Biden Administration Tries To Tie Down Sensitive U.S. Personal Data; Mandatory Cyber Reporting Legislation Floated
CISA issues emergency order to U.S. agencies; Social media companies are asked to give U.S. children the same protection U.K. children will soon enjoy
Sensitive Data Executive Order
Given that I was not able to cover some of the developments over the previous six weeks in the depth I normally would have, I will be going back to examine some of the higher profile items from June. Today, I want to dive into Executive Order 14034, “Protecting Americans' Sensitive Data From Foreign Adversaries,” given my particular interest in the issue. As I explained in great detail, it is almost a certainty that foreign intelligence services are accessing the oceans of personal data siphoned off from Americans every day. As a result, there are national security implications, and the United States (U.S.) government would be wise to take steps to address the flow of data to other nations, especially the People’s Republic of China (PRC), the Russian Federation, Iran, North Korea, and others.
In its fact sheet, the Biden Administration makes the impetus for the executive order (EO) very clear:
The Biden Administration is committed to promoting an open, interoperable, reliable and secure Internet; protecting human rights online and offline; and supporting a vibrant, global digital economy. Certain countries, including the People’s Republic of China (PRC), do not share these values and seek to leverage digital technologies and Americans’ data in ways that present unacceptable national security risks while advancing authoritarian controls and interests.
And the Biden Administration is right. The PRC is trying to get its hands on as much personal data as possible while trying to protect its own (as evidenced by the recently proposed Personal Information Protection Law (PIPL), the PRC’s first data protection law).
This EO builds on the Trump Administration’s Executive Order 13873, “Securing the Information and Communications Technology and Services Supply Chain” that was intended “to protect the security, integrity, and reliability of information and communications technology and services provided and used in the United States” through the declaration of a national emergency. The EO bars U.S. entities from buying or using the information and communications technology and services (ICT) from “foreign adversaries” if a determination is made that doing so would sabotage or subvert U.S. ICT, place U.S. critical infrastructure or its digital economy at “undue risk,” or “poses an unacceptable risk” to national security or safety. On the last day of the Trump Administration, per the EO, the Department of Commerce (Commerce) issued an interim final rule, and the agency explained:
§ These regulations create the processes and procedures that the Secretary of Commerce will use to identify, assess, and address certain transactions, including classes of transactions, between U.S. persons and foreign persons that involve information and communications technology or services designed, developed, manufactured, or supplied, by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary; and pose an undue or unacceptable risk. While this interim final rule will become effective on March 22, 2021, the Department of Commerce continues to welcome public input and is thus seeking additional public comment. Once any additional comments have been evaluated, the Department is committed to issuing a final rule.
§ On November 27, 2019, the Department of Commerce (Department) published a proposed rule to implement the terms of the Executive Order. (84 FR 65316). The proposed rule set forth processes for (1) how the Secretary would evaluate and assess transactions involving ICTS to determine whether they pose an undue risk of sabotage to or subversion of the ICTS supply chain, or an unacceptable risk to the national security of the United States or the security and safety of U.S. persons; (2) how the Secretary would notify parties to transactions under review of the Secretary’s decision regarding the ICTS Transaction, including whether the Secretary would prohibit or mitigate the transaction; and (3) how parties to transactions reviewed by the Secretary could comment on the Secretary’s preliminary decisions. The proposed rule also provided that the Secretary could act without complying with the proposed procedures where required by national security. Finally, the Secretary would establish penalties for violations of mitigation agreements, the regulations, or the Executive Order.
§ In addition to seeking general public comment, the Department requested comments from the public on five specific questions: (1) Whether the Secretary should consider categorical exclusions or whether there are classes of persons whose use of ICTS cannot violate the Executive Order; (2) whether there are categories of uses or of risks that are always capable of being reliably and adequately mitigated; (3) how the Secretary should monitor and enforce any mitigation agreements applied to a transaction; (4) how the terms, “transaction,” “dealing in,” and “use of” should be clarified in the rule; and (5) whether the Department should add record-keeping requirements for information related to transactions.
§ The list of “foreign adversaries” consists of the following foreign governments and non-government persons: The People’s Republic of China, including the Hong Kong Special Administrative Region (China); the Republic of Cuba (Cuba); the Islamic Republic of Iran (Iran); the Democratic People’s Republic of Korea (North Korea); the Russian Federation (Russia); and Venezuelan politician Nicolás Maduro (Maduro Regime).
However, not all of the previous administration’s PRC directives were maintained. The Biden EO rescinds three Trump Administration EOs aimed squarely at the PRC:
§ Executive Order 13942 of August 6, 2020 (Addressing the Threat Posed by TikTok, and Taking Additional Steps To Address the National Emergency With Respect to the Information and Communications Technology and Services Supply Chain);
§ Executive Order 13943 of August 6, 2020 (Addressing the Threat Posed by WeChat, and Taking Additional Steps To Address the National Emergency With Respect to the Information and Communications Technology and Services Supply Chain); and
§ Executive Order 13971 of January 5, 2021 (Addressing the Threat Posed by Applications and Other Software Developed or Controlled by Chinese Companies).
Consequently, the Office of Management and Budget (OMB) and federal agencies are directed to suspend all activities related to these EOs.
