Further Reading, Other Developments, and Coming Events (15 August)

Here are Further Reading, Other Developments, and Coming Events.

Coming Events

  • On 18 August, the National Institute of Standards and Technology (NIST) will host the “Bias in AI Workshop, a virtual event to develop a shared understanding of bias in AI, what it is, and how to measure it.”
  • The United States’ Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) announced that its third annual National Cybersecurity Summit “will be held virtually as a series of webinars every Wednesday for four weeks beginning September 16 and ending October 7:”
    • September 16: Key Cyber Insights
    • September 23: Leading the Digital Transformation
    • September 30: Diversity in Cybersecurity
    • October 7: Defending our Democracy
    • One can register for the event here.
  • The Senate Judiciary Committee’s Antitrust, Competition Policy & Consumer Rights Subcommittee will hold a hearing on 15 September titled “Stacking the Tech: Has Google Harmed Competition in Online Advertising?.” In their press release, Chair Mike Lee (R-UT) and Ranking Member Amy Klobuchar (D-MN) asserted:
    • Google is the dominant player in online advertising, a business that accounts for around 85% of its revenues and which allows it to monetize the data it collects through the products it offers for free. Recent consumer complaints and investigations by law enforcement have raised questions about whether Google has acquired or maintained its market power in online advertising in violation of the antitrust laws. News reports indicate this may also be the centerpiece of a forthcoming antitrust lawsuit from the U.S. Department of Justice. This hearing will examine these allegations and provide a forum to assess the most important antitrust investigation of the 21st century.
  • On 22 September, the Federal Trade Commission (FTC) will hold a public workshop “to examine the potential benefits and challenges to consumers and competition raised by data portability.” By 21 August, the FTC “is seeking comment on a range of issues including:
    • How are companies currently implementing data portability? What are the different contexts in which data portability has been implemented?
    • What have been the benefits and costs of data portability? What are the benefits and costs of achieving data portability through regulation?
    • To what extent has data portability increased or decreased competition?
    • Are there research studies, surveys, or other information on the impact of data portability on consumer autonomy and trust?
    • Does data portability work better in some contexts than others (e.g., banking, health, social media)? Does it work better for particular types of information over others (e.g., information the consumer provides to the business vs. all information the business has about the consumer, information about the consumer alone vs. information that implicates others such as photos of multiple people, comment threads)?
    • Who should be responsible for the security of personal data in transit between businesses? Should there be data security standards for transmitting personal data between businesses? Who should develop these standards?
    • How do companies verify the identity of the requesting consumer before transmitting their information to another company?
    • How can interoperability among services best be achieved? What are the costs of interoperability? Who should be responsible for achieving interoperability?
    • What lessons and best practices can be learned from the implementation of the data portability requirements in the GDPR and CCPA? Has the implementation of these requirements affected competition and, if so, in what ways?”
  • The Federal Communications Commission (FCC) will hold an open meeting on 30 September, but an agenda is not available at this time.

