Biden Administration Releases Full FY 2022 Budget Request
Amazon faces antitrust action; EDPS looks into possible GDPR violations for uses of AWS and Microsoft Office
First, an administrative matter. For the next six weeks, the Wavelength will be a lighter product for personal reasons, all of which are very good. Consequently, I’ll still be sending out a product four times a week but just with the Other Developments, Further Reading, and Coming Events sections. Normal publishing will resume in mid-July.
The White House releases a transformative budget that has very little chance of being enacted.
Cocktail Party
It is often said budgets are moral documents for they convey the principles of an administration. And so it is with the Biden Administration’s first full budget request. The new administration seeks nothing less than a reordering of United States (U.S.) priorities with the first budget request in recent memory that provides more funding for non-national security programs than for agencies like the Department of Defense and others.
Meeting
The Biden Administration’s budget request has the same odds of enactment as the Trump Administration’s budget requests, which sought to dramatically reduce domestic funding for a range of programs. In all likelihood, FY 2022 appropriations will resemble FY 2021 appropriations with modest increases. Nonetheless, some of the administration’s priority programs and projects may see significant increases in funding.
Despite cybersecurity and information technology (IT) modernization being priorities for the Biden White House, the funding the budget request makes available for these programs is, in the aggregate, only a modest increase. Additionally, an important agency in this space would see a slight decrease in comparison to FY 2021 appropriations.
Geek Out
The Biden Administration released its full FY 2022 budget request and is proposing a $6 trillion plan (including both what Congress appropriates and the funding the federal government makes available automatically according to previously passed laws). The White House is projecting a budget deficit of more than $3.6 trillion for FY 2021 and more than $1.8 trillion for FY 2022, and an historic realignment of funding under which non-national security programs would receive higher funding than national security programs. The non-national security side of the discretionary budget would get $770 billion and national security would receive $753 billion.
For the first time since September 11, 2001, an administration is asking Congress for more non-defense discretionary spending than defense spending. In its FY 2022 budget request, the White House is calling for $770 billion in non-defense (16.5% more than FY 2021 appropriated funds) and $753 billion for defense (1.6% more than FY 2021 appropriated funds). Additionally, the Biden Administration is calling for an end to the Overseas Contingency Operations (OCO) accounts, which were used to pay for operations in Iraq, Afghanistan, and elsewhere that were not counted against the cap on defense spending that existed during the last decade. In all, the Biden Administration is projecting over $6 trillion in spending (a combination of discretionary and mandatory funding). The budget also projects a budget deficit of $3.669 trillion for FY 2021 and a deficit of $1.837 trillion for FY 2022.
The FY 2022 budget request features the American Families Plan as a centerpiece that guarantees “universal high-quality pre-school for every 3- and 4-year old in America, and adding 2 years of free community college,” and increases funding for Pell grants and for “investments in institutions serving low-income, first generation students, and students of color.” The previously announced American Jobs Plan also features prominently in the budget rollout, and the White House is reiterating the components it wants in an infrastructure package, including its expansive definition of what constitutes infrastructure. In all, these programs would total $1.355 trillion in spending over the ten-year budget window with the vast majority being spent over the next five years.
Besides its signature policy proposals, most agencies that administer domestic programs will see major funding increases. For example, the Department of Education would get a boost of 41%, the Department of Commerce 30%, the Department of Health and Human Services 23%, and the Environmental Protection Agency 22%. This Office of Management and Budget (OMB) chart provides a good overview of the funding the Biden Administration is asking Congress to provide:
Another OMB chart shows the percentage increase each agency would see under the administration’s budget request:
With respect to technology programs, in a summary, the Biden Administration claimed:
§ Delivers Clean Drinking Water, a Renewed Electric Grid, and High-Speed Broadband to All Americans. The President’s plan would eliminate all lead pipes and service lines in drinking water systems, improving the health of the Nation’s children and communities of color. It would put hundreds of thousands of people to work laying thousands of miles of transmission lines and capping hundreds of thousands of orphan oil and gas wells and abandoned mines. It would also bring affordable, reliable, high-speed broadband to every household, including the more than 35 percent of rural families who lack access to broadband infrastructure, the millions of families paying too much for broadband, and the millions of low-income and marginalized communities left behind by digital redlining and the digital divide.
§ Counters 21st Century Challenges and Threats. The Budget prioritizes the need to counter the threat from China while also deterring destabilizing behavior by Russia. Leveraging the Pacific Deterrence Initiative and working together with allies and partners in the Indo-Pacific region and the North Atlantic Treaty Organization, DOD would ensure that the United States builds the concepts, capabilities, and posture necessary to meet these challenges. To ensure the United States plays a lead role in defending democracy, freedom, and the rule of law, the Budget also includes a significant increase in resources to: strengthen and defend democracies throughout the world; advance human rights; fight corruption; and counter authoritarianism. In addition, to support agencies as they modernize, strengthen, and secure antiquated information systems and bolster Federal cybersecurity, the Budget provides $500 million for the Technology Modernization Fund, an additional $110 million for the Cybersecurity and Infrastructure Security Agency, and $750 million in additional investments tailored to respond to lessons learned from the SolarWinds incident.
§ Supports a Future Made in America. The President is committed to ensuring the future is made in America by all of America’s workers. The American Jobs Plan proposes transformative new funding for manufacturing programs at the National Institute of Standards and Technology (NIST), and the Budget complements those investments with additional discretionary funding, enabling the establishment of two new Manufacturing Innovation Institutes, in addition to institutes previously launched by the Departments of Defense (DOD) and Energy (DOE). The Budget also nearly doubles funding for the Manufacturing Extension Partnership to boost the competitiveness of small and medium manufacturers.
§ Renews America’s Commitment to R&D. The Budget proposes historic increases in funding for foundational R&D across a range of scientific agencies—including the National Science Foundation (NSF), the National Aeronautics and Space Administration (NASA), DOE, NIST, and others—to help spur innovation across the economy and renew America’s global leadership. These investments would: accelerate discoveries that would transform America’s understanding of the solar system and universe; launch the next generation of satellites to study and improve life on earth; and support upgrades to cutting-edge scientific user facilities at DOE national laboratories to build climate and clean energy research programs and train the next generation of scientists at HBCUs and MSIs. This funding, combined with the investments proposed as part of the American Jobs Plan, would firmly reestablish the United States as a global leader in R&D.
§ Delivering Better Services through Design and Technology. Too often, outdated tools, systems, and practices make interacting with the Federal government cumbersome and frustrating. The COVID-19 pandemic laid bare and exacerbated the government’s technology and service delivery challenges in a time of immediate need. Recognizing this, the Administration requested and received $200 million through the American Rescue Plan for the United States Digital Service (USDS) for a multiyear investment in the USDS mission to use design and technology to deliver better services to the American people. USDS quickly deployed teams of seasoned operational engineers, service designers, product managers, and procurement experts to bring best practices and new approaches to these technology challenges, ensure access and equity are integrated into products and processes, and help agencies modernize their systems for long-term stability. USDS is integrally engaged on American Rescue Plan projects and Administration priorities for COVID-19 pandemic vaccines and testing, economic rescue and recovery, environmental justice, and immigration reform.
§ Modernizing Federal IT Systems. In a world of constantly evolving technology and expanding cybersecurity threats, the Administration recognizes the critical need for additional investment in enhancing Federal IT to improve service delivery to the American public. To support agencies as they modernize, strengthen, and secure outdated information systems, the Budget includes $500 million for the Technology Modernization Fund (TMF). This builds on the substantial down-payment provided by the Congress in the American Rescue Plan to address urgent IT modernization challenges, bolster cybersecurity defenses, and improve the delivery of COVID-19 pandemic relief. The TMF would continue to serve as the predominant vehicle for delivering improvements to public-facing digital services, enhancements to cross-government collaboration, and modern technology designed with security and privacy in mind.
