Australia Further Expands Law Enforcement Agency Powers To Fight Online Crime
U.S. Census Bureau has cyber vulnerabilities; Apple settles with and keeps suing Corellium
Australia’s Parliament passed an amended version of the “Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020” that will give more power to the Australian Federal Police (AFP) and the Australian Criminal Intelligence Commission (ACIC) to fight online crime. The bill had been proposed last year alongside other measures to address the online and digital worlds. Again, Australia is leading the way among western nations in changing how technology is regulated. The bill was changed after a Parliamentary committee heard views from stakeholders and the ruling party and main opposition party agreed on a raft of changes. Nonetheless, the basic structure survived and law enforcement agencies could request and operate under three new types of warrants: data disruption warrants, network activity warrants, and account takeover warrants.
In January, I wrote about this bill (see here for more detail and analysis) as it stood then and before the Parliamentary Joint Committee on Intelligence and Security (PJCIS) issued its advisory report on the bill, including recommendations on how to alter the legislation. As I wrote then, and this still holds true, generally:
This new legislation follows a 2018 law that allows the Australian government to order technology companies to assist in decrypting and handing over communications. Under the new bill, some of Australia’s law enforcement agencies would be able to use new “data disruption warrants” to stop and interfere with online crimes. Additionally, agencies could use “network activity warrants” to surveil online criminal activity and may obtain “account takeover warrants” to seize online accounts to acquire evidence in the course of an investigation.
As noted, last week, Australia’s House of Representatives and then the Senate passed an amended version of the “Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020” and the bill takes effect upon getting the Royal Assent from Australia’s Governor-General.
In the first of two explanatory memorandums on the revised bill, the Minister for Home Affairs Karen Andrews MP summarized the bill at a high level:
The Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020 amends the Surveillance Devices Act 2004 (SD Act), the Crimes Act 1914 (Crimes Act) and associated legislation to introduce new law enforcement powers to enhance the ability of the Australian Federal Police (AFP) and the Australian Criminal Intelligence Commission (ACIC) to combat online serious crime.
Andrews continued with the government’s rationale for expanding the powers of Australian law enforcement agencies:
§ Cyber-enabled serious and organised crime, often enabled by the dark web and other anonymising technologies, such as bespoke encrypted devices for criminal use, presents a direct challenge to community safety and the rule of law. For example, on the dark web criminals carry out their activities with a lower risk of identification and apprehension. Many anonymising technologies and criminal methodologies can be combined for cumulative effect, meaning it is technically difficult, and time and resource intensive, for law enforcement to take effective action. Just as online criminals are constantly changing their operations and reacting to new environments, the law must adapt in order to give law enforcement agencies effective powers of response.
§ Existing electronic surveillance powers, while useful for revealing many aspects of online criminality, are not suitably adapted to identifying and disrupting targets where those targets are actively seeking to obscure their identity and the scope of their activities. Without the critical first step of being able to identify potential offenders, investigations into serious and organised criminality can fall at the first hurdle. Being able to understand the networks that criminals are involved in and how they conduct their crimes is also a crucial step toward prosecution.
§ This Bill addresses gaps in the legislative framework to better enable the AFP and the ACIC to collect intelligence, conduct investigations, disrupt and prosecute the most serious of crimes, including child abuse and exploitation, terrorism, the sale of illicit drugs, human trafficking, identity theft and fraud, assassinations, and the distribution of weapons.
Then Andrews claimed:
§ The Bill contains the necessary safeguards, including oversight mechanisms and controls on the use of information, to ensure that the AFP and the ACIC use these powers in a targeted and proportionate manner to minimise the potential impact on legitimate users of online platforms.
§ The Bill introduces three new powers for the AFP and the ACIC. They are:
· Data disruption warrants to enable the AFP and the ACIC to disrupt data by modifying, adding, copying or deleting in order to frustrate the commission of serious offences online
· Network activity warrants to allow agencies to collect intelligence on serious criminal activity being conducted by criminal networks, and
· Account takeover warrants to provide the AFP and the ACIC with the ability to take control of a person’s online account for the purposes of gathering evidence to further a criminal investigation.
§ The Bill also introduces sunset provisions for warrants and emergency authorisations under the Bill.
Of course, all the above is the ruling Liberal–National Coalition’s position on and justification for the “Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020.” However, the main opposition party was mostly aligned with the government. The Deputy Leader of the opposition Labor Party, Senator Kristina Keneally, asserted during debate:
§ I now want to turn to the amendments proposed by the Parliamentary Joint Committee on Intelligence and Security, and the government's response. The government has implemented, wholly or substantially, 23 of the PJCIS's 33 recommendations, through legislative amendments or changes to the explanatory memorandum to this bill. Significantly, these changes include strengthening the issuing criteria for warrants, including considerations for privacy, public interest, privileged and journalistic information, and financial impacts; reviews by the Independent National Security Legislation Monitor and the PJCIS; sunset powers in five years; and good-faith immunity provisions for assistance orders. These are significant recommendations, made in a bipartisan fashion by the Parliamentary Joint Committee on Intelligence and Security, and I am pleased that the government has taken them up in the form of legislative amendments to this bill.
§ Of the other 10 PJCIS recommendations, four have been accepted by the government and will be incorporated into its response to the comprehensive review of the national intelligence community conducted by Dennis Richardson; these are that the Ombudsman's powers be expanded to cover the AFP and the ACIC. The government has noted this was recommended by the Richardson review and accepted by the government and will be implemented as part of the government's electronic surveillance reforms. The committee also recommended that the issuing authority for these warrants should be a superior court judge or an eligible judge. These are extraordinary powers, and committee members felt that they required a higher level of authorisation.
§ Another recommendation that the government has accepted but is not progressing with this bill but as part of another process is the committee's recommendation that a public interest advocate must be appointed when warrants are being sought in relation to journalists or media organisations. The minister has confirmed to me that the government notes and accepts this recommendation, noting that it is responding to this recommendation as part of its response to the Parliamentary Joint Committee on Intelligence and Security's report on the impact of the exercise of law enforcement and intelligence powers on the freedom of the press.
§ I note that three of the recommendations were rejected, in essence, by the government that go to the expansion of the PJCIS oversight of the intelligence functions of the ACIC and the AFP, as well as the expansion of the IGIS oversight of the intelligence functions of the AFP. The government takes the view that parliamentary oversight exists through the Parliamentary Joint Committee on Law Enforcement Integrity and it notes that the Richardson review did not endorse expanding the IGIS's oversight to the intelligence functions of the AFP. While Labor acknowledges that this is the government's position, I would nonetheless like to make clear that Labor in government would implement all of the PJCIS's recommendations to the SLAID Bill.
§ I will note that the government has added two amendments such that, when a national emergency has been declared, the minister's power to modify administrative arrangements does not apply to account takeover warrants, bringing the bill into conformity with the Surveillance Devices Act and the Crimes Act and aligning the periods for reporting to the Ombudsman with those of other agencies, as recommended by the PJCIS. I acknowledge those amendments and advise that we are pleased to see them.
However, another opposition party voted against the bill. Senator Lidia Thorpe of the Green Party spoke against it:
§ The Greens are the ones who led the push to get this legislation reviewed by the committee when the government—with the help of the opposition, mind you—tried to push this through the parliament. We tried to refer this bill to the Senate Legal and Constitutional Affairs Legislation Committee; however, this failed and it was referred to the closed shop, Labor-and-Liberal PJCIS. So the Greens aren't allowed onto that committee to make decisions or contribute to those decisions and neither is anybody else. It's a closed shop between Liberal and Labor, who may as well join as one and forget the rest.
§ In effect, this bill would allow spy agencies to modify, add, copy or delete your data with a data disruption warrant or collect intelligence on your online activities with a network activity warrant. Also, they could take over your social media and other online accounts and profiles with an account takeover warrant. What's worse is that the data disruption and network activity warrants could be issued by a member of the Administrative Appeals Tribunal. Really? It is outrageous that these warrants won't come from a judge of a superior court appointed on their personal capacity. The bill also limits court oversight in decisions concerning the issuing of these warrants when criminal proceedings have already started.
§ It is not clear that these powers are needed. The Richardson review recommended that law enforcement agencies not be given specific cyberdisruption powers like those in this bill. The Richardson review concluded there was not a material gap in existing investigative powers which could justify effectively placing the AFP or ACIC in the position of judge, jury and executioner. The proposal to give specific intelligence collection powers to the AFP and ACIC under network activity warrants does not clearly identify a gap in existing powers. They're not telling us everything. They're expecting us to make decisions without real, genuine, informed consent.
§ The scope of the new powers is disproportionate compared to the threats of serious and organised cybercrime to which they are directed. There is a lack of evidence justifying the need for warrants of this nature beyond those already available to the AFP and ACIC. No other country in the Five Eyes alliance has conferred the powers on its law enforcement agencies that this bill will. What's more, the government moved 60 amendments in the other place, as a block, at the last moment, and now we're all here, expected to jump through hoops, without the time to scrutinise the legislation properly.
In the December 2019 “Report of the Comprehensive Review of the Legal Framework of the National Intelligence Community” (aka the Richardson Review), the reviewers argued against expanding law enforcement power to conduct cyber operations:
§ Although we completely accept that disrupting criminal activities is an essential part of policing, we are reluctant to endorse a proposal that results in AFP being given access to powers that allow it to destroy property. Our concerns with this are twofold.
§ First, it is a fact that offensive cyber operations are highly complex and require careful planning. This was highlighted in the submissions. A poorly planned or executed operation could have disastrous implications, and may even compromise computers that support the provision of essential services, affecting the lives or livelihood of innocent people. All agencies, including the AFP, can and do make mistakes and this would be no exception.
§ Second, a more specific disruption mandate for the AFP risks compromising essential democratic rights. We are particularly concerned about empowering police officers to pass conclusive judgement and act in accordance with that judgement to destroy property.
§ In fact, we do not think the lack of legislative tools is what holds the AFP back from being effective in disrupting online crime. Online cyber disruption operations are highly complex, and require special skills, equipment and training. The Parliamentary Joint Committee on Law Enforcement (PJCLE) recommended that there should be ‘dedicated agency funding with sufficient flexibility to enable law enforcement agencies to respond to the escalating challenges of cybercrime’. We agree and think this is actually the key issue. The AFP must develop the highly specialised skillset necessary to respond to the challenges posed by online crime.
As noted, the PJCIS conducted an inquiry of the bill and made 33 recommendations, some of which were incorporated into the final bill through amendments. In the second explanatory memorandum issued along with the revised bill text, the government detailed the changes:
§ The amendments to the Bill will:
o require additional matters to be specified in an application for a data disruption warrant, and emergency authorisations for disruption of data, namely:
§ for data disruption warrants – an assessment of how disruption of data held in a target computer is likely to substantially assist in frustrating a relevant offence;
§ for data disruption warrants – an assessment of the likelihood that disruption of data held in a target computer is likely to substantially assist in frustrating a relevant offence; and
§ for emergency authorisations for disruption of data – that there are no alternative methods that could be used to avoid risk of serious violence to a person or substantial damage to property that are likely to be as effective as disruption of data;
o require issuing authorities to be satisfied of additional matters before issuing a warrant or an assistance order:
§ for network activity warrants – the issue of the warrant is justified and proportionate, having regard to the relevant offences;
§ for assistance orders – the assistance order is reasonable and necessary to enable the warrant or emergency authorisation to be executed; and
§ for assistance orders – the assistance order is justifiable and proportionate, having regard to the nature and gravity of the offence, and the likely impact of compliance on the specified person or on other persons, including persons lawfully using the computer;
o require additional matters to be considered before a warrant, emergency authorisation or an assistance order may be issued:
§ for data disruption warrants – the nature of the things proposed to be authorised by the warrant;
§ for data disruption warrants – the extent to which the execution of the warrant is likely to result in access to, or disruption of, data of persons lawfully using a computer, and any privacy implications (to the extent known) resulting from that access or disruption;
§ for data disruption warrants – any steps that are proposed to be taken to avoid or minimise the extent to which the execution of the warrant is likely to impact on persons lawfully using a computer;
§ for data disruption warrants and account takeover warrants – the extent to which the execution of the warrant is likely to cause a person to suffer a temporary loss of money, digital currency or property other than data, to the extent known;
§ for network activity warrants – any privacy implications resulting from access, to the extent known;
§ for account takeover warrants and emergency authorisations for disruption of data – the extent to which the execution of the warrant or emergency authorisation is likely to impact on persons lawfully using a computer, to the extent known;
§ for all warrants – if the issuing authority believes on reasonable grounds that data or an account belongs to a journalist and the offence to which the warrant relates is an offence against a secrecy provision, that the public interest in issuing the warrant outweighs the public interest in protecting the confidentiality of the identity of a journalist’s source and facilitating the exchange of information between journalists and members of the public so as to facilitate reporting of matters in the public interest;
§ for all warrants – specifying certain offences to which weight must be given when having regard to the nature and gravity of the conduct constituting the offence for which the warrant is sought;
§ for emergency authorisations for disruption of data – whether the likely impact of the execution of the emergency authorisation on persons lawfully using a computer is proportionate, having regard to the risk of serious violence or substantial damage;
§ for assistance orders – whether the specified person is or has been subject to another assistance order, to the extent known;
o impose additional limitations and requirements on the exercise of authority conferred under data disruption warrants and network activity warrants, namely:
§ for data disruption warrants and network activity warrants – to return a computer or other thing removed from a premises in accordance with the warrant as soon as is reasonably practicable to do so once the computer or thing is no longer required for the purposes of doing any thing authorised by the warrant; and
§ for data disruption warrants – to notify the Ombudsman where material loss or damage is caused to one or more persons lawfully using a computer, within 7 days after the person executing the warrant became aware of that loss or damage;
o amend reporting requirements and frequency of Ombudsman’s inspections from six-monthly to annually, in line with existing regimes overseen by the Ombudsman;
o provide a legislative basis for independent and parliamentary review of powers contained in the Bill; and
o introduce sunset provisions for warrants and emergency authorisations under the Bill.
In its report, the PJCIS summarized or quoted some of the arguments stakeholders made for and against the bill. I will not quote them all but will pick and choose some I found representative:
§ The AFP Commissioner argued:
o I want to emphasise that disrupting crime is a core business for the AFP. There is a misconception that disrupting crimes means that an investigation will never proceed to prosecution. This is simply not true. Many of our disruption efforts still result in the prosecution of offenders.
o The best example of this is our unrelenting efforts in covering illegal drugs imported to Australia. We can simply seize the drugs at the border and arrest an offender or two, if we identify them at that point, but we can also take a different approach to disrupt the harmful effects of drugs in our community. We seek to discover who sent the drugs, who bought them and their distribution points. We take law enforcement action at an appropriate time, but we also disrupt the immediate impact of drugs entering our community, identify a larger number of offenders and have a better chance of reducing future harm.
o But, in the online environment, we’re far more restricted in how we can track illegal activities in this way. We can assume an identity and interact with offenders. We can get targeted warrants to intercept their communications and access their data, and, with the TOLA industry assistance framework, we can get help to open the front door. But we’ve still got one hand tied behind our back because we cannot identify what their distribution point is and what criminal network they belong to; understand what they are communicating, due to encryption; move things around inside their network – that is, modify data – or take control of their distributors to collect evidence. And, in many cases, we may not even know where the distribution network is.
§ The Law Council said the Bill represented a change in focus for the AFP and ACIC, saying:
o The bill proposes major and, respectfully, novel expansions of the existing powers of the AFP and ACIC, which merit detailed scrutiny. The new powers depart sharply from the traditional focus of investigative powers on the collection of admissible evidence of specific offences.
§ The powers were described as extraordinary by the Law Council because:
o They go further than collecting evidence for prosecution into a realm where they are actively doing things to that data, either by way of preventing access or by destroying it, which would include destroying other peoples’ property, their computers and so on, so that’s a big next step. It’s extraordinary in this other way because of the operation of computers. Computers now do everything for us. They are so directly involved in all of our personal, business and other lives that there’s a vast field of information there available for people to collect if they’re authorised to do that.
§ The Cyber Security Cooperative Research Centre (CSCRC) said:
o We are now at a critical point where we as a society need to decide what kind of world we want to live in. Central to this must be the notion that all crime, whether committed online or offline, should be treated the same and the rule of law must be applied equally. If passed, this legislation will play a key role in countering serious cyber-enabled crime... While the powers contained within the bill are undoubtedly extraordinary they are proportionate and appropriate in relation to the scale and seriousness of the threat posed.
§ The CSCRC further outlined the requirement of the powers, noting ‘as it stands bad has the upper hand. The criminals are the ones with power’.
§ The Office of the Australian Information Commissioner (OAIC) said the powers were ‘wide-ranging and coercive in nature’. Specifically the OAIC said:
o These powers may adversely impact the privacy of a large number of individuals, including individuals not suspected of involvement in criminal activity, and must therefore be subject to a careful and critical assessment of their necessity, reasonableness and proportionality. Further, given the privacy impact of these law enforcement powers on a broad range of individuals and networks, they should be accompanied by appropriate privacy safeguards. The OAIC considers that the Bill requires further consideration to better ensure that any adverse effects on the privacy of individuals which result from these coercive powers are minimised, and that additional privacy protections are included in the primary legislation.
In making its recommendations, the PJCIS noted that online crime is a pervasive, vexing issue and the bill presents a “world-leading and novel” approach. However, the committee argued the government could have done a much better job of explaining the bill through the Explanatory Memorandum and of fleshing out technical details:
§ The Committee accepts evidence the threat environment from serious cyber-enabled crime is severe and Australian authorities do not currently have the tools to address the threat. It is international, complex, and technologically advanced. The Committee accepts evidence there is a requirement for powers such as these due to the effects of anonymising technology and the dark web in particular. The Committee accepts evidence serious crime is being enabled by these technologies and the Australian Federal Police (AFP) and Australian Criminal Intelligence Commission (ACIC) are currently unable to prevent the harm. The Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020 (the Bill) is world-leading and novel but it also needs to be subject to serious consideration and review. The Committee accepts it is one among many measures being considered to counter these threats.
§ The Committee supports these powers and the Bill conditional on the amendments as outlined below. As identified by many submissions to this inquiry, the key issues at the micro level are the articulation and definition of necessity and proportionality with these powers. While almost all submissions generally supported the intent of the Bill, many submissions thought the Bill was either poorly defined or differed substantially from the Explanatory Memorandum (EM). On this latter point, the Committee strongly recommends Government clearly articulate these key issues in the EM as if it had done so then it is likely the inquiry process would have occurred more smoothly as people’s understanding of what the Bill is would have been likely stronger. This is particularly the case for the debate on relevant offences and issuing authorities which are the two key issues from a technical and legislative perspective.
Other Developments
§ The United States (U.S.) Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) unveiled the Vulnerability Disclosure Policy (VDP) Platform per an Office of Management and Budget (OMB) directive. CISA explained:
o Last fall, we issued the final version of Binding Operational Directive (BOD 20-01), which was issued in support of the Office of Management and Budget M-20-32, “Improving Vulnerability Identification, Management, and Remediation”. This Directive reflects CISA’s commitment to strengthening cybersecurity and resilience for federal civilian agencies by requiring agencies to establish policies enabling the public to contribute and report vulnerability disclosures. Recognizing that policies alone are not sufficient, we also announced plans to launch a vulnerability disclosure platform service in the near future. Today, the future arrived.
o The Cybersecurity and Infrastructure Security Agency (CISA) is proud to announce the VDP Platform for the federal civilian enterprise, the latest shared service offered by CISA’s Cyber Quality Services Management Office (QSMO) and provided by BugCrowd and EnDyna. The VDP Platform provides a single, centrally managed online website for agencies to list systems in scope for their vulnerability disclosure policies, enabling security researchers and members of the general public to find vulnerabilities in agency websites and submit reports for analysis. The Department of Homeland Security (DHS), the Department of Labor (DoL), and the Department of Interior (DoI) are among the agencies planning to leverage this platform at the onset.
o This new platform allows agencies to gain greater insights into potential vulnerabilities, thereby improving their cybersecurity posture. This approach also enables significant government-wide cost savings, as agencies no longer need to develop their own, separate systems to enable reporting and triage of identified vulnerabilities. CISA estimates over $10 million in government-wide cost savings will be achieved by leveraging the QSMO shared services approach.
o Through this crowdsourcing platform, Federal Civilian Executive Branch (FCEB) agencies will now be able to coordinate with the security research community in a streamlined fashion and those reporting incidents enjoy a single, usable website to facilitate submission of findings. The platform encourages collaboration and information sharing between the public and private sectors by allowing uniquely skilled researchers to submit vulnerability reports, which agencies will use to understand and address vulnerabilities that were previously unidentified. BugCrowd and EnDyna, the service providers, will conduct an initial assessment of the vulnerability reports submitted. This initial assessment will free up agencies’ time and resources and allow agencies to focus on those reports that have real impact.
o CISA’s VDP Platform will help the FCEB improve day-to-day operations when managing vulnerabilities in their information systems. Agencies have the option to utilize the platform to serve as the primary point of entry for intaking, triaging, and routing vulnerabilities disclosed by researchers. Our goal is for the platform to act as a centralized vulnerability disclosure mechanism to enhance information sharing between the public and federal agencies. This approach will improve agencies’ ability to analyze, address, and communicate disclosed vulnerabilities.
§ The Department of Commerce’s Office of the Inspector General (OIG) released an audit titled “The U.S. Census Bureau’s Mishandling of a January 2020 Cybersecurity Incident Demonstrated Opportunities for Improvement.” The OIG turned up problems with the agency’s cyber incident response process with respect to mitigation of critical vulnerabilities. The OIG made the following findings:
o The OIG made the following recommendations:
§ The United States (U.S.) Government Accountability Office (GAO) sent a letter on priority open recommendations to the U.S. Department of Homeland Security in order “to provide an update on the overall status of the DHS implementation of GAO’s recommendations and to call your personal attention to areas where open recommendations should be given high priority.” The GAO noted that “[s]ince our April 2020 letter, DHS has implemented 12 of our 29 open priority recommendations” including:
o DHS established metrics for assessing the National Cybersecurity and Communications Integration Center’s (NCCIC) execution of statutory required cybersecurity functions in accordance with associated implementing principles. This action will better enable the agency to articulate the effectiveness of actions taken to provide cybersecurity incident coordination, information sharing, and incident response across the federal civilian government and critical infrastructure.
o DHS identified the positions in its information technology workforce that performed cybersecurity functions. This action will improve the reliability of the information DHS needs to identify its cybersecurity workforce roles of critical need.
o DHS developed a cybersecurity risk management strategy. By establishing this strategy, DHS should have an improved organization-wide understanding of acceptable risk levels and appropriate risk response strategies to protect its systems and data.
o The GAO added:
§ DHS has 17 priority recommendations remaining from those we identified in the 2020 letter. We ask for your attention to the remaining priority recommendations. We are adding 21 new recommendations. These include five recommendations related to emergency preparedness, eight recommendations related to border security, two recommendations related to transportation security, three recommendations related to infrastructure and management, two recommendations related to cybersecurity and information technology management, and one recommendation related to chemical security bringing the total number of priority recommendations to 38.
§ Information Technology and Cybersecurity.
§ We have five priority recommendations in this area. In February 2017, we recommended that DHS establish methods for monitoring the implementation of cybersecurity functions against the principles identified in the National Cybersecurity Protection Act of 2014 on an ongoing basis. In March 2021, DHS demonstrated that it had developed metrics for assessing adherence to applicable principles in carrying out statutorily required functions. However, to fully implement this recommendation, DHS needs to show evidence that the metrics are reported on an ongoing basis.
§ To facilitate adoption of the National Institute of Standards and Technology's (NIST) Framework for Improving Critical Infrastructure Cybersecurity, we recommended in February 2018 that DHS take steps to consult with respective sector partners, such as the sector coordinating councils, and NIST, as appropriate, to develop methods for determining the level and type of adoption of the framework by entities across their respective sectors.
§ From October through December 2019, DHS, in coordination with its Information Technology (IT) sector partner, administered a survey to approximately 100 small and midsized businesses (with 50 percent representing IT sector organizations) to gather information on, among other things, their level of framework adoption and use in conjunction with other cybersecurity standards. However, the survey did not measure the level and type of framework adoption by entities across DHS’s other critical infrastructure sectors, such as the communications and critical manufacturing sectors. While the department has taken important initial steps to measure framework adoption and use for a portion of the IT sector and has developed sector-specific framework implementation guidance for other sectors, implementing our recommendations to gain a more comprehensive understanding of the framework’s use by all of its critical infrastructure sectors is essential to understanding the success of efforts to protect our nation’s critical infrastructure from cyber threats and where to focus limited resources for cyber risk mitigations.
§ In July 2019, we recommended that DHS document a process for coordination between its cybersecurity risk management and enterprise risk management functions. DHS concurred with our recommendation and stated that it planned to clarify cybersecurity roles and responsibilities for coordination with offices responsible for enterprise risk management. DHS estimated that it would complete these actions by July 31, 2020. For us to consider this recommendation fully implemented, DHS needs to provide details on how coordination occurs between entities responsible for cybersecurity and those responsible for enterprise risk management.
§ In February 2020, we recommended that DHS develop a schedule and plan for completing a reassessment of the high value asset (HVA) program process which focuses on the protection of the government’s most critical and high impact information and information systems. This included addressing issues on completing required high value asset assessments and identifying needed resources for Tier 1 assets and assessments, and finalizing guidance for Tier 2 and 3 HVA systems. DHS concurred with our recommendation. In December 2020, DHS stated that while it was not on track to complete required Tier 1 assessments, it was working to address the assessment constraints, including increasing staffing levels and developing process improvements. However, it has yet to provide a schedule and plan for completing these assessments and improvements. Further, in March 2021, DHS stated that it has developed standardized training to develop resources for completing HVA assessments. DHS stated that its training capability will be fully operational in May 2021. However, it will only be able to train about one third of the people required in this fiscal year due to budget constraints. Training dates for the next two fiscal years, which are needed to have enough people to conduct the required assessments, are still pending. Further, DHS stated that it has drafted supplemental guidance for Tier 2 and 3 HVAs (now called non-Tier-1 assets). However, the guidance that it had hoped to publish in March 2021 has not yet been completed.
§ In June 2020, we recommended that DHS begin measuring results associated with its transition to Agile software development and measuring the success of the transition based on its impact on the department. DHS concurred with our recommendation. In July 2021, DHS’s Acting Chief Technology Officer approved an updated Agile Software Delivery Core Metrics Guidebook. The guidebook explains that programs must report monthly on six Agile core metrics (e.g., availability, cycle time, and unit test coverage) in DHS’s Investment Evaluation Submission and Tracking system. In addition, in August 2021, DHS noted that these metrics are included as part of its Program Health Assessments for major and standard IT programs across the department. DHS also stated that the Office of the Chief Information Officer has informed programs that non-compliance will result in an adverse Program Health Assessment score. According to DHS, these measurements will ensure that the DHS Agile transition is successful. Nevertheless, DHS did not provide evidence to demonstrate that the updated metrics are being collected and used to measure results associated with its transition to Agile and the success of the transition based on its impact on the department.
§ Apple filed an appeal of the copyright lawsuit it had brought against Corellium, a firm that offers customers “tailored, virtual models of iPhones” and Android devices. However, Apple and Corellium settled the Digital Millennium Copyright Act (DMCA) claims, and in this settlement, the court explained:
o The parties have now stipulated that: (1) Apple will dismiss with prejudice its claim under the Digital Millennium Copyright Act, 17 U.S.C. §§ 1201(a)(2), (b), and 1203 (Second Amended Complaint, Count 4); (2) Corellium will dismiss with prejudice its counterclaims against Apple; (3) both sides release all claims for monetary damages, attorneys’ fees, and costs, past, present, and future relating to this case or any appeal in this case; and (4) Apple preserves and retains its right to appeal the Court’s order granting summary judgment to Corellium on Apple’s copyright claims as to the injunctive relief only.
o In the notice of appeal, Apple asserted:
§ hereby appeals to the United States Court of Appeals for the Eleventh Circuit from the Final Judgment entered in this action on August 17, 2021 (ECF No. 1013) as to Apple’s claims for copyright infringement (First, Second, and Third Claim for Relief in the Second Amended Complaint, ECF No. 589) and all other orders and decisions antecedent and ancillary thereto, including all rulings, reports, recommendations, and opinions that merged into and became part of the Final Judgment and upon which the Final Judgment is based—including but not limited to the District Court’s Order on the Parties’ Motion for Summary Judgment entered on December 29, 2020 (ECF Nos. 783, 784).
o At the end of last year, a federal court threw out a significant portion of a suit Apple brought against a security company, Corellium. The United States District Court for the Southern District of Florida summarized the case:
§ On August 15, 2019, Apple filed this lawsuit alleging that Corellium infringed Apple’s copyrights in iOS and circumvented its security measures in violation of the federal Digital Millennium Copyright Act (“DMCA”). Corellium denies that it has violated the DMCA or Apple’s copyrights. Corellium further argues that even if it used Apple’s copyrighted work, such use constitutes “fair use” and, therefore, is legally permissible.
§ The court found “that Corellium’s use of iOS constitutes fair use” but did not for the DMCA claim, thus allowing Apple to proceed with that portion of the suit.
§ In an opinion piece published by the Wall Street Journal titled “Free Speech and Corporate Responsibility Can Coexist Online,” YouTube CEO Susan Wojcicki argued:
o As CEO of YouTube, I grapple every day with issues related to free expression and responsibility. Companies, civil society and governments are facing unprecedented challenges and sorting through complicated questions, determining where to draw the lines on speech in the 21st century. Policy makers around the world are introducing regulatory proposals—some argue that too much content is left up on platforms, while others say too much is taken down. At YouTube, we’re working to protect our community while enabling new and diverse voices to break through. Three principles should guide discussions about the regulation of online speech.
o First, the open internet has transformed society in incredible ways.
o The second principle: Democratic governments must provide companies with clear guidelines about illegal speech.
o But not everything about content moderation will be overseen by governments, which is why I believe strongly in the third principle: Companies should have flexibility to develop responsible practices to handle legal but potentially harmful speech.
o Some may say that governments should oversee online speech, but we need flexibility to strike the right balance between openness and responsibility. When we get it wrong or lean too heavily in either direction, our business and the millions of creator small businesses built on YouTube are hurt. Advertisers have pulled spend from YouTube when their ads ran next to problematic content.
o The stakes are high for updating our approach to online speech. Overregulation of legal content would have a chilling effect on speech and could rob us of the next big idea or great discovery. I’m confident there is a way forward that both keeps our community safe and allows for free expression.
§ Common Sense Media issued a report titled “Privacy of Streaming Apps and Devices: Watching TV that Watches Us” with the “generous support and underwriting that funded this report from the Michael and Susan Dell Foundation, the Bill and Melinda Gates Foundation, and the Chan Zuckerberg Initiative.” Common Sense Media also issued a two-page rating of streaming devices and apps. In its press release, Common Sense Media argued:
o We reviewed the privacy protections in the top 10 streaming apps, as well as the top five streaming devices, that include programming directed at kids and families and found that most apps and devices are using practices that are putting consumers' privacy at risk -- especially that of kids.
o The companies behind streaming apps must do more to protect kids' privacy, from providing stronger parental controls to establishing specific policies for kids. But our findings also serve as a reminder to parents to make smart choices around the apps they allow their kids to use and how to better protect their privacy while streaming.
§ United Nations (UN) “human rights experts” “called on all States to impose a global moratorium on the sale and transfer of surveillance technology until they have put in place robust regulations that guarantee its use in compliance with international human rights standards.” They argued:
o Two years ago the then UN Special Rapporteur on Freedom of Opinion and Expression published a report on the dangerous impact of surveillance technology on human rights and recommended an immediate moratorium on its sale and transfer until international regulations incorporating human rights safeguards were adopted. The international community failed to heed his call.
o On 18 July 2021, Forbidden Stories and Amnesty International exposed the widespread surveillance of the mobile devices of hundreds of journalists, human rights defenders and political leaders, using the NSO Group’s Pegasus spyware. The NSO Group promptly rejected allegations concerning its involvement in these unlawful practices.
o The experts include:
§ Ms. Irene Khan, Special Rapporteur on the promotion and protection of the right to freedom of expression; Ms. Mary Lawlor, Special Rapporteur on the situation of human rights defenders; Mr. Clement Nyaletsossi Voulé, Special Rapporteur on the rights to freedom of peaceful assembly and of association; and UN Working Group on the issue of human rights and transnational corporations and other business enterprises (known as the Working Group on Business and Human Rights), Mr. Surya Deva (Chairperson), Ms. Elzbieta Karska (Vice-Chairperson), Mr. Githu Muigai, Mr. Dante Pesce, and Ms. Anita Ramasastry.
§ 24 “public interest, consumer advocacy, and civil rights groups” wrote the Federal Trade Commission (FTC) “urging the [FTC] to protect civil rights and privacy in the digital economy by initiating a new rulemaking…[and] also create an Office of Civil Rights and commit more resources to enforce against unfair and deceptive practices.” These groups provided a detailed list of harms and steps the agency can take to protect people from unfair and deceptive data practices. They claimed:
o As has been extensively documented by independent researchers, journalists, courts, companies, and this Commission, unfettered data practices employed single-mindedly for private gain cause significant harm to the public. Tech companies directly cause or contribute to many of these harms. Like the sprawling consequences of historic redlining, other harms arise as negative externalities (including downstream effects) from data-exploitative business models and the market incentives they create. Addressing direct harms and changing incentives will have positive effects for the Internet ecosystem as a whole.
§ In response to her 7 July letter, Securities and Exchange Commission (SEC) Chair Gary Gensler wrote Senator Elizabeth Warren (D-MA) “regarding the sufficiency of the SEC’s authority to regulate crypto platforms.” Gensler asserted:
o I believe we need additional authorities to prevent transactions, products, and platforms from falling between regulatory cracks. We also need more resources to protect investors in this growing and volatile sector.
o In my view, the legislative priority should center on crypto trading, lending, and decentralized finance (DeFi) platforms. Regulators would benefit from additional plenary authority to write rules for and attach guardrails to crypto trading and lending.
o House Financial Services Committee Ranking Member Patrick McHenry (R-NC) opined on the Warren-Gensler exchange in a press release:
§ Chairman Gensler’s latest move to ask Congress for jurisdiction over non-securities exchanges is a blatant power grab that will hurt American innovation. Given the distinct nature of digital assets, policymakers must be thoughtful and deliberative in legislating in this space. That’s why I introduced H.R. 1602, the Eliminate Barriers to Innovation Act, to bring regulatory certainty to market participants and regulators. We need smart policy, made through a transparent process, to ensure innovation and job creation continue in the U.S. We don’t need another backroom deal between Gensler and Elizabeth Warren.
§ The United Kingdom’s Department for Digital, Culture, Media & Sport (DCMS) announced that “[f]ibre broadband cables could be fed through the country’s water pipes as part of the government’s plan to speed up the nationwide roll out of lightning-fast broadband and mobile coverage in rural areas.” DCMS stated:
o Four million pounds is available for cutting-edge innovators to trial what could be a quicker and more cost-effective way of connecting fibre optic cables to homes, businesses and mobile masts, without the disruption caused by digging up roads and land.
o Civil works, in particular installing new ducts and poles, can make up as much as four fifths of the costs to industry of building new gigabit-capable broadband networks.
o This new scheme could turbocharge the government’s £5 billion Project Gigabit plan to level up broadband access in hard-to-reach areas as well as the £1 billion Shared Rural Network which will bring strong and reliable 4G phone signals to many of the most isolated parts of the country.
o The project will also look to test solutions that reduce the amount of water lost every day due to leaks, which is 20% of the total put into the public supply. It will involve putting connected sensors in the pipes which allow water companies to improve the speed and accuracy with which they can identify a leak and repair it. Water companies have committed to delivering a 50% reduction in leakage, and this project can help to reach that goal.
o Deployment challenges for essential utilities such as water and telecoms are complex and tightly regulated because both are parts of the country’s critical national infrastructure. The project will consider these regulatory barriers as well as the economic, technical, cultural and collaborative challenges and impact on consumer bills.
o Any solution used to trial fibre optic cables in the water mains will be approved by the Drinking Water Inspectorate (DWI) before being used in a real world setting. The DWI requires rigorous testing ahead of approving any products that can be used in drinking water pipes, and fibre has already been deployed in water pipes in other countries such as Spain.
§ The United States (U.S.) Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) released its “Get your Stuff Off Search” campaign to help critical infrastructure owners and operators make their systems harder to find online. CISA stated:
o While zero-day attacks draw the most attention, frequently less-complex exposures to both cyber and physical security are missed. Get your Stuff Off Search - S.O.S. - and reduce Internet attack surfaces that are visible to anyone on web-based search platforms.
o Exposures increasingly include Industrial Internet of Things (IIoT), Supervisory Control and Data Acquisition systems (SCADA), industrial control systems (ICS), remote access technologies, and other critical assets – which may impact public safety, human life, and national security.
o In an overview, CISA advised taking these steps:
§ #1 ASSESS YOUR POSTURE You have probably done a lot to secure your facilities. However, without visibility into your assets that are accessible across the Internet, you may not fully understand your potential for being attacked. While many people use search engines to find cat pictures, cyber attackers commonly use similar tools to locate Internet-connected IIoT devices. In fact, once a device is identified, hacking is not even required in many cases – for example, if default and maintenance passwords are in-use, the adversaries’ job is easy as they just flip a switch to exploit.
§ #2 EVALUATE AND REDUCE YOUR EXPOSURE After you know which assets are exposed, decide which need to be open to the Internet. Once you evaluate necessary exposure, assess how changes will affect your assets and any potential impacts to your operations. This step is important to ensure actions associated with vulnerability remediation are performed with full knowledge of safety risk and unintended consequences are avoided based on the specific implementation plan. Also, consult with your utilities, business partners, and asset owners you do business with to ensure interdependencies are considered.
§ #3 HARDEN AND MITIGATE YOUR RESIDUAL EXPOSURE Protect and reduce your risk of business interruptions from cyber-attacks; get your Stuff Off Search (S.O.S.)! CISA has developed a How-to Guide to help you assess your IoT/IIOT – all of your Internet connected computers and industrial devices – and take risk mitigation steps. This can include changing default passwords, implementing robust patch management, installing a virtual private network (VPN), and using multi-factor authentication. Secure your assets where possible!
§ #4 ESTABLISH ROUTINE ASSESSMENTS While it’s important to get your Stuff Off Search, it’s equally important to make these practices routine. As IT and business needs change, continuously monitor your IoT/IIoT and other critical assets to ensure that you always know when they are exposed on the Internet.
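The four S.O.S. steps above read as a repeatable check: compare what is actually reachable from the Internet against what you decided should be, and re-run it as things change. The following is an added example of that check, not CISA's code and not part of the How-to Guide; the inventory records, the approved-exposure baseline, the service classes and the default-credential banner markers are all constructed for the example, and the addresses come from the documentation range.

```python
from dataclasses import dataclass

# Constructed sample inventory: what an operator might export for their own
# address space from a web-based search platform (step 1, assess posture).
# Addresses are from the 198.51.100.0/24 documentation range, not real hosts.
INVENTORY = [
    {"ip": "198.51.100.10", "port": 443,  "service": "https",   "banner": "nginx"},
    {"ip": "198.51.100.11", "port": 502,  "service": "modbus",  "banner": "Modbus/TCP unit 1"},
    {"ip": "198.51.100.12", "port": 3389, "service": "rdp",     "banner": "Remote Desktop Protocol"},
    {"ip": "198.51.100.13", "port": 80,   "service": "http",    "banner": "PLC web console - login admin/admin"},
    {"ip": "198.51.100.14", "port": 1194, "service": "openvpn", "banner": "OpenVPN"},
]

# Approved exposures decided in step 2 (evaluate and reduce): only the public
# web front end and the VPN gateway are meant to be reachable from the Internet.
BASELINE = {("198.51.100.10", 443), ("198.51.100.14", 1194)}

# Service classes CISA names as commonly exposed: ICS/IIoT and remote access.
ICS_SERVICES = {"modbus", "dnp3", "s7comm", "bacnet", "ethernet-ip", "iec-104"}
REMOTE_ACCESS_SERVICES = {"rdp", "vnc", "telnet", "ssh", "ftp"}
# Constructed banner fragments indicating factory credentials are still in use.
DEFAULT_CRED_MARKERS = ("admin/admin", "default password", "factory credentials")


@dataclass(frozen=True)
class Finding:
    ip: str
    port: int
    service: str
    severity: str   # "critical", "high" or "medium"
    reason: str


def classify(record, baseline):
    """Return a Finding for one exposed service, or None if it is acceptable."""
    key = (record["ip"], record["port"])
    service = record["service"].lower()
    banner = record.get("banner", "").lower()
    default_creds = any(marker in banner for marker in DEFAULT_CRED_MARKERS)

    if key in baseline and not default_creds:
        return None                      # approved exposure, nothing to do
    if default_creds:                    # step 3: change default passwords first
        severity, reason = "critical", "banner advertises default credentials"
    elif service in ICS_SERVICES:
        severity, reason = "critical", "ICS/IIoT protocol reachable from the Internet"
    elif service in REMOTE_ACCESS_SERVICES:
        severity, reason = "high", "remote-access service not in approved baseline"
    else:
        severity, reason = "medium", "service not in approved baseline"
    return Finding(record["ip"], record["port"], service, severity, reason)


def assess(inventory, baseline):
    """Steps 1 and 2: every exposed service checked against the approved baseline."""
    findings = [classify(record, baseline) for record in inventory]
    return [finding for finding in findings if finding is not None]


def exposure_drift(previous, current):
    """Step 4: services exposed now that were not present in the previous run."""
    previous_keys = {(record["ip"], record["port"]) for record in previous}
    return [record for record in current
            if (record["ip"], record["port"]) not in previous_keys]


def summarize(findings):
    """Count findings per severity so routine runs can be tracked over time."""
    counts = {"critical": 0, "high": 0, "medium": 0}
    for finding in findings:
        counts[finding.severity] += 1
    return counts


if __name__ == "__main__":
    results = assess(INVENTORY, BASELINE)
    for finding in results:
        print(f"{finding.severity.upper():8} {finding.ip}:{finding.port} "
              f"({finding.service}) - {finding.reason}")
    print(summarize(results))
```

Feeding each routine run's inventory through exposure_drift against the previous run turns step 4 into an alert on anything newly reachable, independent of whether it is yet in the baseline.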
Further Reading
§ “China’s Huawei Hires Democratic Lobbyist Tony Podesta” By Dan Strumpf, Julie Bykowicz, and Jacquie McNish — Wall Street Journal. Huawei Technologies Co. has hired veteran Democratic lobbyist Tony Podesta —whose firm imploded in 2017 amid financial and legal troubles—as part of the Chinese company’s expanded U.S. influence operation, according to people familiar with the matter. Mr. Podesta’s work for Huawei is still in the early stages, and the full scope of his advocacy for the company is still being determined, according to one of these people.
§ “Ajit Pai apparently mismanaged $9 billion fund—new FCC boss starts ‘cleanup’” By Jon Brodkin — Ars Technica. The Federal Communications Commission wants SpaceX to give up a portion of the $885.51 million in broadband funding it was awarded in a reverse auction in December 2020. SpaceX's Starlink satellite broadband division was one of the biggest winners in the FCC's Rural Digital Opportunity Fund (RDOF) grants announced in Ajit Pai's last full month as FCC chairman. Overall, Pai's FCC awarded $9.2 billion over 10 years ($920 million per year) to 180 bidders nationwide, with SpaceX slated to get $885.51 million over 10 years to serve homes and businesses in parts of 35 states.
§ “Low-Cost Broadband in Senate Bill Sparks Alarm on Rates” By Todd Shields and Erik Wasson — Bloomberg. The infrastructure bill moving through Congress requires internet service providers to offer a low-cost option, sparking opposition from a top Republican senator who said the mandate may lead to broadband rate regulation. The $550 billion bill, which advanced in the Senate late Wednesday, includes $65 billion for broadband expansion. The measure will require funding recipients to offer a low-cost plan, the White House said in a summary. It didn’t offer details on price or speed of the service. The bill could lead to pressure from an administration that has said it’s determined to bring broadband prices down, said Paul Gallant, a Washington-based analyst for Cowen & Co.
§ “How Local Media Spreads Misinformation From Vaccine Skeptics” By Sheera Frenkel and Tiffany Hsu — The New York Times. The Freedom’s Phoenix, a local news site in Phoenix, and The Atlanta Business Journal, a news site in Atlanta, both published the same article about coronavirus vaccines in March. The author was Joseph Mercola, who researchers and regulators have said is a top spreader of misleading Covid-19 information. In the article, Dr. Mercola inaccurately likened the vaccines to “gene therapy” and argued against their usefulness.
§ “Three, two, win? How to adapt to hybrid home and office working” By Alexandra Topping — The Guardian. Working 3:2, what a way to make a living – but a new way that may take a little getting used to, according to experts. As coronavirus restrictions lift, many companies whose staff have worked from home for 18 months are asking those workers to dust off their bras and smart trousers and return to the office part-time. While the majority of people will be given little choice about where they work (the proportion of people working from home more than doubled in 2020, but was still only a quarter, according to the Office for National Statistics), many companies that have used remote working are now expecting staff to work more flexibly.
§ “Do privacy “nutrition” labels stop us from eating the burger?” By Meghan McCarty Carino and Jesus Alvarado — Marketplace. About seven months ago, Apple rolled out some new features that let users see exactly how apps collect data about us and share it with advertisers. The privacy “nutrition” labels run pretty much on the honor system: It’s up to the app makers to provide the information. Now, Google is revealing how its own labels might work for Android. I spoke with Ashkan Soltani, a fellow at Georgetown Law’s Center on Privacy and Technology, who said we can get a sense of how effective Google’s labels might be by looking at how Apple’s have worked so far. The following is an edited transcript of our conversation.
§ “OnlyFans to ban adult material after pressure from payment processors” By Jim Waterson — The Guardian. OnlyFans, the subscriber-only website synonymous with pornography, has announced it will ban adult material from the site after pressure from its payment processors. The company will continue to allow some posts containing nudity but “any content containing sexually-explicit conduct” will be banned, with the site instead focusing on more mainstream content. The London-headquartered outlet has exploded in popularity during lockdown, bringing in billions of pounds of revenue as more than 130 million users signed up to subscribe to content or pay to chat with “creators”. Although OnlyFans insists it has a wide range of people creating material for the site, ranging from chefs to yoga instructors, by far the most popular content on the site is pornography.
§ “Google Dragnets Gave Cops Data On Phones Located At Kenosha Riot Arsons” By Thomas Brewster — Forbes. A year after the Kenosha riots, following the police shooting of Black citizen Jacob Blake, Google has handed over data on any phones that were located in the vicinity of two arson attacks during the public disorder, even though some protesters were trying to stop the fires.
§ “For Big Tech, There’s a New Sheriff on the Beat” By Parmy Olson — Wall Street Journal. The U.K.’s competition authority is stepping out of the shadow of the European Union, launching a flurry of new cases against big tech companies and becoming a new source of global scrutiny for the industry. Earlier this month, the British government said it would bolster the Competition and Markets Authority, the country’s longtime competition watchdog, granting it new powers to move more quickly to probe and fix anticompetitive behavior. The move would also strengthen its ability to fine companies and prevent takeovers that might stymie competition.
§ “Facebook’s New Bet on Virtual Reality: Conference Rooms” By Mike Isaac — The New York Times. For years, the idea that virtual reality would go mainstream has remained exactly that: virtual. Though tech giants like Facebook and Sony have spent billions of dollars trying to perfect the experience, virtual reality has stayed a niche plaything of hobbyists willing to pay thousands of dollars, often for a clunky VR headset tethered to a powerful gaming computer. That changed last year in the pandemic. As people lived more of their lives digitally, they started buying more VR headsets. VR hardware sales shot up, led by Facebook’s Oculus Quest 2, a headset that was introduced last fall, according to the research firm IDC.
§ “Hackers breached US Census Bureau in January 2020 via Citrix vulnerability” By Catalin Cimpanu — The Record. Unidentified hackers breached US Census Bureau servers in January 2020 by abusing a public exploit for a major vulnerability in the agency’s remote-access servers, a US government watchdog said on Monday. Census Bureau officials said the hacked servers were not connected to the 2020 Decennial Census networks, and the intruders did not have the opportunity to interact with census results. Instead, the hackers only gained access to servers the agency had been using to provide access to its internal network for its remote workforce, the Office of Inspector General said in a report this week.
§ “The Internet Archive Has Been Fighting for 25 Years to Keep What’s on the Web from Disappearing – and You Can Help” By Kayla Harris, Christina Beis and Stephanie Shreffler — Nextgov. This year the Internet Archive turns 25. It’s best known for its pioneering role in archiving the internet through the Wayback Machine, which allows users to see how websites looked in the past. Increasingly, much of daily life is conducted online. School, work, communication with friends and family, as well as news and images, are accessed through a variety of websites. Information that once was printed, physically mailed or kept in photo albums and notebooks may now be available only online. The COVID-19 pandemic has pushed even more interactions to the web.
Coming Events
Photo by Alexander Popov on Unsplash
§ 1 September
o The House Armed Services Committee will mark up the FY 2022 National Defense Authorization Act (H.R.4395).
o The House Homeland Security Committee’s Cybersecurity, Infrastructure Protection, and Innovation Subcommittee will hold a hearing titled “Stakeholder Perspectives on the Cyber Incident Reporting for Critical Infrastructure Act of 2021.”
§ 3 September
o Australia’s Parliamentary Joint Committee on Corporations and Financial Services will hold a hearing on its inquiry into Mobile payment and digital wallet financial services and a hearing on its inquiry into Regulation of the use of financial services such as credit cards and digital wallets for online gambling in Australia.
§ 7 September
o The California Privacy Protection Agency Board will hold a public meeting.
§ 8 September
o Australia’s Select Committee on Australia as a Technology and Financial Centre will hold a hearing on its inquiry.
o The California Privacy Protection Agency Board will hold a public meeting.
§ 30 September
o The Federal Communications Commission (FCC) will hold an open meeting. No agenda has been announced as of yet.