Other Developments

  • The Global Engagement Center (GEC) at the U.S. Department of State published the “GEC Special Report: Pillars of Russia’s Disinformation and Propaganda Ecosystem” The GEC drew on “on publicly available reporting to provide an overview of Russia’s disinformation and propaganda ecosystem.”  The GEC identified the five pillars of Russia’s Disinformation and Propaganda Ecosystem:
    • official government communications;
    • state-funded global messaging;
    • cultivation of proxy sources;
    • weaponization of social media; and
    • cyber-enabled disinformation.
    • The GEC stated
      • This report provides a visual representation of the ecosystem described above, as well as an example of the media multiplier effect it enables. This serves to demonstrate how the different pillars of the ecosystem play distinct roles and feed off of and bolster each other. The report also includes brief profiles of select proxy sites and organizations that occupy an intermediate role between the pillars of the ecosystem with clear links to Russia and those that are meant to be fully deniable. The emphasis on these proxy sites is meant to highlight the important role they play, which can be overlooked given the attention paid to official Russian voices on one end of the spectrum, and the social media manipulation and cyber-enabled threats on the other.
  • The United States (U.S.) Department of Veterans Affairs (VA) has restarted its process for rolling out its new electronic health record (EHR) and announced it has “revised its previous schedule to convert facilities to its new HER capabilities with updated timelines for deployments in August in Columbus, Ohio, and October in Spokane, Washington.” The VA opted to replace its Veterans Health Information Systems and Technology Architecture (VistA) with a commercial off-the-shelf system the U.S. Department of Defense has chosen, Cerner Millennium. However, this $16 billion acquisition has encountered numerous difficulties and delays, which has caught he continued attention of Congress.
    • The VA claimed “The new timeline will preserve the 10-year implementation schedule and the overall cost estimates of VA’s EHR modernization program…[and] [a]fter the conversion at these sites, VA will bring other select facilities forward in the timeline.”
    • In June 2020, the U.S. Government Accountability Office (GAO) found:
      • VA met its schedule for making the needed system configuration decisions that would enable the department to implement its new EHR system at the first VA medical facility, which was planned for July 2020. In addition, VA has formulated a schedule for making the remaining EHR system configuration decisions before implementing the system at additional facilities planned for fall 2020.
      • VA’s Electronic Health Record Modernization (EHRM) program was generally effective in establishing decision-making procedures that were consistent with applicable federal standards for internal control. However, VA did not always ensure the involvement of relevant stakeholders, including medical facility clinicians and staff, in the system configuration decisions. Specifically, VA did not always clarify terminology and include adequate detail in descriptions of local workshop sessions to medical facility clinicians and staff to ensure relevant representation at local workshop meetings. Participation of such stakeholders is critical to ensuring that the EHR system is configured to meet the needs of clinicians and support the delivery of clinical care.
  • The United States (U.S.) Government Accountability Office (GAO) studied and reported on privacy and accuracy issues related to the use of facial recognition technology requested by the chairs of the House Judiciary and Oversight and Reform Committees. This report updates a 2015 report on the same issues and renews the agency’s call first made in 2013 that Congress “strengthen[] the current consumer privacy framework to reflect the effects of changes in technology and the marketplace—particularly in relation to consumer data used for marketing purposes—while also ensuring that any limitations on data collection and sharing do not unduly inhibit the economic and other benefits to industry and consumers that data sharing can accord.”
    • In the new report, the GAO explained that “[s]takeholders we interviewed identified additional activities that companies could improve the use of facial recognition technology. These activities include
      • defining the purpose for the technology’s use and clearly notifying consumers how companies are using the technology—such as surveillance or marketing;
      • identifying risks and limitations associated with using the technology and prohibiting certain uses (e.g., those with discriminatory purposes); and
      • providing guidance or training related to these issues.
    • The GAO asserted
      • However, these voluntary privacy frameworks and suggested activities that could help address privacy concerns or improve the use of facial recognition technology are not mandatory. Furthermore, as discussed earlier, in most contexts facial recognition technology is not currently covered by federal privacy law. Accordingly, we reiterate our 2013 suggestion that Congress strengthen the current consumer privacy framework to reflect the effects of changes in technology and the marketplace.
  • The United States Department of Justice (DOJ) “announced the dismantling of three terrorist financing cyber-enabled campaigns, involving the al-Qassam Brigades, Hamas’s military wing, al-Qaeda, and Islamic State of Iraq and the Levant (ISIS)…the government’s largest-ever seizure of cryptocurrency in the terrorism context.”
    • The DOJ claimed
      • These three terror finance campaigns all relied on sophisticated cyber-tools, including the solicitation of cryptocurrency donations from around the world.  The action demonstrates how different terrorist groups have similarly adapted their terror finance activities to the cyber age.  Each group used cryptocurrency and social media to garner attention and raise funds for their terror campaigns.  Pursuant to judicially-authorized warrants, U.S. authorities seized millions of dollars, over 300 cryptocurrency accounts, four websites, and four Facebook pages all related to the criminal enterprise.
  • The United States (U.S.) National Counterintelligence and Security Center (NCSC) revealed it has “has been providing classified briefings and other assistance to federal procurement executives, chief information officers and chief information security officers from across the U.S. Government on supply chain threats and risks stemming from contracting with five Chinese companies.” The NCSC explained the “supply chain security briefings are designed to assist federal agencies implement” Section 889 of the “John S. McCain National Defense Authorization Act (NDAA) for FY 2019” (P.L. 115-232).
    • The NCSC stated:
      • One provision of the NDAA prohibits the U.S. Government from directly using goods and services from five specified Chinese companies — Huawei, ZTE Corporation, Hytera Communications, Hanghzou Hikvision and Dahua Technology Company.
      • Another, broader, provision of Section 889 prohibits federal agencies from contracting with any company that uses goods and services from these five Chinese firms. This particular prohibition takes effect on August 13, 2020, unless a federal agency authorizes a waiver for a specific company, which can only be granted by the agency head after receiving NCSC supply chain security guidance.
  • The Federal Communications Commission (FCC) denied two petitions to stay an April 2020 rulemaking that would make the 6Ghz band of spectrum available to users other than the incumbents. The FCC noted “wo parties—Edison Electric Institute (EEI) and Association of Public-Safety Communications Officials-International, Inc. (APCO)—petitioned to stay the Order:
    • EEI, a trade association representing investor-owned electric utilities, seeks only to stay the effectiveness of the rules that apply to low-power indoor devices. 
    • APCO, a non-profit association of persons who manage and operate public-safety communications systems, seeks to stay the rules for both standard-power and low-power indoor operations.
    • In the rule and order, the FCC explained
      • We authorize two different types of unlicensed operations—standard-power and indoor low-power operations. We authorize standard-power access points using an automated frequency coordination (AFC) system. These access points can be deployed anywhere as part of hotspot networks, rural broadband deployments, or network capacity upgrades where needed. We also authorize indoor low-power access points across the entire 6 GHz band. These access points will be ideal for connecting devices in homes and businesses such smartphones, tablet devices, laptops, and Internet-of-things (IoT) devices to the Internet. As has occurred with Wi-Fi in the 2.4 GHz and 5 GHz bands, we expect that 6 GHz unlicensed devices will become a part of most peoples’ everyday lives. The rules we are adopting will also play a role in the growth of the IoT; connecting appliances, machines, meters, wearables, and other consumer electronics as well as industrial sensors for manufacturing.
  • In a speech, the Australian Competition and Consumer Commission (ACCC) Chair Rod Sims laid out the status of his agency’s actions against Google, Facebook, and other large technology platforms flowing from its final report in its “Digital Platforms Inquiry” that “proposes specific recommendations aimed at addressing some of the actual and potential negative impacts of digital platforms in the media and advertising markets, and also more broadly on consumers,” including:
    • The ACCC recently launched an action against Google regarding misleading representations it made to consumers to obtain their consent to expand the scope of personal information it collected and used about its’ users online activities.
    • In another case, which we brought against Google last year, we allege that Google misled consumers into sharing location data with Google. We contend Google did not clearly inform consumers using Android mobile devices that a particular account setting allowed Google to collect location data. We assert that many consumers may have unknowingly provided more of their personal location data to Google than they intended. Google then used consumers’ location data to enhance the value of its advertising services to prospective advertisers. This case is currently in Court with a hearing scheduled in late November.
    • Currently the ACCC is considering the acquisition by Google and Facebook of Fitbit and Giphy, respectively. We are considering questions such as whether they have the ability to give themselves advantages by favouring their own products, or whether these acquisitions are raising barriers to entry for other competitors.
    • In April 2020 the Federal Government directed the ACCC to develop a mandatory code of conduct to address bargaining power imbalances between Australian news media businesses and digital platforms. We recently published the draft legislation for the code.
  • A British appeals court overturned a decision that found that a police force’s use of facial recognition technology in a pilot program that utilized live footage to be legal. The appeals court found the use of this technology by the South Wales Police Force a violation of “the right to respect for private life under Article 8 of the European  Convention  on  Human  Rights,  data  protection  legislation,  and  the  Public  Sector Equality Duty (“PSED”) under section 149 of the Equality Act 2010.”