§ Bolstering Federal Cybersecurity. Cybersecurity will continue to be a key focus in protecting this Nation’s security, and recent, significant cybersecurity incidents highlight the long-standing need to modernize Federal IT systems and augment cybersecurity capabilities. The Budget contains $9.8 billion in cybersecurity funding to secure Federal civilian networks, protect the Nation’s infrastructure, and support efforts to share information, standards, and best practices with critical infrastructure partners and American businesses. This funding includes $110 million for the Cybersecurity and Infrastructure Security Agency (CISA) and $750 million to agencies affected by recent, significant cyber incidents to address exigent gaps in security capability. These resources would better enable Federal agencies to protect technology and safeguard citizens’ sensitive information from the threats posed by cyber criminals and adversaries. Agencies will continue to improve cybersecurity practices, implement supply chain risk management programs, develop coordinated vulnerability disclosure programs, and improve cyber threat intelligence analysis. The Budget also provides $15 million to support the Office of the National Cyber Director established in the William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021.
§ Improving the Federal IT Workforce. To support the Federal IT and cybersecurity portfolio, the Budget proposes to identify and address critical skills gaps across the IT and cybersecurity workforce. The Budget invests in innovative programs that improve the government’s ability to recruit, retain, and train a workforce that can build, maintain, and secure Federal information and information systems. The Administration is focused on continuing the use of reskilling and upskilling training programs to address critical knowledge skills gaps by reinvesting in existing employees. Moreover, the American Rescue Plan includes resources for USDS and CISA to hire information technology and cybersecurity experts.
In another document, the Biden Administration offered that:
§ Federal Information Technology (IT) provides Americans with important services and information, and is the foundation of how Government serves the public in the digital age. The President proposes spending $58.4 billion on IT at civilian agencies in FY 2022, which will be used to deliver critical citizen services, keep sensitive data and systems secure, and further the vision of digital Government. The Budget also supports the implementation of Federal laws that enable agency technology planning, oversight, funding, and accountability practices and Office of Management and Budget (OMB) guidance to agencies on the strategic use of IT to enable mission outcomes. It supports the modernization of antiquated and often unsecured IT; agency migration to secure, cost-effective commercial cloud solutions and shared services; the recruitment, retention, and reskilling of the Federal technology and cybersecurity workforce to ensure higher value service delivery; and the reduction of cybersecurity risk across the Federal enterprise.
§ Cybersecurity is an important component of the Administration’s IT modernization efforts, and the President remains dedicated to securing the Federal enterprise from cyber-related threats. The President’s Budget includes approximately $9.8 billion for civilian cybersecurity funding, which supports the protection of Federal IT and our Nation’s most valuable information including the personal information of the American public. These investments will, in alignment with the Administration’s priorities, focus on addressing root cause structural issues, promoting stronger collaboration and coordination among Federal agencies, and addressing capability challenges that have impeded the Government’s technology vision.
The White House also provided an overview of federal research and development funding:
Investments in research and development (R&D) are necessary to help spur innovation across the economy and renew America’s global leadership. R&D is also critical to tackling the climate crisis and driving the emerging technologies that will power future industries and create good-paying jobs across the nation. The 2022 Budget proposes $171.26 billion, a 9 percent increase, in total research and development across the Federal Government. A breakdown of the request by the major funding Department or agency is shown in the table at the end of this chapter. In addition to the 2022 Budget figures discussed in this chapter, the American Jobs Plan includes major R&D investments, including $50 billion in the National Science Foundation, $30 billion in additional funding for R&D that spurs innovation and job creation, and $40 billion to upgrade research infrastructure in laboratories across the country.
At the White House, the Biden Administration is asking Congress for $15 million and 25 Full-Time Equivalents (FTE) to stand up the newly created Office of the National Cyber Director. However, the Cyberspace Solarium Commission in making the recommendation that Congress create such a position called for at least 50 FTE in this office. Congress may appropriate funds and direct the creation of a larger office than the administration apparently wants.
The United States (U.S.) Department of Homeland Security (DHS) issued its FY 2022 Budget in Brief and summarized the cybersecurity portion of DHS’s request, which is one of the primary arms of U.S. cybersecurity efforts:
§ The FY 2022 President’s Budget for DHS responds, in a variety of ways, to funding challenges precipitated by recent cybersecurity incidents. The discretionary request provides $2.1 billion, a $110 million increase from the FY 2021 Enacted level, for the Cybersecurity and Infrastructure Security Agency (CISA), which builds on the $650 million provided for CISA in the American Rescue Plan Act of 2021. This funding would allow CISA to enhance its cybersecurity tools, hire highly qualified experts, and obtain support services to protect and defend Federal information technology systems.
§ To defend the Federal Government’s civilian information technology infrastructure, the Budget includes $408 million for the National Cybersecurity Protection System/EINSTEIN. This integrated system-of-systems increases intrusion detection, analytics, and information-sharing capabilities, and counters the threat from China while also deterring destabilizing behavior by Russia.
§ To enable improved national public safety communications, the Budget includes $178 million for CISA emergency communications. This program develops and implements policy and plans; coordinates funding, sustainment, and grant programs to support communications interoperability; and builds capacity with Federal as well as State, Local, Tribal, and Territorial (SLTT) stakeholders by providing technical assistance, training, resources, and guidance.
§ To mitigate against the effects of the SolarWinds attack, the Budget provides $93 million to the DHS Office of the Chief Information Officer. DHS has developed a set of five common capabilities that will provide common critical recovery solutions across the Department and will strengthen systems integrity and reduce vulnerabilities going forward.
§ To enhance CISA’s ability to respond to future cyber incidents, the Budget provides $20 million for a new Cyber Response and Recovery Fund (CRRF). The CRRF will enable CISA to support critical infrastructure in responding to and recovering from significant cyber incidents that exceed the Federal Government’s standing resources and capacity.
In the Congressional Justification the Cybersecurity and Infrastructure Security Agency (CISA) issued, the agency provides much greater detail about its budget request:
§ $1.3 billion for cybersecurity efforts to protect Federal civilian executive branch networks and partner with the State and local governments and the private sector to increase the security of critical networks including:
o $407.6 million for the National Cybersecurity Protection System/EINSTEIN, an integrated system-of-systems that delivers a range of capabilities, including intrusion detection, analytics, intrusion prevention, and information sharing capabilities, that contribute to the defense of the civilian Federal Government’s information technology infrastructure from cyber threats;
o $325.4 million for the Continuous Diagnostics and Mitigation to fortify the cybersecurity of Federal Government networks and systems; and
o $20.0M to pilot a Cyber Response and Recovery Fund (CRRF) in order to make funding available to CISA to support non-Federal critical infrastructure in responding to and recovering from a significant cyber event.
§ $175.3 million for infrastructure security efforts to secure and increase resilience for critical infrastructure against all hazards through risk management and collaboration with the critical infrastructure community;
§ $178.4 million to ensure emergency communication interoperability and provide assistance and support to Federal, State, local, tribal, territorial (SLTT) stakeholders;
§ $180.3 million for Integrated Operations for CISA’s frontline, externally-facing activities to ensure seamless support and expedited response to critical needs;
§ $116.6 million for the National Risk Management Center to provide infrastructure consequence analysis, decision support, and modeling capabilities to public and private sector partners;
§ $58.2 million for Stakeholder Engagement and Requirements to foster collaboration, coordination, and a culture of shared responsibility for national critical infrastructure risk management and resilience with Federal, SLTT, and private sector partners within the United States, as well as with our international partners abroad; and
§ $141.6 million for mission support activities.
