Further Reading, Other Developments, and Coming Events (31 July)

First things first, if you would like to receive my Technology Policy Update, email me. You can find some of these Updates from 2019 and 2020 here.

Here are Further Reading, Other Developments, and Coming Events.

Coming Events

  • On 31 July, the House Intelligence Committee will mark up its Intelligence Authorization Act.
  • On 31 July the Select Committee on the Modernization of Congress will hold a business meeting “to consider proposed recommendations.”
  • On 3 August the House Oversight and Reform Committee will hold a hearing on the tenth “Federal Information Technology Acquisition Reform Act” (FITARA) scorecard on federal information technology.
  • On 4 August, the Senate Armed Services Committee will hold a hearing titled “Findings and Recommendations of the Cyberspace Solarium Commission” with these witnesses:
    • Senator Angus S. King, Jr. (I-ME), Co-Chair, Cyberspace Solarium Commission
    • Representative Michael J. Gallagher (R-WI), Co-Chair, Cyberspace Solarium Commission
    • Brigadier General John C. Inglis, ANG (Ret.), Commissioner, Cyberspace Solarium Commission
  • On 6 August, the Federal Communications Commission (FCC) will hold an open meeting to likely consider the following items:
    • C-band Auction Procedures. The Commission will consider a Public Notice that would adopt procedures for the auction of new flexible-use overlay licenses in the 3.7–3.98 GHz band (Auction 107) for 5G, the Internet of Things, and other advanced wireless services. (AU Docket No. 20-25)
    • Radio Duplication Rules. The Commission will consider a Report and Order that would eliminate the radio duplication rule with regard to AM stations and retain the rule for FM stations. (MB Docket Nos. 19-310. 17-105)
    • Common Antenna Siting Rules. The Commission will consider a Report and Order that would eliminate the common antenna siting rules for FM and TV broadcaster applicants and licensees. (MB Docket Nos. 19-282, 17-105)
    • Telecommunications Relay Service. The Commission will consider a Report and Order to repeal certain TRS rules that are no longer needed in light of changes in technology and voice communications services. (CG Docket No. 03-123)
  • The National Institute of Standards and Technology (NIST) will hold the “Exploring Artificial Intelligence (AI) Trustworthiness: Workshop Series Kickoff Webinar,” “a NIST initiative involving private and public sector organizations and individuals in discussions about building blocks for trustworthy AI systems and the associated measurements, methods, standards, and tools to implement those building blocks when developing, using, and testing AI systems” on 6 August.
  • On 18 August, the National Institute of Standards and Technology (NIST) will host the “Bias in AI Workshop, a virtual event to develop a shared understanding of bias in AI, what it is, and how to measure it.”

Other Developments

  • The European Commission (EC) released a report on the status of efforts across the European Union (EU) to implement the EU Toolbox on 5G Cybersecurity, the bloc’s approach to navigating security issues presented by equipment and services offered by companies from the People’s Republic of China such as Huawei. The EC concluded
    • All  Member  States  reported  that  concrete  steps  have  been  taken  to  implement  the  Toolbox.  Most  Member  States  carried  out  a  gap  analysis  and  launched  a  process  to  review  and  upgrade  existing security measures and enforcement mechanisms. Many Member States have already adopted or are well advanced in the preparation of more advanced security measures on 5G cybersecurity.
    • However,  work  is  still  ongoing  in  many  Member  States  on  defining  the  content  and  scope  of  the  measures and in some cases, political decisions still need to be made in this regard. In addition, even where  measures  are  in  progress  or  being  planned,  not  all  Member  States  have  shared  detailed information about every measure, due to diverse stages in the national implementation processor for national security reasons. Nevertheless, a number of findings can be formulated based on the analysis presented  in  this  report as  regards  the  implementation  of  the  Toolbox  and  areas  where  specific  attention  is  needed  in  the  next  phases  of  the  implementation  of  the  Toolbox  at  national  and/or  EU  level.
  • The United States (US) and Australia released this joint statement after this week’s Australia-United States Ministerial Consultations (AUSMIN) after the heads of their defense and foreign ministries met in Washington DC. The two countries listed a number of steps and initiatives designed to counter the People’s Republic of China (PRC). Among other developments:
    • The US and Australia signed a classified Statement of Principles on Alliance Defense Cooperation and Force Posture Priorities in the Indo-Pacific.
    • The two nations “plan to continue to counter these threats vigorously, including through collaboration with international partners, and through a new working group between the Department of Foreign Affairs and Trade and the Department of State, which will monitor and respond to disinformation efforts.”
    • The US and Australia “expressed deep concern that the targeting of intellectual property and sensitive business information, including information relating to the development of vaccines and treatments for pandemic response, presents an increasing threat to the global economy, and they committed to holding malicious actors accountable.”
    • The countries “noted the role of 5G network security best practices, such as the Prague Proposals, and expressed their intent to work with like-minded partners to develop end-to-end technical solutions for 5G that use trusted vendors….[and] [a]cknowledging that 5G is only the starting point, the two nations also reaffirm their commitment to lifting the security of critical and emerging technologies that will be vital to our nations’ prosperity.”
    • The US and Australia “welcomed the announcement that Lynas has signed a Phase 1 contract with the U.S. Department of Defense for an engineering and market feasibility study for the design of a heavy rare earth separation facility in the United States” and “the continued development of a U.S.-Australia Critical Minerals Plan of Action to improve the security of critical minerals in the United States and Australia.” 
  • The United Kingdom’s National Cyber Security Centre (NCSC) has issued a report titled “The Cyber Threat to Sports Organisations” “to demystify the cyber threat to sports organisations by highlighting the cyber security issues that affect the sector on a daily basis: business email compromise, digital fraud, and venue security.” The NCSC asserted
    • cyber attacks against sports organisations are very common, with 70% of those surveyed experiencing at least one attack per annum. This is significantly higher than the average across UK business.
    • The primary cyber threat comes from cyber criminals with a financial motive. Criminal attacks typically take advantage of poor implementation of technical controls and normal human traits such as trust and ineffective password policies.
    • There have been a small number of Hostile Nation-state attacks against sports organisations; typically, these attacks have exploited the same vulnerabilities used by criminals.
    • The most common outcome of cyber attacks is unauthorised access to email accounts (Business Email Compromise) leading to fraud. Ransomware is also a significant issue in the sector.
  • Top Republicans on one of the committees with jurisdiction over technology have written Google and Apple regarding their “app store and the policies you have in place to ensure apps are appropriately vetted, particularly those with close ties to China and the Chinese Communist Party (CCP).” House Energy and Commerce Committee Ranking Member Greg Walden (R-OR) and Consumer Protection and Commerce Subcommittee Ranking Member Cathy McMorris Rodgers (R-WA) are asking the companies to respond by 12 August to a series of questions. They asserted
    • As with any crisis, there are those that seek to exploit opportunities for their own malicious intent. We believe that bad actors may be taking advantage of the American people’s trust in your brand, which likely extends to apps available through your store. While we want an open and transparent marketplace that does not limit innovators outside your company, we know there are those that seek to use apps as a means to push through pop-up ads or hijack devices to make it a tool for eavesdropping.
    • The level of permissions that these apps require may include access to camera, microphone, and contacts, as well as functionality to load other malware for bad actors to control a device even after the original app has been removed. This is especially alarming when it comes from companies with direct or indirect links to the CCP.
  • A Washington DC think tank published a report written in part with Representatives Robin Kelly (D-IL) and Will Hurd (R-TX) titled “AI and the Workforce.” The Bipartisan Policy Center explained that “[b]ased on our discussions with stakeholders, we have identified the following key principles:
    • 1. The United States should embrace and take a leadership role in the AI-driven economy by filling the AI talent gap and preparing the rest of the workforce for the jobs of the future. However, in doing so, policymakers should make inclusivity and equal opportunity a priority.
    • 2. Closing the AI talent gap requires a targeted approach to training, recruiting, and retaining skilled workers. This AI talent should ideally have a multi-disciplinary skill set that includes ethics.
    • 3. The AI talent gap is not the only challenge of the AI-driven economy, so the federal government should focus more broadly on the jobs of the future and skills that are complemented by AI technology. Additionally, encouraging workers to develop basic AI and technological literacy can help them better determine how to complement AI systems.
    • 4. The educational system from kindergarten through post-college is not yet designed for the AI-driven economy and should be modernized.
    • 5. The skills that will be in demand in the future will continuously change, so lifelong learning and ways to help displaced and mid-career workers transition into new jobs is critical for the workforce of the future.
    • In September 2018, Kelly and Hurd released a white paper detailing the “lessons learned from the Subcommittee’s oversight and hearings on AI and sets forth recommendations for moving forward.” 
  • The National Cyber Security Centre (NCSC) updated its “Mobile Device Guidance” regarding “Windows 10, Android and VPNs. The NCSC stated “[o]ver the next few months, we’ll be bringing our Chrome OS and Ubuntu Linux guidance up to date and into the new format.”
  • Cybersecurity company FireEye released a report on a new type of Russian disinformation campaign where hackers are gaining access to legitimate news sources and planting fake stories that are subsequently amplified on social media.
    • FireEye explained it
      • has tied together several information operations that we assess with moderate confidence comprise part of a broader influence campaign, ongoing since at least March 2017, aligned with Russian security interests. The operations have primarily targeted audiences in Lithuania, Latvia, and Poland with narratives critical of the North Atlantic Treaty Organization’s (NATO) presence in Eastern Europe, occasionally leveraging other themes such as anti-U.S. and COVID-19-related narratives as part of this broader anti-NATO agenda. We have dubbed this campaign “Ghostwriter.”
    • FireEye added
      • Many, though not all, of the incidents we suspect to be part of the Ghostwriter campaign appear to have leveraged website compromises or spoofed email accounts to disseminate fabricated content, including falsified news articles, quotes, correspondence and other documents designed to appear as coming from military officials and political figures in the target countries. This falsified content has been referenced as source material in articles and op-eds authored by at least 14 inauthentic personas posing as locals, journalists, and analysts within those countries.

Further Reading

  • Rite Aid deployed facial recognition systems in hundreds of U.S. stores” by Jeffrey Dastin– Reuters. A major United States retailer was using facial recognition technology mostly at stores in poorer, more ethnically diverse areas that seems connected to a company in the People’s Republic of China. Rite Aid has ceased use of this system that was implemented to address shoplifting and other crime and guards and other personnel were supposed to act when the system turned up a hit on a person in the store who had committed a crime or made trouble in another location. Given the accuracy of this sort of technology, there were a range of false positives. Additionally, locations in New York City that had similar crime profiles in majority white, affluent areas were much less likely to have this system. The company, DeepCamLLC, providing the technology appears intimately connected to a Chinese firm, Shenzhen Shenmu, that appears funded by a Beijing run venture capital/investment fund.
  • Facebook Wins Temporary Halt to EU Antitrust Data Demands” by Stephanie Bodoni – Bloomberg. In a setback for the European Commission’s (EC) investigation, the European Union General Court has temporarily blocked data and document requests in a pair of rulings. The court ruled for Facebook in finding the EC’s request “may unavoidably include personal information” and so “it is important to ensure that confidential treatment of such information is safeguarded, especially when the information does, at first sight, not appear to have any link with the subject matter of the commission’s investigation.” A Facebook attorney claimed the requests were going to net “highly sensitive personal information such as employees’ medical information, personal financial documents, and private information about family members of employees.” The court is expected to issue a final decision on the data requests, which has obvious implications for the EC’s investigation of Facebook.
  • Google’s Top Search Result? Surprise! It’s Google” By Adrianne Jeffries and Leon Yin – The Markup. Google’s search results have changed tremendously over the last 15 years from showing the top organic results to now reserving the 50% of the page for Google results and products. As a result a number of online businesses that compete with Google products have withered and some have died. Google denies abusing its market power, but competitors and possibly some regulators think otherwise, possibly foreshadowing future anti-competitive enforcement actions.
  • Five Eyes alliance could expand in scope to counteract China” by Patrick Wintour – The Guardian. The United States, United Kingdom, Canada, New Zealand, and Australia may expand both the scope of heir Five Eyes arrangement and the membership as a means of pushing back on Chinese policies and actions. Japan could possibly join the alliance and perhaps it serves as the basis for a trade agreement to address Beijing.
  • Huawei to double down on HSBC as legal battle over extradition of Meng Wanzhou intensifies” by Zhou Xin – South China Morning Post. As the daughter of Huawei’s founder continues to be held in Canada facing possible extradition to the United States (US) to be tried on charges of violating US sanctions on Iran. Meng Wanzhou’s lawyers are focusing on the evidence provided by Hong Kong based bank HSBC to the US Department of Justice as being deficient in a number of ways. The People’s Republic of China is still holding two Canadians incommunicado who were arrested and charged with espionage after Meng was detained in British Columbia.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Further Reading, Other Developments, and Coming Events (30 July)

First things first, if you would like to receive my Technology Policy Update, email me. You can find some of these Updates from 2019 and 2020 here.

Here are Further Reading, Other Developments, and Coming Events.