Further Reading

  • North Korean Hacking Group Attacks Israeli Defense Industry” by Ronen Bergman and Nicole Perlroth – The New York Times. Israel is denying the claims of a cybersecurity firm that hackers from the Democratic People’s Republic of Korea (DPRK) deeply penetrated its defense industry. Through the use of sophisticated phishing, including fake LinkedIn accounts and fluent English speakers, employees at Israeli defense companies were tricked into stalling spyware on these personal computers and then the hackers allegedly eventually accessed classified Israeli networks. The attacks show growing sophistication from DPRK hackers and that those looking to penetrate networks will always seek out weak spots.
  • Pentagon Requests More Time to Review JEDI Cloud Contract Bids” by Frank Konkel – Nextgov. The United States Department of Defense (DOD) has asked for yet more time to resolve who will win the second round of the Joint Enterprise Defense Infrastructure (JEDI) cloud contract that may prove worth more than $10 billion to the winner. The Pentagon had told the court it was on schedule to make an award ion the rebid of the contract that Microsoft had won over Amazon. The latter claimed political interference from the White House violated federal contract law, among other claims, resulting in this lawsuit.
  • Google rival’s study urges letting mobile users pick search defaults” by Ashley Gold – Axios. DuckDuckGo, a search engine, claims in newly released research that permitting Android users to choose their search engine would decrease Google’s market share by 20%. This could be relevant to the United States (U.S.) Department of Justice’s (DOJ) antitrust investigation. As a point of reference, in the U.S., the United Kingdom, and Australia, Google’s share of the mobile search engine market is 95%, 98% and 98%. DOJ may seriously look at this remedy as the European Commission (EC) imposed this as part of its antitrust case against Google, resulting in a record €4.34 billion fine.
  • Facial Recognition Start-Up Mounts a First Amendment Defense” By Kashmir Hill – The New York Times. Clearview AI has retained legendary First Amendment lawyer Floyd Abrams to make the argument that its collection, use, and dissemination of publicly photos scraped from the internet is protected as free speech. Abrams is quoting as saying that while privacy is, of course, an important right, the First Amendment to the United States Constitution would trump any such rights. It is expected that this argument will be employed in the myriad suits against the facial recognition technology firm in the range of suits against the company.
  • An advanced group specializing in corporate espionage is on a hacking spree” By Jeff Stone – cyberscoop. A new hacking group, RedCurl, has gone on a worldwide hacking campaign that broke into businesses in the United Kingdom, Canada, and other places. The hackers phished a number of businesses successfully by impersonating someone from the human resources in he organization.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Federal Software Hearing

Through the prism of the US’ inadequate response to the COVID-19 pandemic, a House committee chewed over familiar issues plaguing the US’ government’s technology use and modernization efforts.

First things first, if you would like to receive my Technology Policy Update, email me. You can find some of these Updates from 2019 and 2020 here.

On 15 July, the House Budget Committee held a virtual hearing titled “Software Update Required: COVID-19 Exposes Need for Federal Investments in Technology” to highlight the effects of underfunding of technology programs in the federal government has had in hindering efforts to combat COVID-19 and measures to mitigate its impacts. The shortcomings of federal information technology (IT) procurements, processes, and performance is one of the areas where there is bipartisan agreement on many of the issues and proposed solutions. However, Republicans and Democrats often differ on funding for civilian IT programs, a feature of the ongoing debate about another COVID-19 stimulus package. And this was the line that divided the chair and ranking member of the committee on how to address acknowledged failures in how federal and state governments distributed aid to people and businesses. Because the House Budget Committee does not have direct jurisdiction over technology programs other than setting broad parameters in the years it drafts and passes a budget resolution to guide Congressional funding, the impact of this hearing is more in the vein of shaping discussion in the House on how it should address the funding and governance of IT programs, which. Now total more than $90 billion annually of the more than $1.2 trillion in funds Congress doles out every year.

Chair John Yarmuth (D-KY) claimed “[r]ash funding cuts over the past decade have prevented the Internal Revenue Service (IRS) from modernizing its information technology (IT) systems, deteriorating the agency’s ability to not only carry out its core function of tax collection and enforcement, but also needlessly prolonging the delivery of stimulus payments to workers and families during the coronavirus pandemic and recession.” He asserted that “[t]he coronavirus pandemic has proved that the quicker the response the better the outcome – and that the steps taken by Congress to help American workers and families are only as effective as the agencies delivering that relief.” Yarmuth claimed “[u]nfortunately, the IRS is not alone in its inability to meet the needs of the American people in this perilous time.”