The Biden Administration has stressed the need to better secure government and private sector systems, especially critical infrastructure. And yet, the agency with primary responsibility for overseeing U.S. efforts would see a modest decrease for FY 2022 at a time when the agency is reportedly stressed and stretched. CISA’s numbers show a total of $2.717 billion in FY 2021 but $2.56 billion for FY 2022. This may be an agency for which Congress provides greater funding than requested. Of course, the Biden Administration may be playing the old budgetary game of under-requesting for agencies it knows Congress will fund more generously in order to ask for more funds than Congress is apt to provide for other agencies (e.g., the Departments of Education and Housing and Urban Development).
Additionally, as mentioned above, CISA is asking for $20 million for a new program, the Cyber Response and Recovery Fund (CRRF), that
shall be used to provide support to critical infrastructure, including through the provision of services, technology, or capabilities, with or without reimbursement, to respond to or recover from a significant cyber incident as defined in Presidential Policy Directive 41: Provided further, That such support may include the provision of assistance to private entities and State, local, territorial, and tribal governments in responding to or recovering from a significant cyber incident: Provided further, That amounts appropriated under this heading shall be available only upon a determination by the President that additional resources are needed for the purposes under this heading. Provided further, That amounts made available under this heading shall be in addition to any other amounts available for such purposes.
The Federal Trade Commission (FTC) also submitted its Congressional Justification, in which acting FTC Chair Rebecca Kelly Slaughter stated “in FY 2022, the FTC is requesting $389,800,000 and 1,250 FTEs, which is an overall increase of $38,800,000 and 110 FTEs compared to the FTC’s FY 2021 enacted appropriation.” In other words, the FTC wants a 10% increase above its current funding.
In terms of the funding the FTC wants for new employees, the FTC provided this breakdown:
§ Increase of $18,521,000 for 110 additional Full Time Equivalents (FTE):
o Thirteen FTE in the Bureau of Consumer Protection (BCP) to support increasing needs in enforcement, privacy, and emerging technologies:
o (1) Two FTE to address increasingly complex privacy and data security issues; (2) three FTE to ensure effective compliance monitoring and enforcement investigations; (3) two FTE to address emerging technology in the area of marketing practices; and (4) six FTE to enhance BCP’s ability to understand quickly evolving technological issues implicated by its casework and keep pace with litigation demands.
o Thirty-six FTE in the Bureau of Competition (BC) to support identifying and challenging anticompetitive mergers and conduct in complex and increasingly pervasive technology markets:
o (1) Thirty FTE to support the BC litigation divisions with the high level of merger activity and litigation volume; (2) five FTE to increase BC’s paralegal workforce to assist in investigations, litigation, and policy projects; and (3) one FTE in the Premerger Notification Office to address increased HSR filing volume.
o Eight FTE in the Bureau of Economics (BE) to increase the amount of economic analysis that guides the Commission’s consumer protection and competition policies and enforcement.
o Ten FTE to support the heavy litigation workload in the regional offices for consumer protection and competition matters.
o One FTE in the Office of Policy Planning (OPP) to conduct thorough qualitative and quantitative analysis of antitrust issues on an ongoing basis.
o One FTE in the Office of General Counsel (OGC) to advise the Commission, Bureaus, and Offices on legal matters such as jurisdiction, statutory authority, administrative procedure, etc.
o Four FTE in the Administrative Law Judges’ Office (ALJ) to support the agency’s increased litigation via administrative complaint proceedings.
The FTC enumerated its “Planned Activities in FY 2021 and Beyond.” In the section titled “Protecting Consumers,” the agency offered the following:
§ The FTC protects consumers from unfair and deceptive practices in the marketplace. The FTC conducts investigations, sues companies and people that violate the law, develops rules to protect consumers, and educates consumers and businesses about their rights and responsibilities. The agency also collects complaints about a host of consumer issues, including fraud, identity theft, financial matters, and DNC violations. The FTC makes these complaints available to law enforcement agencies worldwide.
§ Protecting Consumers as Technology Evolves
o The FTC will continue to focus on identifying consumer protection issues associated with the use of new technology, including a careful consideration of the costs and benefits of practices and the importance of fostering innovation. The FTC also will take enforcement action against deceptive advertisements that appear in new formats and new media (e.g., apps, games, videos, and social networks). In addition, the agency will continue to evaluate consumer protection issues in the mobile marketplace through surveys and workshops. The FTC also will continue its efforts to root out entities responsible for illegal robocalls, enforce its DNC rules, and work with other stakeholders and industry to help develop technology-based solutions. The FTC will continue to conduct research on emerging technologies to assist with enforcement actions, educate consumers, and inform policy.
§ Protecting Consumer Privacy and Data Security
o The FTC will continue to take a leading role in efforts to protect consumers from unfair or deceptive practices related to the privacy and security of their personal information, while preserving the many benefits that technological advances offer. The agency will stop unfair and deceptive consumer privacy and data security practices through law enforcement focused on matters that cause or are likely to cause substantial injury to consumers. It will promote strong and balanced privacy protections through policy initiatives on a range of topics.
o The FTC also will participate in interagency groups, promote self-regulatory efforts, provide technical assistance to Congress on draft legislation, and participate in international privacy initiatives.
o In addition, the FTC will continue to be the repository for identity theft complaints and to make them available to federal criminal law enforcement agencies. Our trained counselors will continue to advise identity theft victims about the rights and remedies available to them under federal law, and to educate all consumers about how to avoid becoming victims. The FTC will continue to make enhancements to IdentityTheft.gov, the federal government’s one-stop resource to help consumers report and recover from identity theft.
The FTC continued with a section titled “Maintaining and Promoting Competition:”
§ The FTC’s competition work is critical to protect and strengthen free and open markets. Robust competition promotes lower prices, higher quality products and services, and greater innovation, all of which benefit consumers and the economy. A vigorous, open, and competitive marketplace provides the incentive and opportunity for new ideas and innovative products and services. The FTC will continue to use all of the tools at its disposal to promote competition and protect consumers from anticompetitive mergers and business practices.
§ Identifying anticompetitive mergers remains a top priority of the agency’s competition mission. The premerger notification requirements of the HSR Act provide the FTC with an effective starting point for identifying anticompetitive mergers before they are consummated, thereby preventing competitive harm. The FTC also devotes attention to identifying unreported, often consummated, mergers that could harm consumers. Reviewing and challenging anticompetitive mergers will continue to require substantial agency resources. Nonetheless, the FTC will continue its vigorous antitrust enforcement to maintain competition in a broad array of economic sectors of great importance to American consumers, including healthcare, technology, manufacturing, and consumer goods and services.
§ Continuing Emphasis on Technology and Intellectual Property
o The FTC continues to promote competition in complex and innovative high-tech markets through its ongoing enforcement, research, and advocacy efforts. Competition in technology sectors can be especially important to ensure that technological advances continue to drive innovation and growth in the economy, introducing more efficient products and processes into the marketplace, increasing quality, and decreasing prices. Antitrust matters increasingly intersect with intellectual property issues, raising difficult questions about how best to integrate these two bodies of law to further the common goal of promoting innovation.
o This focus on technology markets places increasing demands on the FTC’s antitrust enforcement mission in both the merger and nonmerger areas. The FTC remains vigilant about firms illegally using a dominant market position to thwart competition in order to raise prices, reduce the quality or choice of goods and services, or inhibit innovation; or about groups of competitors acting collectively to increase prices or stifle innovation. The Bureau of Competition continues to strengthen its Technology Enforcement Division dedicated to monitoring competition in U.S. technology markets, investigating any potential anticompetitive conduct in those markets, and taking enforcement actions when warranted.