The legality of the TikTok and WeChat EOs was challenged in U.S. court to the effect that the Trump Administration could not enforce them. However, given the last administration’s emphasis on optics, as long as it was seen as trying to fight the PRC, the actual results were less important. The Biden Administration filed motions in court allowing it more time to determine how it would address these EOs, and this is the denouement of these orders. As for the third EO, it was likely not even implemented because of the late date it was issued.
Under the new EO, Commerce, in coordination with virtually all the national security and ICT stakeholder agencies, is directed to draft recommendations within two months (i.e. by early August) for National Security Advisor Jake Sullivan “to protect against harm from the unrestricted sale of, transfer of, or access to United States persons' sensitive data, including personally identifiable information, personal health information, and genetic information, and harm from access to large data repositories by persons owned or controlled by, or subject to the jurisdiction or direction of, a foreign adversary.” Additionally, “the Director of National Intelligence shall provide threat assessments, and the Secretary of Homeland Security shall provide vulnerability assessments, to the Secretary of Commerce to support development of the report.” And so, the Office of the Director of National Intelligence (ODNI) and the Department of Homeland Security (DHS) have deliverables Commerce will need before it can draft and submit its recommendations.
Additionally, within three months of issuance of the EO (early September), Commerce will also need to submit a report to Sullivan “recommending additional executive and legislative actions to address the risk associated with connected software applications that are designed, developed, manufactured, or supplied by persons owned or controlled by, or subject to the jurisdiction or direction of, a foreign adversary.”
And so, the heart of this EO is to develop recommendations regarding personal data and software applications, meaning the Biden Administration will not be taking immediate action and will instead await reports. Moreover, once the reports have been submitted, the White House, and specifically the National Security Council, will probably not act in the short term, but if and when they do, there may be another EO or directives to agencies to press whatever levers of power they possess. Some of the recommendations may take the form of legislative language the Congress should enact to give the executive branch more authority to address foreign adversary access to U.S. personal data.
Of course, Commerce’s remit is to make recommendations on transfers to or access by a foreign adversary, but this seems to omit the case of such an adversary accessing these data in a third nation. Consequently, even if all goes according to plan, the PRC or other nations may still be able to access U.S. personal data through a third country.
Moreover, under this EO, Commerce must:
§ evaluate on a continuing basis transactions involving connected software applications that may pose an undue risk of sabotage or subversion of the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of information and communications technology or services in the United States; pose an undue risk of catastrophic effects on the security or resiliency of the critical infrastructure or digital economy of the United States; or otherwise pose an unacceptable risk to the national security of the United States or the security and safety of United States persons.
The EO continues “[b]ased on the evaluation, the Secretary of Commerce shall take appropriate action in accordance with Executive Order 13873 and its implementing regulations.”
There is interest in the national security facets of personal data on Capitol Hill, as I discussed in my Lawfare article:
Democratic Sen. Ron Wyden of Oregon recently released a discussion draft of the Protecting Americans’ Data from Foreign Surveillance Act, a bill he claims “would create new safeguards against exporting sensitive personal information to foreign countries if doing so could harm U.S. national security.” The bill would append a new section to the existing export control statute regarding the export of certain personal data. This bill would provide an impetus and framework for the Biden administration to begin addressing the unimpeded flow of U.S. personal data. Presumably this bill would bar data brokering for clients in or associated with nations such as the PRC, Russia, Iran, North Korea and others.
Under Wyden’s proposal, the Department of Commerce would need to establish an interagency process to determine (a) which categories of personal data would be covered by the export control system, (b) the threshold above which the export of specified categories of personal data would be controlled, (c) the nations for which one would need a license or other authorization to transfer, export, reexport, or do in-country transfers of covered data, and (d) a list of those nations for which one would not need such a license or authorization.
The bill further provides that this interagency process would focus on the categories of personal data that could be exploited to the detriment of national security and would need to name these categories within one year of enactment. Also within one year, these agencies would need to set a threshold between 10,000 and 1,000,000 U.S. residents above which an entity’s proposed transfer of covered categories of personal data may entail obtaining a license or authorization. As noted above, the agencies would create a list of nations to whom the export of covered personal data is likely to harm national security. And any proposed transfers to these nations would require the exporting party to make the case that national security would not be harmed (the interagency process must review all such applications).
Certain transfers would be exempted in Wyden’s bill. For example, a person sending her personal data would not need an export license. Likewise, if a person is performing a service for another and the transfer of strictly necessary personal data is required, no license would be needed. (This language is tightly written to avoid the outcome where this exception nulls the rule that one needs an export license by stipulating it upon necessity.) Moreover, the bill provides that if the personal data is encrypted to certain standards, an export license may not be needed. And to protect the data from foreign adversaries, the interagency process would also need to set the length of time each category of covered personal data must be encrypted.
Violations would be punished under the current export control regime, and some people whose personal data is transferred in violation of the act would be able to sue. Notably, only those physically harmed, detained or imprisoned in a foreign jail as a result of the violation would have a private right of action. And five years after the bill’s enactment, unintentional transfers to nations identified as national security risks could be punished unless the data is encrypted or is delivered by a third party that said the data would not transit or end up in a prohibited nation.
