House Armed Services Digs Into Information Warfare
Top Israeli court denies challenge to content moderation unit; Signal claims that Cellebrite's software has vulnerabilities
Photo by Julius Silver from Pexels
First, my first Lawfare article has been posted on data brokering and national security.
The House Armed Services Committee’s Cyber, Innovative Technologies, and Information Systems Subcommittee conducted a 30 April hearing titled “Technology and Information Warfare: The Competition for Influence and the Department of Defense.”
Will the U.S. catch up to Russia and the PRC on information operations?
Cocktail Party
A house committee continues to bang the drum on military information operations. A panel of experts advised the committee on how the Department of Defense (DOD) in particular and the United States (U.S.) in general can better conduct information warfare. There was agreement that the Russian Federation and People’s Republic of China (PRC) were far more advanced in this realm and that the U.S. has not yet begun to take seriously this new area of competition.
Meeting
The subcommittee chair, Representative James Langevin (D-RI), intimated the DOD is not moving fast enough or effectively enough to combat Russian, Chinese, and other information operations. He also pinned blame on the last administration and called on the Biden Administration to articulate an effective strategy. Langevin conceded that Congress may not have provided a sufficient level of resources for the DOD.
Langevin’s counterpart, Ranking Member Elise Stefanik (R-NY), was even more direct in her disapproval of how the Pentagon has used the authority on information operations Congress has provided and its disregard of Congressional intent.
The witnesses offered a buffet of options as to how the U.S. and DOD can pull even in information operations with its adversaries, much of which requires buy-in from and direction to the Biden Administration.
Geek Out
Chair James Langevin (D-RI) (watch his opening statement) contended the United States (U.S.) is at a disadvantage to the Russian Federation, the People’s Republic of China (PRC), and terrorist organizations in the information warfare realm. He asserted these entities use information warfare to seek and gain asymmetrical advantage against the U.S. and to undermine the international order and democratic values. Langevin stated the recently released Intelligence Community’s Worldwide Treats Assessment made clear U.S. adversaries are using information warfare to undermine the U.S. by sowing discord among citizens. He noted these efforts have turned what once was a U.S. strength in its informational advantage into a weakness.
Langevin claimed that at present the U.S. military is at an immense disadvantage in the information environment. He stressed that the U.S is under threat even though adversaries do not need to engage physically or cross U.S. borders. Langevin predicted these threats will grow as artificial intelligence, machine learning, and other technologies advance that will allow the speed and scope of these operations to increase exponentially. He quoted the National Security Commission on Artificial Intelligence (NSCAI) which warned that AI will make information operations much harder to counter.
Langevin declared his solution to information operations entails a forceful U.S. response to deter bad actors, investment in robust public diplomacy, and education of U.S. residents and servicemembers. He added the U.S. must articulate a vision for the information environment and delineate thresholds that will trigger a response. Langevin lauded the NSCAI recommendation that the U.S. develop a new strategy to counter disinformation while investing in technology to counter AI-enabled warfare. Langevin stated the subcommittee will examine how the DOD is structured to confront information operations and disinformation, cyber threats, the electromagnetic spectrum, military information operations, deception, and operational security.
Langevin noted the committee has pushed the DOD to adapt to the new and evolving information environment and asserted the DOD has a key role to play. Langevin said the committee and Congress have pushed the Pentagon to adapt to the weaponized information environment, including by creating the position of the Principal Information Operations Advisor. He voiced his concern that the DOD has been slow to adapt to the current information operations realm. Langevin quoted a memorandum most of the combatant commanders wrote asking for more assistance and greater action in pushing the DOD to evolve along with current conditions.
Ranking Member Elise Stefanik (R-NY) (watch her opening statement) asserted information warfare is one of the most complex and important missions the DOD undertakes. She claimed that just as in large scale wars of the past and today’s gray zone operations, shaping the information environment is frequently critical. Stefanik stated it is important not only to target and erode support for adversaries but also to win the hearts and minds remains the ultimate objective of information operations. She quoted a former senior advisor to a Secretary of Defense who said victory comes when the enemy speaks your language and embraces your ideas. Stefanik declared Russia, the PRC, Iran, and non-state actors are weaponizing information to undermine the U.S. and its interests, deploying asymmetric information capabilities rather than engaging in traditional military competition. She asserted the U.S. must not only fend off these efforts but also deploy its own capabilities to exploit and shape the environment.