Yarmuth stated

  • Instead of helping to generate much-needed solutions, outdated IT systems are worsening an already difficult situation as Americans grapple with unreliable or insufficient internet access, useless automated systems, and overwhelmed and underprepared agencies. Emergency assistance programs across the board have been hampered by our antiquated IT systems – leaving families with delayed relief or no relief at all.
  • The most glaring example is unemployment assistance. We are four months into the worst economic downturn since the Great Depression, and there are still tens of thousands of workers who have filed for jobless claims but have not yet received a single payment. Many are going into debt or default, skipping meals, or losing their homes.
  • State unemployment offices, already underfunded and understaffed, were left completely unprepared for the massive influx of need. And a big reason for that is the fact that national administrative funding is essentially the same as it was in 2001 – and that’s before accounting for inflation.

Yarmuth continued

  • This lack of federal investment combined with old hardware, crashing web servers, and the need for new-hires proficient in COBOL – their systems’ 60-year old coding language – have left states scrambling. Their antiquated IT systems failed and continue to fail repeatedly – and American workers, those who lost their jobs through no fault of their own, are paying the price.
  • This aspect of our ongoing crisis is not new. The federal government has long sought to prioritize modern, secure, and shared IT solutions, but funding uncertainties – stemming from constrained discretionary funding under budget caps, shutdown threats, and continuing resolutions – have made agencies more likely to update instead of modernize. The Government Accountability Office (GAO) reports that while the total share of federal IT spending is increasing, it isn’t because we are investing in better and new technology. It’s because the price of updating our existing systems is snowballing as our ancient software becomes increasingly outdated and hardware parts nearly impossible to find.

Yarmuth said “[t]o date, Congress has passed legislation that includes $1 billion in grants to state unemployment offices to help process claims faster – and more is needed.” He argued that “[b]y refusing to bring the “HEROES Act” (H.R.6800) to the floor, [Senate Majority] Leader [Mitch] McConnell (R-KY) is holding up an additional $1 billion for the federal Technology Modernization Fund and a combined $5.5 billion to help schools, libraries, and impacted families access high speed connectivity and devices to facilitate distance learning – something we must prioritize in order to protect our children and educators.” Yarmuth remarked “earlier this month, House Democrats passed the “Moving Forward Act,” (H.R.2) a comprehensive infrastructure package that includes $100 billion in broadband funding to extend high speed internet to underserved and hard to reach communities.” He declared that “[w]e have to invest in modernization now, so that the federal government can help provide workers, families, and state and local governments with the necessary tools and resources to support our nation’s recovery efforts.”

Ranking Member Steve Womack (R-AR) said “[f]ederal information technology (IT) systems are critical to providing Americans with a wide range of government services and information…[and] [i]n the 21st century, it’s no secret that IT is fundamental to many different operations.” He contended “[t]hese systems are aimed at improving program delivery, maximizing effectiveness and efficiency, and ensuring data security…[and] [i]f we cannot maintain and optimize this critical infrastructure, the federal government will be unable to execute one of its essential functions: providing crucial resources and services to the American people.” Womack asserted “[w]e should never allow the delivery of veteran health care, social security benefits, or defense initiatives to fail because of outdated and faulty IT systems.”

Womack stated that “[u]nfortunately, current federal IT upgrade efforts are faltering due to missed deadlines, cost overruns, and inadequate outcomes, including operability failure and data breaches…[and] [w]hile COVID-19 exposed additional deficiencies of federal IT systems, these shortages existed long before the current pandemic.”

Womack stated

  • For example, in 2011, the Department of Veterans Affairs (VA) and the Department of Defense (DOD) began an electronic health record (EHR) modernization initiative to create a single, shared system between the two departments. In 2013, and after spending more than $1 billion on the program, the VA and DOD announced they were abandoning the project with nothing to show for the money spent other than a painful lesson learned. This is not only a waste of taxpayer dollars, but, more disconcerting, it hurts our nation’s service members and veterans who depend on these health care services. This is the more upsetting part for me. Program indecision and mismanagement have resulted in us failing those who’ve served this country.
  • Where is this EHR effort at the VA today? The VA and DOD are trying this again with a new government contract from Cerner. This initiative is already nearly one year behind schedule and has yet to go live in even one medical center. I truly hope this story ends better than past VA efforts in the IT space.

Womack added “I’m not just picking on the VA’s challenges. There are other examples of how we have fallen short:

  • In 2014, the Office of Personnel Management’s data was breached, which resulted in approximately 21.5 million compromised records.
  • The HITECH Act, which was part of the 2009 stimulus package, allocated billions of dollars for the Department of Health and Human Services (HHS) for IT development. To date, HHS still does not have an interoperable system and continues to struggle with siloed and fragmented data due to the different electronic health records vendors.”

Womack claimed “the question is, how do we make sure, going forward, all federal investments in IT modernization efforts result in the timely deployment of up-to-date, secure, and properly functioning systems?”

Womack asserted

  • Strong vetting and planning for proper IT implementation is key. It is imperative that these investments are met with rigorous oversight—yes, that is our job here in Congress—and agency accountability to ensure that the public is getting the best services available and taxpayer dollars are not wasted.
  • But, as I mentioned last week, there is another threat to federal investments in vital government programs such as IT modernization. That is our out-of-control deficit and debt. If we don’t confront the autopilot mandatory spending that is hurtling us towards a fiscal cliff, there won’t be any money left to fund a range of prerogatives.
  • Time is running out, and it’s essential that Congress directly address this problem. The Budget Committee must meet its duty and put together a budget to chart a new way forward. We need to get back to making the tough choices that will determine a brighter future. We have an obligation to current and future generations to ensure that critical programs don’t cease to exist.