Incidentally, Wyden and co-sponsors also introduced the Fourth Amendment Is Not for Sale Act this month, a bill that would largely bar data brokers from selling or sharing location data and other personal data to U.S. law enforcement and intelligence agencies unless approved by a court.
It is possible that the recommendations submitted to the National Security Advisor seek to leverage existing authorities under the U.S. export control regime or the Committee on Foreign Investment in the United States (CFIUS), or these may be requests to Congress for even more authority. Time will tell.
Possible U.S. Legislative Response to Supply Chain Attacks
Last month, Senate Intelligence Committee Chair Mark Warner (D-VA) and Ranking Member Marco Rubio (R-FL) along with Senator Susan Collins (R-ME) floated a draft bill, the “Cyber Incident Notification Act of 2021,” that would change United States (U.S.) law to require critical cyber infrastructure owners and operators and many federal contractors to report actual or potential cybersecurity intrusions within 24 hours of detection to the Cybersecurity and Infrastructure Security Agency (CISA). CISA would be tasked with promulgating regulations to effectuate the goals of this bill drafted in response to the SolarWinds and Microsoft Exchange hacks. These Members have gotten feedback and gathered support. Today, Warner was quoted as saying:
Unlike some of the other things I’m working on, huge, huge progress. We are very close to having almost every member of the committee on it. It has been purely waiting for the members to get back [to Washington]. I’ve got to have a couple of member-to-member discussions, but the notion that we need some level of mandatory incident reporting. The fact that many business groups have coalesced behind this, I think it’s all great news.
And so, the prospects for this bill sound good in the Senate, at least. To date, a companion bill has not been introduced in the House.
With these developments in mind, now is a good time to go back and review the bill much more closely than I was able to in June when Warner, Rubio, and Collins published it.
Big picture, the bill is proposing a new mandatory reporting regime for many of the owners and operators of critical cyber infrastructure should their systems experience a “cyber intrusion.” As mentioned, this bill directly flows from the SolarWinds and Microsoft Exchange supply chain hacks, one of which was discovered and exposed only through the efforts of a cybersecurity firm, FireEye, that had been compromised itself. The sentiment among some Members is that it is necessary to dispense with the U.S.’ largely voluntary reporting system that results in some intrusions making their way to federal officials late if at all. Consequently, establishing a mandatory reporting responsibility with liability protection for entities submitting reports is seen as the best incentive structure to change the status quo.
Of course, the U.S. has a system in place for entities to voluntarily report cyber threat information. The “Cybersecurity Act of 2015” (P.L. 114-113) established an information sharing system that provided significant liability protection for private sector entities sharing amongst themselves and especially with the U.S. government. However, this system has been widely panned and rarely used according to U.S. data (the 2017 and 2019 joint Office of the Inspectors General reports on this program). The creation of a new reporting system inside CISA as opposed to tacking it onto the current, existing system seems like an indictment of the latter’s functionality.
The draft Cyber Incident Notification Act of 2021 seeks to address a flaw inherent in the cyber information sharing system established in the Cybersecurity Act of 2015. There are a host of reasons why private sector companies have not participated in this information sharing arrangement as noted in this blog posting from 2015 by a “white shoe” law firm that warned “disclosing information about a company’s own specific cyber vulnerabilities and incidents can carry legal, competitive, and reputational risks that are far greater if that information is learned by competitors and customers.” However, the draft bill makes this a responsibility and has language allowing for enforcement, but whether the penalties are enough to compel reporting or the likelihood of not reporting being discovered by the federal government are questions for later in this post.
Now to the specifics of the bill. CISA shall have six months to establish “Cyber Intrusion Reporting Capabilities to facilitate the submission of timely, secure, and confidential cybersecurity notifications from Federal agencies and covered entities to the Agency.” Any entity may submit information to CISA’s new reporting mechanism and shall be exempt from all federal, state, local, and tribal Freedom of Information requests. The bill goes even further in creating an incentive by barring the use of any such submissions in any criminal or civil trial in the U.S. This, along with other liability protections, goes to the recurring claim of industry that companies would face significant if not ruinous liability if plaintiffs’ attorneys could get their hands on any such submissions. CISA must implement the same privacy and civil liberties protections used in the information sharing program created per the Cybersecurity Act of 2015 to protect the privacy of any identifiable individuals in the information transmitted to the agency.
DHS would be required to issue an interim final rule establishing many critical parts of the new systems with no notice within 60 days of enactment that would define the critical terms of the new reporting system that will determine which entities are covered, what kind of intrusions and information must be reported, and what constitutes the confirmation of a cybersecurity incident that will trigger reporting requirements. DHS would accept comments and thereafter issue a final rule with some modifications based on the comments.
Those entities must submit a cybersecurity notification in the event of a confirmation or potential confirmation of a cybersecurity intrusion, but no later than 24 hours after confirmation. The bill makes clear that this responsibility does not replace any existing legal, regulatory, or contractual obligations of entities to report such intrusions to another federal agency. For example, many electric utilities have the responsibility to report cybersecurity incidents within one hour to both the Electricity Information Sharing and Analysis Center (E-ISAC) and CISA. Consequently, electric utilities would still need to submit a cybersecurity notification under this bill.
