific agency, Treasury, generally meet responsibilities laid out in policy. However, Treasury does not prioritize or track the progress of sectorwide risk mitigation efforts, and does not explicitly link sector efforts to the goals in the sector specific plan, which is the primary sector planning document. Furthermore, the plan is out of date and does not include information on how the sector plans to implement recently required efforts. The plan also does not identify ways to measure sector progress, such as explicit metrics for determining the progress of risk mitigation efforts to enhance the cybersecurity and resilience of the sector. Unless Treasury undertakes tracking and prioritization of efforts based on metrics that reflect sector planning documents, the sector will remain unable to determine the effectiveness of its efforts, which could leave the sector insufficiently prepared to deal with primary sector risks.
    • The GAO made two recommendations to Treasury:
      • Regarding financial sector cyber risk mitigation efforts, we recommend that the Secretary of the Treasury, in coordination with the Department of Homeland Security and other federal and nonfederal sector partners, track the content and progress of sectorwide cyber risk mitigation efforts, and prioritize their completion according to sector goals and priorities in the sector-specific plan. (Recommendation 1)
      • Regarding the financial sector-specific plan, we recommend that the Secretary of the Treasury, in coordination with the Department of Homeland Security and other federal and nonfederal sector partners, update the financial services sector-specific plan to include specific metrics for measuring the progress of risk mitigation efforts and information on how the sector’s ongoing and planned risk mitigation efforts will meet sector goals and requirements, such as requirements for the financial services sector in the National Cyber Strategy Implementation Plan. (Recommendation 2)
  • The Department of Homeland Security’s (DHS) Office of the Inspector General (OIG) published its review of a May 2019 breach of a U.S. Customs and Border Protection (CBP) subcontractor that resulted in “CBP data, including traveler images from CBP’s facial recognition pilot, appear[ing] on the dark web.” The OIG explained that “CBP selected Unisys Corporation to design, develop, and install a biometric entry-exit solution that would verify and confirm the arrival and departures of passengers. In turn, Unisys Corporation hired Perceptics, LLC, as a subcontractor to install its proprietary facial image capture solution.” Perceptics then proceeded to violate DHS security and privacy protocols by transferring these data to its systems, but the agency did not store the personally identifiable information (PII) in an encrypted form. Consequently, when Perceptics was hit with a ransomware attack, “more than 184,000 traveler facial image files, as well as 105,000 license plate images from prior pilot work, were stored on the subcontractor’s network at the time of the ransomware attack.” The hackers also “stole an array of contractual documents, program management documents, emails, system configurations, schematics, and implementation documentation related to CBP license plate reader programs.” Worse still, CBP was notified of the breach through a media article instead of by either the prime or subcontractor even thought Perceptics informed Unisys, which opted against informing CBP in violation of its contractual duties.
  • The OIG summarized the facts of the case:
    • CBP did not adequately safeguard sensitive data on an unencrypted device used during its facial recognition technology pilot (known as the Vehicle Face System). A subcontractor working on this effort, Perceptics, LLC, transferred copies of CBP’s biometric data, such as traveler images, to its own company network. The subcontractor obtained access to this data between August 2018 and January 2019 without CBP’s authorization or knowledge. Later in 2019, the Department of Homeland Security experienced a major privacy incident, as the subcontractor’s network was subjected to a malicious cyber attack.
    • DHS requires subcontractors to protect personally identifiable information (PII) from identity theft or misuse. However, in this case, Perceptics staff directly violated DHS security and privacy protocols when they downloaded CBP’s sensitive PII from an unencrypted device and stored it on their own network. Given Perceptics’ ability to take possession of CBP-owned sensitive data, CBP’s information security practices during the pilot were inadequate to prevent the subcontractor’s actions.
    • This data breach compromised approximately 184,000 traveler images from CBP’s facial recognition pilot; at least 19 of the images were posted to the dark web. This incident may damage the public’s trust in the Government’s ability to safeguard biometric data and may result in travelers’ reluctance to permit DHS to capture and use their biometrics at U.S. ports of entry.
