Further Reading, Other Developments, and Coming Events (21 September)

Coming Events

  • The United States’ Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) announced that its third annual National Cybersecurity Summit “will be held virtually as a series of webinars every Wednesday for four weeks beginning September 16 and ending October 7:”
    • September 16: Key Cyber Insights
    • September 23: Leading the Digital Transformation
    • September 30: Diversity in Cybersecurity
    • October 7: Defending our Democracy
    • One can register for the event here.
  • On 22 September, the Federal Trade Commission (FTC) will hold a public workshop “to examine the potential benefits and challenges to consumers and competition raised by data portability.” The agency has released its agenda and explained:
    • The workshop will also feature four panel discussions that will focus on: case studies on data portability rights in the European Union, India, and California; case studies on financial and health portability regimes; reconciling the benefits and risks of data portability; and the material challenges and solutions to realizing data portability’s potential.
  • The Senate Judiciary Committee’s Intellectual Property Subcommittee will hold a hearing on 23 September titled “Examining Threats to American Intellectual Property: Cyber-attacks and Counterfeits During the COVID-19 Pandemic” with these witnesses:
    • Adam Hickey, Deputy Assistant Attorney General National Security Division, Department of Justice
    • Clyde Wallace, Deputy Assistant Director Cyber Division, Federal Bureau of Investigation
    • Steve Francis, Assistant Director, HSI Global Trade Investigations Division Director, National Intellectual Property Rights Center, U.S. Immigration and Customs Enforcement, Department of Homeland Security
    • Bryan S. Ware, Assistant Director for Cybersecurity Cyber Security and Infrastructure Security Agency, Department of Homeland Security
  • On 23 September, the Commerce, Science, and Transportation Committee will hold a hearing titled “Revisiting the Need for Federal Data Privacy Legislation,” with these witnesses:
    • The Honorable Julie Brill, Former Commissioner, Federal Trade Commission
    • The Honorable William Kovacic, Former Chairman and Commissioner, Federal Trade Commission
    • The Honorable Jon Leibowitz, Former Chairman and Commissioner, Federal Trade Commission
    • The Honorable Maureen Ohlhausen, Former Commissioner and Acting Chairman, Federal Trade Commission
  • The House Energy and Commerce Committee’s Consumer Protection and Commerce Subcommittee will hold a virtual hearing “Mainstreaming Extremism: Social Media’s Role in Radicalizing America” on 23 September with these witnesses:
    • Marc Ginsburg, President, Coalition for a Safer Web
    • Tim Kendall, Chief Executive Officer, Moment
    • Taylor Dumpson, Hate Crime Survivor and Cyber-Harassment Target
    • John Donahue, Fellow, Rutgers University Miler Center for Community Protection and Resiliency, Former Chief of Strategic Initiatives, New York City Police Department
  • On 23 September, the Senate Homeland Security and Governmental Affairs will hold a hearing to consider the nomination of Chad Wolf to be the Secretary of Homeland Security.
  • The Senate Armed Services Committee will hold a closed briefing on 24 September “on Department of Defense Cyber Operations in Support of Efforts to Protect the Integrity of U.S. National Elections from Malign Actors” with:
    • Kenneth P. Rapuano, Assistant Secretary of Defense for Homeland Defense and Global Security
    • General Paul M. Nakasone, Commander, U.S. Cyber Command and Director, National Security Agency / Chief, Central Security Service
  • On 24 September, the Homeland Security and Governmental Affairs will hold a hearing on “Threats to the Homeland” with:
    • Christopher A. Wray, Director, Federal Bureau of Investigation
    • Christopher Miller, Director, National Counterterrorism Center
    • Kenneth Cuccinelli, Senior Official Performing the Duties of the Deputy Secretary of Homeland Security
  • The Senate Judiciary Committee’s Antitrust, Competition Policy & Consumer Rights Subcommittee will hold a hearing on 30 September titled “Oversight of the Enforcement of the Antitrust Laws” with Federal Trade Commission Chair Joseph Simons and United States Department of Justice Antitrust Division Assistant Attorney General Makan Delhrahim.