Covered entity is a term to be defined in CISA’s rulemaking, but it must include “at a minimum, Federal contractors, owners or operators of critical infrastructure, and nongovernmental entities that provide cybersecurity incident response services.” Therefore, CISA could go beyond those classes of entities in determining who shall be required to report intrusions. Other terms that will be defined through the rulemaking will also determine the parameters of the duty to report. For example, “cybersecurity intrusion” and “potential cybersecurity intrusion” need to be defined, and what does or does not qualify as either will be hugely consequential because the duty to report will hinge on whether a cyber incident is an actual or potential cybersecurity intrusion. Moreover, one can depend on the legal departments of covered entities urging the company’s leadership to read these terms as narrowly as possible once CISA has defined them in order to avoid reporting and any possible bad consequences. Be that as it may, the definition of “cybersecurity intrusion” must include those incidents that
§ involves or is assessed to involve a nation-state;
§ involves or is assessed to involve an advanced persistent threat cyber actor;
§ involves or is assessed to involve a transnational organized crime group (as defined in section 36 of the State Department Basic Authorities Act of 1956 (22 U.S.C. 2708));
§ results, or has the potential to result, in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of people in the United States;
§ is or is likely to be of significant national consequence;
§ is identified by covered entities but affects, or has the potential to affect, agency systems; or
§ involves ransomware.
But the way this passage in this bill is written, the agency could possibly include other circumstances.
In the same vein, what constitutes “cybersecurity threat information” pursuant to a cybersecurity notification in the event of an actual or potential cybersecurity intrusion must contain certain things:
§ a description of the cybersecurity intrusion, including identification of the affected systems and networks that were, or are reasonably believed to have been, accessed by a cyber actor, and the estimated dates of when such an intrusion is believed to have occurred;
§ a description of the vulnerabilities leveraged, and tactics, techniques, and procedures used by the cyber actors to conduct the intrusion;
§ any information that could reasonably help identify the cyber actor, such as internet protocol addresses, domain name service information, or samples of malicious software; and
§ contact information, such as a telephone number or electronic mail address, that a Federal agency may use to contact the covered entity, either directly or through an authorized agent of the covered entity; and
§ actions taken to mitigate the intrusion.
It may well prove to be the case that covered entities will want to report the minimum amount of information.
DHS and CISA must coordinate with the sector-specific agencies that regulate each of the 17 critical cyber infrastructure sectors. Pursuant to this responsibility, DHS and CISA must
establish a set of reporting criteria for Sector Risk Management Agencies and other Federal agencies as identified by the Director to submit cybersecurity notifications regarding cybersecurity incidents affecting covered entities in their respective sectors or covered entities regulated by such Federal agencies to the Agency through the Cyber Intrusion Reporting Capabilities;
As mentioned, the Cyber Incident Notification Act gives liability protection to entities that submit a cybersecurity notification to CISA through this new reporting system. These entities could not be sued in any U.S. court except by the U.S. government, which could presumably litigate to exercise its new enforcement powers to either possibly bar a company from obtaining federal contracts or to levy a fine equal to 0.5% of the company’s gross revenue from the previous year. These provisions would become operative if an entity fails to follow the new reporting requirements.
The bill applies the reporting requirements to federal agencies, too. Moreover, the definition of agency used in the bill (from 44 U.S.C. 3502) encompasses virtually the entire federal government, including the Department of Defense and independent agencies:
any executive department, military department, Government corporation, Government controlled corporation, or other establishment in the executive branch of the Government (including the Executive Office of the President), or any independent regulatory agency,
Hence, the customary differentiation between civil and military critical cyber infrastructure is not honored in this legislation.
Both CISA and DHS must submit annual reports to Congress on the program with differing focuses. CISA shall report “on the number of notifications received through the Cyber Intrusion Reporting Capabilities, and a description of the associated mitigations taken, during the 1-year period preceding the report.” DHS is to report on “the categories of covered entities, noting additions or removals of categories, that are required to submit cybersecurity notifications; and the types of cybersecurity intrusions and other information required to be submitted as a cybersecurity notification, noting any changes from the previous submission.” This reporting requirement would allow for easier oversight of the program and permit Members to press for changes if needed.
Other Developments
§ The United States (U.S.) Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) issued “Emergency Directive 21-04” “to mitigate a Microsoft Windows print spooler service vulnerability CVE-2021-34527 being actively exploited,” the agency explained in its statement. CISA added in its press release:
o Federal civilian agencies are required to immediately disable the print spooler service on Microsoft Active Directory Domain Controllers, apply the Microsoft July 2021 cumulative updates, and make additional configuration changes to all Microsoft Windows servers and workstations within one week.
o Exploitation of the vulnerability allows an attacker to remotely execute code with system level privileges, enabling a threat actor to quickly compromise the entire identity infrastructure of a targeted organization.
o The emergency directive is in response to validated active exploitations. CISA is concerned that exploitation of this vulnerability may lead to full system compromise of affected agency networks if left unmitigated.
o CISA provided direction in the directive to federal cloud providers and advice to third party providers working with agencies outside the agency’s jurisdiction:
§ CISA is working closely with FedRAMP to coordinate the response to this Directive with FedRAMP Authorized cloud service providers (CSPs). FedRAMP Authorized CSPs have been informed to coordinate with their agency customers. CISA is also aware of third parties providing services for federal information systems subject to this Directive that may not be covered by a FedRAMP authorization.