As part of its FY 2022 budget materials, the FTC included its FY 2022 Performance Report, which consists of “the Annual Performance Report for fiscal year (FY) 2020 and Annual Performance Plan for FY 2021 and 2022.” The agency stated “[t]he FTC’s strategic goals, objectives, and performance measures articulate what the agency intends to accomplish to meet its mandated mission (Goals 1 and 2), support and improve the management functions vital to core mission success (Goal 3), and demonstrate the highest standards of stewardship.”
§ Strategic Goal 1: Protect consumers from unfair and deceptive practices in the marketplace
o Objective 1.1: Identify and take actions to address deceptive or unfair practices that harm consumers.
o Objective 1.2: Provide consumers and businesses with knowledge and tools that provide guidance and prevent harm.
o Objective 1.3: Collaborate with domestic and international partners to enhance consumer protection.
§ Strategic Goal 2: Maintain competition to promote a marketplace free from anticompetitive mergers, business practices, or public policy outcomes
o Objective 2.1: Identify and take actions to address anticompetitive mergers and practices.
o Objective 2.2: Engage in effective research, advocacy, and stakeholder outreach to promote competition and advance its understanding.
o Objective 2.3: Collaborate with domestic and international partners to preserve and promote competition.
§ Strategic Goal 3: Advance the FTC’s performance through excellence in managing resources, human capital, and information technology
o Objective 3.1: Optimize resource management and infrastructure.
o Objective 3.2: Cultivate a high-performing, diverse, and engaged workforce.
o Objective 3.3: Optimize technology and information management that supports the FTC mission.
The Department of Commerce’s National Telecommunications and Information Administration (NTIA) is asking Congress for “$89.5 million and 189 positions,” a nearly 100% increase above the $45.5 billion Congress gave the agency for the current fiscal year. The agency explained:
The budget request supports NTIA’s critical role of advising the President on communications and information policy issues. NTIA’s programs and policymaking focus on expanding the availability of spectrum for all users, managing core Federal spectrum programs effectively and efficiently, and identifying innovative approaches to increase spectrum access and spectrum sharing opportunities. This Budget provides the resources to ensure that the Internet remains an engine for continued economic growth, promotes a 21st century Internet economy in rural communities, and expands broadband Internet access and adoption in America.
The Department of Commerce made available the top-line funding request for the National Institute of Standards and Technology (NIST) of $1.497 billion, a 45% increase above its current appropriation of $1.034 billion. However, NIST has not released its Congressional Justification as of yet.
The Federal Communications Commission (FCC or Commission) issued its full FY 2022 budget request. In its Budget-In-Brief, the agency stated “[f]or FY 2022, the Commission is requesting the budget and personnel amounts that are summarized in the bullets and a table below:
§ The Commission requests $387,950,000 in budget authority from regulatory fee offsetting collections. This request represents a net increase of $13,950,000 or 3.7 percent from the FY 2021 appropriated level of $374,000,000.
§ The Commission requests $128,621,000 in budget authority for the spectrum auctions program. This request represents a net decrease of $5,874,000 or -4.4 percent from the FY 2021 appropriated level of $134,495,000. To date, the Commission’s spectrum auctions program has generated over $210.5 billion for government use; at the same time, the total cost of the auctions program has been less than $2.2 billion or 1.1 percent of the total auctions’ revenue.
§ In creating a lean, accountable, and efficient Commission that works for the American people, the Commission requests 1,550 Full Time Equivalents (FTEs) funded by budget authority from regulatory fee offsetting collections, spectrum auctions program, and other budget authorities provided by President and Congress. This FTE level is an increase of 78 from the FY 2021 enacted level of 1,472. With this FTE level, the Commission will meet its increased mission demands in FY 2022.
The FCC offered its “Strategic Goals for FY 2022:”
§ Strategic Goal 1: Pursue a “100 Percent” Broadband Policy. The COVID-19 pandemic put a spotlight on the serious broadband gaps that exist across the country, including in rural infrastructure, affordability for low-income Americans, and at-home access for students. This continuing digital divide means millions of Americans do not have meaningful access to essential infrastructure for 21st century success. In response to the COVID-19 pandemic and the challenges that many Americans face, the agency should advance access to communications that are essential for Americans to work remotely, learn remotely, receive healthcare, and engage in commerce. To this end, the FCC will pursue policies to help bring affordable, reliable, high-speed broadband to 100 percent of the country.
§ Strategic Goal 2: Promote Diversity, Equity, Inclusion and Accessibility. The FCC will seek to gain a deeper understanding of how the agency’s rules, policies, and programs may promote or inhibit advances in diversity, equity, inclusion, and accessibility. The FCC will pursue focused action and investments to eliminate historical, systemic, and structural barriers that perpetuate disadvantaged or underserved individuals and communities. In so doing, the FCC will work to ensure equitable and inclusive access and facilitate the ability of underserved individuals and communities to leverage and benefit from the wide range of opportunities made possible by digital technologies, media, communication services, and next-generation networks. In addition, the FCC recognizes that it is more effective when its workforce reflects the experience, judgement, and input of individuals from many different backgrounds. Advancing equity is core to the agency’s management and policymaking processes and will benefit all Americans.
§ Strategic Goal 3: Empower Consumers. Consumers who are well informed about their rights and what they’re buying are more confident and more likely to participate in the digital economy. The FCC will tackle new challenges to consumer rights and opportunities stemming from the COVID-19 pandemic, plans for post-COVID recovery, and digital transitions. The FCC also will pursue effective enforcement and new approaches to protect consumers from unwanted and intrusive communications, phone-based scams, telephone privacy issues, and other trends that affect consumers. The FCC will work to enhance competition and pursue policies that protect the competitive process to improve consumer choice and access to information. The FCC will work to foster a regulatory landscape that fosters media competition, diversity, and localism. The FCC also must work to ensure the availability of quality, functionally equivalent communications services for persons with disabilities.
§ Strategic Goal 4: Enhance Public Safety and National Security. There is no task at the FCC that is more important than keeping the American people safe. The FCC will pursue policies to promote the availability of secure, reliable, interoperable, redundant, and rapidly restorable critical communications infrastructure and services. The FCC also will promote the public’s access to reliable 911, emergency alerting, and first responder communications. The FCC will work to ensure the continued availability of timely emergency alerts. The FCC will work in coordination with Federal and state, local, Tribal, and territorial government partners and industry stakeholders to support disaster response and to ensure the nation’s defense and homeland security.
§ Strategic Goal 5: Advance America’s Global Competitiveness. The FCC will take action to promote investment and advance the development and deployment of new communications technologies, such as 5G, that will allow the nation to remain a global leader in an increasingly competitive, international marketplace. The FCC will identify incentives and policies to close security gaps and accelerate trustworthy innovation. The FCC will work with its federal partners to advocate for US interests abroad.
§ Strategic Goal 6: Foster Operational Excellence. The FCC should be a model for excellence in government by effectively managing its resources, maintaining a commitment to transparent and responsive processes that encourage public involvement and decision-making that best serves the public interest, and encouraging a culture of collaboration both internally and across government agencies.
The Department of Defense (DOD) summarized its cybersecurity and information security activities and funding request under the heading “Innovate and Modernize: Cyberspace Activities:”
§ Key portfolios of DOD Cyberspace Activities:
o Cybersecurity – Securing the DOD Information Network
o Cyberspace Operations – Cyber Collection/Intelligence, Offensive/Defensive Cyber Operations, Cyber Mission Forces, and infrastructure supporting Cyber Operations
o R&D in support of Cyber – Research and Development in support of Cybersecurity and Cyberspace Operations
§ $10.4 billion committed to cyberspace activities in FY 2022
o Increases capabilities in Identity, Credential and Access Management (ICAM), Comply-to-Connect (C2C), and Automated Continuous Endpoint Monitoring (ACEM) to accelerate a Zero Trust framework.
o Provides improved integrated cyber capabilities that support Combatant Commander military Cyber operations and contingencies.
o More effective risk mediation activities focused on critical infrastructure vulnerabilities and the Defense Industrial Base (DIB).
o Grows the Cyber Mission Force from 133 to 137 (+4) Teams.
o Continues development of the Joint Cyber Warfighting Architecture (JCWA) that will provide secure connect and integrated information/capabilities to the Cyber Mission Forces.