  • The Federal Communications Commission (FCC) will hold an open meeting on 30 September and has made available its agenda with these items:
    • Facilitating Shared Use in the 3.1-3.55 GHz Band. The Commission will consider a Report and Order that would remove the existing non-federal allocations from the 3.3-3.55 GHz band as an important step toward making 100 megahertz of spectrum in the 3.45-3.55 GHz band available for commercial use, including 5G, throughout the contiguous United States. The Commission will also consider a Further Notice of Proposed Rulemaking that would propose to add a co-primary, non-federal fixed and mobile (except aeronautical mobile) allocation to the 3.45-3.55 GHz band as well as service, technical, and competitive bidding rules for flexible-use licenses in the band. (WT Docket No. 19-348)
    • Expanding Access to and Investment in the 4.9 GHz Band. The Commission will consider a Sixth Report and Order that would expand access to and investment in the 4.9 GHz (4940-4990 MHz) band by providing states the opportunity to lease this spectrum to commercial entities, electric utilities, and others for both public safety and non-public safety purposes. The Commission also will consider a Seventh Further Notice of Proposed Rulemaking that would propose a new set of licensing rules and seek comment on ways to further facilitate access to and investment in the band. (WP Docket No. 07-100)
    • Improving Transparency and Timeliness of Foreign Ownership Review Process. The Commission will consider a Report and Order that would improve the timeliness and transparency of the process by which it seeks the views of Executive Branch agencies on any national security, law enforcement, foreign policy, and trade policy concerns related to certain applications filed with the Commission. (IB Docket No. 16-155)
    • Promoting Caller ID Authentication to Combat Spoofed Robocalls. The Commission will consider a Report and Order that would continue its work to implement the TRACED Act and promote the deployment of caller ID authentication technology to combat spoofed robocalls. (WC Docket No. 17-97)
    • Combating 911 Fee Diversion. The Commission will consider a Notice of Inquiry that would seek comment on ways to dissuade states and territories from diverting fees collected for 911 to other purposes. (PS Docket Nos. 20-291, 09-14)
    • Modernizing Cable Service Change Notifications. The Commission will consider a Report and Order that would modernize requirements for notices cable operators must provide subscribers and local franchising authorities. (MB Docket Nos. 19-347, 17-105)
    • Eliminating Records Requirements for Cable Operator Interests in Video Programming. The Commission will consider a Report and Order that would eliminate the requirement that cable operators maintain records in their online public inspection files regarding the nature and extent of their attributable interests in video programming services. (MB Docket No. 20-35, 17-105)
    • Reforming IP Captioned Telephone Service Rates and Service Standards. The Commission will consider a Report and Order, Order on Reconsideration, and Further Notice of Proposed Rulemaking that would set compensation rates for Internet Protocol Captioned Telephone Service (IP CTS), deny reconsideration of previously set IP CTS compensation rates, and propose service quality and performance measurement standards for captioned telephone services. (CG Docket Nos. 13-24, 03-123)
    • Enforcement Item. The Commission will consider an enforcement action.

Other Developments

  • The Court of Justice of the European Union (CJEU) ruled for the first time on the European Union’s (EU) open internet access rules, Regulation 2015/2120, “which enshrines the fundamental principle of an open internet (more colloquially known as ‘net neutrality’)” according to the court’s summary of its decision. The CJEU found that a zero rating plan offered by a Hungarian telecommunications carrier that provided preference to certain apps and websites even when users had exhausted their data allowances was counter to these regulations. Moreover, the CJEU found it is not necessary to show that other apps and websites are being harmed or effected in order to punish a violator. This ruling puts the EU at odds with the United States in terms of policy, for the Federal Communications Commission (FCC) rescinded Obama Administration net neutrality regulations and tried to preempt state net neutrality measures. However, a Biden Administration FCC may reinstall such regulations.  
  • The United States Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) released an alert finding that:
    • Chinese Ministry of State Security (MSS)-affiliated cyber threat actors use open-source information to plan and conduct cyber operations.
    • Chinese MSS-affiliated cyber threat actors use readily available exploits and exploit toolkits to quickly engage target networks.
    • Maintaining a rigorous patching cycle continues to be the best defense against the most frequently used attacks.
    • If critical vulnerabilities remain unpatched, cyber threat actors can carry out attacks without the need to develop custom malware and exploits or use previously unknown vulnerabilities to target a network.
    • This Advisory identifies some of the more common—yet most effective— tactics, techniques, and procedures (TTPs) employed by cyber threat actors, including Chinese MSS-affiliated cyber threat actors.
    • CISA and the FBI added:
      • The continued use of open-source tools by Chinese MSS-affiliated cyber threat actors highlights that adversaries can use relatively low-complexity capabilities to identify and exploit target networks. In most cases, cyber operations are successful because misconfigurations and immature patch management programs allow actors to plan and execute attacks using existing vulnerabilities and known exploits. Widespread implementation of robust configuration and patch management programs would greatly increase network security. It would also reduce the speed and frequency of opportunistic attacks by forcing threat actors to dedicate time and funding to research unknown vulnerabilities and develop custom exploitation tools.