§ Each agency is responsible for maintaining an inventory of its information systems hosted in third-party environments (FedRAMP Authorized or otherwise) and working with service providers directly for status updates pertaining to, and to ensure compliance with, this Directive.
§ For reporting purposes, if instances of affected versions have been found in a third-party environment, reporting obligations will vary based on whether the provider is another federal agency or a commercial provider.
§ If the affected third-party service provider is another federal entity, the provider agency itself is responsible for reporting status to CISA and the customer agency does not have any further reporting obligation.
§ If the affected third-party service provider is a commercial provider (FedRAMP Authorized or otherwise), the service provider must report the status of affected endpoints to the customer agency. Agencies remain responsible for engaging their service providers directly, as needed, to ensure compliance with this Directive.
§ All other provisions specified in this Directive remain applicable.
§ Dozens of prominent women from around the world signed an open letter to the CEOs of Facebook, Google, TikTok and Twitter “ask[ing] that you urgently prioritise the safety of women on your platforms.” They stated:
o No quick-fix will cure the problem, but there are many avenues to make significant progress. For over a year, you have engaged with civil society and government experts from over 35 countries to tackle online abuse. This has been an important step forward, demonstrating the power of co-creating solutions informed by a wide range of partners, including women who have directly experienced abuse.
o Now it is vital to put into action two priorities women have said are critical for their safety — more control of their experiences on your platforms, and better reporting systems:
o Give people greater control to manage their safety. Rather than a one-size-fits-all experience, women should have more control over who can interact with them on tech platforms, as well as more choice over what, when and how they see content online. These tools should be easy to find and simple to use.
o Improve your systems for reporting abuse. Current tools need to be improved so women can easily report abuse and track the progress of these reports. For example, dashboards that show users the status of all their reports in one place, features to guide them through the reporting process, and tools that offer women access to additional support when it’s needed, could make a huge difference.
§ The Federal Communications Commission acted on a number of items at its 13 July open meeting, including:
o an Order that incorporates changes to the Commission’s rules consistent with the Consolidated Appropriations Act, 2021, which appropriated $1.895 billion for the Secure and Trusted Communications Networks Reimbursement Program. The Commission created the Reimbursement Program in 2020 to reimburse providers of advanced communications services for costs reasonably incurred in removing, replacing, and disposing of communications and equipment that pose an unacceptable risk to national security. Today’s Order, among other changes, increases the eligibility cap for participation in the Reimbursement Program from providers serving two million or fewer customers to those with 10 million or fewer customers. Securing America’s critical communications infrastructure from potential security threats is more important than ever due to the outsized impact our communications networks have on work, education, health care, and personal communications. Today’s Order is another step in ongoing FCC action to protect the communications networks from those who would harm the United States. Key changes in the Order include:
· Modifying the equipment and services eligible for the Reimbursement Program to include all communications equipment and services produced or provided by Huawei Technologies Company or ZTE Corporation;
· Establishing June 30, 2020 as the new date by which covered communications equipment and services must have been obtained to be eligible for Reimbursement Program funds;
· Enacting the prioritization scheme expressly provided for in the Consolidated Appropriations Act if demand for Reimbursement Program funding exceeds the $1.895 billion appropriated by Congress; and
· Clarifying some Reimbursement Program requirements to assist eligible providers as they prepare to seek reimbursement for expenses related to removing, replacing, and disposing of covered communications equipment or services.
o Enabling State-of-the-Art Radar Sensing Technologies in the 60 GHz Band. The Commission considered a Notice of Proposed Rulemaking proposing revisions to Section 15.255 of the rules governing short range radar operations in the 64-71 GHz frequency band. (ET Docket No. 21-264)
o Updating Technical Rules for Radio Broadcasters. The Commission considered a Notice of Proposed Rulemaking to eliminate or amend outmoded or unnecessary broadcast technical rules. (MB Docket No. 21-263)
o Updating International Filing Requirements for the Digital Age. The Commission considered an Order that would amend rules to require the remaining applications and reports to be filed electronically in the International Bureau Filing System (IBFS) and eliminate duplicative paper filing requirements. (IB Docket No. 21-265)
o Affirming Mobile Relay Fine. The Commission considered a Memorandum Opinion and Order that affirms a fine against Mobile Relay Associates for monopolizing shared spectrum and interfering with other licensees.
o Promoting Technological Solutions to Combat Contraband Wireless Device Use in Correctional Facilities. The Commission considered a Second Report and Order taking steps to combat contraband wireless devices in correctional facilities and Second Further Notice of Proposed Rulemaking seeking comment on additional technological solutions to combat contraband device usage in correctional facilities. (GN Docket No. 13-111)
§ The National Institute of Standards and Technology (NIST) stated that it “fulfilled two of its assignments to enhance the security of the software supply chain called for by a May 12, 2021, Presidential Executive Order on Improving the Nation’s Cybersecurity (14028).” NIST “published guidance outlining security measures for critical software use after consulting with the Cybersecurity & Infrastructure Security Agency (CISA) and the Office of Management and Budget (OMB)” and “also published guidelines recommending minimum standards for vendors’ testing of their software source code after consulting with the National Security Agency (NSA) as required under the EO.”
o In the guidance on security measures for critical software use, NIST asserted:
§ The scope of this guidance on security measures is federal agency use of EO-critical software. Development and acquisition of EO-critical software are out of scope. The security measures are intended to protect the use of deployed EO-critical software in agencies’ operational environments.