  • The OIG made 3 recommendations to CBP:
    • Recommendation 1: We recommend CBP’s Assistant Commissioner for the Office of Information and Technology implement all mitigation and policy recommendations to resolve the 2019 data breach identified in CBP’s Security Threat Assessments, including implementing USB device restrictions and applying enhanced encryption methods.
    • Recommendation 2: We recommend the Deputy Executive Assistant Commissioner, Office of Field Operations coordinate with the CBP Office of Information and Technology to ensure that all additional security controls are implemented on relevant devices at all existing Biometric Entry-Exit program pilot locations.
    • Recommendation 3: We recommend the Deputy Executive Assistant Commissioner, Office of Field Operations establish a plan for the Biometric Entry-Exit Program to routinely assess third-party equipment supporting biometric data collection to ensure partners’ compliance with Department security and privacy standards.

Further Reading

  • Revealed: Trump campaign strategy to deter millions of Black Americans from voting in 2016” — Channel 4 News. The same British news organization that broke the Cambridge Analytica story is back with another article on the mining and use of personal data in microtargeting voters in the 2016 presidential election. Despite repeated denials, it appears the Trump Campaign in concert with Cambridge Analytica and the Republican National Committee targeted African Americans with messages on Facebook to keep them home on election day, possibly swinging a few keys states Trump could not have won the Electoral College without.
  • Why the right wing has a massive advantage on Facebook” By Alex Thompson — Politico. This piece lays the responsibility for the advantage in popularity conservative political posts and content on human nature, arguing that right-wing populism will always be more viscerally appealing to people than left-wing populism. The company also seems to be laying what many are calling its malign effects on human nature, too.  
  • Foreign Hackers Cripple Texas County’s Email System, Raising Election Security Concerns” By Jack Gillum, Jessica Huseman, Jeff Kao and Derek Willis — ProPublica. In an article based on information provided on a small Texas County’s breach, light is shined on how unprepared many localities and jurisdictions against common cyber threats. In this case, a common ransomware malware was placed successfully on the county’s system rending it unusable. It appears this, and other counties, have disregarded the cybersecurity advice furnished by the Department of Homeland Security in the hopes that the United States’ (U.S.) systems will be secure against election day hacks. With minimal effort, a sophisticated entity can wreak havoc in contested states this election.
  • TikTok was just the beginning: Trump administration is stepping up scrutiny of past Chinese tech investments” By Jeanne Whalen — The Washington Post. To no great surprise, the Trump Administration is looking to use the Committee on Foreign Investment in the United States (CFIUS) process. The Department of the Treasury’s Office of Investment Security Monitoring & Enforcement has been sending letters to technology companies since the early spring inquiring about foreign investment. The companies being targeted tend to collect, process, and store a lot of personal data or are pioneering or producing cutting edge technology considered vital for national security like electric batteries. This new office is reportedly looking back at transactions completed more than ten years ago. Already the scrutiny is having its intended effect as entities from the People’s Republic of China (PRC) have invested less this year in Silicon Valley than they have in six years.
  • China chip giant SMIC shares sink on US export controls” By Jerome Taylor — AFP; “U.S. sanctions on chipmaker SMIC hit at the very heart of China’s tech ambitions” By Arjun Kharpal — CNBC. The United States (U.S.) Department of Commerce has reportedly informed U.S. chipmakers and others that they must stop selling equipment to the People’s Republic of China’s (PRC) Semiconductor Manufacturing International Corp (SMIC) unless they get an export license. This latest move tightens further the chokehold the U.S. has placed on Huawei and other PRC firms that require U.S. technology to make their products. While SMIC has made strides in developing chips, it is still dependent on foreign technology. SMIC told western media outlets we “no relationship with the Chinese military and does not manufacture for any military end-users or end-uses.”
  • Activists slam Palantir for its work with ICE ahead of market debut” By Tonya Riley and Cat Zakrzewski — The Washington Post. Ahead of tomorrow’s initial public offering, human rights advocates are pressing investors to forego Palantir or to buy the stock and demand changes. These activists are arguing that the Peter Thiel launched company has worked with the United States government and others in violation of human rights.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo by Daniel Falcao on Unsplash