  • As requested by the chair and ranking members of the House Oversight Committee and its Government Operations Subcommittee, the Government Accountability Office (GAO) investigated and reported on “essential mission-critical information technology (IT) acquisitions across the federal government and determine their key attributes.” The GAO noted “[e]leven of the 16 selected acquisitions were rebaselined during their development, meaning that the project’s cost, schedule, or performance goals were modified to reflect new circumstances.” The GAO stated “[t]en agencies reported delays in defining the cost, schedule, and scope; one agency reported budget cuts and hiring freezes; four agencies reported technical challenges; and five agencies reported changes in development approach as a cause for rebaselining.” The GAO reported “[t]he amount agencies expect to spend on the selected acquisitions vary greatly depending on their scope and complexity, as well as the extent of transformation and modernization that agencies envision once the acquisitions are fully deployed.” The GAO stated “[a]gencies reported potential cost savings associated with 13 of the 16 mission-critical acquisitions after deployment.”
    • The GAO added
      • In general, these agencies reported that they expect cost savings and cost avoidance due to a number of factors. Six agencies reported expected cost savings as a result of multiple legacy systems being shut down, and two agencies reported expected cost savings from the use of cloud-based capabilities. Seven agencies cited improved efficiencies in streamlined processes as an expected savings in costs, while three agencies cited the elimination of physical paper processing as the source of expected cost savings. Three agencies also reported that they expected cost savings through improving security, monitoring, and management.
  • The United Kingdom announced a “National Data Strategy” that “will put data at the heart of the country’s recovery from the pandemic so companies and organisations can use it to drive digital transformation, innovate and boost growth across the economy.” The Department for Digital, Culture, Media & Sport explained the new strategy “asks fundamental questions about what data should and should not be made available…[and] sets out how to maintain a regulatory regime that is not too burdensome for smaller business and supports responsible innovation…through five priority missions:
    • Unlocking the value of data across the economy
    • Securing a pro-growth and trusted data regime
    • Transforming government’s use of data to drive efficiency and improve public services
    • Ensuring the security and resilience of the infrastructure on which data relies
    • Championing the international flow of data
  • The United States Department of Homeland Security’s the Cybersecurity and Infrastructure Security Agency (CISA), with contributions from the Federal Bureau of Investigation (FBI), issued an alert titled “Iran-Based Threat Actor Exploits VPN Vulnerabilities” regarding “an Iran-based malicious cyber actor targeting several U.S. federal agencies and other U.S.-based networks.” The agencies stated
    • Analysis of the threat actor’s indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) indicates a correlation with the group known by the names, Pioneer Kitten and UNC757. This threat actor has been observed exploiting several publicly known Common Vulnerabilities and Exposures (CVEs) dealing with Pulse Secure virtual private network (VPN), Citrix NetScaler, and F5 vulnerabilities. This threat actor used these vulnerabilities to gain initial access to targeted networks and then maintained access within the successfully exploited networks for several months using multiple means of persistence.
  • Senator Mike Lee (R-UT) released a statement after big technology companies responded to his letter “asking each company to justify anti-conservative bias in their content moderation process.” Lee asserted:
    • The responses received from the tech companies about bias against conservatives at their firms were completely unpersuasive. I continue to be concerned about the ideological discrimination going on at these firms and I believe further oversight will be necessary in order to obtain the facts and answers that the American people deserve.
  • The Government Accountability Office (GAO) issued a report in response to a provision in the “John S. McCain National Defense Authorization Act (NDAA) for FY 2019” (P.L. 115-232) on defense “contractors’ independent R&D projects fit into the [Department of Defense’s] technology goals.” The report was sent to the chairs and ranking members of the Armed Services Committees and Appropriations Committees’ Defense Subcommittees. The GAO concluded:
    • DOD’s investments in research and development, particularly science and technology, are key to maintaining our military’s technological superiority over potential adversaries. However, the growing capability needs of the military departments, coupled with modest increases in DOD’s science and technology budget, threaten to erode this superiority. DOD has taken initial steps to confront this imbalance, including strategic planning to identify its top modernization priorities. Nonetheless, the DOD instruction that guides this planning does not require DOD to account for the billions of dollars that industry invests in IR&D projects annually at industry’s own discretion—nor the innovation outcomes that industry obtains from these IR&D projects. Although the Independent Research and Development (IR&D) statute and policy prohibit DOD from requiring what IR&D projects contractors undertake, they require DOD to communicate its science and technology needs to industry. Correspondingly, our analysis of IR&D project data covering a single year showed that industry has responded to the modernization priorities DOD set forth in 2018 by investing almost 40 percent of its IR&D funding on related technologies. However, the extent to which this will continue in future years is not something we can forecast. DOD can achieve this visibility by initiating its own annual reviews of IR&D project data. Such assessments would provide DOD with important information needed to develop more comprehensive strategic plans for defense science and technology investment.