§ NIST defined the following objectives for the security measures:
· Protect EO-critical software and EO-critical software platforms (the platforms on which EO-critical software runs, such as endpoints, servers, and cloud resources) from unauthorized access and usage.
· Protect the confidentiality, integrity, and availability of data used by EO-critical software and EO-critical software platforms. (See FAQ #6.)
· Identify and maintain EO-critical software platforms and the software deployed to those platforms to protect the EO-critical software from exploitation.
· Quickly detect, respond to, and recover from threats and incidents involving EO-critical software and EO-critical software platforms.
· Strengthen the understanding and performance of humans’ actions that foster the security of EO-critical software and EO-critical software platforms.
§ NIST has identified security measures that are fundamental for meeting these objectives. These “Security Measures for EO-Critical Software Use” are not intended to be comprehensive, nor are they intended to eliminate the need for other security measures that federal agencies implement as part of their existing requirements and cybersecurity programs. Agencies should continue their efforts to secure systems and networks that EO-critical software runs on and to manage cyber supply chain risk (see FAQ #4), as well as implement zero trust practices (see FAQ #5), which depend on the fundamental security measures. The intent of specifying these security measures is to assist agencies by defining a set of common security objectives for prioritizing the security measures that should be in place to protect EO-critical software use.
o In the guidelines setting forth minimum standards for vendors testing their software source code, NIST stated:
§ To ensure that software is sufficiently safe and secure, the software must be designed, built, delivered, and maintained in accordance with best practices. Frequent and thorough testing by developers as early as possible in the software development life cycle (SDLC) is one critical practice. At its highest conceptual level, verification is a discipline employed to increase software security. Verification encompasses many static and active assurance techniques, tools, and related processes to identify and remediate security defects while continuously improving the methodology and supporting processes. They must be employed alongside other methods to achieve a high level of software security.
§ This webpage summarizes minimum standards recommended for verification by software vendors or developers. No single verification standard can encompass all types of software testing, be specific and prescriptive, and present efficient and effective testing. Thus, this document recommends high-level guidelines for software producers to create their own prescriptive processes.
§ These guidelines expand on NIST’s Secure Software Development Framework (SSDF) practices. See especially Produce Well-Secured Software (PW) Practice 7, Review and/or Analyze Human-Readable Code to Identify Vulnerabilities and Verify Compliance with Security Requirements, and PW Practice 8, Test Executable Code to Identify Vulnerabilities and Verify Compliance with Security Requirements.
§ The Department of Health and Human Services' Office of the National Coordinator for Health Information Technology (ONC) released “the United States Core Data for Interoperability version 2 (USCDI v2), a standardized set of health data classes and constituent data elements for nationwide, interoperable health information exchange.” The agency explained:
o With this new update, health IT stakeholders nationwide will have clearer direction toward the standardized, electronic exchange of social determinants of health (SDOH), sexual orientation, and gender identity (SO/GI) among several other updated data elements. This lays the foundation for the provider community to start systemizing the capture and use of SDOH and SO/GI data in the clinical setting. While encouraged, this update does not require health professionals, such as doctors and nurses, to record this data or individuals to share such data. It does however set a path forward for health IT to build in support for exchanging these data as they become applicable to an individual's care.
§ Senate Finance Committee Chair Ron Wyden (D-OR) introduced “new legislation to protect reporters and journalists against unnecessary government surveillance that can chill First Amendment activities.” In his press statement, Wyden asserted:
o The Protect Reporters from Excessive State Suppression (PRESS) Act ensures reporters cannot be compelled by the government to disclose their confidential sources or research files, and also protects their data held by third parties like phone and internet companies from being secretly seized by the government without the opportunity to challenge those demands in court. The bill shields journalists’ communications records, such as those that DOJ obtained about reporters at CNN, the Washington Post, and New York Times from the government, with narrow exceptions for terrorism and threat of imminent violence or harm.
o While 48 states and the District of Columbia have some form of shield law or reporter’s privilege, protections vary significantly, and there is no federal shield law, and the state laws do not apply to investigations by federal agencies, such as DOJ. Importantly, there are currently no legal restrictions that prevent the government from secretly obtaining a reporter’s records directly from phone companies, email providers and other third parties in order to identify their sources.
§ Senator Ed Markey (D-MA) and Representatives Kathy Castor (D-FL) and Lori Trahan (D-MA) wrote the CEOs of Amazon, Facebook, Google, Snapchat, TikTok, and Twitter, “urging them to extend privacy protections required under the United Kingdom’s Age Appropriate Design Code (AADC) to children and teens in the United States.” They argued:
o The AADC is a statutory code of practice that requires all commercial online services—including apps, search engines, social media platforms, and online games—that are likely to be accessed by young users in the United Kingdom to meet fifteen standards that protect children and teens’ privacy and wellbeing online. These standards include protections for both children and teens up to 18 years old, and they limit the amount of data companies can collect from young users. In their letter, the lawmakers express concerns about threats to young people’s online privacy amidst the recent rise in children and teens’ technology use and argue that, as companies update their data practices to comply with the AADC, they should apply those same practices in the United States.
o They asserted:
§ It is imperative that Congress acts with urgency to enact a strong privacy law for children and teens in the 21st century. As we work towards that goal, we urge you to extend to American children and teens any privacy enhancements that you implement to comply with the AADC. We also request responses to the following questions by July 21, 2021.