Other Developments
Photo by Robynne Hu on Unsplash
§ In response to the Colonial Pipeline ransomware attack, the United States (U.S.) Department of Homeland Security’s (DHS) Transportation Security Administration (TSA) announced “a Security Directive that will enable the Department to better identify, protect against, and respond to threats to critical companies in the pipeline sector.” Although the Security Directive was not released, TSA further explained in its press release:
o The Security Directive will require critical pipeline owners and operators to report confirmed and potential cybersecurity incidents to the DHS Cybersecurity and Infrastructure Security Agency (CISA) and to designate a Cybersecurity Coordinator, to be available 24 hours a day, seven days a week. It will also require critical pipeline owners and operators to review their current practices as well as to identify any gaps and related remediation measures to address cyber-related risks and report the results to TSA and CISA within 30 days.
o TSA is also considering follow-on mandatory measures that will further support the pipeline industry in enhancing its cybersecurity and that strengthen the public-private partnership so critical to the cybersecurity of our homeland.
§ The European Data Protection Supervisor (EDPS) launched two investigations, “one regarding the use of cloud services provided by Amazon Web Services and Microsoft under Cloud II contracts by European Union institutions, bodies and agencies (EUIs) and one regarding the use of Microsoft Office 365 by the European Commission.” EDPS contended:
o These investigations are part of the EDPS’ strategy for EU institutions to comply with the “Schrems II” Judgement so that ongoing and future international transfers are carried out according to EU data protection law.
o In line with his strategy, the EDPS ordered EUIs in October 2020 to report on their transfers of personal data to non-EU countries. The EDPS’ analysis shows that because of diverse processing operations, in particular when using tools and services offered by large service providers, individuals’ personal data is transferred outside the EU and to the United States (US) in particular.
o The EDPS’ analysis also confirms that EUIs increasingly rely on cloud-based software and cloud infrastructure or platform services from large ICT providers, of which some are based in the US and are therefore subject to legislation that, according to the “Schrems II” Judgement, allows disproportionate surveillance activities by the US authorities.
o The objective of the first investigation is to assess EUIs’ compliance with the “Schrems II” Judgement when using cloud services provided by Amazon Web Services and Microsoft under the so-called “Cloud II contracts” when data is transferred to non-EU countries, in particular to the US.
o The objective of the second investigation into the use of Microsoft Office 365 is to verify the European Commission’s compliance with the Recommendations previously issued by the EDPS on the use of Microsoft’s products and services by EUIs.
§ The District of Columbia’s Attorney General has filed an antitrust action in a District of Columbia court against Amazon “seeking to end its anticompetitive practices that have raised prices for consumers and stifled innovation and choice across the entire online retail market.” Attorney General Karl Racine claimed:
o The Office of the Attorney General (OAG) alleges that Amazon fixed online retail prices through contract provisions and policies it previously and currently applies to third-party sellers on its platform. These provisions and policies, known as “most favored nation” (MFN) agreements, prevent third-party sellers that offer products on Amazon.com from offering their products at lower prices or on better terms on any other online platform, including their own websites. These agreements effectively require third-party sellers to incorporate the high fees charged by Amazon – as much as 40% of the total product price – not only into the price charged to customers on Amazon’s platform, but also on any other online retail platform. As a result, these agreements impose an artificially high price floor across the online retail marketplace and allow Amazon to build and maintain monopoly power in violation of the District of Columbia’s Antitrust Act. The effects of these agreements continue to be far-reaching as they harm consumers and third-party sellers, and suppress competition, choice, and innovation. OAG is seeking to put an end to Amazon’s control over online retail pricing, as well as damages, penalties, and attorney’s fees.
o Amazon is the world’s largest online retailer, controlling 50-70% of the online market sales. Amazon sells its own products, and some products it sources wholesale from major manufacturers, through its online platform. It also allows independent third-party sellers to sell their own products on Amazon.com through what it calls “Amazon Marketplace.” Because of the company’s dominance and vast base of customers, over two million independent third-party sellers rely on Amazon Marketplace.
o In 2019, Amazon claimed to have removed its price parity policy that explicitly prohibited third-party sellers from offering their products on a competing online retail sales platform, including the third-party sellers’ own website, at a lower price or on better terms than they offered the products on Amazon. But in fact, Amazon quickly and quietly replaced the price parity policy with an effectively-identical substitute, its Fair Pricing Policy. Under the Fair Pricing Policy, third-party sellers can be sanctioned or removed from Amazon altogether if they offer their products for lower prices or under better terms on a competing online platform.
o The lawsuit alleges that the pricing agreements Amazon imposes on third-party sellers are facially anticompetitive and allow Amazon to illegally build and maintain monopoly power in the online retail market in violation of the District of Columbia’s Antitrust Act. Specifically, the lawsuit alleges that Amazon:
§ Raises prices for consumers: Amazon’s MFNs harm consumers by artificially inflating prices they pay for products purchased across the online retail market. When third-party sellers sell on Amazon, they must pass on the cost of Amazon’s high fees and commissions to consumers. While third-party sellers can sell their products for lower prices on other platforms and on their own websites, where fees are lower or non-existent, Amazon’s MFNs prevent sellers from passing on these savings to consumers. These agreements create an artificially high price “floor” across the entire online market and prevent other platforms from enticing consumers away from Amazon with lower prices and gaining market share. Without these restraints, products would be available to consumers at lower prices.
§ Stifles competition in the online retail market: Amazon maintains its dominance in online retail by preventing other platforms from competing on price to win market share. The most important factor in online shoppers’ purchasing decisions is price. By ensuring that third-party sellers cannot offer lower prices elsewhere online, Amazon insulates itself from meaningful competition.
§ Deprives consumers of choice: Amazon’s anticompetitive actions have resulted in less choice for consumers in the online retail market, suppressed innovation, and reduced investment in potentially-competing platforms.
o With this lawsuit, OAG is seeking to end Amazon’s use of illegal price agreements to foreclose competition and maintain its monopoly in online retail sales. Additionally, the lawsuit seeks to recover damages and impose penalties to deter similar conduct by Amazon and other companies.