Stefanik remarked that the media and online world of today are much different than in the past with new technology allowing words and ideas to spread faster and wider than ever before. She said that in the future international competition, diplomacy, and military operations will be ever more based on “human-centric networks and patterns.” Stefanik claimed the DOD and IC recognize this and are adapting to this new landscape. She noted Congress has given the Pentagon clear authority to conduct information operations. Stefanik said Congress expects use of this authority and argued it is not feasible to rely only on Special Forces to conduct information operations. She asserted the entire DOD must use information operations that are effective and positively shape the environment.
Stefanik remarked that Congress required the DOD to assess and report on its information operations two years, but Congress is still awaiting this briefing and strategy. She noted the subcommittee has jurisdiction over these matters but without input and cooperation from the DOD, it is difficult for the subcommittee to support the Pentagon. Stefanik noted Congress has created the position of Principal Information Operations Advisor to establish one person as the overseer of military information operations. She expressed disappointment that this position was “layered under” the Under Secretary of Defense for Policy contrary to Congressional intent. Stefanik stated this position was not established to be part of the larger bureaucracy but to have an agile, unified approach to information operations.
Stefanik stated the NSCAI recommended reforms to address AI-enabled information threats as well as increased coordination with the Department of State’s Global Engagement Center to counter propaganda targeted towards the U.S. She said she wanted to hear how the DOD could work with the IC to better handle and conduct information operations and how the department can protect the U.S. as adversaries continue to wage a persistent information war on U.S. interests abroad and in the U.S.
Former National Security Agency General Counsel Glenn Gerstell (watch his opening statement and read his full written testimony) argued:
§ We know disinformation is already a big problem, and we fear it could be even worse, so why haven’t we done something about it? As with any complex problem, there are many answers.
§ There are steps we can take to start to fix the problem. No one solution is at hand, but we have tools at our disposal to use and they will, bit by bit, make a difference. I’ll mention just three that will help attenuate the threats to our national security.
§ Probably the most obvious tool is the law, but we first have to get over what seems like a big obstacle. We want neither government nor the private sector to be the final arbiter of the truth or the decider of what we hear and see. Yet allowing the private sector to profit from manipulating what we view online without regard to its truthfulness or the consequences of viral dissemination is simply not sensible public policy. But it’s not all or nothing, there is room for some thoughtful regulation. After all, the First Amendment applies only to government and not to private businesses.
§ So there’s room for Congress to act in tightening rules on political campaign ads, perhaps by making certain knowing or intentional falsehoods illegal, such as deliberately spreading incorrect information about polling places – much in the way that the law prevents someone from filing a false police report. Admittedly, there is a delicate line between a prank or spoof, and something clearly malicious and potentially illegal. But the mere fact that the line may be difficult to draw, need not preclude legislation that provides a framework for that process. As has been the subject of recent Congressional attention, some amendment of Section 230 of the Communications Decency Act could be helpful. However well-intentioned at the time of its adoption, the law has come to insulate the business models of social media platforms that are the source of information for billions of people around the globe. These ad-driven models rely on secret, complex algorithms that micro-target users, facilitating the forwarding of material without regard to its accuracy, thus allowing falsehoods to go viral, and often amplifying problematic material.
§ Another obvious tool is the technology itself. The very technology that helps spawn the problem can be used to correct it too, with AI helping social media platforms spot lies in the first place, identify doctored videos and photographs, and track the dissemination of falsehoods by both domestic and foreign users. And after social media was awash in disinformation during the pandemic and this last election, the platforms finally abandoned their hands-off approach and were more muscular in blocking objectionable content and taking down sham or malevolent accounts. True, there will always be difficulty in deciding what’s sufficiently objectionable or incorrect to warrant labeling or even removal – but again, just because it’s tough to draw the line doesn’t mean we shouldn’t even start. One helpful step would be for greater transparency about how such decisions are made, and how a platform’s algorithms make recommendations and curate what we see and hear.