National Academy of Public Administration President and CEO Teresa Gerton stated

  • The government’s IT infrastructure is heavily dependent upon technologies that were invented in the mid-twentieth century. The coronavirus pandemic has made it abundantly clear that those systems pose extraordinary risk to government operations in a steady state environment, and they may fail catastrophically in a crisis. And yet, government budgeting rules and appropriation law have created IT acquisition challenges for almost as long as the term “IT” has existed.
  • Insufficient funding for capital improvements has forced agencies to repeat a cycle in which robust plans submitted with their budget requests have to be scaled back to align with the reduced funding amounts they eventually receive. Insufficient funding leads to implementation of sub-optimal solutions with limited impact on improving efficiency. Ironically, governments bear an extra cost burden for such strategies because they must allocate expensive resources to maintain obsolete and inefficient solutions, which by any reasonable business standard should have been rationalized and replaced.
  • To really change the future, we must change the rules. Today the government has challenges with cloud procurement, but the market is constantly evolving. More things will be sold as a service in the future. With enablers like quantum computing and machine learning, technology innovation will inevitably continue at an increasing rate. Given the economic, demographic, and social challenges facing this nation, the federal government must find new ways to invest in and to improve its effectiveness and efficiency to successfully meet the current and future demands of the American public. We must provide acquisition and sustainment flexibility that reflects what the commercial market is selling, and we must adapt our accounting and auditing rules to encourage, not discourage, the use of these flexibilities. We must be ready to effectively acquire and deploy modern technology solutions or risk failures in our support to our citizens, and potentially calamitous failures in our ability to govern.

Code for America Founder and U.S. Digital Response Co-Founder Jennifer Pahlka said “[t]o get government tech right, we of course need to be able to procure more modern technology platforms…[b]ut that will be insufficient if we don’t also do three things that support ​agility and human-centered design:

  • The first is to break down the silos between policy, technology and other disciplines. Technology can’t speed a process in which most cases must be handled manually, as I described above in the case of unemployment benefits under the CARES Act. A similar problem is that many states require applicants for Pandemic Unemployment Assistance (PUA) to apply for regular unemployment first, wait to receive their rejection, and only then apply for PUA. Tech, operations, policy and compliance staff must work together to solve these problems, and agile development models allow for this collaboration in ways that legacy models do not. We must even have digital professionals at the table when we craft policy; understanding how the service will be delivered is critical to getting the outcomes the policy seeks, especially now, as we face greater and greater needs and limited delivery capabilities. As the former head of the White House Domestic Policy Council Cecilia Muñoz has said, “Policy leaders must learn the skills of human-centered design, and technology must have a seat at the strategy table.”
  • The second is to encourage rapid prototyping and continuous development. Our legacy process involves a requirements gathering period that can take many years, followed by the development of a Request for Proposal that can be thousands of pages long, lengthy contracting and development periods, and then a move into what’s called sustainment. This process may work for constructing buildings, but it’s simply not how good software comes to life. It is better, faster and cheaper when interdisciplinary teams start small, build iteratively, work closely with the users of the software all the way through, and continuously update and improve the application.
  • The third is to demand that all services provide real-time data about their usage and that human beings are assigned to looking at that data to understand what’s working, what’s not working and what can be done about it. When Code for America started working to decrease the participation gap in Supplemental Nutrition Assistance (SNAP) in California, our team found that the program leadership had very little insight into the reasons people tried to apply and couldn’t, or applied but couldn’t make it through the burdensome process despite being eligible. It wasn’t that they didn’t care; the systems they’d been given to manage eligibility and enrollment simply didn’t provide that data, and what data they did get was usually months, if not years, old by the time they got it. Creating an online application that was simpler and easier to use had huge benefits for the people applying, but an equally important benefit was that the system was instrumented to allow decision-makers to see in near real-time where users got stuck and begin to fix those issues. This access to real-time data is part of what’s needed as we deal with today’s crisis.

National Employment Law Project Executive Director Rebecca Dixon urged “Congress to immediately take the following steps, which will help stabilize and ensure greater accountability and transparency over the state IT systems:

1. Fully Fund the States Linked to Strong Accountability Standards: Most importantly, the federal government must make a sizable commitment to provide dedicated funding of IT modernization and far more adequate levels of basic state unemployment insurance (UI) administration funding. With the additional funding should come strong federal oversight and enforcement, including tangible requirements that the modernization process include input from stakeholders (including workers and their advocates) from beginning to end, and comprehensive user testing that ensures participation from Black people who are faced with the most barriers, and all communities of color; those on the other side of the digital divide; people with limited English proficiency; and people with disabilities.

2. Expand the Department of Labor’s (DOL) IT Expertise and Mandate to Ensure Full Access: There is extremely limited independent capacity and IT expertise on the part of DOL to actively monitor and enforce the state UI systems. DOL should create a specialized unit devoted to the IT, phone and other state UI agency infrastructure needs. DOL’s new regime should include strong measures of state success and failure (including adequate customer service) that can be assigned a grade that should be prominently featured on the DOL website to provide transparency to the public and compare the operation of programs across the states. For example, DOL should extend the timeliness regulations to ensure that workers are able to successfully reach a claims agent by phone within a reasonable period of time. In addition, DOL’s Center for Civil Rights should also be fully resourced to more promptly investigate and respond to complaints and make the results of their investigations public. DOL should also have the authority to review IT contractor agreements, audit contractors where necessary, and require the states to produce data documenting contractor performance.