Coming Events

  • On 30 July, the Senate Commerce, Science, and Transportation Committee’s Security Subcommittee will hold a hearing titled “The China Challenge: Realignment of U.S. Economic Policies to Build Resiliency and Competitiveness” with these witnesses:
    • The Honorable Nazak Nikakhtar, Assistant Secretary for Industry and Analysis, International Trade Administration, U.S. Department of Commerce
    • Dr. Rush Doshi, Director of the Chinese Strategy Initiative, The Brookings Institution
    • Mr. Michael Wessel, Commissioner, U.S. – China Economic and Security Review Commission
  • On 30 July, the House Armed Services Committee’s Intelligence and Emerging Threats and Capabilities Subcommittee will hold a hearing titled “Review of the Recommendations of the Cyberspace Solarium Commission” with these witnesses:
    • Senator Angus King (I-ME), Chairman, Cyberspace Solarium Commission
    • Representative Mike Gallagher (R-WI), Chairman, Cyberspace Solarium Commission
    • The Honorable Patrick Murphy, Commissioner, Cyberspace Solarium Commission
    • Mr. Frank Cilluffo, Commissioner, Cyberspace Solarium Commission
  • On 31 July, the House Intelligence Committee will mark up its Intelligence Authorization Act.
  • On 31 July the Select Committee on the Modernization of Congress will hold a business meeting “to consider proposed recommendations.”
  • On 3 August the House Oversight and Reform Committee will hold a hearing on the tenth “Federal Information Technology Acquisition Reform Act” (FITARA) scorecard on federal information technology.
  • On 4 August, the Senate Armed Services Committee will hold a hearing titled “Findings and Recommendations of the Cyberspace Solarium Commission” with these witnesses:
    • Senator Angus S. King, Jr. (I-ME), Co-Chair, Cyberspace Solarium Commission
    • Representative Michael J. Gallagher (R-WI), Co-Chair, Cyberspace Solarium Commission
    • Brigadier General John C. Inglis, ANG (Ret.), Commissioner, Cyberspace Solarium Commission
  • On 6 August, the Federal Communications Commission (FCC) will hold an open meeting to likely consider the following items:
    • C-band Auction Procedures. The Commission will consider a Public Notice that would adopt procedures for the auction of new flexible-use overlay licenses in the 3.7–3.98 GHz band (Auction 107) for 5G, the Internet of Things, and other advanced wireless services. (AU Docket No. 20-25)
    • Radio Duplication Rules. The Commission will consider a Report and Order that would eliminate the radio duplication rule with regard to AM stations and retain the rule for FM stations. (MB Docket Nos. 19-310. 17-105)
    • Common Antenna Siting Rules. The Commission will consider a Report and Order that would eliminate the common antenna siting rules for FM and TV broadcaster applicants and licensees. (MB Docket Nos. 19-282, 17-105)
    • Telecommunications Relay Service. The Commission will consider a Report and Order to repeal certain TRS rules that are no longer needed in light of changes in technology and voice communications services. (CG Docket No. 03-123)
  • The National Institute of Standards and Technology (NIST) will hold the “Exploring Artificial Intelligence (AI) Trustworthiness: Workshop Series Kickoff Webinar,” “a NIST initiative involving private and public sector organizations and individuals in discussions about building blocks for trustworthy AI systems and the associated measurements, methods, standards, and tools to implement those building blocks when developing, using, and testing AI systems” on 6 August.
  • On 18 August, the National Institute of Standards and Technology (NIST) will host the “Bias in AI Workshop, a virtual event to develop a shared understanding of bias in AI, what it is, and how to measure it.”

Other Developments

  • Senate Armed Services Committee Chair James Inhofe (R-OK) has publicly placed a hold on the re-nomination of Federal Communications Commission member over the agency’s April decision to permit Ligado to proceed with its plan “to deploy a low-power terrestrial nationwide network in the 1526-1536 MHz, 1627.5-1637.5 MHz, and 1646.5-1656.5 MHz bands that will primarily support Internet of Things (IoT) services.” This is the latest means of pressing the FCC Inhofe and allies on Capitol Hill and in the Trump Administration have taken. In the recently passed “National Defense Authorization Act (NDAA) for Fiscal Year 2021” (S.4049) there is language requiring “the Secretary of Defense to enter into an agreement with the National Academies of Science, Engineering, and Medicine to conduct an independent technical review of the Order and Authorization adopted by the FCC on April 19, 2020 (FCC 20–48). The independent technical review would include a comparison of the two different approaches used for evaluation of potential harmful interference. The provision also would require the National Academies of Science, Engineering, and Medicine to submit a report on the independent technical review.” This provision may make it into the final FY 2021 NDAA, which would stop Ligado from proceeding before the conclusion of the study.
  • Senator Josh Hawley (R-MO) has released yet another bill amending 47 USC 230 (aka Section 230), the “Behavioral Advertising Decisions Are Downgrading Services (BAD ADS) Act,” that “remove Section 230 immunity from Big Tech companies that display manipulative, behavioral ads or provide data to be used for them.” Considering that targeting advertising forms a significant part of the revenue stream for such companies, this seems to be of a piece with other bills of Hawley’s and others to pressure social media platforms. Hawley noted he “has been a leading critic of Section 230’s protection of Big Tech firms and recently called for Twitter to lose immunity if it chooses to editorialize on political speech.”
  • The United States National Counterintelligence and Security Center (US NCSC) issued a statement on election security on the 100th day before the 2020 Presidential Election. US NCSC Director William Evanina described the risks facing the US heading into November but did not detail US efforts to address and counter the efforts of foreign nations to influence and disrupt Presidential and Congressional elections this fall. The US NCSC explained it is working with other federal agencies and stakeholders, however.
    • US NCSC Director William Evanina explained the purpose of the press release is to “share insights with the American public about foreign threats to our election and offer steps to citizens across the country to build resilience and help mitigate these threats…[and] to update Americans on the evolving election threat landscape, while also safeguarding our intelligence sources and methods.” Evanina noted “Office of the Director of National Intelligence (ODNI) has been providing robust intelligence-based briefings on election security to the presidential campaigns, political committees, and Congressional audiences.” Including the assertion “[i]n leading these classified briefings, I have worked to ensure fidelity, accountability, consistency and transparency with these stakeholders and presented the most timely and accurate information we have to offer” may be Evanina’s way of pushing back on concerns that the White House has placed people loyal to the President at the top of some IC entities who may lack independence. Top Democrats
    • The US NCSC head asserted “[e]lection security remains a top priority for the Intelligence Community and we are committed in our support to the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI), given their leadership roles in this area.”
    • Evanina claimed “[a]t this time, we’re primarily concerned with China, Russia and Iran — although other nation states and non-state actors could also do harm to our electoral process….[and] [o]ur insights and judgments will evolve as the election season progresses:
      • China is expanding its influence efforts to shape the policy environment in the United States, pressure political figures it views as opposed to China’s interests, and counter criticism of China. Beijing recognizes its efforts might affect the presidential race.
      • Russia’s persistent objective is to weaken the United States and diminish our global role. Using a range of efforts, including internet trolls and other proxies, Russia continues to spread disinformation in the U.S. that is designed to undermine confidence in our democratic process and denigrate what it sees as an anti-Russia “establishment” in America.
      • Iran seeks to undermine U.S. democratic institutions and divide the country in advance of the elections. Iran’s efforts center around online influence, such as spreading disinformation on social media and recirculating anti-U.S. content.
    • Speaker of the House Nancy Pelosi (D-CA), Senate Minority Leader Chuck Schumer (D-NY), House Intelligence Committee Chair Adam Schiff (D-CA), and Senate Intelligence Committee Ranking Member Mark Warner (D-VA) released their response to the NCSC statement:
      • The statement just released by NCSC Director William Evanina does not go nearly far enough in arming the American people with the knowledge they need about how foreign powers are seeking to influence our political process. The statement gives a false sense of equivalence to the actions of foreign adversaries by listing three countries of unequal intent, motivation and capability together. The statement, moreover, fails to fully delineate the goal, nature, scope and capacity to influence our election, information the American people must have as we go into November. To say without more, for example, that Russia seeks to ‘denigrate what it sees as an anti-Russia ‘establishment’ in America’ is so generic as to be almost meaningless. The statement omits much on a subject of immense importance.
      • “In our letter two weeks ago, we called on the FBI to provide a defensive briefing to the entire Congress about specific threats related to a concerted foreign disinformation campaign, and this is more important than ever.  But a far more concrete and specific statement needs to be made to the American people, consistent with the need to protect sources and methods.  We can trust the American people with knowing what to do with the information they receive and making those decisions for themselves. But they cannot do so if they are kept in the dark about what our adversaries are doing, and how they are doing it.  When it comes to American elections, Americans must decide.”
    • Senate Majority Leader Mitch McConnell (R-KY) and Senate Intelligence Committee Chair Marco Rubio (R-FL) issued their own statement:
      • We are disappointed by the statement from Senator Schumer, Senator Warner, Speaker Pelosi, and Representative Schiff about Bill Evanina, the Director of the National Counterintelligence and Security Center. Evanina is a career law enforcement and intelligence professional with extensive experience in counterintelligence. His reputation as a straight-shooter immune from politics is well-deserved. It is for this reason that Evanina received overwhelming support from the Senate when he was confirmed to be Director of the NCSC and again when the Administration tapped him to lead the nation’s efforts to protect the 2020 elections from foreign interference.
      • We believe the statement baselessly impugns his character and politicizes intelligence matters. Their manufactured complaint undercuts Director Evanina’s nonpartisan public outreach to increase Americans’ awareness of foreign influence campaigns right at the beginning of his efforts.
      • Prior to their public statements, Director Evanina had previewed his efforts and already offered to provide another round of briefings to the Congress on the threat and steps the US government has taken over the last three and a half years to combat it. We believe the threat is real, and is more complex than many partisans may wish to admit. We welcome these briefings, and hope our colleagues will listen to the career professionals who have been given this mission.
      •  We will not discuss classified information in public, but we are confident that while the threat remains, we are far better prepared than four years ago. The intelligence community, law enforcement, election officials, and others involved in securing our elections are far better postured, and Congress dramatically better informed, than any of us were in 2016—and our Democrat colleagues know it.
  • The Australian Cyber Security Centre (ACSC) and the Digital Transformation Agency (DTA) issued “new Cloud Security Guidance co-designed with industry to support the secure adoption of cloud services across government and industry.” The agencies stated this new release “will guide organisations including government, Cloud Service Providers (CSP), and Information Security Registered Assessors Program (IRAP) assessors on how to perform a comprehensive assessment of a cloud service provider and its cloud services, so a risk-informed decision can be made about its suitability to handle an organisation’s data.” ACSC and DTA added “The Cloud Security Guidance is supported by forthcoming updates to the Australian Government Information Security Manual (ISM), the Attorney-General’s Protective Security Policy Framework (PSPF), and the DTA’s Secure Cloud Strategy.”
  • The National Institute of Standards and Technology (NIST) studied how well facial recognition technology and services could identify people wearing masks and, to no great surprise, the results were not good with respect to accuracy. NIST stressed that the facial recognition technology were not calibrated for masks in qualifying its results. In its Interagency Report NISTIR 8311, NIST found
    • Algorithm accuracy with masked faces declined substantially across the board. Using unmasked images, the most accurate algorithms fail to authenticate a person about 0.3% of the time. Masked images raised even these top algorithms’ failure rate to about 5%, while many otherwise competent algorithms failed between 20% to 50% of the time.
    • Masked images more frequently caused algorithms to be unable to process a face, technically termed “failure to enroll or template” (FTE). Face recognition algorithms typically work by measuring a face’s features — their size and distance from one another, for example — and then comparing these measurements to those from another photo. An FTE means the algorithm could not extract a face’s features well enough to make an effective comparison in the first place.
    • The more of the nose a mask covers, the lower the algorithm’s accuracy. The study explored three levels of nose coverage — low, medium and high — finding that accuracy degrades with greater nose coverage.
    • While false negatives increased, false positives remained stable or modestly declined. Errors in face recognition can take the form of either a “false negative,” where the algorithm fails to match two photos of the same person, or a “false positive,” where it incorrectly indicates a match between photos of two different people. The modest decline in false positive rates show that occlusion with masks does not undermine this aspect of security.
    • The shape and color of a mask matters. Algorithm error rates were generally lower with round masks. Black masks also degraded algorithm performance in comparison to surgical blue ones, though because of time and resource constraints the team was not able to test the effect of color completely.
    • NIST explained this report
      • is the first of a series of reports on the performance of face recognition algorithms on faces occluded by protective face masks [2] commonly worn to reduce inhalation of viruses or other contaminants. This study is being run under the Ongoing Face Recognition Vendor Test (FRVT) executed by the National Institute of Standards and Technology (NIST). This report documents accuracy of algorithms to recognize persons wearing face masks. The results in this report apply to algorithms provided to NIST before the COVID-19 pandemic, which were developed without expectation that NIST would execute them on masked face images.
  • The United States National Science Foundation (NSF) and the Office of Science and Technology Policy (OSTP) inside the White House announced the establishment of the Quantum Leap Challenges Institutes program and “$75 million for three new institutes designed to have a tangible impact in solving” problems associated with quantum information science and engineering. NSF added “Quantum Leap Challenge Institutes also form the centerpiece of NSF’s Quantum Leap, an ongoing, agency-wide effort to enable quantum systems research and development.” NSF and OSTP named the following institutes:
    • NSF Quantum Leap Challenge Institute for Present and Future Quantum Computing. Today’s quantum computing prototypes are rudimentary, error-prone, and small-scale. This institute, led by the University of California, Berkeley, plans to learn from these to design advanced, large-scale quantum computers, develop efficient algorithms for current and future quantum computing platforms, and ultimately demonstrate that quantum computers outperform even the best conceivable classical computers.
  • The United States Department of Energy (DOE) published its “Blueprint for the Quantum Internet” “that lays out a blueprint strategy for the development of a national quantum internet, bringing the United States to the forefront of the global quantum race and ushering in a new era of communications” and held an event to roll out the new document and approach. The Blueprint is part of the Administration’s effort to implement the “National Quantum Initiative Act” (P.L. 115-368), a bill “[t]o provide for a coordinated Federal program to accelerate quantum research and development for the economic and national security of the United States.” Under Secretary of Energy for Science Paul Dabbar explained in a blog post that “[t]he Blueprint lays out four priority research opportunities to make this happen:
    • Providing the foundational building blocks for Quantum Internet;
    • Integrating Quantum networking devices;
    • Creating repeating, switching, and routing technologies for Quantum entanglement;
    • Enabling error correction of Quantum networking functions.
  • The European Commission (EC) is requesting feedback until 10 September on its impact assessment for future European Union legislation on artificial intelligence (AI). The EC explained “the  overall  policy  objective  is  to  ensure  the  development  and  uptake  of lawful  and trustworthy  AI across the Single Market through the creation of an ecosystem of trust.” Earlier this year, as part of its Digital Strategy, the EC recently released a white paper earlier this year, “On Artificial Intelligence – A European approach to excellence and trust,” in which the Commission articulates its support for “a regulatory and investment oriented approach with the twin objective of promoting the uptake of AI and of addressing the risks associated with certain uses of this new technology.” The EC stated that “[t]he purpose of this White Paper is to set out policy options on how to achieve these objectives…[but] does not address the development and use of AI for military purposes.”