    • At the same time, the primary tool DOD relies on for IR&D project data—the DTIC IR&D database—has several limitations in terms of the data it captures. For instance, it does not identify, whether the IR&D project is linked to a DOD modernization priority or if it constitutes disruptive or incremental innovation. However, capturing additional data could place burdens on contractors. Determining whether to collect additional information on the billions of dollars contractors spend annually on IR&D projects falls squarely within OUSD (R&E)’s responsibility to oversee DOD’s strategic planning process for science and technology investments.
    • The GAO made two recommendations:
      • The Secretary of Defense should ensure that the Under Secretary of Defense for Research and Engineering revise its IR&D instruction to require USD (R&E) personnel to annually review defense industry IR&D investments to inform DOD’s science and technology strategic planning efforts. (Recommendation 1)
      • The Secretary of Defense should ensure that the Administrator, Defense Technical Information Center, assess and determine whether the DTIC IR&D database should require contractors to include additional information on IR&D projects, such as:
        • (a) The IR&D project’s linkage, if any, to DOD’s modernization priorities;
        • (b) The allowable category (basic research, applied research, technology development, or concept study) to which the IR&D project belongs;
        • (c) The nature of the project as either potentially disruptive or potentially incremental research and development; and
        • (d) The actual IR&D project costs when the project is completed. (Recommendation 2)

Further Reading

  • The Huawei Ban Could Crush U.S. Overseas Aid Efforts” By Colum Lynch — Foreign Policy. A possible unintended consequence to the ban on Huawei, ZTE, and other People’s Republic of China (PRC) in Section 889 of the “John S. McCain National Defense Authorization Act (NDAA) for FY 2019” (P.L. 115-232) is that United States foreign aid organizations may not be able to disburse funds or provide grants to organizations throughout the world using PRC technology. Given that much of Africa already has Huawei technology, organizations like United States Agency for International Development (USAID) were granted a waiver last month along with the Department of Defense by the Director of National Intelligence (DNI). The DNI is said to be considering another such waiver, and it may turn out Congress will revisit this requirement, making an explicit carveout for international aid work. Of course the proponents of a Huawei/ZTE ban may reasonably argue will bring out all sorts of private sector entities with their own cases as to why they, too, should be exempted.
  • Exclusive: Top Huawei executives had close ties to company at center of U.S. criminal case” By Steve Stecklow and Marcelo Rochabrun — Reuters. The news outlet has turned up even more evidence that Huawei controlled a company that sold United States (U.S.) telecommunications equipment to Iran in violation of U.S. sanctions between 2007 and 2014. This case is the one that caused Canada to detain Huawei CFO Meng Wanzhou at U.S. request. Reuters has discovered documents filed in Sao Paulo, Brazil showing that high ranking Huawei officials continued to have control over Skycom Tech, the entity it claims was sold in 2007.  These documents say otherwise, and it was this company that sold the U.S. gear in violations of sanctions.
  • It’s Impossible for You to Know Which Apps Sell Your Location Data to Trump” By Jason Koebler and Joseph Cox — Vice’s Motherboard. The Trump reelection campaign’s app is hoovering up the data of those who download and install it but also from all their contacts. This way, when combined with data from other sources, the Trump campaign can reach even more potentially supportive voters and target them with ads. The truly disturbing practice of the company they are working with is that this entity bids on and loses an advertising campaign, it still gets access to the people the campaign is targeting. There are legitimate concerns that given the fungibility of personal data, the Trump Administration is harvesting and processing data along the same lines as Cambridge Analytica in 2016
  • Labeled “Research” Chemicals, Doping Drugs Sold Openly on Amazon.com” By Annie Gilbertson and Jon Keegan — The Markup. The massive online marketplace removed potentially unsafe, illegal substances used for doping in athletics only after this media outlet presented evidence it was being sold. This article follows a string of articles on how Amazon is not policing the third-party sellers on its platform that may be selling defective, unsafe, or illegal goods. Nonetheless, Amazon has asserted Section 230 protects it from claims regarding items offered by third party sellers even though the provision pertains to moderation of online content and speech. The company may face defective productive suits in the future if a recent California state case is any indication.