· Will you commit to providing American children and teens with the same privacy enhancements that you provide in the United Kingdom in accordance with the AADC?
· If so, what specific privacy enhancements will you implement for users in the United States? Please describe in detail when you plan to implement these enhancements for users in the United States.
· If not, why not?
§ The Board of Governors of the Federal Reserve System (Board), the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC) “requested public comment on proposed guidance designed to help banking organizations manage risks associated with third-party relationships, including relationships with financial technology-focused entities.” The agencies added:
o The proposed guidance is intended to assist banking organizations in identifying and addressing the risks associated with third-party relationships and responds to industry feedback requesting alignment among the agencies with respect to third-party risk management guidance.
o Banking organizations that engage third parties to provide products or services or to perform other activities remain responsible for ensuring that such outsourced activities are conducted in a safe and sound manner and in compliance with all applicable laws and regulations, including consumer protection laws.
§ Per Congressional direction, the National Telecommunications and Information Administration (NTIA), the Federal Communications Commission (FCC) and the U.S. Department of Agriculture (USDA) announced “an interagency agreement to share information about and coordinate the distribution of federal broadband deployment funds.” The agencies explained:
o In accordance with the Broadband Interagency Coordination Act, enacted as part of the Consolidated Appropriations Act of 2021, the respective Cabinet and agency leaders announced that their agencies will consult with one another and share information about the distribution of new funds from the FCC’s high-cost programs that support broadband buildout in rural areas, the USDA’s Rural Utilities Services grant and loan programs, and programs administered or coordinated by NTIA.
o As part of the signed agreement, each federal agency partner will share information about existing or planned projects that receive funding from the previously mentioned federal funding sources. Each partner will also, upon request, identify entities providing broadband service in a specified geographic area; the levels of broadband service in that area, including broadband speeds and technologies deployed; the geographic scope of broadband service in that area; and each entity in that area that has or will receive funds from these programs. The Agreement also requires the federal agency partners to consider basing the distribution of funds from the programs on standardized broadband coverage data. More information about what programs will now require explicit coordination among the FCC, NTIA, and USDA can be found on NTIA's website. The agreement is effective at the date of its signing, June 25.
Further Reading
§ “What If Regulating Facebook Fails?” By Siva Vaidhyanathan — WIRED. What if nothing works? What if, after years of scholarship and journalism exposing the dominance, abrogations, duplicity, arrogance, and incompetence of Facebook, none of the policy tools we have come to rely on to rein in corporations make any difference at all? We have to be prepared for just such an outcome.
§ “Don’t be that employee: How to avoid ransomware attacks at work” By Tatum Hunter — The Washington Post. When a security vulnerability at IT software-maker Kaseya led to a ransomware attack that affected 800 to 1,500 businesses, it wasn’t one employee’s fault. But that’s not always the case. Ransomware, which locks down a target’s computers and data, can infect a network a few different ways, including through employee accounts. Click the wrong link, open the wrong attachment or log into the wrong website, and you could put your company in a perilous position.
§ “Scale, details of massive ransomware attack emerge” By Frank Bajak — Associated Press. Cybersecurity teams worked feverishly Sunday to stem the impact of the single biggest global ransomware attack on record, with some details emerging about how the Russia-linked gang responsible breached the company whose software was the conduit. An affiliate of the notorious REvil gang, best known for extorting $11 million from the meat-processor JBS after a Memorial Day attack, infected thousands of victims in at least 17 countries on Friday, largely through firms that remotely manage IT infrastructure for multiple customers, cybersecurity researchers said.
§ “Biden announces investigation into international ransomware attack” — The Guardian. Joe Biden said on Saturday he had directed US intelligence agencies to investigate a sophisticated ransomware attack that hit hundreds of American businesses as the Fourth of July holiday weekend began and aroused suspicions of Russian gang involvement. Huntress, a security company, said on Friday it believed the Russia-linked REvil ransomware gang was to blame. Last month, the FBI blamed the same group for paralyzing the meat packer JBS.
§ “China's cyberspace regulator orders Didi off app stores after launching investigation” — ABC News. China's cyberspace regulator said that it had ordered smartphone app stores to stop offering Didi's app after finding the ride-hailing giant had illegally collected users' personal data. The Cyberspace Administration of China (CAC) said it had told Didi to make changes to comply with Chinese data protection rules, four days after Didi began trading on the New York Stock Exchange, having raised $5.8 billion in an initial public offering.
§ “TikTok's Algorithm and AI Tech Are Now up for Sale” By Alyse Stanley — Gizmodo. Now anyone can tap into the secret sauce behind ByteDance’s globally successful TikTok app—for a price. The China-based company quietly launched a new BytePlus division back in June focused on selling TikTok’s artificial intelligence technology, including the popular recommendation algorithm behind its ForYou feed, to businesses worldwide, the Financial Times reported Sunday. Some of the features up for sale include the short-form video app’s computer vision tech, real-time video effects, automated translation of text and speech functions, and tools for data analysis and management, among others, the Times reports. Customers can then tailor this tech to fit the needs of their apps and consumer base.