Further Reading

  • Google Takes Aim at Amazon. Again.” – The New York Times. For the fifth time in the last decade, Google will try to take on Amazon, in part, because the latter’s dominance in online retailing is threatening the former’s dominance in online advertising. Google is offering a suite of inducements for retailers to use its platform, Google Shopping. One wonders if Google gains traction whether Amazon would point to the competition as proof it is not engaged in anti-competitive practices to regulators.
  • Twitter’s security woes included broad access to user accounts” – Ad Age. This piece details the years long tension inside the social media giant between strengthening internal security and developing features to make more money. Not surprisingly, the latter consideration almost always trumped the former, a situation exacerbated by Twitter’s growing use of third-party contractors to handle back end functions, including security. Apparently, many contractors would spy on celebrities’ accounts, sometimes using workarounds to defeat Twitter’s security. Even though this article claims it was only contractors, one wonders if some Twitter employees were doing the same. Whatever the case, Twitter’s board has been warned about weak security for years and opted against heeding this advice, a factor that likely allowed the platform to get hacked a few weeks ago. Worse still, the incentives do not seem aligned to drive better security in the future. 
  • We’re in the middle of the COVID-19 crisis. Big Tech is already preparing for the next one.” – Protocol. For people who think large technology companies have not had a prominent enough role during the current pandemic, this news will be reassuring. The Consumer Technology Association (CTA), a non-profit organized under Section 501(c)(6) of United States’ tax laws, has commenced with a “Public Health Tech Initiative” “[t]o ensure an effective public sector response to future pandemics like COVID-19.” This group “will explore and create recommendations for the use of technology in dealing with and recovering from future public health emergencies.”
  • Car Companies Want to Monitor Your Every Move With Emotion-Detecting AI” – Vice’s Motherboard. A number of companies are selling auto manufacturers on a suite of technology that could record everything that happens in your car, including facial analysis algorithms, for a variety of purposes with financial motives such as behavioral advertising, setting insurance rates, and others. The United States does not have any laws that directly regulate such practices whereas the European Union does, suggesting such technology would be deployed less in Europe.
  • Russian Intelligence Agencies Push Disinformation on Pandemic” – The New York Times. United States (US) intelligence agencies declassified and share intelligence with journalists purporting to show how Russian Federation intelligence agencies have adapted their techniques in their nonstop disinformation campaign against the US, the North Atlantic Treaty Organization, and others. As Facebook, Twitter, and others have grown adept at locating and removing content from obvious Russian outlets like RT and Sputnik, Russian agencies are utilizing more subtle techniques, aiming at the same goal of undermining confidence among Americans and elsewhere in the government.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Further Reading, Other Developments, and Coming Events (28 July)

First things first, if you would like to receive my Technology Policy Update, email me. You can find some of these Updates from 2019 and 2020 here.

Here are Further Reading, Other Developments, and Coming Events.

Coming Events

  • On 28 July, the House Rules Committee will consider the rule for and amendments to the H.R. 7617—Department of Defense Appropriations Act, 2021 [Defense, Commerce, Justice, Science, Energy and Water Development, Financial Services and General Government, Homeland Security, Labor, Health and Human Services, Education, Transportation, Housing, and Urban Development Appropriations Act, 2021].
  • On 28 July, the Senate Commerce, Science, and Transportation Committee’s Communications, Technology, Innovation, and the Internet Subcommittee will hold a hearing titled “The PACT Act and Section 230: The Impact of the Law that Helped Create the Internet and an Examination of Proposed Reforms for Today’s Online World.”
  • On 28 July the House Science, Space, and Technology Committee’s Investigations and Oversight and Research and Technology Subcommittees will hold a joint virtual hearing titled “The Role of Technology in Countering Trafficking in Persons” with these witnesses:
    • Ms. Anjana Rajan, Chief Technology Officer, Polaris
    • Mr. Matthew Daggett, Technical Staff, Humanitarian Assistance and Disaster Relief Systems Group, Lincoln Laboratory, Massachusetts Institute of Technology
    • Ms. Emily Kennedy, President and Co-Founder, Marinus Analytics
  • On  29 July, the House Judiciary Committee’s Antitrust, Commercial, and Administrative Law Subcommittee will hold its sixth hearing on “Online Platforms and Market Power” titled “Examining the Dominance of Amazon, Apple, Facebook, and Google” that will reportedly have the heads of the four companies as witnesses.
  • On 30 July the House Oversight and Reform Committee will hold a hearing on the tenth “Federal Information Technology Acquisition Reform Act” (FITARA) scorecard on federal information technology.
  • On 30 July, the Senate Commerce, Science, and Transportation Committee’s Security Subcommittee will hold a hearing titled “The China Challenge: Realignment of U.S. Economic Policies to Build Resiliency and Competitiveness” with these witnesses:
    • The Honorable Nazak Nikakhtar, Assistant Secretary for Industry and Analysis, International Trade Administration, U.S. Department of Commerce
    • Dr. Rush Doshi, Director of the Chinese Strategy Initiative, The Brookings Institution
    • Mr. Michael Wessel, Commissioner, U.S. – China Economic and Security Review Commission
  • On 4 August, the Senate Armed Services Committee will hold a hearing titled “Findings and Recommendations of the Cyberspace Solarium Commission” with these witnesses:
    • Senator Angus S. King, Jr. (I-ME), Co-Chair, Cyberspace Solarium Commission
    • Representative Michael J. Gallagher (R-WI), Co-Chair, Cyberspace Solarium Commission
    • Brigadier General John C. Inglis, ANG (Ret.), Commissioner, Cyberspace Solarium Commission
  • On 6 August, the Federal Communications Commission (FCC) will hold an open meeting to likely consider the following items:
    • C-band Auction Procedures. The Commission will consider a Public Notice that would adopt procedures for the auction of new flexible-use overlay licenses in the 3.7–3.98 GHz band (Auction 107) for 5G, the Internet of Things, and other advanced wireless services. (AU Docket No. 20-25)
    • Radio Duplication Rules. The Commission will consider a Report and Order that would eliminate the radio duplication rule with regard to AM stations and retain the rule for FM stations. (MB Docket Nos. 19-310. 17-105)
    • Common Antenna Siting Rules. The Commission will consider a Report and Order that would eliminate the common antenna siting rules for FM and TV broadcaster applicants and licensees. (MB Docket Nos. 19-282, 17-105)
    • Telecommunications Relay Service. The Commission will consider a Report and Order to repeal certain TRS rules that are no longer needed in light of changes in technology and voice communications services. (CG Docket No. 03-123)

Other Developments

  • The United States’ (US) Office of Management and Budget (OMB), an agency within the Executive Office of the President, has issued a memorandum in the same vein as other Trump Administration initiatives to increase the US government’s buying of goods and services produced domestically. Noting that 40% of the funds provided by Congress through annual legislation will be spent between 1 July and 30 September (roughly $200 billion), OMB urged federal agencies “to keep the following considerations in mind to support timely awards and maximize return on investment from each taxpayer dollar” among others:
    • Take full advantage of acquisition flexibilities and innovative tools. This week, the President’s Management Agenda unveiled a new cross-agency priority goal (CAP Goal) on “frictionless acquisition.” This CAP Goal creates a management platform to leverage modem buying strategies that have been shown to achieve just-in-time delivery with improved customer satisfaction and enable access to a broader and more innovative suite of companies and solutions. Agencies can review the resources on acquisition innovation and opportunities for collaboration by going to the frictionless CAP Goal on performance.gov.
      • The Goal Statement of this new CAP is “The Federal Government will deliver commercial items at the same speed as the market place & manage customers’ delivery expectations for acquisitions of non-commercial items by breaking down barriers to entry using modern business practices and technologies” as explained in a detailed presentation on frictionless acquisition released this month.
    • Use the resources of category management. As part of the ongoing transformation of federal acquisition, procurement involving common needs has been organized around categories of spending led by market experts who share business intelligence and help agencies avoid duplicative contracting work. This business structure has saved taxpayers more than $27 billion since FY 2016 and made it much easier for buyers to make rapid, well­ informed decisions on how best to acquire IT hardware, security, consulting services and many other every day needs that account for more than half of all contract spending. To stay current with market trends and available federal solutions, agencies should bookmark the category management dashboards on the acquisition gateway at https://hallways.cap.gsa.gov/app/#/.
    • Buy American. E.O. 13881 strengthens the general preference for American-made goods and, for the first time in 65 years, increases the percentage of U.S. manufactured content that must be in a product to qualify for the preference, including a very high standard for iron and steel. Agencies are encouraged to work with the Federal Acquisition Regulatory Council (FAR Council) to consider early implementation, as appropriate, while the rulemaking process proceeds.
    • In a related memorandum issued earlier this month, OMB asserted
      • Under the President’s Management Agenda and the leadership of OMB ‘s Office of Federal Procurement Policy (OFPP), the Administration has elevated the importance of acquisition innovation and category management as key pillars of a modernized procurement system. These pillars are proving to be critical assets in the face of market conditions that require heightened agility and the ongoing need r physical distancing as communities take steps to reopen. We are seeing smart use of existing contract vehicles and resources, supported by our category management market experts, such as for cleaning and distinction, information technology related to telework and healthcare, and enhanced entry screening services. We are also seeing growing examples of agencies leveraging innovative business practices, such as virtual acquisitions, that save time and enable acquisitions to continue where they might otherwise have been stopped.
      • OMB went on to detail best practices and examples in how agencies have adapted their procurement authority to the pandemic commensurate with ongoing Administration priorities such as category management
  • Senator Amy Klobuchar (D-MN) and some of her Democratic colleagues wrote Attorney General William Barr “to raise serious concerns regarding Google LLC’s (Google) proposed acquisition of Fitbit, Inc. (Fitbit)”. They stated
    • We are aware that the Antitrust Division of the Department of Justice is investigating this transaction and has issued a Second Request to gather additional information about the acquisition’s potential effects on competition. Amid reports that Google is offering modest, short-term concessions to overseas enforcers to avoid a full-scale investigation of the transaction in Europe, we write to urge the Division to continue with its efforts to conduct a thorough and comprehensive review of this proposed merger and to take any and all enforcement action warranted by the law and the evidence.
    • This letter comes at a time when the Department of Justice is considering Google’s potential antitrust practices and whether to file suit. The European Commission is also investigating the Google acquisition of FitBit.
    • Klobuchar is the Ranking Member of the Senate Judiciary Committee’s Antitrust, Competition Policy and Consumer Rights Subcommittee and was joined on the letter by Senators Richard Blumenthal (D-CT), Cory Booker (D-NJ), Mazie K. Hirono (D-HI), Sherrod Brown (D-OH), Mark Warner (D-VA), and Elizabeth Warren (D-MA).
  • Facebook and members of a class action and their attorneys have reached a second settlement in a suit brought under Illinois’ “Biometric Information Privacy Act” after a first settlement was rejected by the judge overseeing Patel, et al. v. Facebook, Inc.,. In January, the plaintiffs and Facebook agreed on a $550 million settlement to resolve claims the social media giant used and stored  people’s images contrary to the Illinois ban on such practices absent explicit consent. Facebook faced liability of up to $5000 per person affected and more than $40 billion in total potential liability. However, the judge thought the settlement was too low considering the Illinois legislature expressed its intention that violations would be punished more on the order of $1000 per person. Now, the parties have added $100 million, arriving at a $650 million settlement the judge will still need to bless.
  • Secretary of State Mike Pompeo made a speech at the Ronald Reagan Library “to make clear that the threats to Americans that President Trump’s China policy aims to address are clear and our strategy for securing those freedoms established.” Pompeo’s speech in the fourth in a series of Trump Administration officials making the Administration’s case against the People’s Republic of China (PRC), in some cases conflating PRC’s vying with the United States worldwide with the COVID-19 pandemic, suggesting the PRC is responsible for the course of the virus in the US and not Trump Administration policy.
  • The Department of Defense’s National Security Agency (NSA) and Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) “released an advisory for critical infrastructure Operational Technology (OT) and Industrial Controls Systems (ICS) assets to be aware of current threats we observe, prioritize assessing their cybersecurity defenses and take appropriate action to secure their systems.” The agencies asserted “[d]ue to the increase in adversary capabilities and activities, the criticality to U.S. national security and way of life, and the vulnerability of OT systems, civilian infrastructure makes attractive targets for foreign powers attempting to harm to US interests or retaliate for perceived US aggression.”
  • The Secretary of Defense released a memorandum for Department of Defense (DOD) regarding “poor Proper Operations Security (OPSEC) practices within DOD in the past have resulted in the unauthorized disclosure or ” leaks” of controlled unclassified information (CUI), including information to be safeguarded under the CUI category for OPSEC, as well as classified national security information (together referred to here as “non-public information”). Secretary of Defense Mark Esper asserted “[o]ngoing reviews reveal a culture of insufficient OPSEC practices and habits within the DOD” and stated “[m]y goal, through an OPSEC campaign, is to change that culture across DOD by reminding DOD personnel.”
  • The United Kingdom’s Information Commissioner’s Office (ICO) published its annual report for 2019-2020, “covering what the Information Commissioner has called a “transformative period” for privacy and data protection and broader information rights.” The ICO offered these highlights:
    • Supporting and protecting the public and organisations
      • The Age Appropriate Design Code, introduced by the Data Protection Act 2018, was published in January. When it comes into full effect, it will help steer businesses to comply with current information rights legislation.
      • We intervened in the High Court case on the use of facial recognition technology by the South Wales Police as part of our work to ensure that the use of this technology does not infringe people’s rights.  As a response to the judgement, we issued the first Commissioner’s Opinion.
      • Our new freedom of information strategy was launched which sets out how we work to create a culture of openness in public authorities.  It also commits us to making the case for reform of the access to information law as set out previously in our Outsourcing Oversight report.
      • In figures:
        • We received 38,514 data protection complaints.
        • We closed 39,860 data protection cases (up from 34,684 in 2018/19) .
        • We received 6,367 freedom of information complaint cases.
    • Enforcement
      • We took regulatory action 236 times in response to breaches of the legislation that we regulate. That included 54 information notices, eight assessment notices, seven enforcement notices, four cautions, eight prosecutions and 15 fines.  
      • Over 2,100 investigations were conducted.
    • Innovation
      • Through our successful regulatory sandbox service, we have worked with a number of innovative organisations of all sizes to explore new data uses in a safe way while helping to ensure their customers’ privacy.
      • We also received additional resources from the government’s regulators innovation fund to set up a hub with other regulators to streamline and reduce burdens on businesses and public services using data.
      • In January, we launched our consultation on an AI framework to allow the auditing and assessment of the risk associated with AI applications and how to ensure their use is transparent, fair and accountable.
    • International
      • On a global scale, we continue to chair the Global Privacy Assembly, driving forward the development of the assembly into an international network that can have an impact on key data protection issues across the year. This helps to protect UK citizen’s personal data as it crosses borders and helps UK businesses operating internationally.
      • Due to the period covered by the report it does not reflect the impact of COVID-19 although, acknowledging the pandemic, Ms Denham said: ”The digital evolution of the past decade has accelerated at a dizzying speed in the past few months. Digital services are now central to how so many of us work, entertain ourselves and talk to friends and family.”