  • US technology embargo list gives China a blueprint for home-grown innovation over the next decade, top science official says” By Frank Tang — South China Morning Post. The People’s Republic of China is asserting that the United States’ (U.S.) list of items banned for export is providing a roadmap to developing the technology necessary to surpass the U.S.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo by Markus Spiske on Unsplash

Further Reading, Other Developments, and Coming Events (19 August)

Coming Events

  • The United States’ Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) announced that its third annual National Cybersecurity Summit “will be held virtually as a series of webinars every Wednesday for four weeks beginning September 16 and ending October 7:”
    • September 16: Key Cyber Insights
    • September 23: Leading the Digital Transformation
    • September 30: Diversity in Cybersecurity
    • October 7: Defending our Democracy
    • One can register for the event here.
  • The Senate Judiciary Committee’s Antitrust, Competition Policy & Consumer Rights Subcommittee will hold a hearing on 15 September titled “Stacking the Tech: Has Google Harmed Competition in Online Advertising?.” In their press release, Chair Mike Lee (R-UT) and Ranking Member Amy Klobuchar (D-MN) asserted:
    • Google is the dominant player in online advertising, a business that accounts for around 85% of its revenues and which allows it to monetize the data it collects through the products it offers for free. Recent consumer complaints and investigations by law enforcement have raised questions about whether Google has acquired or maintained its market power in online advertising in violation of the antitrust laws. News reports indicate this may also be the centerpiece of a forthcoming antitrust lawsuit from the U.S. Department of Justice. This hearing will examine these allegations and provide a forum to assess the most important antitrust investigation of the 21st century.
  • On 22 September, the Federal Trade Commission (FTC) will hold a public workshop “to examine the potential benefits and challenges to consumers and competition raised by data portability.” By 21 August, the FTC “is seeking comment on a range of issues including:
    • How are companies currently implementing data portability? What are the different contexts in which data portability has been implemented?
    • What have been the benefits and costs of data portability? What are the benefits and costs of achieving data portability through regulation?
    • To what extent has data portability increased or decreased competition?
    • Are there research studies, surveys, or other information on the impact of data portability on consumer autonomy and trust?
    • Does data portability work better in some contexts than others (e.g., banking, health, social media)? Does it work better for particular types of information over others (e.g., information the consumer provides to the business vs. all information the business has about the consumer, information about the consumer alone vs. information that implicates others such as photos of multiple people, comment threads)?
    • Who should be responsible for the security of personal data in transit between businesses? Should there be data security standards for transmitting personal data between businesses? Who should develop these standards?
    • How do companies verify the identity of the requesting consumer before transmitting their information to another company?
    • How can interoperability among services best be achieved? What are the costs of interoperability? Who should be responsible for achieving interoperability?
    • What lessons and best practices can be learned from the implementation of the data portability requirements in the GDPR and CCPA? Has the implementation of these requirements affected competition and, if so, in what ways?”
  • The Federal Communications Commission (FCC) will hold an open meeting on 30 September, but an agenda is not available at this time.

Other Developments

  • The United States (U.S.) Department of Commerce tightened its chokehold on Huawei’s access to United States’ semiconductors and chipsets vital to its equipment and services. This rule follows a May rule that significantly closed off Huawei’s access to the point that many analysts are projecting the People’s Republic of China company will run out of these crucial technologies sometime next year without a suitable substitute, meaning the company may not be able to sell its smartphone and other leading products. In its press release, the department asserted the new rule “further restricts Huawei from obtaining foreign made chips developed or produced from U.S. software or technology to the same degree as comparable U.S. chips.”
    • Secretary of Commerce Wilbur Ross argued “Huawei and its foreign affiliates have extended their efforts to obtain advanced semiconductors developed or produced from U.S. software and technology in order to fulfill the policy objectives of the Chinese Communist Party.” He contended “[a]s we have restricted its access to U.S. technology, Huawei and its affiliates have worked through third parties to harness U.S. technology in a manner that undermines U.S. national security and foreign policy interests…[and] his multi-pronged action demonstrates our continuing commitment to impede Huawei’s ability to do so.”