§ The United Kingdom’s (UK) Department for Digital, Culture, Media & Sport (DCMS) contracted with Ipsos MORI for a report on the artificial intelligence labor market in the UK. The report stated that the “following recommendations are based on the evidence generated from all elements of this study.” Ipsos MORI asserted “[i]t will require engagement from government, AI firms and other employers, education institutions and recruitment agencies to take them forward”:
o Increase diversity in the AI workforce, particularly among women, a wider range of ethnic minorities, and people from poorer backgrounds within the UK. Attracting global talent can also support increasing diversity in the workforce.
o Improve the talent pipeline through education, student employability and diversity. Increasing the talent pool and ensuring a future pipeline is key to the success of the AI sector within the UK. Entry into the AI sector from a diverse range of people needs to be encouraged, and can be achieved by increasing the levels of awareness about AI in general and the career opportunities in this sector. The talent pipeline can be further bolstered by ensuring that graduates have the skills required by employers. There was some evidence that employers felt that new graduates were unable to apply their skills to real life situations and/or had sufficient soft skills – Industrial Funded AI Masters have been one way of providing undergraduates with work experience to increase their employability.
o Create more opportunities for those not currently working in AI to convert to a career in AI and raise the levels of awareness of these opportunities. AI conversion courses [8] have been set-up to meet this demand and a new apprenticeship scheme has recently been launched. However, more thought should be given to how people at different life stages can convert to a career in AI.
o Encourage small firms to broaden their recruitment practices and provide support to small firms/employers located outside ‘hot spots’ to recruit and retain staff: small firms preferred word-of-mouth and networking to recruit their employees; this was a cost effective method of recruitment but meant that their talent pool of candidates was restricted. Employers who were located outside of the AI ‘hotspots’ found the recruitment and retention of staff particularly challenging, and there is a need to explore how to support these firms.
o Firms need employees to have a range of both technical and soft skills so that they can communicate effectively with management, other team members, internal stakeholders and clients about the AI product, its application and the benefits or limitations.
o Identify the AI skills required by different sectors: focus needs to shift towards thinking about the AI skills required in each sector, and how academic organisations could expand their courses to ensure that students gain the correct skill set.
o Increase ethics and bias training and make the case that it is in firms’ commercial interests to avoid flaws related to bias and ethical issues in their products.
§ The European Data Protection Board (EDPB) published a statement “on the Data Governance Act in light of the legislative developments.” The EDPB stated:
o On 9 March 2021 the EDPS and the EDPB adopted the Joint Opinion on the Proposal for a Data Governance Act (DGA), which has also been presented at the European Parliament at the hearing of the LIBE Committee of 16 March 2021.
o The EDPB is closely following the work of the co-legislators on this important legislative initiative, which - we recall - contains provisions concerning the processing of data, including personal data, in the context of the re-use of data held by public sector bodies, of “data sharing services” (which would also include so-called data brokers), and in the context of processing of data (including personal data concerning health) by “data altruism” organizations.
o The DGA will have serious impact on the rights and freedoms of individuals and civil society as a whole throughout the EU. In most cases, the processing of personal data would indeed be the core activity of the aforementioned entities, and thus on the fundamental rights to privacy and to the protection of personal data, enshrined in Article 7 and 8 of the Charter of Fundamental Rights of the European Union (the Charter), and in Article 16 of the Treaty on the Functioning of the European Union (TFEU). Those rights are a paramount expression of the values of the European Union.
o Without robust data protection safeguards, there is a risk that the (trust in the) digital economy would not be sustainable. In other words, data re-use, sharing and availability may generate benefits, but also various types of risk of damages to the persons concerned and society as a whole, impacting individuals from an economic, political and social perspective.
o To address and mitigate these risks, and to foster individuals’ trust, data protection principles and safeguards must be implemented from the early design of the data processing, especially when the latter concerns personal data which have not been obtained directly from the natural person/individual concerned. Moreover, the DGA must be consistent not only with the GDPR but also with other Union and national laws, notably the Open Data Directive, thus responding to the overarching principle of rule of law, and provide legal certainty for public administrations, legal persons and individuals concerned.
§ The United States (U.S.) National Aeronautics and Space Administration (NASA) Office of the Inspector General (OIG) assessed the agency’s cybersecurity readiness. The OIG found:
o Attacks on NASA networks are not a new phenomenon, although attempts to steal critical information are increasing in both complexity and severity. As attackers become more aggressive, organized, and sophisticated, managing and mitigating cybersecurity risk is critical to protecting NASA’s vast network of IT systems from malicious attacks or breaches that can seriously inhibit the Agency’s ability to carry out its mission. Although NASA has taken positive steps to address cybersecurity in the areas of network monitoring, identity management, and updating its IT Strategic Plan, it continues to face challenges in strengthening foundational cybersecurity efforts.
o We found that NASA’s ability to prevent, detect, and mitigate cyber-attacks is limited by a disorganized approach to Enterprise Architecture. Enterprise Architecture (EA) and Enterprise Security Architecture (ESA)—the blueprints for how an organization analyzes and operates its IT and cybersecurity—are crucial components for effective IT management. Enterprise Architecture has been in development at NASA for more than a decade yet remains incomplete while the manner in which the Agency manages IT investments and operations remains varied and ad hoc. Unfortunately, a fragmented approach to IT, with numerous separate lines of authority, has long been a defining feature of the environment in which cybersecurity decisions are made at the Agency. The result is an overall cybersecurity posture that exposes NASA to a higher-than-necessary risk from cyber threats.
o We also noted that NASA conducts its assessment and authorization (A&A) of IT systems inconsistently and ineffectively, with the quality and cost of the assessments varying widely across the Agency. These inconsistencies can be tied directly to NASA’s decentralized approach to cybersecurity. NASA plans to enter into a new Cybersecurity and Privacy Enterprise Solutions and Services (CyPrESS) contract intended to eliminate duplicative cyber services, which could provide the Agency a vehicle to reset the A&A process to more effectively secure its IT systems.
o The OIG made these recommendations:
§ Integrate EA and ESA, and develop metrics to track the overall progress and effectiveness of EA.
§ Collaborate with the Chief Engineer on strategies to identify and strengthen EA gaps across mission and institutional IT boundaries.
§ Evaluate the optimal organizational placement of the Enterprise Architect and Enterprise Security Architect during and after MAP implementation to improve cybersecurity readiness.
§ Determine each Center’s annual cost for performing independent assessments, including staffing, during the A&A process for NASA’s 526 systems.
§ Develop baseline requirements in the planned CyPrESS contract for a dedicated enterprise team to manage and perform the assessment process for all NASA systems subject to A&A.
§ The Australian Cyber Security Centre (ACSC) “is calling for ACSC Partners to help pilot the Critical Infrastructure Uplift Program (CI-UP).” The ACSC explained:
o CI-UP will help protect Australia’s essential services from cyber threats by raising the security levels of critical infrastructure organisations. CI-UP is part of the Australian Signals Directorate’s Cyber Enhanced Situational Awareness and Response (CESAR) package and complements the Australian Government’s ongoing work to protect critical infrastructure security through proposed amendments to the Security of Critical Infrastructure Act 2018.
o CI-UP will build knowledge and expertise for critical infrastructure providers to strengthen their cyber defences. CI-UP has been designed to:
§ evaluate critical infrastructure cyber security maturity;
§ deliver prioritised vulnerability and risk mitigation recommendations; and
§ assist partners to implement the recommended risk mitigation strategies.
§ The United Nations (UN) Institute for Disarmament Research published a report “Known Unknowns: Data Issues and Military Autonomous Systems.” The UN stated:
o The following five avenues for action could bolster efforts to minimize the risks of unintended or unaccountable harms arising from the use of military autonomous systems. Like all international initiatives relating to autonomous military systems, they will require close cooperation between stakeholders from all domains, including governments, militaries, civil society, academia and the technology sector.
o 1. Perform advanced, collaborative research on the legal review process. Legal reviews are likely to be key to addressing data issues. Developing legal review procedures that resolve the many ambiguities described in this report will require significant new research, collaborative dialogue and knowledge-sharing.
o 2. Develop classification criteria for data issues and resulting failures; specifically, develop criteria to distinguish known unknown issues from unknown unknown issues, and frameworks to assign appropriate responsibility in cases of harm arising from such issues. A finer-grain scheme for differentiating between different types of failure – and a clearer framework designating the actors for whom those failures should be knowable – could aid efforts to quantify risk in operations and assign due responsibility for unintended harm arising from data issues.
o 3. Share specific knowledge on technical and normative approaches to data and risk in relation to autonomous military systems. Given the formidable challenge of characterizing data issues, to say nothing of addressing them through technical approaches, all stakeholders should be encouraged to share knowledge across political and disciplinary divides. This especially applies to sharing of best practices, given that even good faith efforts to minimize the risks of data issues in autonomous systems could be frustrated by the complexity and ambiguity of data issues. A number of militaries already possess significant shareable relevant knowledge (for example, sophisticated risk assessment tools and procedures) that could serve as a foundation for assessing autonomous systems risks; the distribution of these resources would be beneficial for all actors seeking to mitigate the risks of autonomous systems.
o 4. Study adversarial measures and their effects on autonomous weapons. No autonomous system is “unattackable”, and many of the most dangerous and unpredictable data issues for autonomous systems could arise from adversarial actions. By foregrounding the science of adversarial measures, the international community will better place itself to model their effects and, as necessary, take adversariality into account in the development of norms or policies for the development and use of autonomous systems.
o 5. Adopt a system-of-systems approach to studying data issues. Failures in autonomous systems arise from the interaction of a range of subsystems: not just sensors and algorithms but also actuators, power sources, communications devices and other systems in the battlespace. Taking all these interacting systems into account will help guide parties to more grounded solutions than discussions that solely focus on the algorithmic element of autonomous technologies.