3. Federal Commission on Modernization of Federally Funded Benefit Programs: A federal task force should be immediately created to evaluate the performance of federally funded programs, including UI, and make recommendations for reform related to funding, the creation of robust standards and metrics, contractor accountability, best practices, and the adequacy of federal agency oversight and enforcement, including compliance with civil rights laws. The task force should also explore whether certain administrative and infrastructure functions (especially in response to disasters and public health emergencies) should be federalized, and whether federal agencies should have the authority to negotiate favorable terms with IT and phone system vendors that take advantage of the federal government’s ability to leverage cost savings while also producing more compatible and high-quality state systems. Federalization in whole or part may be the simplest solution. The patchwork of state systems means that each state has to struggle with the modernization process and vendor negotiations. While some states have banded together into consortia to get a better deal, those consortia can dissolve as political leadership shifts in allied states or as states develop different modernization goals, wasting time and money. A federal process could achieve these goals on the largest possible scale.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo by Christina @ wocintechchat.com on Unsplash

Further Reading and Other Developments (13 June)

First things first, if you would like to receive my Technology Policy Update, email me. You can find some of these Updates from 2019 and 2020 here.

Other Developments

  • The University of Toronto’s Citizen Lab alleged that an Indian information technology (IT) firm has been running a hacking for hire operation possibly utilized by multinationals to target non-profits, journalists, and advocacy groups:
    • Dark Basin is a hack-for-hire group that has targeted thousands of individuals and hundreds of institutions on six continents. Targets include advocacy groups and journalists, elected and senior government officials, hedge funds, and multiple industries.
    • Dark Basin extensively targeted American nonprofits, including organisations working on a campaign called #ExxonKnew, which asserted that ExxonMobil hid information about climate change for decades.
    • We also identify Dark Basin as the group behind the phishing of organizations working on net neutrality advocacy, previously reported by the Electronic Frontier Foundation.
  • The Massachusetts Institute of Technology (MIT) and the University of Michigan (UM) “released a report on the security of OmniBallot, an Internet voting and ballot delivery system produced by Democracy Live…[that] has been deployed in Delaware, West Virginia, and other jurisdictions.” MIT and UM “The full technical report contains detailed recommendations for jurisdictions, but here’s what individual voters can do to help reduce risks to their security and privacy:
    • Your safest option is to avoid using OmniBallot. Either vote in person or request a mail-in absentee ballot, if you can. Mail-in ballots are a reasonably safe option, provided you check them for accuracy and adhere to all relevant deadlines.
    • If you can’t do that, your next-safest option is to use OmniBallot to download a blank ballot and print it, mark it by hand, and mail it back or drop it off. Always double-check that you’ve marked your ballot correctly, and confirm the mailing address with your local jurisdiction. 
    • If you are unable to mark your ballot by hand, OmniBallot can let you mark it on-screen. However, this option (as used in Delaware and West Virginia) will send your identity and secret ballot selections over the Internet to Democracy Live’s servers even if you return your ballot through the mail. This increases the risk that your choices may be exposed or manipulated, so we recommend that voters only use online marking as a last resort. If you do mark your ballot online, be sure to print it, carefully check that the printout is marked the way you intended, and physically return it.
    • If at all possible, do not return your ballot through OmniBallot’s website or by email or fax. These return modes cause your vote to be transmitted over the Internet, or via networks attached to the Internet, exposing the election to a critical risk that votes will be changed, at wide scale, without detection. Recent recommendations from DHS, the bi-parisan findings of the Senate Intelligence Committee, and the consensus of the National Academies of Science, Engineering, and Medicine accord with our assessment that returning ballots online constitutes a severe security risk.
  • The “Justice in Policing Act of 2020” (H.R.7120/S.3912) was introduced this week in response to the protests and disparate policing practices towards African Americans primarily and would bar the use of facial recognition technology for body cameras, patrol car cameras, or other cameras authorized and regulated under the bill. The House Oversight and Reform Committee has held a series of hearings this Congress on facial recognition technology, with Members on both sides of the aisle saying they want legislation regulating the government’s use of it. As of yet, no such legislation has been introduced. Facial recognition technology language was also a major factor in privacy legislation dying last year in Washington state and was outright removed to avoid the same fate this year.
  • The Government Accountability Office (GAO) released “ELECTRONIC HEALTH RECORDS: Ongoing Stakeholder Involvement Needed in the Department of Veterans Affairs’ Modernization Effort” a week after Secretary of Veterans Affairs Robert Wilkie informed the House Appropriations Committee that the electronic health record rollout has been paused due to COVID-19. Nevertheless, the GAO concluded:
    • VA met its schedule for making the needed system configuration decisions that would enable the department to implement its new EHR system at the first VA medical facility, which was planned for July 2020. In addition, VA has formulated a schedule for making the remaining EHR system configuration decisions before implementing the system at additional facilities planned for fall 2020. VA’s EHRM program was generally effective in establishing decisionmaking procedures that were consistent with applicable federal standards for internal control.
    • However, VA did not always ensure the involvement of relevant stakeholders, including medical facility clinicians and staff, in the system configuration decisions. Specifically, VA did not always clarify terminology and include adequate detail in descriptions of local workshop sessions to medical facility clinicians and staff to ensure relevant representation at local workshop meetings. Participation of such stakeholders is critical to ensuring that the EHR system is configured to meet the needs of clinicians and support the delivery of clinical care.
  • The GAO recommended
    • For implementation of the EHR system at future VA medical facilities, we recommend that the Secretary of VA direct the EHRM Executive Director to clarify terminology and include adequate detail in descriptions of local workshop sessions to facilitate the participation of all relevant stakeholders including medical facility clinicians and staff. (Recommendation 1)