    • The Department of Commerce’s Bureau of Industry and Security (BIS) stated in the final rule that it is “making three sets of changes to controls for Huawei and its listed non-U.S. affiliates under the Export Administration Regulations (EAR):
      • First, BIS is adding additional non-U.S. affiliates of Huawei to the Entity List because they also pose a significant risk of involvement in activities contrary to the national security or foreign policy interests of the United States.
      • Second, this rule removes a temporary general license for Huawei and its non-U.S. affiliates and replaces those provisions with a more limited authorization that will better protect U.S. national security and foreign policy interests.
      • Third, in response to public comments, this final rule amends General Prohibition Three, also known as the foreign-produced direct product rule, to revise the control over certain foreign-produced items recently implemented by BIS.”
    • BIS claimed “[t]hese revisions promote U.S. national security by limiting access to, and use of, U.S. technology to design and produce items outside the United States by entities that pose a significant risk of involvement in activities contrary to the national security or foreign policy interests of the United States.”
    • One technology analyst claimed “[t]he U.S. moves represent a significant tightening of restrictions over Huawei’s ability to procure semiconductors…[and] [t]hat puts into significant jeopardy its ability to continue manufacturing smartphones and base stations, which are its core products.”
  • The Office of Management and Budget (OMB) and the Office of Science and Technology Policy (OSTP) have released their annual guidance to United States department and agencies to direct their budget requests for FY 2022 with respect to research and development (R&D). OMB explained:
  • For FY2022, the five R&D budgetary priorities in this memorandum ensure that America remains at the global forefront of science and technology (S&T) discovery and innovation. The Industries of the Future (IotF) -artificial intelligence (AI), quantum information sciences (QIS), advanced communication networks/5G, advanced manufacturing, and biotechnology-remain the Administration’s top R&D priority. This includes fulfilling President Trump’s commitment to double non-defense AI and QIS funding by FY2022:
    • American Public Health Security and Innovation
    • American Leadership in the Industries of the Future and Related Technologies
    • American Security
    • American Energy and Environmental Leadership
    • American Space Leadership
  • In light of the significant health and economic disruption caused by the COVID-19 pandemic, the FY2022 memorandum includes a new R&D priority aimed at American Public Health Security and Innovation. This priority brings under a single, comprehensive umbrella biomedical and biotechnology R&D aimed at responding to the pandemic and ensuring the U.S. S&T enterprise is maximally prepared for any health-related threats.
  • Lastly, this memorandum also describes/our high-priority crosscutting actions. These actions include research and related strategies that underpin the five R&D priorities and ensure departments and agencies deliver maximum return on investment to the American people:
    • Build the S&T Workforce of the Future
    • Optimize Research Environments and Results
    • Facilitate Multisector Partnerships and Technology Transfer
    • Leverage the Power of Data
  • Despite the Trump Administration touting its R&D priorities and achievements, the non-partisan Congressional Research Service noted
    • President Trump’s budget request for FY2021 includes approximately $142.2 billion for research and development (R&D) for FY 2021, $13.8 billion (8.8%) below the FY2020 enacted level of $156.0 billion. In constant FY 2020 dollars, the President’s FY 2021 R&D request would result in a decrease of $16.6 billion (10.6%) from the FY 2020 level.
  • Two key chairs of subcommittees of the Senate Commerce, Science, and Transportation Committee are pressing the Federal Trade Commission (FTC) to investigate TikTok’s data collection and processing practices. This Committee has primary jurisdiction over the FTC in the Senate and is a key stakeholder on data and privacy issues.
    • In their letter, Consumer Protection Subcommittee Chair Jerry Moran (R-KS) and Communications, Technology, Innovation Chair John Thune (R-SD) explained they are “are seeking specific answers from the FTC related to allegations from a Wall Street Journal article that described TikTok’s undisclosed collection and transmission of unique persistent identifiers from millions of U.S. consumers until November 2019…[that] also described questionable activity by the company as it relates to the transparency of these data collection activities, and the letter seeks clarity on these practices.”
    • Moran and Thune asserted “there are allegations that TikTok discretely collected media access control (MAC) addresses, commonly used for advertisement targeting purposes, through Google Android’s operating system under an “unusual layer of encryption” through November 2019.” They said “[g]iven these reports and their potential relevancy to the “Executive Order on Addressing the Threat Posed by TikTok,” we urge the Federal Trade Commission (FTC) to investigate the company’s consumer data collection and processing practices as they relate to these accusations and other possible harmful activities posed to consumers.”