§ The United Kingdom’s (UK) National Cyber Security Centre (NCSC) launched the new ‘Early Warning’ notification service “designed to help organisations defend against cyber attacks by providing timely notifications about possible incidents and security issues.” The NCSC explained:
o Early Warning is a free NCSC service designed to inform your organisation of potential cyber attacks on your network, as soon as possible. The service uses a variety of information feeds from the NCSC, trusted public, commercial and closed sources, which includes several privileged feeds which are not available elsewhere.
o Early Warning filters millions of events that the NCSC receives every day and, using the IP and domain names you provide, correlates those which are relevant to your organisation into daily notifications for your nominated contacts via the Early Warning portal.
o Organisations will receive the following high level types of alerts:
§ Incident Notifications - This is activity that suggests an active compromise of your system. For example: A host on your network has most likely been infected with a strain of malware.
§ Network Abuse Events - This may be indicators that your assets have been associated with malicious or undesirable activity. For example: A client on your network has been detected scanning the internet.
§ Vulnerability and Open Port Alerts - These are indications of vulnerable services running on your network, or potentially undesired applications are exposed to the internet. For example: You have a vulnerable application, or you have an exposed Elasticsearch service.
o Early Warning does not conduct any active scanning of your networks itself, however some of the feeds may use scan derived data, for example from commercial feeds.
§ Graphika issued a report “Ants in a Web: Deconstructing Guo Wengui's Online 'Whistleblower Movement'” that throws light on the disinformation activities of Chinese businessman Guo Wengui, an affiliate of former Trump Administration official Steve Bannon. Graphika summarized its findings:
o Chinese businessman Guo Wengui is at the center of a vast network of interrelated media entities which have disseminated online disinformation and promoted real-world harassment campaigns.
o Graphika has identified thousands of mostly-authentic social media accounts associated with this network which are active across platforms including Facebook, Instagram, YouTube, Twitter, Gab, Telegram, Parler, and Discord.
o In the last year, this network has promoted harassment campaigns against anti-CCP Chinese dissidents, activists, and other perceived enemies in six countries. These campaigns have been linked to multiple violent incidents.
o Foreign-born participants in Guo’s online and offline operations have been promised political asylum in the United States in exchange for participation.
o Graphika has noted multiple instances of what appear to be coordinated authentic behavior, with real supporters posting with the singular purpose of amplifying Guo-related content.
o The network acts as a prolific producer and amplifier of mis- and disinformation, including claims of voter fraud in the U.S., false information about Covid-19, and QAnon narratives.
o Accounts in the network have used centrally-coordinated tactics to evade enforcement actions by social media platforms.
Further Reading
§ “Jacinda Ardern calls for ‘ethical algorithms’ to help stop online radicalization” — Australian Associated Press. Tech companies need to make more progress on algorithms that can drive social media users to become radicalised, New Zealand’s prime minister, Jacinda Ardern, has said. Along with France, New Zealand is leading a push to rid the world of extremist and terrorist content online – known as the Christchurch Call.
§ “Govt ramps up plan for US data-sharing deal” By Denham Sadler — InnovationAus. The federal government has reignited its efforts to sign an expedited data-sharing deal with the US, with nearly $10 million provided for the scheme over the next four years. On Wednesday afternoon, the powerful bipartisan national security committee called for 23 changes to legislation which will underpin such a deal with the Biden administration, paving the way for its passage through Parliament with amendments.
§ “New laws requiring social media platforms to hire local staff could endanger employees” By Vittoria Elliott — Rest of World. In 2016, Brazilian police arrested Diego Dzodan, Facebook’s then vice president for Latin America, after the company refused to hand over WhatsApp messages that authorities alleged had been sent by drug dealers. A judge later ordered Dzodan to be released, calling his arrest “unlawful coercion.”
§ “Ransomware attacks are surging, but governments are too conflicted to do anything other than sound warnings” By Bernard Keane — Crikey. While ransomware attacks are multiplying rapidly for private corporations, don't expect our cybersecurity agencies to do much other than warn about them. In fact, they remain a core part of the problem of what will become a key element of 21st century life -- the vulnerability of even the largest corporations to being locked out of their own data and systems.
§ “Solar panels are key to Biden's energy plan. But the global supply chain may rely on forced labor from China” By Clare Duffy — CNN Business. China's Xinjiang region has evolved over the past two decades into a major production hub for many of the companies that supply the world with parts needed to build solar panels. But new research suggests that much of that work could rely on the exploitation of the region's Uyghur population and other ethnic and religious minorities, potentially tainting a significant portion of the global supply chain for a renewable energy source critical to combating the climate crisis.
§ “Hackers post hundreds of pages of purported internal D.C. police documents” By Peter Hermann and Dalton Bennett — The Washington Post. Hackers who infiltrated the D.C. police department’s computer network have posted a trove of purported department documents, including some containing information related to street crews and others with raw intelligence on threats following the Jan. 6 attack on the U.S. Capitol.
§ “Pipeline Attack Yields Urgent Lessons About U.S. Cybersecurity” By David E. Sanger and Nicole Perlroth — The New York Times. For years, government officials and industry executives have run elaborate simulations of a targeted cyberattack on the power grid or gas pipelines in the United States, imagining how the country would respond. But when the real, this-is-not-a-drill moment arrived, it didn’t look anything like the war games.
§ “We Found Joe Biden’s Secret Venmo. Here’s Why That’s A Privacy Nightmare For Everyone.” By Ryan Mac, Katie Notopoulos, Ryan Brooks, and Logan McDonald — BuzzFeed News. BuzzFeed News found President Joe Biden’s Venmo account after less than 10 minutes of looking for it, revealing a network of his private social connections, a national security issue for the United States, and a major privacy concern for everyone who uses the popular peer-to-peer payments app. On Friday, following a passing mention in the New York Times that the president had sent his grandchildren money on Venmo, BuzzFeed News searched for the president’s account using only a combination of the app’s built-in search tool and public friends feature. In the process, BuzzFeed News found nearly a dozen Biden family members and mapped out a social web that encompasses not only the first family, but a wide network of people around them, including the president's children, grandchildren, senior White House officials, and all of their contacts on Venmo.
§ “Venmo Will Now Let You Hide Your Friend List Because We Found Biden’s Account” By Ryan Mac and Katie Notopoulos — BuzzFeed News. Venmo, the mobile payments app owned by PayPal, is changing its privacy settings after a BuzzFeed News story uncovered President Joe Biden’s account earlier this month. The move allows people to make their friend list private or restrict who can see it, adding a privacy feature to an app that digital rights groups and critics have called a security nightmare. Two weeks ago, BuzzFeed News used public friend lists, which previously could not be made private, to find the president, the first lady, and members of their immediate family, showing how the app can put people at risk.