Further Reading

  • The Twitter Hacks Have to Stop” – The Atlantic. Bruce Schneier makes the case that the United States and other western democracies must step in and regulate vital platforms like Twitter for security and size given the central role they play in most societies. Letting these companies implement their own security without oversight or transparency has led to a situation where the account of world leaders or government agencies are vulnerable to hacks and misinformation. Schneier thinks the size and dominance of Twitter, Facebook, etc is a major part of this problem that must also be addressed.
  • US and Australia set to launch campaign to counter disinformation” – Sydney Morning Herald. Two of the Five Eyes allies met in Washington on 27 July for their annual Australia-U.S. Ministerial Consultations (AUSMIN) and part of their planning on how to counter the People’s Republic of China (PRC) is working together on an effort to address the PRC’s disinformation campaigns. The already close relationship between Washington and Canberra has deepened as tensions between the United States (US) and PRC continue to escalate. However, the US and Australia are framing this initiative as aiming to counter all disinformation in the Indo-Pacific region, suggesting other nations may be waging disinformation campaigns of concern, including the Russian Federation and the Democratic People’s Republic of Korea.
  • Russia’s GRU Hackers Hit US Government and Energy Targets” – WIRED. Starting in December 2018, APT28 (aka Fancy Bear), a Russian hacking group, targeted and penetrated a number of United States (US) entities, including federal and state governments, educational institutions, and energy companies. APT28 is closely associated with Glavnoye razvedyvatel’noye upravleniye (GRU), the Main Directorate of the General Staff of the Armed Forces of the Russian Federation and is the entity behind the takedowns of Ukraine’s electrical grid in 2015 and 2016 among other high profile hacks and attacks. The timing of these attacks, sometimes executed as phishing attacks, is interesting for it comes after US Cyber Command and possibly the Central Intelligence Agency (CIA) took down Russia’s Internet Research Agency and other actions designed to deter Russian interference in the 2019 mid-term elections in November 2018.
  • “Hurting People  At Scale” – Facebook’s Employees Reckon With The Social Network They’ve Built” – BuzzFeed News. This article documents the dissent and turmoil inside the company about content moderation, which some see the social media giant doing dismally. Some employees and ex-employees are taking issue with how CEO Mark Zuckerberg and his leadership are acting or not to take down extreme and violent content.
  • Big Tech Funds a Think Tank Pushing for Fewer Rules. For Big Tech.” – The New York Times. The Global Antitrust Institute at George Mason University’s Antonin Scalia Law School has been pushing for less regulation of antitrust statutes and regulations, especially in “educating” antitrust officials at conferences. It has also been financially supported by large technology companies which benefit from these policies and has not been transparent about its funding or the extent to which these companies’ positions on antitrust inform its efforts and output. A similar New York Times investigation into other Washington DC think tanks exposed the transactional nature of some of these institutions, donors, and positions.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

UK Finally Releases Russia Report

First things first, if you would like to receive my Technology Policy Update, email me. You can find some of these Updates from 2019 and 2020 here.

A committee of the United Kingdom (UK) Parliament issued its report on its investigation into Russian interference and rendered a scathing indictment of disengagement by the British government on the challenges and threats posed by the Russian Federation going back to early this century. The Intelligence and Security Committee of Parliament (ISC), a joint body consisting of nine members of the House of Commons and the same number from the House of Lords, had been tasked with investigating the extent to which Russia has been interfering with the UK, including the Brexit vote in 2016. The ISC has returned with a record of half-measures, often uncoordinated between agencies and entities inside the British government, that have proved ineffective. The ISC is calling for a range of policy, strategic, and legislative changes to counter the threat posed by Russian activities, many of which occurred in cyberspace or digitally. Presumably, these changes would also help the UK deal with other nations that are aggressive in cyberspace, including the People’s Republic of China (PRC), the Democratic People’s Republic of Korea (DPRK), Iran, and others.

This report follows the four of five volume report the United States Senate Intelligence Committee has released on Russian interference with the 2016 US Presidential Election in favor of the Trump Campaign and to sow discord and distrust generally. In October 2019, the Committee transmitted its report to Prime Minister Boris Johnson who would “now consider whether there is any information in the report which, if published, would be prejudicial to the continued discharge of the functions of the security and intelligence Agencies.” In its press release today, the ISC stated “it is a matter of great regret that it was not published last November, ahead of the General Election.”

In the report, the ISC explained the report “covers aspects of the Russian threat to the UK (Cyber; Disinformation and Influence; and Russian Expatriates) followed by an examination of how the UK Government – in particular the Agencies and Defence Intelligence – has responded (Allocation of Effort; Strategy, Co-ordination and Tasking; A Hard Target; Legislation; International Partnerships; and Engagement with Russia).”

The previous ISC wrote the press release the current ISC issued:

ISC questions whether Government took its eye off the ball on Russia, finds that they underestimated the response required to the Russian threat and are still playing catch up:

  • Russian influence in the UK is the new normal. Successive Governments have welcomed the oligarchs and their money with open arms, providing them with a means of recycling illicit finance through the London ‘laundromat’, and connections at the highest levels with access to UK companies and political figures.
  • This has led to a growth industry of ‘enablers’ including lawyers, accountants, and estate agents who are – wittingly or unwittingly – de facto agents of the Russian state.
  • It clearly demonstrates the inherent tension between the Government’s prosperity agenda and the need to protect national security. While we cannot now shut the stable door, greater powers and transparency are needed urgently.
  • UK is clearly a target for Russian disinformation. While the mechanics of our paper-based voting system are largely sound, we cannot be complacent about a hostile state taking deliberate action with the aim of influencing our democratic processes.
  • Yet the defence of those democratic processes has appeared something of a ‘hot potato’, with no one organisation considering itself to be in the lead, or apparently willing to conduct an assessment of such interference. This must change.
  • Social media companies must take action and remove covert hostile state material: Government must ‘name and shame’ those who fail to act.
  • We need other countries to step up with the UK and attach a cost to Putin’s actions. Salisbury must not be allowed to become the high water mark in international unity over the Russia threat.
  • A number of issues addressed in this published version of the Russia Report are covered in more depth in the Classified Annex. We are not able to discuss these aspects on the grounds of national security.

The previous ISC continued in its press release:

  • [T]his Inquiry found it surprisingly difficult to establish who has responsibility: the defence of the UK’s democratic processes has appeared to be something of a ‘hot potato’, with no single organisation identifying itself as having an overall lead. We understand the nervousness around any suggestion that the intelligence Agencies might be involved in the mechanics of the democratic process, but that does not apply when it comes to the protection of those processes. And without seeking to imply that those organisations currently responsible are not capable, the Committee have questioned whether DCMS and the Electoral Commission have the weight and access required to tackle a major hostile state threat. Democracy is intrinsic to our country’s success and well-being. Protecting it must be a ministerial priority, with the Office for Security and Counter-Terrorism taking the policy lead and the operational role sitting with MI5.
  • In terms of responsibility, it was noted that – as with so many other issues currently – it is the social media companies who hold the key but are failing to play their part. The Government must establish a protocol with these companies to ensure that they take covert hostile state use of their platforms seriously, with agreed deadlines within which such material will be removed, and Government should ‘name and shame’ those which fail to act.
  • There have been widespread allegations that Russia sought to influence voters in the 2016 referendum on the UK’s membership of the EU: studies have pointed to the preponderance of pro-Brexit or anti-EU stories on RT and Sputnik, and the use of ‘bots’ and ‘trolls’, as evidence. The actual impact of such attempts on the result itself would be difficult – if not impossible – to prove. However what is clear is that the Government was slow to recognise the existence of the threat – only understanding it after the ‘hack and leak’ operation against the Democratic National Committee, when it should have been seen as early as 2014. As a result the Government did not take action to protect the UK’s process in 2016. The Committee has not been provided with any post-referendum assessment – in stark contrast to the US response to reports of interference in the 2016 presidential election. In our view there must be an analogous assessment of Russian interference in the EU referendum.
  • What is clear is that Russian influence in the UK is ‘the new normal’: successive Governments have welcomed the Russian oligarchy with open arms, and there are a lot of Russians with very close links to Putin who are well integrated into the UK business, political and social scene – in ‘Londongrad’ in particular. Yet few, if any, questions have been asked regarding the provenance of their considerable wealth and this ‘open door’ approach provided ideal mechanisms by which illicit finance could be recycled through the London ‘laundromat’. It is not just the oligarchs either – the arrival of Russian money has resulted in a growth industry of ‘enablers’: lawyers, accountants, and estate agents have all played a role, wittingly or unwittingly, and formed a “buffer” of Westerners who are de facto agents of the Russian state.
  • There is an obvious inherent tension between the Government’s prosperity agenda and the need to protect national security. To a certain extent, this cannot be untangled and the priority now must be to mitigate the risk, and ensure that where hostile activity is uncovered, the proper tools exist to tackle it at source and to challenge the impunity of Putin-linked elites. It is notable, for example, that a number of Members of the House of Lords have business interests linked to Russia, or work directly for major Russian companies linked to the Russian state – these relationships should be carefully scrutinised, given the potential for the Russian state to exploit them.
  • In addition to the Putin-linked elites, the UK is also home to a number of Putin’s critics who have sought sanctuary in the UK fearing politically-motivated charges and harassment, and the events of 4 March 2018 showed the vulnerability of former Russian intelligence officers who have settled in the UK – one of the issues we address in the Classified Annex to our Report.
  • It has been clear for some time that Russia under Putin has moved from potential partner to established threat, fundamentally unwilling to adhere to international law – the murder of Alexander Litvinenko in 2006 and the annexation of Crimea in 2014 were stark indicators of this. We therefore question whether the Government took its eye off the ball because of its focus on counter-terrorism: it was the opinion of the Committee that until recently the Government had badly underestimated the response required to the Russian threat –and is still playing catch up. Russia poses a tough intelligence challenge and our intelligence Agencies must have the tools they need to tackle it. In particular, new legislation must be introduced to tackle foreign spies: the Official Secrets Act is not fit for purpose and while this goes unrectified the UK intelligence community’s hands are tied.
  • More broadly, we need a continuing international consensus against Russian aggressive action. Effective constraint of nefarious Russian activities in the future will rely on making sure that the price the Russians pay for such interference is sufficiently high: the West is strongest when it acts collectively, and the UK has shown it can lead the international response. The expulsion of 153 ‘diplomats’ from 29 countries and NATO following the use of chemical weapons on UK soil in the Salisbury attack was unprecedented and, together with the subsequent exposure of the GRU agents responsible, sent a strong message that such actions would not be tolerated. But Salisbury must not be allowed to become the high water mark in international unity over the Russia threat: we must build on this effort to ensure momentum is not lost.

In the report, the ISC explained

As a result of our scrutiny, we have reached conclusions as to what is working well, where there is a need for more, or different, effort, or where a strategy may need updating, and we have commissioned a number of actions. These are embedded throughout the Report. We note here, however, that there have been a number of cross-cutting themes which have emerged during the course of our work:

  • Most surprising, perhaps, was the extent to which much of the work of the Intelligence Community is focused on ***. We had, at the outset of our Inquiry, believed they would be taking a rather broader view, given that it is clearly acknowledged that the Russians use a whole-of-state approach.
  • This focus has led us to question who is responsible for broader work against the Russian threat and whether those organisations are sufficiently empowered to tackle a hostile state threat such as Russia. In some instances, we have therefore recommended a shift in responsibilities. In other cases, we have recommended a simplification: there are a number of unnecessarily complicated wiring diagrams that do not provide the clear lines of accountability that are needed.
  • The clearest requirement for immediate action is for new legislation: the Intelligence Community must be given the tools it needs and be put in the best possible position if it is to tackle this very capable adversary, and this means a new statutory framework to tackle espionage, the illicit financial dealings of the Russian elite and the ‘enablers’ who support this activity.
  • More broadly, the way forward lies with taking action with our allies; a continuing international consensus is needed against Russian aggressive action. The West is strongest when it acts collectively and that is the way in which we can best attach a cost to Putin’s actions. The UK has shown it can shape the international response, as it did in response to the Salisbury attacks. It must now seek to build on this effort to ensure that momentum is not lost.

The Committee is pursuing additional inquiries that could also result in proposed changes in how the UK handles cyberspace threats:

  • an Inquiry into national security issues relating to China;
  • an Inquiry into Right Wing Terrorism;
  • an examination of the current threat from Northern Ireland-Related Terrorism; and
  • a case study on GCHQ procurement.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Image by TeeFarm from Pixabay

Further Reading, Other Developments, and Coming Events (22 July)

First things first, if you would like to receive my Technology Policy Update, email me. You can find some of these Updates from 2019 and 2020 here.

Here are Further Reading, Other Developments, and Coming Events.