  • Europol and the European Union Intellectual Property Office released a report to advise law enforcement agencies and policymakers “in the shape of a case book and presents case examples showing how intellectual property (IP) crime is linked to other forms of criminality, including money laundering, document fraud, cybercrime, fraud, drug production and trafficking and terrorism.”
  • The New York University Stern Center for Business and Human Rights released its latest report on social media titled “Who Moderates the Social Media Giants? A Call to End Outsourcing” that calls for major reforms in how these companies moderate content so as to improve the online ecosystem and the conditions, pay, and efficiacy of those actually doing the work. The report claimed “[d]espite the centrality of content moderation, however, major social media companies have marginalized the people who do this work, outsourcing the vast majority of it to third-party vendors…[and] [a] close look at this situation reveals three main problems:
    • In some parts of the world distant from Silicon Valley, the marginalization of content moderation has led to social media companies paying inadequate attention to how their platforms have been misused to stoke ethnic and religious violence. This has occurred in places ranging from Myanmar to Ethiopia. Facebook, for example, has expanded into far-flung markets, seeking to boost its user-growth numbers, without having sufficient moderators in place who understand local languages and cultures.
    • The peripheral status of moderators undercuts their receiving adequate counseling and medical care for the psychological side effects of repeated exposure to toxic online content. Watching the worst social media has to offer leaves many moderators emotionally debilitated. Too often, they don’t get the support or benefits they need and deserve.
    • The frequently chaotic outsourced environments in which moderators work impinge on their decisionmaking. Disputes with quality-control reviewers consume time and attention and contribute to a rancorous atmosphere.
  • The National Institute of Standards and Technology (NIST) “requests review and comments on the four-volume set of documents: Special Publication (SP) 800-63-3 Digital Identity Guidelines, SP 800-63A Enrollment and Identity Proofing, SP 800-63B Authentication and Lifecycle Management, and SP 800-63C Federation and Assertions…[that] presents the controls and technical requirements to meet the digital identity management assurance levels specified in each volume.” NIST “is requesting comments on the document in response to agency and industry implementations, industry and market innovation and the current threat environment.” Comments are due by 10 August.
  • The Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) updated its Cyber Risks to Next Generation 911 White Paper and released Cyber Risks to 911: Telephony Denial of Service and PSAP Ransomware Poster. CISA explained:
    • Potential cyber risks to Next Generation 9-1-1 (NG9-1-1) systems do not undermine the benefits of NG9-1-1. Nevertheless, cyber risks present a new level of exposure that PSAP administrators must understand and actively manage as a part of a comprehensive risk management program. Systems are already under attack. As cyber threats grow in complexity and sophistication, attacks could be more severe against NG9-1-1 systems as attackers can launch multiple distributed attacks with greater automation from a broader geography and against more targets.  This document provides an overview of the cyber risk landscape, offers an approach for assessing and managing risk, and provides additional cybersecurity resources. 
  • The Government Accountability Office (GAO) released a number of technology reports:
    • The GAO recommended that the Department of Energy’s (DOE) National Nuclear Security Administration (NNSA) “should incorporate additional management controls to better oversee and coordinate NNSA’s microelectronics activities. Such management controls could include investing the microelectronics coordinator with increased responsibility and authority, developing an overarching management plan, and developing a mission need statement and a microelectronics requirements document.”
  • The GAO found that
    • The Department of Homeland Security (DHS) has taken steps to implement selected leading practices in its transition from waterfall, an approach that historically delivered useable software years after program initiation, to Agile software development, which is focused on incremental and rapid delivery of working software in small segments. As shown below, this quick, iterative approach is to deliver results faster and collect user feedback continuously.
    • DHS has fully addressed one of three leading practice areas for organization change management and partially addressed the other two. Collectively, these practices advise an organization to plan for, implement, and measure the impact when undertaking a significant change. The department has fully defined plans for transitioning to Agile development. DHS has partially addressed implementation—the department completed 134 activities but deferred roughly 34 percent of planned activities to a later date. These deferred activities are in progress or have not been started. With respect to the third practice, DHS clarified expected outcomes for the transition, such as reduced risk of large, expensive IT failures. However, these outcomes are not tied to target measures. Without these, DHS will not know if the transition is achieving its desired results.
    • DHS has also addressed four of the nine leading practices for adopting Agile software development. For example, the department has modified its acquisition policies to support Agile development methods. However, it needs to take additional steps to, among other things, ensure all staff are appropriately trained and establish expectations for tracking software code quality. By fully addressing leading practices, DHS can reduce the risk of continued problems in developing and acquiring current, as well as, future IT systems.
  • The GAO rated “[t]he Department of Defense’s (DOD) current initiative to transition to Internet Protocol version 6 (IPv6), which began in April 2017, follows at least two prior attempts to implement IPv6 that were halted by DOD.”
    • In February 2019, DOD released its own IPv6 planning and implementation guidance that listed 35 required transition activities, 18 of which were due to be completed before March 2020. DOD completed six of the 18 activities as of March 2020. DOD officials acknowledged that the department’s transition time frames were optimistic; they added that they had thought that the activities’ deadlines were reasonable until they started performing the work. Without an inventory, a cost estimate, or a risk analysis, DOD significantly reduced the probability that it could have developed a realistic transition schedule. Addressing these basic planning requirements would supply DOD with needed information that would enable the department to develop realistic, detailed, and informed transition plans and time frames.