    • If the FTC were to investigate, find wrongdoing, and seek civil fines against TikTok, the next owner may be left to pay as the White House’s order to ByteDance to sell the company within three months will almost certainly be consummated before any FTC action is completed.
  • Massachusetts Attorney General Maura Healey (D) has established a “Data Privacy and Security Division within her office to protect consumers from the surge of threats to the privacy and security of their data in an ever-changing digital economy.” Healey has been one of the United States’ more active attorneys general on data privacy and technology issues, including her suit and settlement with Equifax for its massive data breach.
    • Her office explained:
      • The Data Privacy and Security Division investigates online threats and the unfair or deceptive collection, use, and disclosure of consumers’ personal data through digital technologies. The Division aims to empower consumers in the digital economy, ensure that companies are protecting consumers’ personal data from breach, protect equal and open access to the internet, and protect consumers from data-driven technologies that unlawfully deny them fair access to socioeconomic opportunities. The Division embodies AG Healey’s commitment to continue and grow on this critical work and ensure that data-driven technologies operate lawfully for the benefit of all consumers.
  • A California appeals court ruled that Amazon can be held liable for defective products their parties sell on its website. The appellate court reversed the trial court which held Amazon could not be liable.
    • The appeals court recited the facts of the case:
      • Plaintiff Angela Bolger bought a replacement laptop computer battery on Amazon, the popular online shopping website operated by defendant Amazon.com, LLC. The Amazon listing for the battery identified the seller as “E-Life, ”a fictitious name used on Amazon by Lenoge Technology (HK) Ltd. (Lenoge). Amazon charged Bolger for the purchase, retrieved the laptop battery from its location in an Amazon warehouse, prepared the battery for shipment in Amazon-branded packaging, and sent it to Bolger. Bolger alleges the battery exploded several months later, and she suffered severe burns as a result.
      • Bolger sued Amazon and several other defendants, including Lenoge. She alleged causes of action for strict products liability, negligent products liability, breach of implied warranty, breach of express warranty, and “negligence/negligent undertaking.”
    • The appeals court continued:
      • Amazon moved for summary judgment. It primarily argued that the doctrine of strict products liability, as well as any similar tort theory, did not apply to it because it did not distribute, manufacture, or sell the product in question. It claimed its website was an “online marketplace” and E-Life (Lenoge) was the product seller, not Amazon. The trial court agreed, granted Amazon’s motion, and entered judgment accordingly.
      • Bolger appeals. She argues that Amazon is strictly liable for defective products offered on its website by third-party sellers like Lenoge. In the circumstances of this case, we agree.
  • The National Institute of Standards and Technology (NIST) issued Special Publication 800-207, “Zero Trust Architecture,” that posits a different conceptual model for an organization’s cybersecurity than perimeter security. NIST claimed:
    • Zero trust security models assume that an attacker is present in the environment and that an enterprise-owned environment is no different—or no more trustworthy—than any nonenterprise-owned environment. In this new paradigm, an enterprise must assume no implicit trust and continually analyze and evaluate the risks to its assets and business functions and then enact protections to mitigate these risks. In zero trust, these protections usually involve minimizing access to resources (such as data and compute resources and applications/services) to only those subjects and assets identified as needing access as well as continually authenticating and authorizing the identity and security posture of each access request.
    • A zero trust architecture (ZTA) is an enterprise cybersecurity architecture that is based on zero trust principles and designed to prevent data breaches and limit internal lateral movement. This publication discusses ZTA, its logical components, possible deployment scenarios, and threats. It also presents a general road map for organizations wishing to migrate to a zero trust design approach and discusses relevant federal policies that may impact or influence a zero trust architecture.
    • ZT is not a single architecture but a set of guiding principles for workflow, system design and operations that can be used to improve the security posture of any classification or sensitivity level [FIPS199]. Transitioning to ZTA is a journey concerning how an organization evaluates risk in its mission and cannot simply be accomplished with a wholesale replacement of technology. That said, many organizations already have elements of a ZTA in their enterprise infrastructure today. Organizations should seek to incrementally implement zero trust principles, process changes, and technology solutions that protect their data assets and business functions by use case. Most enterprise infrastructures will operate in a hybrid zero trust/perimeter-based mode while continuing to invest in IT modernization initiatives and improve organization business processes.
