Bipartisan Infrastructure Package: DHS and CISA
FTC refiles Facebook anti-trust suit; T-Mobile confirms potentially massive data breach; OMB directs agencies to secure critical software
The “Infrastructure Investment and Jobs Act” (H.R.3684) is now in the House. Yesterday, the House Rules Committee met to consider the legislative procedure for floor consideration and has scheduled another meeting for today on the same subject, along with the FY 2022 budget resolution (S. Con. Res. 14) that will allow Democrats to proceed with the $3.5 trillion package to enact the White House’s Build Back Better agenda, and the “John R. Lewis Voting Rights Advancement Act of 2021” (H.R.4).
However, the path to House passage of H.R.3684 has been complicated by the insistence of 10 moderate House Democrats that Congress pass this bill before turning to the $3.5 trillion plan. Under normal circumstances, House Democrats can lose no more than three of their own members if no Republicans vote for a bill. House Speaker Nancy Pelosi (D-CA) has long been saying the House will not pass the infrastructure package before passing the larger bill through budget reconciliation. In part, Pelosi’s position is informed by the opposition of liberals in her caucus to passing the infrastructure package first, which would allow moderate Democrats to then possibly vote against the $3.5 trillion bill replete with policies that liberals tend to support more than moderates. House Democratic Leadership was trying to round up votes yesterday but apparently fell short, as a vote on the three measures was pushed into today.
H.R. 3684 is teeming with technology funding and policy, the likes of which could alter United States (U.S.) policy in a number of realms for years to come. We looked at the broadband provisions (see here) and drinking water and electric grid provisions (see here) and today, we will examine the provisions and funding related to cybersecurity broadly speaking and any loose ends in the bill.
The Senate has opted to add funding for the newly established Office of the National Cyber Director (NCD) in the White House. There would be $21 million for the NCD, which may be in addition to what Congress may appropriate through the annual funding process. Alternatively, considering this is a bit more than one chamber has proposed for the NCD, Congress may not choose to appropriate any more funding to stand up and staff up this office.
In its FY 2022 budget request, the Biden Administration asked Congress for $15 million and 25 Full-Time Equivalents (FTE) to stand up the Office of the NCD. However, the Cyberspace Solarium Commission (CSC), in making the recommendation that Congress create such a position, called for at least 50 FTE in this office. Congress may appropriate funds and direct the creation of a larger office than the administration apparently wants. On 29 July, the House passed the “Financial Services and General Government Appropriations Act, 2022” (H.R.4502) that would make available $18.750 million for the NCD.
Additionally, last month, the Senate passed a bill, S.2382, “that would help ensure the newly created Office of the NCD will be able to quickly secure qualified personnel to support its important cybersecurity mission,” according to the sponsors’ press release. However, in late July, the House postponed floor proceedings to pass the bill under an expedited process until some later point in the future. If the House proposes its own package, it is possible this provision will be added.
The Cybersecurity and Infrastructure Security Agency (CISA) would be given an additional $35 million “for risk management operations and stakeholder engagement and requirements.”
The Department of Homeland Security’s (DHS) Science and Technology Directorate (S&T) would be given $157.5 million “for critical infrastructure security and resilience research, development, test, and evaluation: Provided, That the funds made available under this heading in this Act may be used for
§ special event risk assessments rating planning tools;
§ electromagnetic pulse and geo-magnetic disturbance resilience capabilities;
§ positioning, navigation, and timing capabilities;
§ public safety and violence prevention to evaluate soft target security, including countering improvised explosive device events and protection of U.S. critical infrastructure; and
§ research supporting security testing capabilities relating to telecommunications equipment, industrial control systems, and open source software.”
DHS would need to submit to Congress a detailed spending plan before these funds can be used.
H.R.3684 contains two discrete cybersecurity bills advanced in the last few months to counter the growing use of ransomware and penetration of federal networks.
The “State and Local Cybersecurity Improvement Act” (H.R.3138) would establish and fund with $1 billion a new grant program at DHS. The committee report for this House Homeland Security Committee bill explained:
H.R. 3138, the ‘‘State and Local Cybersecurity Act,’’ seeks to foster stronger partnerships between the Federal government and State and local governments to defend State and local networks against cyber attacks from sophisticated foreign adversaries or cyber criminals. It does so by authorizing a new Department of Homeland Security (DHS) grant program to address cybersecurity vulnerabilities on State and local government networks.
This bill would amend the section of the “Homeland Security Act of 2002” that established CISA (i.e., 6 U.S.C. 651 et seq.) and establish the State and Local Cybersecurity Grant Program to help state and Tribal governments “to address cybersecurity risks and cybersecurity threats to information systems owned or operated by, or on behalf of, State, local, or Tribal governments.” However, CISA will not administer the grant program; rather, the Federal Emergency Management Agency (FEMA) will do so, given its experience with other longstanding grant programs to state and Tribal governments.
State and Tribal governments that receive a grant “shall use the grant to—
§ implement the Cybersecurity Plan of the eligible entity;
§ develop or revise the Cybersecurity Plan of the eligible entity;
§ pay expenses directly relating to the administration of the grant, which shall not exceed 5 percent of the amount of the grant;
§ assist with activities that address imminent cybersecurity threats, as confirmed by the Secretary, acting through the Director, to the information systems owned or operated by, or on behalf of, the eligible entity or a local government within the jurisdiction of the eligible entity; or
§ fund any other appropriate activity determined by the Secretary, acting through the Director.”
Broadly speaking, recipient governments could fund Cybersecurity Plans or address imminent threats to their systems or those of local governments in their jurisdiction. These governments could also pull down 5% to administer the program and other appropriate activities CISA designates.
The Cybersecurity Plans would generally require governments to plan for cyber incidents and how they plan on recovering from them, including a continuous process of searching for and mitigating threats and vulnerabilities. These plans would also require the adoption and use of best practices. There is to be a risk-based approach with the greatest emphasis on the highest value systems and assets. In short, the sponsors of the legislation are hoping to use the power of Congress to condition the use of federal funds to drive better cybersecurity throughout the governments in the U.S.
Each eligible entity that wants to receive a grant must “establish a cybersecurity planning committee to—
§ assist with the development, implementation, and revision of the Cybersecurity Plan of the eligible entity;
§ approve the Cybersecurity Plan of the eligible entity; and
§ assist with the determination of effective funding priorities for a grant.”
Moreover, DHS “may award grants under this section to a multi-entity group to support multi-entity efforts to address cybersecurity risks and cybersecurity threats to information systems within the jurisdictions of the eligible entities that comprise the multi-entity group.” Multi-entity groups are those made up of two or more state or Tribal governments.
The bill appropriates $1 billion for this program in these allotments:
§ for fiscal year 2022, $200,000,000;
§ for fiscal year 2023, $400,000,000;
§ for fiscal year 2024, $300,000,000; and
§ for fiscal year 2025, $100,000,000.
The other bill folded into H.R. 3684, the “Cyber Response and Recovery Act of 2021” (S.1316), is legislation the sponsors claimed when it was introduced in April “would help improve the federal response to cyber breaches, such as recent and serious attacks by foreign adversaries including the Chinese and Russian governments that penetrated both federal networks and private companies’ servers.”
The first section of this bill explains its reason for being:
§ the purpose of this subtitle is to authorize the Secretary to declare that a significant incident has occurred and to establish the authorities that are provided under the declaration to respond to and recover from the significant incident; and
§ the authorities established under this subtitle are intended to enable the Secretary to provide voluntary assistance to non-Federal entities impacted by a significant incident.
The “Cyber Response and Recovery Act” adds a new term to the federal lexicon of cybersecurity: “significant incident,” which is defined to be:
§ an incident or a group of related incidents that results, or is likely to result, in demonstrable harm to—
o the national security interests, foreign relations, or economy of the United States; or
o the public confidence, civil liberties, or public health and safety of the people of the United States; and
§ does not include an incident or a portion of a group of related incidents that occurs on
o a national security system (as defined in section 3552 of title 44, United States Code) [i.e. generally Department of Defense and Intelligence Community systems]; or
o an information system described in paragraph (2) or (3) of section 3553(e) of title 44, United States Code[1].
Congress has opted to define this term instead of delegating this responsibility to DHS and CISA as it sometimes does.
Under this bill, the definition for a mere “incident” is the one currently in the U.S. Code: “an occurrence that—
§ actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information or an information system; or
§ constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies.”
Clearly, significant incidents are those with much wider potential or actual repercussions than incidents.
DHS, in consultation with the NCD, “may make a declaration of a significant incident in accordance with this section for the purpose of enabling the activities described in this subtitle [more on this below] if the Secretary [of Homeland Security] determines that—
§ a specific significant incident—
o has occurred; or
o is likely to occur imminently; and
§ otherwise available resources, other than the Fund [more on this below], are likely insufficient to respond effectively to, or to mitigate effectively, the specific significant incident.”
Moreover, the Secretary of Homeland Security may not delegate this responsibility to any other official. And so, this legislation contemplates that a Senate-confirmed member of the Cabinet is the only official who may make the determination that a significant incident has occurred. This was likely decided upon to keep decisions like this at the top of the U.S. government, made by an official who directly answers to both the President and Congress. Nonetheless, NCD Chris Inglis, CISA Director Jen Easterly, Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger, and others would play significant roles in the making of such a determination.
Significant incident declarations would last either 120 days or until the Secretary determines the declaration is no longer necessary, whichever comes first. The Secretary could extend the declaration if necessary. The Secretary must immediately alert the NCD and certain Congressional committees of a significant incident declaration, and this notification must estimate the expected duration, the reasons why the declaration was issued, the expected impact on federal and non-federal entities and on federal operations, the culprit (if known), the scope of the entities affected, the justification for the resources to be used, and a description of the proposed coordination activities. Six months after a declaration or renewal, DHS must report to Congress on the actions taken, the funds expended, and the results.
And DHS must publish the declaration or a renewal of a declaration in the Federal Register within 72 hours of its being made. However, any such declaration cannot include the name of any affected individual or company, which is a bit strange since any major incident will undoubtedly be widely reported upon.
After the Secretary has made this determination, DHS would coordinate “asset response activities,” which are defined as:
§ an activity to support an entity impacted by an incident with the response to, remediation of, or recovery from, the incident, including—
o furnishing technical and advisory assistance to the entity to protect the assets of the entity, mitigate vulnerabilities, and reduce the related impacts;
o assessing potential risks to the critical infrastructure sector or geographic region impacted by the incident, including potential cascading effects of the incident on other critical infrastructure sectors or geographic regions;
o developing courses of action to mitigate the risks assessed…;
o facilitating information sharing and operational coordination with entities performing threat response activities; and
o providing guidance on how best to use Federal resources and capabilities in a timely, effective manner to speed recovery from the incident.”
In the aftermath of a significant incident declaration, DHS would coordinate the asset response activities of all federal agencies with a jurisdictional claim to the incident. DHS could also coordinate with public and private sector entities and state and local governments and law enforcement agencies as well.
Moreover, DHS need not wait for a significant incident declaration before acting. The agency may seek and obtain resources for asset response activities and technical assistance.
The bill establishes a Cyber Response and Recovery Fund (Fund) that shall, in part, finance the activities described in this section. DHS may also use the resources of CISA in responding to significant incidents. Money from the Fund could be provided to a range of affected entities on a reimbursable or non-reimbursable basis. CISA may also make “grants for, or cooperative agreements with, Federal, State, local, and Tribal public and private entities to respond to, and recover from, the specific significant incident associated with a declaration, such as—
§ hardware or software to replace, update, improve, harden, or enhance the functionality of existing hardware, software, or systems; and
§ technical contract personnel support.”
Appropriations and reimbursements from other federal agencies would provide money for the Fund. $20 million is appropriated for this new program for each of the next five fiscal years, with the funding for two more fiscal years authorized. This program would end seven years after enactment unless Congress extends it.
Finally, there are transportation cybersecurity provisions. Within two years, the Federal Highway Administration (FHWA) “shall develop a tool to assist transportation authorities in identifying, detecting, protecting against, responding to, and recovering from cyber incidents.” Transportation authorities include state highway departments and other transportation agencies, manufacturers of products related to transportation (a very broad term), and offices of the FHWA. The tool would need to use the National Institute of Standards and Technology’s (NIST) cybersecurity framework, “establish a structured cybersecurity assessment and development program,” be established in coordination with the Transportation Security Administration (TSA) and the Cybersecurity and Infrastructure Security Agency (CISA), and be implemented only after consultation with stakeholders and a public comment period. The agency would also need to “designate an office as a ‘‘cyber coordinator’’, which shall be responsible for monitoring, alerting, and advising transportation authorities of cyber incidents.”
And for those skeptical of the effect of Government Accountability Office (GAO) reports and the like, the Department of Transportation (DOT) would have three years to implement the GAO’s recommendations from its report titled “Cybersecurity: Agencies Need to Fully Establish Risk Management Programs and Address Challenges.” Specifically, the DOT must comply:
§ by developing a cybersecurity risk management strategy for the systems and information of the Department;
§ by updating policies to address an organization-wide risk assessment; and
§ by updating the processes for coordination between cybersecurity risk management functions and enterprise risk management functions.
The DOT would also need to implement recommendations made in a different GAO report, “Cybersecurity Workforce: Agencies Need to Accurately Categorize Positions to Effectively Identify Critical Staffing Needs,” by:
§ reviewing positions in the Department; and
§ assigning appropriate work roles in accordance with the National Initiative for Cybersecurity Education Cybersecurity Workforce Framework.
The GAO would then need to study and report on the DOT’s “cybersecurity for the systems and information of the Department.”
Other Developments
§ The Federal Trade Commission (FTC) split along party lines in voting to file an amended complaint against Facebook in its federal antitrust case and rejected the company’s request that Chair Lina Khan recuse herself. In late June, a federal court granted Facebook’s motion to dismiss because of the FTC’s failure to make its case under Section 2 of the Sherman Antitrust Act that Facebook “has monopoly power in the market for Personal Social Networking (PSN) Services.” The court stated the FTC may refile its case and laid out a map for doing so:
o To guide the parties in the event amendment occurs, this Opinion also explains two further conclusions of law. First, even if the FTC had sufficiently pleaded market power, its challenge to Facebook’s policy of refusing interoperability permissions with competing apps fails to state a claim for injunctive relief. As explained herein (and in the Court’s separate Opinion in the States’ case), there is nothing unlawful about having such a policy in general. While it is possible that Facebook’s implementation of that policy as to certain specific competitor apps may have violated Section 2, such finding would not change the outcome here: all such revocations of access occurred in 2013, seven years before this suit was filed, and the FTC lacks statutory authority to seek an injunction “based on [such] long-past conduct.” FTC v. Shire ViroPharma, Inc., 917 F.3d 147, 156 (3d Cir. 2019). Regardless of whether the FTC can amend its Complaint to plausibly allege market power and advance this litigation, then, the conduct it has alleged regarding Facebook’s interoperability policies cannot form the basis for Section 2 liability. Second, the agency is on firmer ground in scrutinizing the acquisitions of Instagram and WhatsApp, as the Court rejects Facebook’s argument that the FTC lacks authority to seek injunctive relief against those purchases. Whether other issues arise in a subsequent phase of litigation is dependent on how the Government wishes to proceed.
o In its press release, the FTC summarized its amended complaint:
§ The complaint alleges that after repeated failed attempts to develop innovative mobile features for its network, Facebook instead resorted to an illegal buy-or-bury scheme to maintain its dominance. It unlawfully acquired innovative competitors with popular mobile features that succeeded where Facebook’s own offerings fell flat or fell apart. And to further moat its monopoly, Facebook lured app developers to the platform, surveilled them for signs of success, and then buried them when they became competitive threats. Lacking serious competition, Facebook has been able to hone a surveillance-based advertising model and impose ever-increasing burdens on its users.
§ The FTC filed the amended complaint today in the U.S. District Court for the District of Columbia, following the court’s June 28 ruling on the FTC’s initial complaint. The amended complaint includes additional data and evidence to support the FTC’s contention that Facebook is a monopolist that abused its excessive market power to eliminate threats to its dominance.
§ According to the amended complaint, a critical transition period in the history of the internet, and in Facebook’s history, was the emergence of smartphones and the mobile Internet in the 2010s. Facebook’s CEO, Mark Zuckerberg, recognized at the time that “we’re vulnerable in mobile” and a major shareholder worried that Facebook’s mobile weakness “ran the risk of the unthinkable happening - being eclipsed by another network[.]”
§ After suffering significant failures during this critical transition period, Facebook found that it lacked the business talent and engineering acumen to quickly and successfully integrate its outdated desktop-based technology to the new era of mobile-first communication. Unable to maintain its monopoly or its advertising profits by fairly competing, Facebook’s executives addressed this existential threat by buying up the new mobile innovators, including its rival Instagram in 2012 and mobile messaging app WhatsApp in 2014, who had succeeded where Facebook had failed. The company supplemented its anticompetitive shopping spree with an open-first-close-later scheme that helped cement its monopoly by severely hampering the ability of rivals and would-be rivals to compete on the merits. By anticompetitively cementing its personal social networking monopoly, Facebook has harmed the competitive process and limited consumer choice.
§ As described in the amended complaint, after starting Facebook Platform as an open space for third party software developers, Facebook abruptly reversed course and required developers to agree to conditions that prevented successful apps from emerging as competitive threats to Facebook. By pulling this bait and switch on developers, Facebook insulated itself from competition during a critical period of technological change. Developers that had relied on Facebook’s open-access policies were crushed by new limits on their ability to interoperate. Facebook’s conduct not only harmed developers such as Circle and Path, but also deprived consumers of promising and disruptive mavericks that could have forced Facebook to improve its own products and services.
§ The amended complaint bolsters the FTC’s monopoly power allegations by providing detailed statistics showing that Facebook had dominant market shares in the U.S. personal social networking market. The suit also provides new direct evidence that Facebook has the power to control prices or exclude competition; significantly reduce the quality of its offering to users without losing a significant number of users or a meaningful amount of user engagement; and exclude competition by driving actual or potential competitors out of business.
§ Facebook’s dominant position is also protected by significant barriers to entry, including high switching costs. Over time, users of a personal social network build more connections and develop a history of posts and shared experiences, which they cannot easily transfer to another personal social networking provider.
§ Other significant barriers to entry include user-to-user effects, known as network effects, which make a personal social network more valuable as more users join the service. As the amended complaint notes, it is very difficult for a new entrant to displace an established personal social network in which users’ friends and family already participate.
§ T-Mobile confirmed reports of a massive data breach of customer personal data. Vice reported the personal data of 100 million T-Mobile users was for sale online, and while T-Mobile has put the figure lower, it has conceded it is still investigating. The company claimed:
o We have continued to work around the clock on the forensic analysis and investigation into the cyberattack against T-Mobile systems while also taking a number of proactive steps to protect customers and others whose information may have been exposed.
o Our investigation is ongoing and will continue for some time, but at this point, we are confident that we have closed off the access and egress points the bad actor used in the attack. Below is what we know to date.
o We previously reported information from approximately 7.8 million current T-Mobile postpaid customer accounts that included first and last names, date of birth, SSN, and driver’s license/ID information was compromised. We have now also determined that phone numbers, as well as IMEI and IMSI information, the typical identifier numbers associated with a mobile phone, were also compromised. Additionally, we have since identified another 5.3 million current postpaid customer accounts that had one or more associated customer names, addresses, date of births, phone numbers, IMEIs and IMSIs illegally accessed. These additional accounts did not have any SSNs or driver’s license/ID information compromised.
o We also previously reported that data files with information from about 40 million former or prospective T-Mobile customers, including first and last names, date of birth, SSN, and driver’s license/ID information, were compromised. We have since identified an additional 667,000 accounts of former T-Mobile customers that were accessed with customer names, phone numbers, addresses and dates of birth compromised. These additional accounts did not have any SSNs or driver’s license/ID information compromised.
o Separately, we have also identified further stolen data files including phone numbers, IMEI, and IMSI numbers. That data included no personally identifiable information.
o We continue to have no indication that the data contained in any of the stolen files included any customer financial information, credit card information, debit or other payment information.
o As we previously reported, approximately 850,000 active T-Mobile prepaid customer names, phone numbers and account PINs were exposed. We have proactively reset ALL of the PINs on these accounts. Similar information from additional inactive prepaid accounts was also accessed. In addition, up to 52,000 names related to current Metro by T-Mobile accounts may have been included. None of these data sets included any personally identifiable information. Further, none of the T-Mobile files stolen related to former Sprint prepaid or Boost customers.
§ The Office of Management and Budget (OMB) issued a memorandum titled “Protecting Critical Software Through Enhanced Security Measures”:
o Executive Order (EO) 14028, Improving the Nation’s Cybersecurity (May 12, 2021), recognizes the importance to the Federal Government of software security – and in particular, the security of “critical software,” as defined by the National Institute of Standards and Technology (NIST). The EO directs NIST to issue guidance on security measures for critical software, and further directs the Office of Management and Budget (OMB) to require agencies to comply with that guidance. The guidance from NIST, issued on July 8, 2021, outlines core security measures, the implementation of which is crucial for the protection of critical software.
o This memorandum provides instructions for the implementation of those fundamental measures required to secure the use of software falling within the definition below and directs executive departments and agencies (hereafter referred to as agencies) to implement those measures in phases. Agencies should keep in mind that the measures identified in the guidance from NIST are not comprehensive; their adoption may not eliminate the need to implement additional security measures to satisfy requirements and objectives that lie outside the scope of the NIST guidance.
o Government-wide implementation of NIST’s guidance for the use of critical software will occur through a phased approach. During the initial implementation phase, agencies should focus on standalone, on-premise software that performs security-critical functions or poses similar significant potential for harm if compromised. Such software includes applications that provide the following categories of services:
§ identity, credential, and access management (ICAM);
§ operating systems, hypervisors, container environments;
§ web browsers;
§ endpoint security;
§ network control;
§ network protection;
§ network monitoring and configuration;
§ operational monitoring and analysis;
§ remote scanning;
§ remote access and configuration management; and
§ backup/recovery and remote storage.
o Agencies must review this guidance and ensure it is implemented across all categories of critical software described in section II.A. Subsequent phases of implementation will address additional categories of software, as determined by the Cybersecurity and Infrastructure Security Agency (CISA). The following categories of software, among others, will be included in those future phases:
§ software that controls access to data;
§ cloud-based and hybrid software;
§ software development tools, such as code repository systems, testing software, integration software, packaging software, and deployment software;
§ software components in boot-level firmware; and
§ software components in operational technology (OT).
§ The United States (U.S.) Department of Homeland Security (DHS) Science and Technology Directorate (S&T) published an “Artificial Intelligence and Machine Learning Strategic Plan” “which lays out an actionable path for S&T to advise and assist the Department in harnessing the opportunities of Artificial Intelligence and Machine Learning (AI/ML).” S&T stated:
o The S&T AI/ML Strategic Plan defnes S&T’s approach to effectively address the opportunities and challenges that AI/ML poses to the Department, the broader Homeland Security Enterprise, and the missions they serve. The S&T AI/ML Strategic Plan presents three goals:
o GOAL 1: Drive Next-Generation AI/ML Technologies for Cross-Cutting Homeland Security Capabilities S&T will make strategic investments in AI/ML research and development activities that meet critical DHS needs. S&T has identified three R&D objectives: Advance Trustworthy AI, Advance Human Machine Teaming, and Leverage AI/ML for Secure Cyberinfrastructure. Advancing Trustworthy AI is an interdisciplinary effort to research and provide actionable solutions for issues such as explainable AI, privacy protection, countering bias, and countering adversarial machine learning. S&T will research Human Machine Teaming, optimizing human and machine interactions while limiting their weaknesses. In the area of Secure Cyberinfrastructure, S&T will research capabilities that allow data sharing and processing across systems, effective management of AI/ML models, and AI/ML capabilities that enable threat detection and response.
o GOAL 2: Facilitate Use of Proven AI/ML Capabilities in Homeland Security Missions S&T will identify technically mature capabilities and match them to mission needs to facilitate understanding and adoption of existing AI/ML solutions by DHS Components and stakeholders. S&T will also advance capabilities that can be used by non specialists to curate and process large datasets, while advising the Department on the technical and policy infrastructure needed for AI/ML.
o GOAL 3: Build an Interdisciplinary AI/ML-Trained Workforce
S&T will recruit experts and train current personnel to improve AI/ML competence across the S&T workforce in order to more effectively achieve S&T missions. Additionally, S&T will provide expert advice and recommendations for training opportunities to the broader DHS and Homeland Security Enterprise (HSE) communities.
o S&T’s approach to AI/ML is informed by national guidance and the DHS Artificial Intelligence Strategy. S&T leadership is committed to ensuring that AI/ML research, development, test, evaluation, and departmental applications comply with statutory and other legal requirements, and sustain privacy protections and civil rights and civil liberties for individuals. A subsequent S&T AI/ML Implementation Plan will detail how the S&T AI/ML Strategic Plan will be operationalized.
§ New Zealand’s Privacy Commissioner explained in a blog post how damages can be awarded for emotional harm under the Privacy Act:
o Under the Privacy Act, the Human Rights Review Tribunal (“the Tribunal”) can award damages for emotional harm caused by a privacy breach. Damages are compensatory rather than punitive; the goal is to compensate individuals for specific harm rather than punish a defendant’s bad behaviour.
o Calculating damages for emotional harm is not an exact science, especially when there has been no quantifiable financial loss. We have identified some factors contributing to the different amounts awarded for emotional harm in recent cases, which are helpful to consider when balancing the risks and benefits of taking your complaint to the Tribunal.
o What damages can the Tribunal award?
o The Tribunal can award damages if, as a result of a privacy breach, the complainant has:
§ suffered a pecuniary loss
§ reasonably incurred expenses
§ lost a benefit that they might reasonably have expected, or
§ suffered humiliation, loss of dignity, and injury to feelings.
o The Tribunal has provided some useful guidance on quantifying emotional harm caused by a privacy breach. There are three broad bands of emotional harm: less serious breaches can see up to $10,000, more serious awards have ranged from $10,000 to $50,000, and the most serious awards have been more than $50,000.
o The Tribunal occasionally awards high amounts for emotional harm – $98,000 in Hammond v Credit Union Baywide and $70,000 in Director of Human Rights Proceedings v Slater – but the majority of successful claims are in the $5,000 to $25,000 range. (See the table of damages awarded on the Tribunal’s website.)
§ The Office of the Privacy Commissioner of Canada (OPC) updated several guidance documents “to reaffirm some of the types of personal information generally considered sensitive in the context of the Personal Information Protection and Electronic Documents Act (PIPEDA).” The OPC stated:
o The updated guidance includes considerations for businesses evaluating what types of information are “sensitive”. Under PIPEDA, organizations must protect personal information with appropriate safeguarding measures commensurate with the sensitivity of the information, and seek express consent when the information is likely to be considered sensitive.
o These updates help to reflect how the OPC has interpreted sensitive information in the context of PIPEDA.
o While under PIPEDA any personal information can be sensitive depending on the context, we have found that certain types of personal information will generally be considered sensitive because of the specific risks to individuals when said information is collected, used or disclosed.
o The updated guidance sets out certain types of information that will generally be considered sensitive and require a higher degree of protection. This includes health and financial data, ethnic and racial origins, political opinions, genetic and biometric data, an individual’s sex life or sexual orientation, and religious/philosophical beliefs.
o The updates follow discussions with Industry, Science and Economic Development Canada (ISED) with respect to an ongoing review by the European Commission about the “adequacy” of Canada’s privacy legislation.
o The General Data Protection Regulation (GDPR) requires adequacy decisions to be reviewed every four years. As a result, Canada’s adequacy status – which allows data to flow freely from the European Union (EU) to Canada – is now being reviewed.
o An adequacy review involves a comprehensive assessment of the country’s privacy regime.
o The updated guidance documents are:
§ Guidelines for obtaining meaningful consent;
§ What you need to know about mandatory reporting of breaches of security safeguards;
§ Guidelines on privacy and online behavioural advertising;
§ Policy Position on online behavioural advertising;
§ PIPEDA fair information principle 7 – safeguards;
§ Personal information retention and disposal: principles and best practices;
§ Amazon announced an extension of its “A-to-Z Guarantee to cover property damage and personal injury” and explained:
o Amazon originally launched the A-to-z Guarantee more than 20 years ago to provide customers with a hassle-free return process for products sold and fulfilled by third-party sellers. This helped customers more confidently shop from sellers, raising the bar on customer experience and driving sellers’ growth.
o Now, in the unlikely event a defective product sold through Amazon.com causes property damage or personal injury, Amazon will directly pay customers for claims under $1,000—which account for more than 80% of cases—at no cost to sellers, and may step in to pay claims for higher amounts if the seller is unresponsive or rejects a claim we believe to be valid. We are also launching Amazon Insurance Accelerator to help sellers buy insurance at competitive rates from trusted providers. We’re excited that these innovations create a more trustworthy shopping and selling experience for customers and sellers in our store.
§ The BBB National Programs Children’s Advertising Review Unit (CARU) issued “a revised version of the CARU Advertising Guidelines, widely recognized industry standards that ensure advertising directed to children is not deceptive, unfair, or inappropriate for its intended audience.” In their press release, BBB National Programs explained:
o These Guidelines were revised to address newer digital and immersive forms of child-directed interactive media more specifically.
o CARU’s self-regulatory role is to review and evaluate advertising, whether in print or digital ads, on TV, on product labeling, or now, within games and apps, for truth, accuracy, appropriateness, and sensitivity to the uniquely impressionable child audience. The revised Guidelines extend this watchful eye to now include video, influencer marketing, apps, in-game advertising, and purchase options in games.
o Starting January 1, 2022, CARU will begin reviewing the marketplace for non-compliance with the revised Guidelines. Until that time, CARU will continue to review and evaluate advertising under the current Guidelines.
o To help advertisers prepare for the debut of the new Guidelines, we have highlighted six key changes:
§ 1. Children: Under Age 13
§ The revised Guidelines now cover advertising primarily directed to children under age 13 in any media. The current Guidelines covered advertising directed to children under age 12. This change aligns with COPPA, the Children’s Online Privacy Protection Act, which provides protections against the online collection of personal information from children under age 13.
§ At the same time, the revised Guidelines recognize that, for instance, advertising aimed at children 10-12 years old should not have to look or sound like advertising directed to 5-year-olds. New language in the Guidelines makes clear that determining whether advertising complies with the Guidelines will be based upon the age-range of the target audience.
§ 2. Diversity and Inclusion
§ CARU’s revised Guidelines take a stand on the need for advertising in the children’s space to promote positive change by reflecting the diversity of humanity and providing an inclusive space where children of all races, religions, cultures, genders, sexual orientations, and physical and cognitive abilities can feel valued and respected. Building upon the positive strides made by many advertisers, the Guidelines make clear that advertising portraying or encouraging negative social stereotyping, prejudice, or discrimination violates CARU’s standards.
§ 3. In-App and In-Game Advertising and Purchases
§ Recognizing that kids spend considerable free time playing games on their mobile devices, the revised Guidelines specifically call out the use of unfair, deceptive, or other manipulative in-app and in-game advertising and purchase offer tactics.
§ The Guidelines identify examples of violative practices, such as the use of deceptive door openers and social pressure or validation to mislead or cause children to unknowingly or inadvertently engage in ad viewing or make in-app purchases. CARU’s guidelines make clear that advertisers, app designers, and developers must create these spaces with children in mind and build in transparency from the start.
§ 4. Endorsers and Influencers
§ CARU recognizes the tremendous popularity and impact that endorsers and influencers have in the child’s space. When it comes to influencer marketing, the Guidelines say to make it clear and obvious - in language children can easily understand - that an influencer is being paid or receiving free product to promote or play with an advertiser’s products or services.
§ 5. Blurring
§ CARU and most advertisers recognize that children have limited knowledge, experience, sophistication, and maturity to evaluate the credibility of information and may not even understand when they are viewing or hearing advertising. While the blurring of advertising and non-advertising content isn’t new, the power of children’s digital media to blur these lines means it is especially important for advertisers to clearly and conspicuously inform children that what they are seeing is advertising – in simple language that they can understand. The Guidelines make clear that transparency is key.
§ 6. Material Disclosures
§ The exploding range of digital media directed to children, including influencer marketing, games, and other immersive content, heightens the need for and importance of clear and conspicuous disclosures of material information in words that children can understand.
§ The Guidelines have been revised to better spell out what clear and conspicuous mean in the context of different advertising formats. For instance, the Guidelines make clear that, with limited exceptions, in audio-video advertisements, disclosures should be made in both audio and video form to best ensure that children see/hear them. In addition, in videos and other content that lasts more than a few minutes, advertisers must repeat this disclosure more than once so that children are more likely to get the message.
§ The PCI Security Standards Council (PCI SSC) and the Cloud Security Alliance (CSA) “issued a joint bulletin to highlight the importance of properly scoping cloud environments.” The PCI SSC and CSA asserted in their press release:
o At a high level, scoping involves the identification of people, processes, and technologies that interact with or could otherwise impact the security of payment data or systems. When utilizing cloud security for payments, this responsibility is typically shared between the cloud customer and the cloud service provider.
o Data breach investigation reports continue to find that organizations suffering compromises involving payment data were unaware that cardholder data was present on the compromised systems. Proper scoping should be a critical and ongoing activity for organizations to ensure they are aware of where their payment data is located and that the necessary security controls are in place to protect that data. Improper scoping can result in vulnerabilities being unidentified and unaddressed, which criminals can exploit. Knowing exactly where payment data is located within your systems will empower organizations to develop a game plan to protect that data.
o Limiting exposure to payment data reduces the chance of being a target for criminals. Some important best practices areas of focus should be:
§ Data protection: Assure that information is protected by maximizing use of strong cryptography and key management practices, tokenization, and masking where feasible and employing robust data loss prevention solutions.
§ Authentication: Assure that strong multi-factor authentication is pervasive to protect against common attacks against the credentials of consumers, merchants, and service providers.
§ Systems management: Recent high-profile breaches have pointed to weaknesses in how responsible parties perform routine systems management functions, such as patch management, verification of code updates and configuration management.
§ DevOps & DevSecOps: Software supply chains are important areas of exposure for malicious attackers and merchants should understand the original source of all components of the payment solution.
§ Data governance: Given the global nature of the cloud, assure that information stays within the appropriate jurisdictional boundaries and is accessed only by stakeholders with legitimate needs.
§ Resiliency: Assure that service providers take advantage of cloud’s nearly unlimited capabilities to provide redundancy for application availability and data backups.
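The bulletin’s core point is that scoping fails when nobody knows which systems actually hold cardholder data. The script below is an added example, not part of the PCI SSC/CSA bulletin or either organization’s tooling: it runs a cardholder-data discovery pass over a few constructed log and export lines, keeps only Luhn-valid candidates so that order IDs and epoch timestamps are not flagged, records each hit in masked form (first six and last four digits) so the report does not become another copy of the data, and lists the sources that would therefore have to be pulled into scope. The issuer-prefix table is a deliberately abbreviated, illustrative subset, and the PANs in the sample are the usual public test numbers.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Issuer identification prefixes. Constructed, abbreviated subset for this
# example; real IIN ranges are broader and change over time.
IIN_PREFIXES = {
    "4": "Visa",
    "34": "American Express",
    "37": "American Express",
    "51": "Mastercard", "52": "Mastercard", "53": "Mastercard",
    "54": "Mastercard", "55": "Mastercard",
    "6011": "Discover",
}


@dataclass(frozen=True)
class Finding:
    source: str      # file or stream the candidate was found in
    line_no: int     # 1-based line number within that source
    masked_pan: str  # first six and last four digits only
    brand: str       # issuer guessed from the prefix, or "unknown"


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; rejects most random digit runs (IDs, timestamps)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the first six and last four digits of the PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def issuer(digits: str) -> str:
    """Longest-prefix lookup in the (abbreviated) IIN table."""
    for prefix in sorted(IIN_PREFIXES, key=len, reverse=True):
        if digits.startswith(prefix):
            return IIN_PREFIXES[prefix]
    return "unknown"


def scan_text(source: str, text: str) -> list[Finding]:
    """Return masked findings for every Luhn-valid PAN candidate in `text`."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            if not luhn_valid(digits):
                continue        # order IDs and epoch timestamps drop out here
            findings.append(Finding(source, line_no, mask_pan(digits), issuer(digits)))
    return findings


def scan_all(sources: dict[str, str]) -> list[Finding]:
    """Scan every named source (file name -> contents) in order."""
    return [f for name, text in sources.items() for f in scan_text(name, text)]


def in_scope_sources(findings: list[Finding]) -> list[str]:
    """Sources that hold cardholder data and therefore belong inside the scope."""
    return sorted({f.source for f in findings})


# Constructed sample input. The PANs are public test numbers; the other long
# digit runs (an order ID, epoch timestamps, a non-Luhn card-shaped value)
# are look-alikes that must NOT be reported.
SAMPLE_SOURCES = {
    "web/access.log": (
        "2021-08-19T14:02:11Z 200 GET /checkout?order_id=1234567890123456 HTTP/1.1\n"
        "2021-08-19T14:02:13Z 200 POST /pay card=4111111111111111 exp=12/24 HTTP/1.1\n"
    ),
    "worker/debug.log": (
        'ts=1629388800123 level=DEBUG msg="retrying charge" pan="5555 5555 5555 4444"\n'
        'ts=1629388800456 level=DEBUG msg="amex fallback" pan=3782-822463-10005\n'
    ),
    "etl/export.csv": "customer_id,card\n42,6011111111111117\n43,4000000000000000\n",
}

if __name__ == "__main__":
    hits = scan_all(SAMPLE_SOURCES)
    for hit in hits:
        print(f"{hit.source}:{hit.line_no} {hit.brand} {hit.masked_pan}")
    print("in scope:", ", ".join(in_scope_sources(hits)))
```

Two caveats a practitioner should keep in mind: a Luhn-valid number is only a candidate, not proof that a live card number is present, so hits still need a human look before a system is formally pulled into scope; and a scanner like this only covers the text it is pointed at, so in a cloud deployment the inventory of sources (object storage, queues, snapshots, log pipelines) is itself part of the shared-responsibility question the bulletin raises.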
Further Reading
Photo by Brett Jordan on Unsplash
§ “The Novel Material That’s Shrinking Phone Chargers, Powering Up Electric Cars, and Making 5G Possible” By Christopher Mims — The Wall Street Journal. If you’re reading this on a screen, it’s likely you’re literally staring at the future. Present in most LED screens, as well as the LED lights that now provide much indoor illumination, is the metal gallium. And while not as well known as silicon, it is taking over in many of the places that silicon once reigned supreme—from antennas to charging bricks and other energy-converting systems known as “power electronics.” In the process, it’s enabling a surprising array of new technologies, from faster-charging cellphones, to lighter electric vehicles, to more power-efficient data centers that run the services and apps we use.
§ “Student proves Twitter algorithm ‘bias’ toward lighter, slimmer, younger faces” By Alex Hern — The Guardian. Twitter’s image cropping algorithm prefers younger, slimmer faces with lighter skin, an investigation into algorithmic bias at the company has found. The finding, while embarrassing for the company, which had previously apologised to users after reports of bias, marks the successful conclusion of Twitter’s first ever “algorithmic bug bounty”. The company has paid $3,500 to Bogdan Kulynych, a graduate student at Switzerland’s EPFL university, who demonstrated the bias in the algorithm, which is used to focus image previews on the most interesting parts of pictures, as part of a competition at the DEF CON security conference in Las Vegas.
§ “This forgotten language is seeing a revival thanks to TikTok” By Bianca Brutus — NBC News. Cia, 20, was scrolling through TikTok one night when she came across a video about a forgotten secret tongue. She learned this language was called Tut. It was a clandestine form of communication, rooted in English and created by Black people during the 18th century. Cia said she did not know about the existence of Tut prior to the video. In fact, she never knew African Americans had their own form of communication during slavery.
§ “Google Docs Scams Still Pose a Threat” By Lily Hay Newman — WIRED. In May 2017, a phishing attack now known as “the Google Docs worm” spread across the internet. It used special web applications to impersonate Google Docs and request deep access to the emails and contact lists in Gmail accounts. The scam was so effective because the requests appeared to come from people the target knew. If they granted access, the app would automatically distribute the same scam email to the victim's contacts, thus perpetuating the worm. The incident ultimately affected more than a million accounts before Google successfully contained it. New research indicates, though, that the company's fixes don't go far enough. Another viral Google Docs scam could happen anytime.
§ “The Spine Collector” By Reeves Wiedeman — New York. On the morning of March 1, 2017, Catherine Mörk and Linda Altrov Berg were in the offices of Norstedts, a book publisher in Sweden, when they received an unusual email. A colleague in Venice was asking for a top-secret document: the unpublished manuscript of the forthcoming fifth book in Stieg Larsson’s “Millennium” series. The books, which follow hacker detective Lisbeth Salander, have sold more than 100 million copies. David Lagercrantz, another Swedish writer, had taken over the series after Larsson’s death, and his latest — The Man Who Chased His Shadow — was expected to be one of the publishing events of the year.
§ “The Failure of China’s Microchip Giant Tests Beijing’s Tech Ambitions” By Paul Mozur — The New York Times. In 2015, an obscure company run by a real estate mogul woke the world to China’s ambitions in semiconductors, the foundational technology that powers computing. Laden with state funding and political backing, the company made jaws drop with a $23 billion bid to buy the American chip maker Micron.
§ “Homeland Security Considers Outside Firms to Analyze Social Media After Jan. 6 Failure” By Rachael Levy — The Wall Street Journal. The Department of Homeland Security is considering hiring private companies to analyze public social media for warning signs of extremist violence, spurring debate within the agency over how to monitor for such threats while protecting Americans’ civil liberties. The effort, which remains under discussion and hasn’t received approval or funding, would involve sifting through large flows of internet traffic to help identify online narratives that might provide leads on developing attacks, whether from home or abroad.
§ “Senate’s internet access plan rests on better broadband maps” By Dean DeChiaro — Roll Call. The Senate’s bipartisan infrastructure bill makes a $42.5 billion bet that the government will overcome an obstacle that has long plagued efforts to connect most Americans to the internet: notoriously inaccurate maps showing where they can get a signal – and where they can’t. That’s the amount of grant funding that the legislation, which the Senate passed earlier this month on a 69-30 vote, would provide to states to fund broadband projects in areas currently considered unserved or underserved. To qualify, proposals would have to comply with new broadband maps drawn by the Federal Communications Commission. There's one catch: the new maps don’t exist yet. And they may not be ready to go for one or two years, experts say.
§ “Check if your iPhone, iPad is infected with Pegasus spyware with this free tool” By Jason Cipriani — c/net. Whenever there's a new report about an iPhone or iPad exploit being actively distributed and used, it's unnerving. In July, it was revealed that security researchers discovered evidence of Pegasus spyware being used on the phones of journalists, politicians and activists. The spyware can be remotely installed on a target's iPhone or iPad, granting the person or organization who installed it full access to the device and all the data it holds -- without the owner taking any action. That includes text messages, emails and even recording phone calls. Pegasus was originally designed and is marketed by its creator, the NSO Group, to monitor criminals and terrorists.
§ “The Taliban Have Seized U.S. Military Biometrics Devices” By Ken Klippenstein and Sara Sirota — The Intercept. The Taliban have seized U.S. military biometrics devices that could aid in the identification of Afghans who assisted coalition forces, current and former military officials have told The Intercept. The devices, known as HIIDE, for Handheld Interagency Identity Detection Equipment, were seized last week during the Taliban’s offensive, according to a Joint Special Operations Command official and three former U.S. military personnel, all of whom worried that sensitive data they contain could be used by the Taliban. HIIDE devices contain identifying biometric data such as iris scans and fingerprints, as well as biographical information, and are used to access large centralized databases. It’s unclear how much of the U.S. military’s biometric database on the Afghan population has been compromised.
§ “Afghans scramble to delete digital history, evade biometrics” By Rina Chandran — Thomson Reuters Foundation. Thousands of Afghans struggling to ensure the physical safety of their families after the Taliban took control of the country have an additional worry: that biometric databases and their own digital history can be used to track and target them.
Coming Events
Photo by Melissa Askew on Unsplash
§ 1 September
o The House Armed Services Committee will mark up the FY 2022 National Defense Authorization Act (H.R.4395).
§ 30 September
o The Federal Communications Commission (FCC) will hold an open meeting. No agenda has been announced as of yet.
[1] (e) Department of Defense and Intelligence Community Systems.—
(2) The systems described in this paragraph are systems that are operated by the Department of Defense, a contractor of the Department of Defense, or another entity on behalf of the Department of Defense that processes any information the unauthorized access, use, disclosure, disruption, modification, or destruction of which would have a debilitating impact on the mission of the Department of Defense.
(3) The systems described in this paragraph are systems that are operated by an element of the intelligence community, a contractor of an element of the intelligence community, or another entity on behalf of an element of the intelligence community that processes any information the unauthorized access, use, disclosure, disruption, modification, or destruction of which would have a debilitating impact on the mission of an element of the intelligence community.