Further Reading

  • Amid Pandemic and Upheaval, New Cyberthreats to the Presidential Election” – The New York Times. Beyond disinformation and misinformation campaigns, United States’ federal and state officials are grappling with a range of cyber-related threats including some states’ insistence on using online voting, which the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) deemed “high risk” in an unreleased assessment the agency softened before distribution to state lection officials. There are also worries that Russian or other nation-state hackers could assess voting databases in ways that would call election day results into question, or other hackers could break in, lock, and then ransom such data bases. CISA and other stakeholders have articulated concerns about the security of voting machines, apps, and systems currently used by states. 
  • Microsoft won’t sell police its facial-recognition technology, following similar moves by Amazon and IBM” – The Washington Post. The three tech giants responded to pressure from protestors to stop selling facial recognition technology to police departments with Microsoft being the latest to make this pledge. The companies have said they will not sell this technology until there is a federal law regulating it. The American Civil Liberties Union said in its press release “Congress and legislatures nationwide must swiftly stop law enforcement use of face recognition, and companies like Microsoft should work with the civil rights community  — not against it — to make that happen…[and] [t]his includes Microsoft halting its current efforts to advance legislation that would legitimize and expand the police use of facial recognition in multiple states nationwide.” The above mentioned “Justice in Policing Act of 2020” (H.R.7120/S.3912) would not regulate the technology per se but would ban its use from body and car cameras. However, the companies said nothing about selling this technology to federal agencies such as US Immigration and Customs Enforcement. And, IBM, unlike Amazon and Microsoft, announced it was leaving the facial recognition field altogether. However, AI Clearview, the controversial facial recognition firm, has not joined this pledge.
  • ICE Outlines How Investigators Rely on Third-Party Facial Recognition Services” – Nextgov. In a recently released privacy impact assessment, US Immigration and Customs Enforcement’s Homeland Security Investigations (HSI) explained its use of US and state government and commercial recognition databases and technologies. The agency claimed this is to be used only after agents have exhausted more traditional means of identifying suspects and others and only if relevant to the investigation. The agency claimed “ICE HSI primarily uses this law enforcement tool to identify victims of child exploitation and human trafficking, subjects engaged in the online and sexual exploitation of children, subjects engaged in financial fraud schemes, identity and benefit fraud, and those identified as members of transnational criminal organizations.” Given what some call abuses and others call mistakes in US surveillance programs, it is probable ICE will exceed the limits it is setting on the use of this technology absent meaningful, independent oversight.
  • Zoom confirms Beijing asked it to suspend activists over Tiananmen Square meetings” – Axios. In a statement, Zoom admitted it responded to pressure from the People’s Republic of China (PRC) to shut down 4 June meetings to commemorate Tiananmen Square inside and outside the PRC, including in the United States if enough PRC nationals were participating. It is not hard to imagine the company being called to task in Washington and in western Europe for conforming to Beijing’s wishes. The company seems to be vowing to develop technology to block participants by country as opposed to shutting down meetings and a process to consider requests by nations to block certain content illegal within their borders.
  • Coronavirus conspiracy theorists threaten 5G cell towers, DHS memo warns” – CyberScoop. The Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) has warned telecommunications companies they should establish or better still already have in place security protocols to protect equipment, especially 5G gear, from sabotage arising from the conspiracy theory that 5G transmission either compromises immune systems making one more susceptible to COVID-19 or actually spreads the virus. There have been a spate of attacks in the United Kingdom, and a number of Americans are advocating for this theory, including actor Woody Harrelson.  
  • Police Officers’ Personal Info Leaked Online” – Associated Press. At the same time police are facing protestors in the streets of many American cities and towns, the sensitive personal information of some officers have been posted online, possibly putting them and their families at risk.
  • Facebook Helped the FBI Hack a Child Predator” – Vice’s Motherboard. In a story apparently leaked by Facebook, it is revealed that the company hired a third-party hacker to help reveal a nefarious, technologically adept person who was terrorizing and extorting female minors through the development of a zero-day exploit. This is supposedly the first time Facebook engaged in conduct such as this to help law enforcement authorities. The company revealed it routinely tracks problematic users, including those exploiting children. This article would seem tailor-made to push back on the narrative being propagated by the Department of Justice and other nations’ law enforcement agencies that tech companies opposing backdoors in encrypted systems helps sexual predators. There are also the usual concerns that any exploit of a platform or technology people use to remain private will ultimately be used broadly by law enforcement agencies often to the detriment of human rights activists, dissidents, and journalists.
  • Amazon, Facebook and Google turn to deep network of political allies to battle back antitrust probes” – The Washington Post. These tech companies are utilizing means beyond traditional lobbying and public relations to wage the battle against US and state governments investigating them for possible antitrust and anticompetitive practices.
  • One America News, the Network That Spreads Conspiracies to the West Wing” – The New York Times. The upstart media outlet has received a boost in recent days by being promoted by President Donald Trump who quoted its as of yet unproven allegations that a Buffalo man knocked down by police was an antifa agitator. The outlet has received preferential treatment from the White House and is likely another means by which the White House will seek to get its message out.
  • EU says China behind ‘huge wave’ of Covid-19 disinformation” – The Guardian. European Commission Vice President Vĕra Jourová called out the People’s Republic of China (PRC) along with the Russian Federation for spreading prodigious amounts of disinformation in what is likely a shift for Brussels towards a more adversarial stance versus the PRC. As recently as March, an European Union body toned down a report on PRC activities, but this development seems to be a change of course.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Image by Gerd Altmann from Pixabay