  • The United Kingdom’s Government Communications Headquarters’ (GCHQ) National Cyber Security Centre (NCSC) released “Cyber insurance guidance” “for organisations of all sizes who are considering purchasing cyber insurance…not intended to be a comprehensive cyber insurance buyers guide, but instead focuses on the cyber security aspects of cyber insurance.” The NCSC stated “[i]f you are considering cyber insurance, these questions can be used to frame your discussions…[and] [t]his guidance focuses on standalone cyber insurance policies, but many of these questions may be relevant to cyber insurance where it is included in other policies.”

Further Reading

  • I downloaded Covidwise, America’s first Bluetooth exposure-notification app. You should, too.” By Geoffrey Fowler – The Washington Post. The paper’s technology columnist blesses the Apple/Google Bluetooth exposure app and claims it protects privacy. One person on Twitter pointed out the Android version will not work unless location services are turned on, which is contrary to the claims made by Google and Apple, an issue the New York Times investigated last month. A number of European nations have pressed Google to remove this feature, and a Google spokesperson claimed the Android Bluetooth tracing capability did not use location services, begging the question why the prompt appears. Moreover, one of the apps Fowler names has had its own privacy issues as detailed by The Washington Post in May. As it turns out Care19, a contact tracing app developed when the governor of North Dakota asked a friend who had designed a app for football fans to meet up, is violating its own privacy policy according to Jumbo, the maker of privacy software. Apparently, Care19 shares location and personal data with FourSquare when used on iPhones. Both Apple and state officials are at a loss to explain how this went unnoticed when the app was scrubbed for technical and privacy problems before being rolled out.
  • Truss leads China hawks trying to derail TikTok’s London HQ plan” By Dan Sabbagh – The Guardian. ByteDance’s plan to establish a headquarters in London is now under attack by members of the ruling Conservative party for the company’s alleged role in persecuting the Uighur minority in Xinjiang. ByteDance has been eager to move to London and also eager to avoid the treatment that another tech company from the People’s Republic of China has gotten in the United Kingdom (UK): Huawei. Nonetheless, this decision may turn political as the government’s reversal on Huawei and 5G did. Incidentally, if Microsoft does buy part of TikTok, it would be buying operations in four of the five Five Eyes nations but not the UK.
  • Human Rights Commission warns government over ‘dangerous’ use of AI” By Fergus Hunter – The Sydney Morning Herald. A cautionary tale regarding the use of artificial intelligence and algorithms in government decision-making. While this article nominally pertains to Australia’s Human Rights Commission advice to the country’s government, it is based, in large part, on a scandal in which an automated process illegally collected $721 million AUD from welfare beneficiaries. In the view of the Human Rights Commission, decision-making by humans is still preferable and more accurate than automated means.
  • The Attack That Broke Twitter Is Hitting Dozens of Companies” By Andy Greenberg – WIRED. In the never-ending permutations of hacking, the past has become the present because the Twitter hackers use phone calls to talk their way into gaining access to a number of high-profile accounts (aka phone spear phishing.) Other companies are suffering the same onslaught, proving the axiom that people may be the weakest link in cybersecurity. However, the phone calls are based on exacting research and preparation as hackers scour the internet for information on their targets and the companies themselves. A similar hack was reportedly executed by the Democratic People’s Republic of Korea (DPRK) against Israeli defense firms.
  • Miami Police Used Facial Recognition Technology in Protester’s Arrest” By Connie Fossi and Phil Prazan – NBC Miami. The Miami Police Department used Clearview AI to identify a protestor that allegedly injured an officer but did not divulge this fact to the accused or her attorney. The department’s policy on facial recognition technology bars officers from making arrests solely on the basis of identification through such a system. Given the error rates many facial recognition systems have experienced with identifying minorities and the use of masks during the pandemic, which further decreases accuracy, it is quite likely people will be wrongfully accused and convicted using this technology.
  • Big Tech’s Domination of Business Reaches New Heights” By Peter Eavis and Steve Lohr – The New York Times. Big tech has gotten larger, more powerful, and more indispensable in the United States (U.S.) during the pandemic, and one needs to go back to the railroads in the late 19th Century to find comparable companies. It is an open question whether their size and influence will change much no matter who is president of the U.S. next year.
  • License plate tracking for police set to go nationwide” By Alfred Ng – c/net. A de facto national license plate reader may soon be activated in the United States (U.S.). Flock Safety unveiled the “Total Analytics Law Officers Network,” (TALON) that will link its systems of cameras in more than 700 cities, allowing police departments to track cars across multiple jurisdictions. As the U.S. has no national laws regulating the use of this and other similar technologies, private companies may set policy for the country in the short term.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.