Coming Events

  • On 22 July, the Senate Homeland Security & Governmental Affairs Committee will markup a number of bills and nominations, including:
    • The nomination of Derek Kan to the Office of Management and Budget’s Deputy Director
    • The “Federal Emergency Pandemic Response Act” (S.4204)
    • The “Securing Healthcare and Response Equipment Act of 2020” (S.4210)
    • The “National Response Framework Improvement Act of 2020” (S.4153)
    • The “National Infrastructure Simulation and Analysis Center Pandemic Modeling Act of 2020” (S.4157)
    • The “PPE Supply Chain Transparency Act of 2020” (S.4158)
    • The “REAL ID Act Modernization Act” (S.4133)
    • The “Safeguarding American Innovation Act” (S.3997)
    • The “Information Technology Modernization Centers of Excellence Program Act” (S.4200)
    • The “Telework for U.S. Innovation Act” (S.4318)
    • The “GAO Database Modernization Act” (S.____)
    • The “CFO Vision Act of 2020” (S.3287)
    • The “No Tik Tok on Government Devices Act” (S. 3455)
    • The “Cybersecurity Advisory Committee Authorization Act of 2020” (S. 4024)
  • On 23 July, the Senate Commerce, Science, and Transportation Committee’s Communications, Technology, Innovation, and the Internet Subcommittee will hold a hearing on “The State of U.S. Spectrum Policy” with the following witnesses:
    • Mr. Tom Power, Senior Vice President and General Counsel, CTIA
    • Mr. Mark Gibson, Director of Business Development, CommScope
    • Dr. Roslyn Layton, Visiting Researcher, Aalborg University
    • Mr. Michael Calabrese, Director, Wireless Future Project, Open Technology Institute at New America
  • On  27 July, the House Judiciary Committee’s Antitrust, Commercial, and Administrative Law Subcommittee will hold its sixth hearing on “Online Platforms and Market Power” titled “Examining the Dominance of Amazon, Apple, Facebook, and Google” that will reportedly have the heads of the four companies as witnesses.
  • On 6 August, the Federal Communications Commission (FCC) will hold an open meeting to likely consider the following items:
    • C-band Auction Procedures – The Commission will consider a Public Notice that would adopt procedures for the auction of new flexible-use overlay licenses in the 3.7–3.98 GHz band (Auction 107) for 5G, the Internet of Things, and other advanced wireless services. (AU Docket No. 20-25)
    • Radio Duplication Rules – The Commission will consider a Report and Order that would eliminate the radio duplication rule with regard to AM stations and retain the rule for FM stations. (MB Docket Nos. 19-310. 17-105)
    • Common Antenna Siting Rules – The Commission will consider a Report and Order that would eliminate the common antenna siting rules for FM and TV broadcaster applicants and licensees. (MB Docket Nos. 19-282, 17-105)
    • Telecommunications Relay Service – The Commission will consider a Report and Order to repeal certain TRS rules that are no longer needed in light of changes in technology and voice communications services. (CG Docket No. 03-123)
    • Inmate Calling Services – The Commission will consider a Report and Order on Remand and a Fourth Further Notice of Proposed Rulemaking that would respond to remands by the U.S. Court of Appeals for the District of Columbia Circuit and propose to comprehensively reform rates and charges for the inmate calling services within the Commission’s jurisdiction.  (WC Docket No. 12-375)

Other Developments

  • Acting Office of Management and Budget (OMB) Director Russell Vought was confirmed by the Senate by a 51-45 vote. OMB has been without a Senate-confirmed Director since Mick Mulvaney resigned at the end of March, but he was named acting White House Chief of Staff in January 2019, resulting in Vought serving as the acting OMB head since that time.
  • Former Vice President and Democratic candidate for President Joe Biden issued a statement on Russian interference with the 2020 election that laid out his plan to respond and retaliate against these ongoing activities. His very high-level plan is a list of currently used methods of combatting cyber-attacks, much of which he would be able to undertake without Congressional assent. Biden contended “[d]espite the exposure of Russia’s malign activities by the U.S. Intelligence Community, law enforcement agencies, and bipartisan Congressional committees, the Kremlin has not halted its efforts to interfere in our democracy.” Biden said “[i]n spite of President [Donald] Trump’s failure to act, America’s adversaries must not misjudge the resolve of the American people to counter every effort by a foreign power to interfere in our democracy, whether by hacking voting systems and databases, laundering money into our political system, systematically spreading disinformation, or trying to sow doubt about the integrity of our elections.” He vowed:
    • If elected president, I will treat foreign interference in our election as an adversarial act that significantly affects the relationship between the United States and the interfering nation’s government.
    • I will direct the U.S. Intelligence Community to report publicly and in a timely manner on any efforts by foreign governments that have interfered, or attempted to interfere, with U.S. elections.
    • I will direct my administration to leverage all appropriate instruments of national power and make full use of my executive authority to impose substantial and lasting costs on state perpetrators.
    • These costs could include financial-sector sanctions, asset freezes, cyber responses, and the exposure of corruption.
    • A range of other actions could also be taken, depending on the nature of the attack.
    • I will direct our response at a time and in a manner of our choosing.
    • In addition, I will take action where needed to stop attempts to interfere with U.S. elections before they can impact our democratic processes.
    • In particular, I will direct and resource the Department of Defense, Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, the Department of State, and the Federal Bureau of Investigation’s Foreign Interference Task Force to develop plans for disrupting foreign threats to our elections process.
    • This will be done, wherever possible, in coordination with our allies and partners, so that we are isolating the regimes that seek to undermine democracies and civil liberties.
  • Top Democrats in Congress have written the Director of the Federal Bureau of Investigation (FBI) requesting “a defensive counterintelligence briefing to all Members of the House of Representatives and the Senate regarding foreign efforts to interfere in the 2020 U.S. presidential election.” Speaker of the House Nancy Pelosi (D-CA), Senate Minority Leader Chuck Schumer (D-NY), House Intelligence Committee Chair Adam Schiff (D-CA), and Senate Intelligence Committee Ranking Member Mark Warner (D-VA) sent a letter to FBI Director Christopher Wray in which they claimed “that Congress appears to be the target of a concerted foreign interference campaign, which seeks to launder and amplify disinformation in order to influence congressional activity, public debate, and the presidential election in November.”
  • District of Columbia Attorney General Karl Racine (D) has inserted himself into the struggle raging over the Trump Administration’s remaking of the United States (US) Agency for Global Media (USAGM), in part, by installing Michael Pack as the head of USAGM. He filed suit “to resolve a dispute between two dueling Boards of Directors that has paralyzed the Open Technology Fund (OTF), a District nonprofit…which supports encryption and anti-censorship tools for people living in repressive societies…an independent nonprofit corporation organized and created under District law that receives grant funding from the USAGM” per his press release. Racine claimed:
    • The USAGM CEO does not have authority over OTF’s Board or officers: OTF is an independent D.C. nonprofit corporation, which governs itself under local law and under its own bylaws. While USAGM provides grant funding for OTF’s work, it does not have authority over OTF’s governance. OAG asserts that OTF’s bylaws are clear and that only the organization’s Board of Directors—not USAGM, its leadership, or any other body—has the authority to appoint or remove OTF directors.
    • Dueling Boards have paralyzed OTF: Two Boards are currently claiming authority over OTF, and without clarity as to which Board is properly in place, the organization is effectively leaderless. It is also unable to authorize decisions necessary for carrying out its functions, including decisions to authorize funding partner organizations have already been promised, and decisions related to potential new partnership. The leadership crisis has also left employees of the organization at risk of losing their jobs.
    • The original Board of Directors is the valid Board: OAG asserts that because Pack did not have authority under either District law or OTF’s bylaws to dismiss OTF’s Board of Directors, the Court should recognize OTF’s original Board as valid.
    • Any actions taken on behalf of OTF by Michael Pack or his replacement Board should be voided: Michael Pack did not have authority as USAGM CEO to dismiss or appoint Directors on behalf of OTF. As a result, any actions Pack or the replacement Board have taken on behalf of OTF should be invalidated.
  • The Department of Commerce’s (DOC) Bureau of Industry and Security (BIS) has announced further action against entities from the People’s Republic of China (PRC) by adding “to the Entity List 11 Chinese companies implicated in human rights violations and abuses in the implementation of the PRC’s campaign of repression, mass arbitrary detention, forced labor, involuntary collection of biometric data, and genetic analyses targeted at Muslim minority groups from the Xinjiang Uyghur Autonomous Region (XUAR)” according to the agency’s press release. DOC claimed “[t]oday’s action will result in these companies facing new restrictions on access to U.S.-origin items, including commodities and technology…[and] will supplement BIS’s two tranches of Entity List designations in October 2019 and June 2020, actions that together added 37 parties engaged in or enabling PRC’s repression in Xinjiang.”

Further Reading

  • Google Promises Privacy With Virus App but Can Still Collect Location Data” – The New York Times. Google’s version of the contact racing app developed with Apple has a feature the other company does not: it prompts users to turn on the Android device’s location setting. This feature would seem to be contrary to the claims made by Google and Apple that their Bluetooth tracing system does not collect sensitive location data. In fact, the companies refused to request of the governments of the United Kingdom and France, among others, to change settings on their smartphones to allow for centralized information collection on possible COVID-19 transmission. A number of European nations have pressed Google to remove this feature, and a Google spokesperson claimed the Android Bluetooth tracing capability did not use location services, begging the question why the prompt appears.
  • Inside the Federal Trade Commission’s Facebook probe” – Axios. The anonymous sources inside the Federal Trade Commission (FTC) cautioning that the agency will not likely pursue an anti-trust action against Facebook before next year may be part of an inner-agency quarrel slowing down the inquiry. Allegedly, the FTC’s Bureau of Competition and its Office of Policy Planning are at odds over the drafting of guidance that will govern the Facebook and other anti-trust investigations. The latter wants to keep the current standards of harm to consumers in terms of price changes, which the former thinks are inapplicable in the provision of free services. How this struggle plays out may well inform the agency’s approach to Facebook and other tech companies.
  • Beware the ‘But China’ Excuses” – The New York Times. This article cautions people from putting too much stock in the claims by the Trump Administration and technology companies that the People’s Republic of China (PRC) is the seeming threat they say it is. If the PRC is such a threat, the United States might consider investing more in basic research and development (R&D) and in some critical tech sectors to develop and build their products in the US. Also the notion advanced by some tech sector CEOs that breaking up the tech giants will ultimately benefit PRC competitors is scrutinized.
  • DHS Authorizes Domestic Surveillance to Protect Statues and Monuments” – Lawfare. One of my law school professors and a colleague examine a Department of Homeland Security’s (DHS) Office of Intelligence & Analysis (I&A) that authorizes intelligence and information collection on those who present threats to monuments, memorials, and statues that seems like a Trojan Horse by which DHS could surveil and mobilize protestors in the streets of American cities. The surveillance cannot be electronic surveillance, but then DHS could ask a sister agency to conduct such activity if needed.
  • Two more cyber-attacks hit Israel’s water system” – ZDNet. It appears Iran has responded to Israel’s cyber attacks that led to a number of problems at facilities in Tehran. This is the latest in an ongoing battle between the two Middle Eastern enemies that may escalate further.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

House Starts Consideration of Its NDAA

The House will consider scores of amendments to change US technology policy, including a number of implement the recommendations of a congressional cybersecurity panel. However, some may not be in the final NDAA.

First things first, if you would like to receive my Technology Policy Update, email me. You can find some of these Updates from 2019 and 2020 here.

As is almost always the case, House Members are using the occasion of the annual consideration of the National Defense Authorization Act (NDAA) to offer a range of amendments to the House Rules Committee. Hundreds of amendments were submitted, and at the 17 July hearing, the Committee determined which would be made in order and allow to be debated on the House floor, including scores of technology amendments. Many of these amendments to the “William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021” (H.R.6395) would change US technology policy and funding, and some are complete bills the House has already passed, for inclusion in the NDAA increases the chances of enactment. Among the higher profile amendments made in order is one offered by Cyberspace Solarium Commission members that would establish a National Cyber Director position in the White House that the Senate declined to include in its FY 2021 NDAA, suggesting addition to the House’s bill does not necessarily this provision will make it into law.

Earlier today, the House began its consideration of H.R.6395, which may take up the better part of the week. The House Rules Committee made the following amendments in order to be offered during debate that pertain to technology:

The House Armed Services Committee has also released its Committee Report in two parts (Volume I and II) and detailed the overall funding authorized by the package:

H.R. 6395 supports an overall authorization of $740.5 billion dollars for our national defense. H.R. 6395 would authorize approximately $662.6 billion in discretionary spending for national defense and approximately $69.0 billion in discretionary spending for Over-seas Contingency Operations. This authorization level will allow our military to maintain readiness, expand capabilities, and invest in the new software and technologies required to secure our country.

The committee included a number of requests and directives of the DOD and other agencies, including but not limited to:

  • Report on Cybersecurity Maturity Model Certification
    • The committee acknowledges that the Department of Defense has taken initial steps to ensure that its contractors are aware of the actions necessary to protect the government’s data and networks from cybersecurity threats. However, the committee is concerned that there remain key unanswered questions about how it will implement its cybersecurity framework, especially given the level of collaboration necessary between industry and government for its success. Therefore, the committee directs the Under Secretary of Defense for Acquisition and Sustainment to submit a report to the congressional defense committees by January 15, 2021, regarding the Cybersecurity Maturity Model Certification (CMMC) program.
  • Report on Ties between Russia and China
    • The Department of Defense has acknowledged that China and Russia are increasingly working in cooperation on a wide range of matters, including economically, politically, and militarily; and that the Department believes the growing ties between Russia and China are challenging the rules-based order and present a threat to U.S. national security interests. The committee notes that the National Defense Strategy highlights the joint force’s eroding competitive edge against China and Russia. The committee endeavors to fully understand the extent of the ties between Russia and China. Therefore, the committee directs the Director of National Intelligence, in consultation with the Secretary of Defense, to submit a report to the congressional defense committees and the congressional intelligence committees by March 1, 2021, on the relationship between China and Russia.
  • Fourth Estate Network Optimization
    • The committee recognizes the importance of creating efficiencies and cost savings within the Fourth Estate and across the Department of Defense, to include the consolidation of information technology services away from legacy common use information technology services into a single service provider (SSP). The committee notes that on August 15, 2019 the Deputy Secretary of Defense directed the Defense Information Systems Agency (DISA) to execute such consolidation under the Fourth Estate Network Optimization (4ENO) effort over the period of fiscal year 2020 to fiscal year 2024. The committee directs the Secretary of Defense to provide a report to the congressional defense committees not later than February 1, 2021, on the status of the consolidation effort, including details on the schedule and plan for consolidation, progress on the transition of each Defense Agency and Field Activity (DAFA) from common use information technology services into the SSP environment, the list of assets and services being transitioned, a list of assets and services remaining within each DAFA, a justification for assets not transitioned, and the reallocation of funding as a result of the transition.
  • GAO Assessment on DOD Cyber Incident Management Efforts
    • The committee notes that the Department of Defense (DOD) has experienced a number of high-profile breaches to Department of Defense (DOD) systems and networks. For example, in July 2015, a phishing attack on the Joint Chiefs of Staff unclassified email servers resulted in the system being shut down for more than a week while cyber experts rebuilt the network, affecting the work of roughly 4,000 military and civilian personnel. In 2018, DOD disclosed a data breach to its contracted travel management system that allegedly affected approximately 30,000 military and civilian employees. In 2020, DOD similarly acknowledged that the Defense Information Systems Agency networks were breached that reportedly resulted in the personal data of approximately 200,000 network users being compromised.
    • The committee is concerned that while DOD established the Joint Force Headquarters–DOD Information Network (JFHQ– DODIN) to operationalize and defend DOD systems and networks, other DOD components still view these systems and networks as an administrative capability. Cyber incidents, such as those identified above, can disrupt critical military operations, lead to inappropriate access to and modification of sensitive information, result in long-term financial obligations for credit monitoring, and threaten national security. Therefore, the committee directs the Comptroller General of the United States to provide the congressional defense committees with an assessment of DOD management of cyber incidents and efforts to mitigate future cyber incidents.
  • GAO Study and Report on Electronic Continuity of Operations on the Department of Defense
    • The committee notes the centrality of electronic command, control, and communications to Department of Defense continuity of operations. To ensure that the committee is fully informed of how the Department of Defense is addressing issues related to the risk to electronic communications, the committee requests that the Comptroller General of the United States conduct a study of electronic communications continuity of operations of the Department of Defense.
  • Information Technology Asset Management and Inventory
    • The committee commends the Department of Defense for the considerable improvement made on information technology, asset discovery, and asset management. However, the committee believes the Department would benefit from an established process for auditing software and hardware inventories. The lack of a single policy framework hinders the capacity of the Department to discover license duplication and the Department is at risk of wasting valuable resources on redundant or underutilized hardware and software. The Department also lacks real-time discovery of and visibility over its network attack surface, particularly its forward-facing internet assets and Department assets held in cloud environments, resulting in increased risk of exposures exploitable by malicious adversaries. The private sector has successfully navigated this challenge through the use of automated software tools widely available on the commercial market.
    • The committee directs the Chief Information Officer of the Department of Defense, in coordination with chief information officers of the military services, to provide a briefing to the House Committee on Armed Services, not later than March 1, 2021, on the processes in place for asset discovery and management of hardware and software products.
  • Internet Architecture Security
    • The committee recognizes that the internet is inextricable and central to the American way of life, and the architecture that enables internet communications is layered, complex, and multi-faceted. The committee notes that this architecture includes high-capacity cables laid underground and underseas, cable landing stations that connect cables from continent to continent, and internet exchange points that serve as clearinghouses for data between Internet Service Providers and content delivery networks; all of which are required for the internet to operate. The committee recognizes that the executive branch has assigned responsibility for components or sectors of critical infrastructure to various executive branch departments and agencies, and internet architecture is approached in a fractured and piecemeal fashion, with multiple government stakeholder entities claiming responsibility. The committee is concerned that the lack of direction on the subject of internet architecture security creates significant risks to the nation. Consequently, the committee directs the Comptroller General of the United States to provide a report to the House Committee on Armed Services by September 1, 2021, to examine the issue of internet architecture security.
  • Report and GAO Briefing on DOD Cyber Hygiene and Cybersecurity Maturity Model Certification Framework
    • Given the importance of implementing cyber hygiene practices that could effectively protect DOD missions, information, and systems and networks, we direct the Secretary of Defense to submit a report to the defense committees identifying the extent to which each of the DOD components have implemented cyber hygiene practices and levels identified in the CMMC framework. For each DOD component that does not achieve level 3 status (referred to as ‘‘good cyber hygiene’’ in CMMC Model ver. 1.02), the head of the component is to provide the Congressional defense committees, the DOD Chief Information Officer, the commander of JFHQ–DODIN a plan on how the component will implement those security measures within one year and mitigate potential consequences until those practices are implemented. In order to aid in the under-standing of what cyber hygiene practices have been and have not been implemented by the DOD that the department requires private sector companies to implement before they receive a contract where they would have access to controlled unclassified information, the Secretary of Defense shall submit the DOD report to the Congressional defense committees and the Comptroller General of the United States by March 1, 2021. The committee further directs the Comptroller General to conduct an independent review of the Secretary’s report and provide a briefing to the Congressional defense committees no later than the end of the fiscal year.
  • Department of Defense Artificial Intelligence Capabilities and Strategy
    • The committee believes that global leadership in artificial intelligence (AI) technology is a national security priority. In 2018, the Department of Defense issued a department-wide AI strategy to provide direction for AI development. As the Department increases its investments in AI, machine learning, and other automation technologies, the committee believes that the Department’s re-sources, capabilities, and plans should continue to ensure U.S. competitive advantage over potential adversaries. Therefore, the committee directs the Comptroller General of the United States to provide the committee with an assessment of the Department’s resources, capabilities, and plans for AI.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Image by David Mark from Pixabay

Senate Armed Services Marks Up FY 2021 NDAA

Per usual, the NDAA contains a number of technology related provisions, including a some of the CSC’s recommendations. The People’s Republic of China and the Russian Federation continue to receive attention.

First things first, if you would like to receive my Technology Policy Update, email me. You can find some of these Updates from 2019 and 2020 here.

This week, legislative work began on the FY 2021 National Defense Authorization Act (NDAA). The Senate Armed Services Committee conducted markups at the subcommittee and committee level, almost of which were in closed settings, and announced a finished bill that has not yet been made available per committee tradition. However, as in years past, a summary of the NDAA has been released that provides a high level overview of the bill, including its cybersecurity and technology related provisions. Bill text will not likely be released before the bill comes to the Senate floor.

Most notably, a number of the Cyberspace Solarium Commission’s (CSC) recommendations were apparently included in the bill, an outcome the four CSC Members who also serve in Congress were working towards; Senators Ben Sasse (R-NE) and Angus King (I-ME) served on the CSC and are also on the Senate Armed Services Committee.

The CSC’s highest profile recommendation was not entirely accepted, however. The CSC had called for a National Cyber Director its final report that would be “be the President’s principal advisor for cybersecurity-related issues, as well as lead national-level coordination of cybersecurity strategy and policy, both within government and with the private sector.” However, the FY 2021 NDAA merely uses an old strategy on possibly controversial changes: a study would be conducted on a National Cyber Director. Nevertheless, the CSC’s mandate would be extended another 16 months if this legislation is enacted, giving the body more time to work to see this and other recommendations possibly come to fruition.

All of the recommendations in the FY 2021 NDAA are those within the jurisdiction of the Armed Services Committees, suggesting the non-defense cybersecurity recommendations will need to be enacted by the various committees of jurisdiction. Ironically, this is the very issue the CSC addressed in its recommendation that Congress establish “House Permanent Select and Senate Select Committees on Cybersecurity.” However, it is a rare occurrence for Congress to redraw committee jurisdictions in such a significant way, and the Homeland Security Committees were created after the attacks on the United States on 11 September 2001. And yet, it is not uncommon for legislation that pertains mostly to civilian agencies and affairs to get added to the NDAA. For example, the “Federal Information Technology Acquisition Reform” (FITARA) (P.L. 113-291) was enacted as part of the FY 2013 NDAA.

The Committee explained that the NDAA includes 11 of the CSC’s recommendations:

  • A review of National Guard response to cyberattacks,
  • Adding a force structure assessment in the quadrennial cyber posture review,
  • A report on enabling Cyber Command authorities, direction, and control of Cyber Operations Forces-related budgets, ensuring flexibility and agility to control acquisition,
  • An evaluation of cyber reserve force options, which could provide capable surge capability and enable DOD to draw on cyber talent in the department sector,
  • Improving cyber resiliency of nuclear command and control systems,
  • A modification to fortify the Strategic Cybersecurity program and further cyber vulnerability assessment of weapons systems,
  • A Defense Industrial Base threat intelligence sharing program to support companies’ ability to defend themselves,
  • An assessment of the risk posed by quantum computing to national security systems,
  • An extension of the Cyberspace Solarium Commission for tracking and facilitating the implementation of its recommendations for 16 months,
  • An independent assessment on the feasibility and advisability of establishing a National Cyber Director.

The House Armed Services Committee will begin marking up its FY 2021 NDAA later this month with a full committee markup scheduled for 1 July. It is very likely CSC recommendations make it into this bill, and so it will be a matter of final negotiations to determine which recommendations are part of the bill, which is seen as must-pass on Capitol Hill. Moreover, CSC recommendations could get folded into appropriations bills for FY 2021, which is often one of the last matters Congress addresses before recessing for the winter holidays.

The Committee highlighted other cybersecurity and cyberspace provisions:

  • Updates the responsibilities of the Principal Cyber Advisor, a key driver of the Department’s development and implementation of its 2018 cyber strategy, by increasing the integration and coordination responsibilities of that office to ensure that DOD’s cyber policies are coherent, cohesive, and meet needs,
  • Improves transparency and requires DOD to provide more regular updates on cyber operations to Congress,
  • Requires pilot programs, demonstrations, and/or plans for: speed-based cybersecurity capability metrics to measure DOD performance and effectiveness; interoperability and automated orchestration of cybersecurity systems (increased by $10 million above the President’s request); addressing network timing and address inconsistencies; and integration of user activity monitoring and cybersecurity systems,
  • Requires an assessment of gaps between Cyber Mission Forces and Cybersecurity Service Providers,
  • Authorizes increased funding ($25 million for Air Force Operation and Maintenance and $5 million for Army Operation and Maintenance) to provide Cyber Mission Forces with more resources to access, operate, and train as required by increased operational demands,
  • Improves cyber readiness and “man, train, and equip” by:
    • Authorizing a pilot program to prepare the National Guard for providing cyber assistance remotely in the case of cyber attacks,
    • Prohibiting the Secretary of Defense from taking any action on the National Defense University’s College of Information and Cyber Space until completing an assessment of educational requirements for military and civilian leaders in this domain,
    • Modifying authority to use Operation and Maintenance funds to allow for rapid creation, testing, and fielding of cyber capabilities to respond more quickly to threats, and
    • Improving the training and retention of highly qualified cyber personnel, including providing Cyber Command with the same hiring authority for technical talent as exists at DARPA, the Strategic Capabilities Office, and the Joint Artificial Intelligence Center, and by allowing for pay that is more competitive with commercial industry.

Again, the Committee addressed the threats posed by the DOD having a significant part of its supply chain rooted in the People’s Republic of China (PRC) and the challenges posed by the nation to US military and national security:

  • The FY21 NDAA takes numerous steps to reshape the Defense Industrial Base as a National Security Innovation Base, expanding its industrial capacity, promoting agility and resiliency, and identifying and mitigating risks associated with reliance on foreign adversaries, while investing in relationships with allies and partners. The shift to a National Security Innovation Base requires acknowledging that a whole-of-government approach is needed, and this bill encourages DOD to study broad factors that shape the industrial base and engage with outside stakeholders and interests. Recognizing that procurement restrictions are very powerful, the bill also ensures DOD is exploring all pathways to expand domestic capacity, including increased research and development. Lastly, the legislation safeguards proprietary technology, intellectual property, and other defense-sensitive data from being infiltrated by the government of China.
  • Further implements recommendations from DOD’s report proceeding from Executive Order 13806 on assessing and strengthening the manufacturing and defense industrial base and supply chain resiliency of the U.S., and updates the framework for modernizing acquisition processes to ensure the integrity of the Defense Industrial Base,
  • Requires analyses of a variety of materials and technology sectors, such as microelectronics, rare earth minerals, medical devices, personal protective equipment and pharmaceutical ingredients, to determine actions to take to address sourcing and industrial capacity,
  • Directs additional steps for certain items, such as microelectronics, printed circuit boards, critical raw materials, and unmanned aircraft systems to mitigate risk of relying on foreign sources for products, materials, components, and manufacturing,
  • Strengthens the National Technology and Industrial Base (NTIB) by creating a Regulatory Council and directing DOD to establish a process for admitting new members,
  • Requires assessment of foreign industrial base capabilities and capacity to see how these drive risk to the U.S. from overreliance on China and their economic aggression,
  • Continues to expand the role of small business, extending the authorization of a pilot program to streamline contracting and auditing processes for innovative technology programs and ensuring DOD pays small business contractors quickly,
  • Directs steps to safeguard defense-sensitive U.S. intellectual property and technology from acquisition by China and with post-employment restricts pertaining to China.

The Committee highlighted provisions aimed at the PRC and Russia:

  • Extends the limitation on providing sensitive missile defense information to Russia and on the integration of U.S. missile defense systems into those of China and Russia,
  • Requires the Secretary of Defense to submit a report on the risk to DOD personnel, equipment, and operations due to Huawei 5G architecture in host countries and possible steps for mitigation,
  • Requires the Secretary of Defense to consider 5G and 6G security risks posed by vendors like Huawei and ZTE when making overseas basing decisions,
  • Protects the defense industrial base and supply chain, as well as intellectual property and technology, from disruption, infiltration, or theft by the Government of China (see “Innovation Base”),
  • Fully funds the European Deterrence Initiative and increases funding to support rotational forces in Europe,
  • Requires a report on Russian support to racially and ethnically motivated violent extremist groups and networks in Europe and the United States that creates or causes growing national security threats, information warfare, and increasing risks to societal stability and democratic institutions,
  • Extends restrictions on military-to-military cooperation with Russia and any activities that would recognize Russian sovereignty over Crimea,
  • Expresses a sense of the Senate that long-term strategic competition with Russia is a top defense priority that requires sustained investment and enhanced deterrence due to the level of threat posed,

The Committee added

As our strategic competitors develop more and more advanced weapons, equipment, and technology, it’s critical that the United States keep pace through deliberate, knowledge-based development. The FY21 NDAA directs investments and implements policies that will maintain or expand our comparative advantage over China and Russia for key capabilities and technologies. One strategy for accelerating innovation will be through a tailored approach of both subsystem prototypes, including for unmanned surface vessels, and full-scale prototypes, including for hypersonic weapons, based on a detailed understanding of what is necessary to achieve technical and technological maturity.

The bill also

  • Supports the development of fifth-generation (5G) wireless networks by establishing a cross- functional team for 5G wireless networks and designates the DOD Chief Information Officer to lead the team and serve as the senior designated official for related policy, oversight, guidance, and coordination at DOD,
  • Strengthens Science and Technology efforts in emerging technologies, including by requiring: an assessment of U.S. efforts to develop biotechnologies compared to our adversaries; development of Artificial Intelligence use-cases for reform efforts; enhancements to the Quantum Information Science research and development program; and a demonstration of innovative 5G commercial technologies, Encourages DOD to leverage commercially available technology where appropriate, particularly for artificial intelligence,
  • Includes several provisions designed to recruit and retain talent with technology expertise, including requiring a study comparing methods for recruiting and retaining technology researchers used by both the U.S. and Chinese governments and authorizing a pilot program to permit university students and faculty to take on part-time and term employment at DOD labs to work on critical technologies and research activities,

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Further Reading and Other Developments (6 June)

Other Developments

First things first, if you would like to receive my Technology Policy Update, email me. You can find some of these Updates from 2019 and 2020 here.