§ “Rioters accused of erasing content from social media, phones” By Jacques Billeaud — Associated Press. They flaunted their participation in the Jan. 6 riot at the U.S. Capitol on social media and then, apparently realizing they were in legal trouble, rushed to delete evidence of it, authorities say. Now their attempts to cover up their role in the deadly siege are likely to come back to haunt them in court. An Associated Press review of court records has found that at least 49 defendants are accused of trying to erase incriminating photos, videos and texts from phones or social media accounts documenting their conduct as a pro-Donald Trump mob stormed Congress and briefly interrupted the certification of Democrat Joe Biden’s election victory.
§ “California’s yoga, wellness and spirituality community has a QAnon problem” By Laura Nelson — Los Angeles Times. It seemed like the end of a typical reiki attunement: A group of women wearing yoga pants and flowing floral skirts, gathered in a healer’s home after a course in the alternative therapy of balancing chakras, clearing auras and transferring energy. But it was the early days of the pandemic and COVID-19 was spreading fast. The women in the room stood so close that their bodies touched. No one wore masks. Kathleen Abraham, 61, saw that the Facebook photo of the group had been taken in the Orange County home of one of her dearest friends, a woman she had known for 15 years who had helped her recover from breast cancer and introduced her to the world of New Age spiritualism.
§ “VA Secretary: Changes Coming to Electronic Health Records Program” By Aaron Boyd — Nextgov. The Veterans Affairs Department will move forward with its multibillion-dollar commercial electronic health records rollout after a 12-week strategic review put the program on pause. The review will lead to significant changes, VA Secretary Denis McDonough said this week, though he declined to share further details. VA has been working for more than two years with commercial EHR company Cerner to develop and deploy a single records management system across the agency that will also be interoperable with the Cerner-built system being deployed by the Defense Department and the Leidos Partnership for Defense Health.
Coming Events
§ On 15 July, the Senate Commerce, Science, and Transportation Committee will convene a hearing titled “Implementing Supply Chain Resiliency.”
§ The House Homeland Security Committee will hold a 15 July hearing titled “Securing the Homeland: Reforming DHS to Meet Today's Threats.”
§ On 21 July, the Federal Trade Commission (FTC) will hold its monthly open meeting with this agenda:
o Care Labeling Rule: In July 2011, the Commission initiated a regulatory review proceeding of the Care Labeling Rule. As part of the proceeding, the Commission has solicited public comments on multiple proposals to change the rule, including a proposal to repeal the Rule entirely. The Commission will vote on whether to rescind the proposal to repeal the Care Labeling Rule.
o Proposed Policy Statement on Repair Restrictions Imposed by Manufacturers and Sellers: The FTC Act authorizes the Commission to adopt policy statements. The Commission will vote on whether to issue a new policy statement, following the Commission's “Nixing the Fix” report which was unanimously agreed to and announced on May 6, 2021.
o Policy Statement on Prior Approval and Prior Notice Provisions in Merger Cases: In 1995, the Commission adopted a policy statement regarding “prior approval” and “prior notice” remedies in merger cases. The Commission will vote on whether to rescind this policy statement.
§ On 27 July, the Federal Trade Commission (FTC) will hold PrivacyCon 2021.
§ On 5 August, the Federal Communications Commission (FCC) will hold its monthly open meeting with this tentative agenda:
o Establishing Two New Innovation Zones. The Commission will consider a Public Notice that would create two new Innovation Zones for Program Experimental Licenses and the expansion of an existing Innovation Zone. (ET Docket No. 19-257)
o Numbering Policies for Modern Communications. The Commission will consider a Further Notice of Proposed Rulemaking to update the Commission’s rules regarding direct access to numbers by interconnected Voice over Internet Protocol providers to safeguard the nation’s finite numbering resources, curb illegal robocalls, protect national security, and further promote public safety. (WC Docket Nos. 13-97, 07-243, 20-67; IB Docket No. 16-155)
o Appeals of the STIR/SHAKEN Governance Authority Token Revocation Decisions. The Commission will consider a Report and Order that would establish a process for the Commission to review decisions of the private STIR/SHAKEN Governance Authority that would have the effect of placing voice service providers out of compliance with the Commission’s STIR/SHAKEN implementation rules. (WC Docket Nos. 17-97, 21-291)
o Modernizing Telecommunications Relay Service (TRS) Compensation. The Commission will consider a Notice of Proposed Rulemaking on TRS Fund compensation methodology for IP Relay service. (CG Docket No. 03-123; RM-11820)
o Updating Outmoded Political Programming and Record-Keeping Rules. The Commission will consider a Notice of Proposed Rulemaking to update outmoded political programming rules. (MB Docket No. 21-293)
o Review of the Commission’s Part 95 Personal Radio Services Rules. The Commission will consider a Memorandum Opinion and Order on Reconsideration that would grant three petitions for reconsideration of the Commission’s May 2017 Part 95 Personal Radio Services Rules Report and Order. (WT Docket No. 10-119)