§ “Japan lashes out against alleged Chinese military cyberattacks” By Yuichi Sakaguchi — Nikkei Asia. Usually a mundane affair, the weekly news conference by the National Public Safety Commission caused a stir recently among the global cybersecurity community after police chief Mitsuhiro Matsumoto officially identified China as responsible for a cyberattack on Japan. Since then the National Police Agency has been deluged with inquiries from foreign governments and media organizations about the claim.
§ “Facebook meets with Israeli and Palestinian officials to discuss online hate speech, threats as violence escalates” By Emily Birnbaum — Politico. Facebook is engaging with both Israel and Palestinian officials on the spread of hate speech and incitements to violence on the platform amid the region's escalating conflict. Top Facebook lobbyists Nick Clegg and Joel Kaplan and several TikTok executives met over Zoom with Israeli Defense Minister Benny Gantz on Thursday evening to discuss the spread of misinformation and violent threats on the social network. Facebook's Clegg and Kaplan are expected to meet with the Palestinian Authority next week, the company said.
§ “Intel seeks $10 bln in subsidies for European chip plant” By Douglas Busvine — Reuters. Intel wants 8 billion euros ($9.7 billion) in public subsidies towards building a semiconductor factory in Europe, its CEO was cited as saying on Friday, as the region seeks to reduce its reliance on imports amid a shortage of supplies.
§ “Irish health system targeted in ‘serious’ ransomware attack” — Associated Press. Ireland’s health service shut down its IT systems on Friday after being targeted in a ransomware attack by what it called “international criminals.” Appointments and elective surgeries were canceled at several hospitals and Deputy Prime Minister Leo Varadkar said the disruption could last for days.
§ “WhatsApp sues Indian government over ‘mass surveillance’ internet laws” By Hannah Ellis-Petersen — The Guardian. WhatsApp has sued the Indian government over new internet laws which the company says will “severely undermine” the privacy of their users. The new IT laws, which have been described as oppressive and draconian, give the Indian government greater power to monitor online activity, including on encrypted apps such as WhatsApp and Signal. They were passed in February but were due to come into effect on Wednesday.
§ “German regulator bans Facebook from processing WhatsApp user data” — Reuters. Germany's lead data protection regulator for Facebook is banning the social network from processing personal data from WhatsApp users because it views the messaging app's new terms of use as illegal, it said on Tuesday.
§ “A Press Corps Deceived, and the Gaza Invasion That Wasn’t” By David M. Halbfinger — The New York Times. The Israeli military abruptly announced after midnight on Friday that its ground forces had begun “attacking in the Gaza Strip,” saying it on Twitter, in text messages to journalists, and in on-the-record confirmations by an English-speaking army spokesman. Several international news organizations, including The New York Times, immediately alerted readers worldwide that a Gaza incursion or invasion was underway, a major escalation of Israeli-Palestinian hostilities.
§ “Exclusive: Inside the Military's Secret Undercover Army” By William Arkin — Newsweek. The largest undercover force the world has ever known is the one created by the Pentagon over the past decade. Some 60,000 people now belong to this secret army, many working under masked identities and in low profile, all part of a broad program called "signature reduction." The force, more than ten times the size of the clandestine elements of the CIA, carries out domestic and foreign assignments, both in military uniforms and under civilian cover, in real life and online, sometimes hiding in private businesses and consultancies, some of them household name companies. The unprecedented shift has placed an ever greater number of soldiers, civilians, and contractors working under false identities, partly as a natural result in the growth of secret special forces but also as an intentional response to the challenges of traveling and operating in an increasingly transparent world. The explosion of Pentagon cyber warfare, moreover, has led to thousands of spies who carry out their day-to-day work in various made-up personas, the very type of nefarious operations the United States decries when Russian and Chinese spies do the same.
§ “Facial recognition, fake identities and digital surveillance tools: Inside the post office's covert internet operations program” By Jana Winter — Yahoo! News. The post office’s law enforcement arm has faced intense congressional scrutiny in recent weeks over its Internet Covert Operations Program (iCOP), which tracks social media posts of Americans and shares that information with other law enforcement agencies. Yet the program is much broader in scope than previously known and includes analysts who assume fake identities online, use sophisticated intelligence tools and employ facial recognition software, according to interviews and documents reviewed by Yahoo News.
§ “CNA Financial Paid $40 Million in Ransom After March Cyberattack” By Kartikay Mehrotra and William Turton — Bloomberg. CNA Financial Corp., among the largest insurance companies in the U.S., paid $40 million in late March to regain control of its network after a ransomware attack, according to people with knowledge of the attack. The Chicago-based company paid the hackers about two weeks after a trove of company data was stolen, and CNA officials were locked out of their network, according to two people familiar with the attack who asked not to be named because they weren’t authorized to discuss the matter publicly.
§ “You should be worried about how much info WhatsApp shares with Facebook” By Burcu Kilic and Sophia Crabbe-Field — The Guardian. It’s the messaging app that connects a quarter of the world’s population, but many Americans still haven’t heard of WhatsApp. That’s because most phone plans in the United States provide a standard flat rate for texting that allows people to communicate freely within the country. But throughout much of the world, including many of the world’s poorest countries, people are charged for every single message they send and receive.
§ “Irish Hospitals Are Latest to Be Hit by Ransomware Attacks” By Nicole Perlroth and Adam Satariano — The New York Times. A cyberattack on Ireland’s health system has paralyzed the country’s health services for a week, cutting off access to patient records, delaying Covid-19 testing, and forcing cancellations of medical appointments. Using ransomware, which is malware that encrypts victims’ data until they pay a ransom, the people behind the attack have been holding hostage the data at Ireland’s publicly funded health care system, the Health Service Executive. The attack forced the H.S.E. to shut down its entire information technology system.
§ “Secret Sharers: The Hidden Ties Between Private Spies and Journalists” By Barry Meier — The New York Times. Some journalists are happy to knock on the doors of strangers. I was never one of them, but Christopher Steele, the ex-British spy behind the infamous Trump dossier, left me no choice. During the 2016 presidential campaign, Mr. Steele had been hired by an investigative firm called Fusion GPS to gather dirt about Donald J. Trump and Russia. The firm’s founders, two former Wall Street Journal reporters, made it clear they would not talk to me for a book I was writing about the business of private intelligence. So on an early summer morning in 2019, I arrived at Mr. Steele’s home in Farnham, a picturesque English village.
§ “Meat Is Latest Cyber Victim as Hackers Hit Top Supplier JBS” By Marcy Nicholson, Fabiana Batista, and Sybilla Gross — Bloomberg. The world’s biggest meat supplier has become the latest casualty of a cybersecurity attack, posing a fresh threat to global food security already rattled by the Covid-19 pandemic. JBS SA shut its North American and Australian computer networks after an organized assault on Sunday on some of its servers, the company said by email. Without commenting on operations at its plants, JBS said the incident may delay certain transactions with customers and suppliers.
Coming Events
§ On 2-3 June, the National Institute of Standards and Technology (NIST) will hold a virtual workshop “to enhance the security of the software supply chain and to fulfill the President’s Executive Order (EO) on improving the Nation’s Cybersecurity, issued on May 12, 2021.”
§ On 9 June, the House Homeland Security Committee will hold a hearing on the Colonial Pipeline ransomware attack with the company’s CEO.
§ On 17 June the Senate Appropriations Committee will hold a hearing on the Department of Defense’s FY 2022 budget request.
§ On 27 July, the Federal Trade Commission (FTC) will hold PrivacyCon 2021.