  • A number of tech trade groups are asking the House Appropriations Committee’s Commerce-Justice-Science Subcommittee “to direct the National Institute of Standards and Technology (NIST) to create guidelines that help companies navigate the technical and ethical hurdles of developing artificial intelligence.” They argued:
    • A NIST voluntary framework-based consensus set of best practices would be pro-innovation, support U.S. leadership, be consistent with NIST’s ongoing engagement on AI industry consensus standards development, and align with U.S. support for the OECD AI principles as well as the draft Memorandum to Heads of Executive Departments and Agencies, “Guidance for Regulation of Artificial Intelligence Applications.”
  • The Department of Defense (DOD) “named seven U.S. military installations as the latest sites where it will conduct fifth-generation (5G) communications technology experimentation and testing. They are Naval Base Norfolk, Virginia; Joint Base Pearl Harbor-Hickam, Hawaii; Joint Base San Antonio, Texas; the National Training Center (NTC) at Fort Irwin, California; Fort Hood, Texas; Camp Pendleton, California; and Tinker Air Force Base, Oklahoma.”  The DOD explained “[t]his second round, referred to as Tranche 2, brings the total number of installations selected to host 5G testing to 12…[and] builds on DOD’s previously-announced 5G communications technology prototyping and experimentation and is part of a 5G development roadmap guided by the Department of Defense 5G Strategy.”
  • The Federal Trade Commission announced a $150,000 settlement with “HyperBeard, Inc. [which] violated the Children’s Online Privacy Protection Act Rule (COPPA Rule) by allowing third-party ad networks to collect personal information in the form of persistent identifiers to track users of the company’s child-directed apps, without notifying parents or obtaining verifiable parental consent.”
  • The National Institute of Standards and Technology (NIST) released Special Publication 800-133 Rev. 2, Recommendation for Cryptographic Key Generation that “discusses the generation of the keys to be used with the approved  cryptographic  algorithms…[which] are  either  1) generated  using  mathematical  processing  on  the  output  of  approved  Random  Bit  Generators (RBGs) and  possibly  other  parameters or 2) generated based on keys that are generated in this fashion.”
  • United States Trade Representative (USTR) announced “investigations into digital services taxes that have been adopted or are being considered by a number of our trading partners.” These investigations are “with respect to Digital Services Taxes (DSTs) adopted or under consideration by Austria, Brazil, the Czech Republic, the European Union, India, Indonesia, Italy, Spain, Turkey, and the United Kingdom.” The USTR is accepting comments until 15 July.
  • NATO’s North Atlantic Council released a statement “concerning malicious cyber activities” that have targeted medical facilities stating “Allies are committed to protecting their critical infrastructure, building resilience and bolstering cyber defences, including through full implementation of NATO’s Cyber Defence Pledge.” NATO further pledged “to employ the full range of capabilities, including cyber, to deter, defend against and counter the full spectrum of cyber threats.”
  • The Public Interest Declassification Board (PIDB) released “A Vision for the Digital Age: Modernization of the U.S. National Security Classification and Declassification System” that “provides recommendations that can serve as a blueprint for modernizing the classification and declassification system…[for] there is a critical need to modernize this system to move from the analog to the digital age by deploying advanced technology and by upgrading outdated paper-based policies and practices.”
  • In a Department of State press release, a Declaration on COVID-19, the G7 Science and Technology Ministers stated their intentions “to work collaboratively, with other relevant Ministers to:
    • Enhance cooperation on shared COVID-19 research priority areas, such as basic and applied research, public health, and clinical studies. Build on existing mechanisms to further priorities, including identifying COVID-19 cases and understanding virus spread while protecting privacy and personal data; developing rapid and accurate diagnostics to speed new testing technologies; discovering, manufacturing, and deploying safe and effective therapies and vaccines; and implementing innovative modeling, adequate and inclusive health system management, and predictive analytics to assist with preventing future pandemics.
    • Make government-sponsored COVID-19 epidemiological and related research results, data, and information accessible to the public in machine-readable formats, to the greatest extent possible, in accordance with relevant laws and regulations, including privacy and intellectual property laws.
    • Strengthen the use of high-performance computing for COVID-19 response. Make national high-performance computing resources available, as appropriate, to domestic research communities for COVID-19 and pandemic research, while safeguarding intellectual property.
    • Launch the Global Partnership on AI, envisioned under the 2018 and 2019 G7 Presidencies of Canada and France, to enhance multi-stakeholder cooperation in the advancement of AI that reflects our shared democratic values and addresses shared global challenges, with an initial focus that includes responding to and recovering from COVID-19. Commit to the responsible and human-centric development and use of AI in a manner consistent with human rights, fundamental freedoms, and our shared democratic values.
    • Exchange best practices to advance broadband connectivity; minimize workforce disruptions, support distance learning and working; enable access to smart health systems, virtual care, and telehealth services; promote job upskilling and reskilling programs to prepare the workforce of the future; and support global social and economic recovery, in an inclusive manner while promoting data protection, privacy, and security.
  • The Digital, Culture, Media and Sport Committee’s Online Harms and Disinformation Subcommittee held a virtual meeting, which “is the second time that representatives of the social media companies have been called in by the DCMS Sub-committee in its ongoing inquiry into online harms and disinformation following criticism by Chair Julian Knight about a lack of clarity of evidence and further failures to provide adequate answers to follow-up correspondence.” Before the meeting, the Subcommittee sent a letter to Twitter, Facebook, and Google and received responses. The Subcommittee heard testimony from:
    • Facebook Head of Product Policy and Counterterrorism Monika Bickert
    • YouTube Vice-President of Government Affairs and Public Policy Leslie Miller
    • Google Global Director of Information Policy Derek Slater
    • Twitter Director of Public Policy Strategy Nick Pickles
  • Senators Ed Markey (D-MA), Ron Wyden (D-OR) and Richard Blumenthal (D-CT) sent a letter to AT&T CEO Randall Stephenson “regarding your company’s policy of not counting use of HBO Max, a streaming service that you own, against your customers’ data caps.” They noted “[a]lthough your company has repeatedly stated publicly that it supports legally binding net neutrality rules, this policy appears to run contrary to the essential principle that in a free and open internet, service providers may not favor content in which they have a financial interest over competitors’ content.”
  • The Brookings Institution released what it considers a path forward on privacy legislation and held a webinar on the report with Federal Trade Commissioner (FTC) Christine Wilson and former FTC Commissioner and now Microsoft Vice President and Deputy General Counsel Julie Brill.

Further Reading

  • Google: Overseas hackers targeting Trump, Biden campaigns” – Politico. In what is the latest in a series of attempted attacks, Google’s Threat Analysis Group announced this week that People’s Republic of China affiliated hackers tried to gain access to the campaign of former Vice President Joe Biden and Iranian hackers tried the same with President Donald Trump’s reelection campaign. The group referred the matter to the federal government but said the attacks were not successful. An official from the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) remarked “[i]t’s not surprising that a number of state actors are targeting our elections…[and] [w]e’ve been warning about this for years.” It is likely the usual suspects will continue to try to hack into both presidential campaigns.
  • Huawei builds up 2-year reserve of ‘most important’ US chips” ­– Nikkei Asian Review. The Chinese tech giant has been spending billions of dollars stockpiling United States’ (U.S.) chips, particularly from Intel for servers and programable chips from Xilinx, the type that is hard to find elsewhere. This latter chip maker is seen as particularly crucial to both the U.S. and the People’s Republic of China (PRC) because it partners with the Taiwan Semiconductor Manufacturing Company, the entity persuaded by the Trump Administration to announce plans for a plant in Arizona. Shortly after the arrest of Huawei CFO Meng Wanzhou in 2018, the company began these efforts and spent almost $24 billion USD last year stockpiling crucial U.S. chips and other components.
  • GBI investigation shows Kemp misrepresented election security” – Atlanta-Journal Constitution. Through freedom of information requests, the newspaper obtained records from the Georgia Bureau of Investigation (GBI) on its investigation at the behest of then Secretary of State Brian Kemp, requested days before the gubernatorial election he narrowly won. At the time, Kemp claimed hackers connected to the Democratic Party were trying to get into the state’s voter database, when it was Department of Homeland Security personnel running a routine scan for vulnerabilities Kemp’s office had agreed to months earlier. The GBI ultimately determined Kemp’s claims did not merit a prosecution. Moreover, even though Kemp’s staff at the time continues to deny these findings, the site did have vulnerabilities, including one turned up by a software company employee.
  • Trump, Biden both want to repeal tech legal protections — for opposite reasons” – Politico. Former Vice President Joe Biden (D) wants to revisit Section 230 because online platforms are not doing enough to combat misinformation, in his view. Biden laid out his views on this and other technology matters for the editorial board of The New York Times in January, at which point he said Facebook should have to face civil liability for publishing misinformation. Given Republican and Democratic discontent with Section 230 and the social media platforms, there may be a possibility legislation is enacted to limit this shield from litigation.
  • Wearables like Fitbit and Oura can detect coronavirus symptoms, new research shows” –The Washington Post. Perhaps wearable health technology is a better approach to determining when a person has contracted COVID-19 than contact tracing apps. A handful of studies are producing positive results, but these studies have not yet undergone the per review process. Still, these devices may be able to determine disequilibrium in one’s system as compared to a baseline, suggesting an infection and a need for a test. This article, however, did not explore possible privacy implications of sharing one’s personal health data with private companies.
  • Singapore plans wearable virus-tracing device for all” – Reuters. For less than an estimated $10 USD for unit, Singapore will soon introduce wearable devices to better track contacts to fight COVID-19. In what may be a sign that the city-state has given up on its contact tracing app, TraceTogether, the Asian nation will soon release these wearables. If it not clear if everyone will be mandated to wear one and what privacy and data protections will be in place.
  • Exclusive: Zoom plans to roll out strong encryption for paying customers” – Reuters. In the same vein as Zoom allowing paying customers to choose where their calls are routing through (e.g. paying customers in the United States could choose a different region with lesser surveillance capabilities), Zoom will soon offer stronger security for paying customers. Of course, should Zoom’s popularity during the pandemic solidify into a dominant competitive position, this new policy of offering end-to-end encryption that the company cannot crack would likely rouse the ire of the governments of the Five Eyes nations. These plans breathe further life into the views of those who see a future in which privacy and security are commodities to be bought and those unable or unwilling to afford them will not enjoy either. Nonetheless, the company may still face a Federal Trade Commission (FTC) investigation into its apparently inaccurate claims that calls were encrypted, which may have violated Section 5 of the FTC Act along with similar investigations by other nations.
  • Russia and China target U.S. protests on social media” – Politico. Largely eschewing doctored material, the Russian Federation and the People’s Republic of China (PRC) are using social media platforms to further drive dissension and division in the United States (U.S.) during the protests by amplifying the messages and points of views of Americans, according to an analysis of one think tank. For example, some PRC officials have been tweeting out “Black Lives Matter” and claims that videos purporting to show police violence are, in fact, police violence. The goal to fan the flames and further weaken Washington. Thus far, the American government and the platforms themselves have not had much of a public response. Additionally, this represents a continued trend of the PRC in seeking to sow discord in the U.S. whereas before this year use of social media and disinformation tended to be confined to issues of immediate concern to Beijing.
  • The DEA Has Been Given Permission To Investigate People Protesting George Floyd’s Death” – BuzzFeed News. The Department of Justice (DOJ) used a little known section of the powers delegated to the agency to task the Drug Enforcement Agency (DEA) with conducting “covert surveillance” of to help police maintain order during the protests following the killing of George Floyd’s, among other duties. BuzzFeed News was given the two page memorandum effectuating this expansion of the DEA’s responsibilities beyond drug crimes, most likely by agency insiders who oppose the memorandum. These efforts could include use of authority granted to the agency to engage in “bulk collection” of some information, a practice the DOJ Office of the Inspector General (OIG) found significant issues with, including the lack of legal analysis on the scope of the sprawling collection practices.
  • Cops Don’t Need GPS Data to Track Your Phone at Protests” – Gizmodo. Underlying this extensive rundown of the types of data one’s phone leaks that is vacuumed up by a constellation of entities is the fact that more law enforcement agencies are buying or accessing these data because the Fourth Amendment’s protections do not apply to private parties giving the government information.
  • Zuckerberg Defends Approach to Trump’s Facebook Posts” – The New York Times. Unlike Twitter, Facebook opted not to flag President Donald Trump’s tweets about the protests arising from George Floyd’s killing last week that Twitter found to be glorifying violence. CEO Mark Zuckerberg reportedly deliberated at length with senior leadership before deciding the tweets did not violate the platform’s terms of service, a decision roundly criticized by Facebook employees, some of whom staged a virtual walkout on 1 June. In a conference call, Zuckerberg faced numerous questions about why the company does not respond more forcefully to tweets that are inflammatory or untrue. His answers that Facebook does not act as an arbiter of truth were not well freceived among many employees.
  • Google’s European Search Menu Draws Interest of U.S. Antitrust Investigators” – The New York Times. Allegedly Department of Justice (DOJ) antitrust investigators are keenly interested in the system Google lives under in the European Union (EU) where Android users are now prompted to select a default search engine instead of just making its Google’s. This system was put in place as a response to the EU’s €4.34 billion fine in 2018 for imposing “illegal restrictions on Android device manufacturers and mobile network operators to cement its dominant position in general internet search.” This may be seen as a way to address competition issues while not breaking up Google as some have called for. However, Google is conducting monthly auctions among the other search engines to be of the three choices given to EU consumers, which allows Google to reap additional revenue.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Executive Order on Securing the United States Bulk-Power System

A new EO will result in the systems and equipment from certain nations, most likely including China, being barred from the U.S. electric grid on account of the risk they pose to national security.  

Late last week, President Donald Trump signed an executive order (EO) that would direct the Secretary of Energy and other officials to take steps to ensure the United States’ bulk power sector is protected from the threats posed by the manufacture of components by foreign adversaries, most likely the People’s Republic of China (PRC). This EO is of a piece with two Administration priorities: desired changes in trade policies with the PRC and defending the United States from vulnerabilities arising from an information and communications technology (ICT) supply chain that largely originates in the PRC. Trump declared a national emergency with respect to the bulk power system, triggering a range of powers to address this situation. The EO would establish a blanket ban on bulk power utilities from buying systems and equipment from yet to be named foreign adversaries except if allowed by the Department of Energy along with required mitigations.

Even though the EO and related materials released by the Trump Administration do not spell out the predicate for this action, the likely policy background was informed by broader concerns about possibly compromised ICT coming from the PRC and possibly more specific information about such equipment, hardware, software, and systems.The EO is also of a piece with the Trump Administration’s aggressive policy initiatives to protect the U.S. and rebuff alleged Chinese efforts to lace U.S. supply chains and critical systems with compromised technology that could later be used for espionage or cyber-attack.

Over the last few years, the Trump Administration reported of intrusions and penetrations of the U.S. electric system by hackers sponsored by or related to the Russian government. In 2018, the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) released an advisory in which they “characterize[d] this activity as a multi-stage intrusion campaign by Russian government cyber actors who targeted small commercial facilities’ networks where they staged malware, conducted spear phishing, and gained remote access into energy sector networks.” DHS and the FBI stated, “[a]fter obtaining access, the Russian government cyber actors conducted network reconnaissance, moved laterally, and collected information pertaining to Industrial Control Systems (ICS).” At about the same time, the Department of the Treasury announced sanctions against five Russian entities and 19 Russian nationals for “Russia’s continuing destabilizing activities” including “U.S. government entities and multiple U.S. critical infrastructure sectors, including the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors” as detailed in “the recent technical alert issued by the Department of Homeland Security and Federal Bureau of Investigation.”

The year before, DHS and the FBI advised critical infrastructure operators of a penetration of a nuclear energy operator in Kansas and others throughout the U.S. The agencies jointly claimed, “[t]here is no indication of a threat to public safety, as any potential impact appears to be limited to administrative and business networks.”

And yet, these forays could easily be precursors to the sorts of attacks Russia has waged against its neighbors. For example, in 2015, Russian hackers were identified as the culprits who compromised part of Ukraine’s electric grid, but it appears access was gained and havoc was wreaked through the acquisition of employees’ credentials and not likely through exploitation of weaknesses or backdoors in the utility’s systems. In the Director of National Intelligence’s public 2019 Worldwide Threat Assessment, it was claimed

Russia has the ability to execute cyber attacks in the United States that generate localized, temporary disruptive effects on critical infrastructure—such as disrupting an electrical distribution network for at least a few hours—similar to those demonstrated in Ukraine in 2015 and 2016.Moscow is mapping our critical infrastructure with the long-term goal of being able to cause substantial damage.

Moreover, risks to the energy sector have long been recognized. In a 2017 report prepared by the Idaho National Laboratory, “ICS   attacks   are   becoming   increasingly   more   targeted   and   sophisticated, with trusted communications  networks,  remote  access,  mobile  devices,  vendors,  and  supply  chains  are  the most likely routes of ingress.” In 2014, a U.S. think tank claimed

Vulnerabilities arise when utilities procure hardware and software from third-party vendors, including hardware or software that is intended to support smart grid and cybersecurity initiatives. New products and software may not be sufficiently secure in their design or implementation; they may be subject to malicious manipulation or be compromised by the use of counterfeit parts. Suppliers may not face market pressures or requirements to incorporate cybersecurity features in the design of their systems and devices. In some cases, products sold to the power sector may be insecure by design or insufficiently supported as new risks are identified. These issues are further complicated by the global nature of supply chains, which offer multiple possible entry points for cyber attacks. For example, numerous SCADA (supervisory control and data acquisition) devices are manufactured overseas, including in China, where external cyber threats have originated in the past.

In the EO, Trump found “that the unrestricted acquisition or use in the United States of bulk-power system electric equipment designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of foreign adversaries augments the ability of foreign adversaries to create and exploit vulnerabilities in bulk-power system electric equipment, with potentially catastrophic effects.” He added that “I therefore determine that the unrestricted foreign supply of bulk-power system electric equipment constitutes an unusual and extraordinary threat to the national security, foreign policy, and economy of the United States, which has its source in whole or in substantial part outside the United States.” Trump wrote, “[t]o address this threat, additional steps are required to protect the security, integrity, and reliability of bulk-power system electric equipment used in the United States.” He declared that “[i]n light of these findings, I hereby declare a national emergency with respect to the threat to the United States bulk-power system.”

The EO would bar the purchase of “any bulk-power system electric equipment” from unspecified foreign nations if the transaction poses unacceptable risks to the U.S. electric grid specifically and the U.S. generally. The EO defines foreign adversary as a “foreign government or foreign non-government person engaged in a long‑term pattern or serious instances of conduct significantly adverse to the national security of the United States or its allies or the security and safety of United States persons.” Presumably countries that have well-developed offensive cyber capabilities like the PRC, Russia, Iran, and North Korea would be designated foreign adversaries.

However, the Secretary of Energy could identify and require the use of mitigation measures that could render otherwise banned equipment to be bought and used. The Department of Energy “may establish and publish criteria for recognizing particular equipment and particular vendors in the bulk-power system electric equipment market as pre-qualified for future transactions; and may apply these criteria to establish and publish a list of pre-qualified equipment and vendors.”

More broadly, the Secretary of Energy is directed to use the full authority conferred on his department by Congress and all the powers available under the International Emergency Economic Powers Act (IEEPA), the basis for Presidents to impose sanctions and other economic measures in peace time. Pursuant to the use of these powers, the Department of Energy will likely identify countries as foreign adversaries for purposes of the EO and the companies they own, control, or have a stake in. Furthermore, the Department should also identify those foreign adversaries or companies that deserve additional scrutiny and a licensing process for those transactions that would otherwise be banned under the EO but are allowed to proceed with mitigation measures.  The Department of Energy must also identify any existing bulk power system electric equipment that poses a threat to national or economic security and determine the means by which this equipment could be monitored, isolated, or replaced. The EO would also create a Task Force on Federal Energy Infrastructure Procurement Policies Related to National Security (Task Force) that “shall work to protect the Nation from national security threats through the coordination of Federal Government procurement of energy infrastructure and the sharing of risk information and risk management practices to inform such procurement.”

Finally, regarding the thrust of the EO, it bears mention that the Federal Energy Regulatory Commission (FERC) granted a petition to “defer the implementation of several Commission-approved Reliability Standards that have effective dates or phased-in implementation dates that fall in the second half of 2020,” including CIP-013-1 (Cyber Security – Supply Chain Risk Management), which was designed “to help ensure that responsible entities establish organizationally-defined processes that integrate a cybersecurity risk management framework into the system development lifecycle.” The deferral of this and related standards was on account of the COVID-19 pandemic’s effect on the energy sector. When the rule was adopted, FERC explained “Reliability Standard CIP-013-1 addresses information system planning and vendor risk management and procurement controls by requiring that responsible entities develop and implement one or more documented supply chain cybersecurity risk management plan(s) for high and medium impact Bulk Electric System (BES) Cyber Systems. The required plans must address, as applicable, a baseline set of six security concepts: (1) Vendor security event notification; (2) coordinated incident response; (3) vendor personnel termination notification; (4) product/services vulnerability disclosures; (5) verification of software integrity and authenticity; and (6) coordination of vendor remote access controls.”

This EO could serve as a template for future actions to more tightly regulate other critical sectors. It is not hard to imagine Trump or a future president deciding that the threats posed by the PRC or other adversaries justifies a heavier role in the regulation of supply chains and even cybersecurity.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Fourth Volume of Report in 2016 Russian Hacking Endorses IC’s Conclusions

In a report that largely vindicates the Intelligence Community’s (IC) assessment of the 2016 election, a Senate committee continues with its investigation of Russian hacking with a heavily redacted fourth volume. The Republican-led committee rebuts the President’s assertions the IC was wrong and biased.  

The Senate Intelligence Committee has released the fourth of five planned volumes, detailing Russia’s interference in the 2016 presidential election. This volume, titled “Review of the Intelligence Community Assessment,” assessed the classified version of the Intelligence Community’s (IC) review and conclusions regarding Russian efforts to aid President Donald Trump’s campaign and to harm former Secretary of State Hillary Clinton’s bid for the presidency. In this assessment, the Committee found “unprecedented Russian interference” well-described, analyzed, and investigated by the IC. However, much of the report is redacted, and according to Committee Member, Senator Angus King (I-ME), this was done to protect the sources and methods the IC used.

An unclassified version of “Assessing Russian Activities and Intentions in Recent US Elections” was released in mid-2017 that was heavily criticized by the President, the White House, and a number of Republicans. Additionally, the House Intelligence Committee, led by then Chair and Trump ally Devin Nunes (R-CA), found that the IC assessment was plagued by “significant intelligence tradecraft failings.”

Given that the majority of Russian interference was executed in cyberspace, often through social media, it remains to be seen whether these reports will spur proposals to change laws regulating cybersecurity or U.S. intelligence activities. Moreover, like so many issues, the response to COVID-19 will likely overshadow this report and any potential impact it may have otherwise had.

While the White House has largely been silent on this volume of the Senate Intelligence Committee’s investigation, the subject of Russia’s activities during the 2016 election remains touchy at the White House, suggesting efforts to reform how the U.S. responds to this sort of hacking will remain at the agency-level with heads of key entities using authorities they currently possess. This opens the possibility that agencies and private sector entities will not receive new latitude to fight off disinformation campaigns likely to be waged by more than just Russia as North Korea, China, and Iran are often identified as those nations most able to interfer in this year’s election.

The Committee’s previous three volumes are: “Volume I: Russian Efforts Against Election Infrastructure,” “Volume II: Russia’s Use of Social Media,” and “Volume III: U.S. Government Response to Russian Activities.”

As threshold matters, the Committee found

  • [S]pecific intelligence as well as open source assessments support the assessment that President Putin approved and directed aspects of this influence campaign.
  • Further, a body of reporting, to include different intelligence disciplines, open source reporting on Russian leadership policy preferences, and Russian media content, showed that Moscow sought to denigrate then-candidate Clinton.
  • ICA presents information from public Russian leadership commentary, Russian state media reports, and specific intelligence reporting to support the assessment that Putin and the Russian Government demonstrated a preference for candidate Trump.

The Senate Intelligence Committee made the following findings:

1. The Committee found the Intelligence Community Assessment (ICA) presents a coherent and well-constructed intelligence basis for the case of unprecedented Russian interference in the 2016 U.S. presidential election. On the analytic lines of the ICA, the Committee concludes that all [REDACTED] lines are supported with all-source intelligence, although with varying substantiation. The Committee did not discover any significant analytic tradecraft issues in the preparation or final presentation of the ICA.

The ICA reflects proper analytic tradecraft despite being tasked and completed within a compressed time frame. The compact timeframe was a contributing factor for not conducting formal analysis of competing hypotheses.

The differing confidence levels on one analytic judgment are justified and properly represented. Those in disagreement all stated that they had the opportunity to express differing points of view. The decision regarding the presentation of differing confidence levels was the responsibility of the Director of the Central Intelligence Agency (CIA) John Brennan and the Director of the National Security Agency (NSA) Admiral Michael Rogers, both of whom independently expressed to the Committee that they reached the final wording openly and with sufficient exchanges of views.

Multiple intelligence disciplines are used and identified throughout the ICA. Where the Committee noted concerns about the use of specific sources, in no case did the Committee conclude any analytic line was compromised as a result.

In all the interviews of those who drafted and prepared the ICA, the Committee heard consistently that analysts were under no politically motivated pressure to reach specific conclusions. All analysts expressed that they were free to debate, object to content, and assess confidence levels, as is normal and proper for the analytic process.

2. The Committee found that the agencies responsible for the !CA-CIA, NSA, and FBI, under the aegis of ODNI-met the primary tasking as directed by President Obama, which was to assemble a product that reflected the intelligence available to the Intelligence Community (IC) regarding Russian interference in the 2016 election.

3. The Committee found that the ICA provides a proper representation of the intelligence collected by CIA, NSA, and FBI on Russian interference in 2016, and this body of evidence supports the substance and judgments of the ICA.

[REDACTED] Regarding FBI, the ICA states, in its “Scope and Sourcing” introduction, that “[w]e also do not include information from ongoing investigations.” [REDACTED] The Committee found that the information provided by Christopher Steele to FBI was not used in the body of the ICA or to support any of its analytic judgments. However, a summary of this material was included in Annex A as a compromise to FBI’s insistence that the information was responsive to the presidential tasking.

4. The Committee found the ICA makes a clear argument that the manner and aggressiveness of the Russian interference was historically unprecedented. However, the ICA and its sources do not provide a substantial representation of Russian interference in the 2008 and 2012 presidential elections, as the Committee understands was part of the President’s original tasking.

5. [REDACTED]The Committee found that the ICA did not provide a set of policy on how to respond to future Russian active measures, which was part of the tasking the President conveyed to the Director of National Intelligence (DNI) James Clapper. The ICA did include, in the compartmented version, an unclassified section independently produced by DHS, FBI, and the Department of Commerce’s National Institute of Standards and Technology (NIST), “DHS/FBI/NIST Recommendations: Options to Protect and Defend US Election Infrastructure and US Political Parties.”

The absence of policy recommendations was deliberate, due to the well-established norm that the IC provides insight and warning to policy makers, but does not itself make policy.

6. The Committee found the ICA would benefit from a more comprehensive presentation of how Russian propaganda-as generated by Russia’s multiple state-owned platforms-was used to complement the full Russian influence campaign.

Open source collection is a long-standing discipline for CIA and other elements of the IC, and open source reporting is used throughout the ICA to support specific analytic assertions. However, open source reporting on RT and Sputnik’s coverage of WikiLeaks releases of Democratic National Committee (DNC) information would have strengthened the ICA’s examination of Russia’s use of propaganda. On this point, the Committee finds that Annex [REDACTED] of the ICA-“Open Source Center Analysis: Russia: Kremlin’s TV Seeks to Influence Politics, Fuel Discontent in US,” published December 12, 2012-should have been updated to provide a summary of Kremlin propaganda in 2016, thereby making a more relevant contribution to the ICA. An update to this assessment was not produced by the Open Source Enterprise until after the publication of the ICA.

7. [REDACTED] The role of social media has been a significant focus by the Committee and is discussed in a separate volume of this report.