§ Finally, there’s a whole range of other steps that can be taken beyond regulation of social media platforms. For example, we could promote international coordination to stop the export of disinformation or to bring cross-border cyber criminals to justice. We could do a much better job of organizing our federal government in a coherent way to fight disinformation, perhaps by setting up a national disinformation center within our intelligence community, just the way we’ve successfully done with the national counterterrorism center. The Intelligence Community could work more in a more integrated way with the military to counter adversaries’ ongoing malign influence campaigns. Saving the potentially most profound step for last, we would garner rich benefits by teaching digital literacy and putting civic education back in our schools – so that disinformation, whether foreign or domestic, will be less likely to take hold in an educated and cyber-sophisticated populace.
Wilson Center Disinformation Fellow Nina Jankowicz (watch her opening statement and read her full testimony) argued:
To meet the challenge of perpetual information competition, the Department of Defense and broader United States Government should organize themselves around a posture of Enduring Information Vigilance. This framework sets out how the USG, through the “three Cs”—capability building, inter- office and interagency coordination, and international cooperation—can work more effectively to detect the vulnerabilities that adversaries exploit, manage those attempts, and ultimately deny adversaries any benefit.
1. Capability: Beyond Discrete Campaigns
In ensuring that the DOD workforce is capable of proactively monitoring and identifying informational vulnerabilities that U.S. adversaries might use in information operations, the old military adage “don’t operate the equipment, equip the operator” is prescient. Tools for detecting online campaigns and inauthentic activity have developed rapidly in recent years, and parts of the national security infrastructure have adopted them, but none of these tools is a panacea without skilled staff and a baseline of resilience in the general population.
Enduring Information Vigilance relies on skilled people with a nuanced understanding of the threat who are capable of applying the full range of tools and techniques for monitoring, detecting, and responding to information operations. Section 589E of the 2021 NDAA, which “establish[es] a program for training members of the Armed Forces and civilian employees of the Department of Defense regarding the threat of foreign malign influence campaigns targeted at such individuals and the families of such individuals, including such campaigns carried out through social media” is an excellent starting point for these efforts, given that active-duty personnel and veterans have both been targets of state-sponsored information operations in the recent past; veterans were also a key contingent among those who stormed the Capitol on January 6. As this program is implemented, it is critical that training is produced together with nonpartisan subject matter and pedagogical experts and is engaging and well-resourced. This broad-based training, which would reach the 2.75 million active-duty, reserve, and civilian employees of the Department of Defense, and could also be rolled out to all civil servants and their families across the Federal Government; a bill providing for such a program is being spearheaded by the Task Force on Digital Citizenship and the Office of Congresswoman Jennifer Wexton.
Beyond such a broad resilience-building program, it is critical to equip specialists with the training and tools they need. The National Security Commission on Artificial Intelligence (NSCAI) suggests the establishment of a “Digital Service Academy to train current and future employees,” though other nations’ efforts suggest such training need not be relegated to a standalone body. Instead, a more agile and responsive training program might be integrated into employees’ regular professional development activities. U.S. allies have adopted a similar approach; The UK Government trains its public-sector communications personnel on the “RESIST” toolkit, which emphasizes the importance of understanding the objectives of information operations when formulating appropriate responses. Critically, the toolkit points out:
The speed and agility of your response is crucial in countering disinformation. This can mean working to faster deadlines than is usual and developing protocols for responding that balance speed with formal approval from senior officials.
This is not DOD—or the Federal Government’s—strong suit. Proactive, creative communications are often stymied and stifled by government clearance processes, resulting in ineffective and even embarrassing products that have little chance at countering sometimes-slick adversarial operations.
2. Coordination: All Sectors, At All Times
The breadth of activity related to hostile state information operations, whether Russian campaigns or China’s “three warfares” approach, spans the remit of multiple government agencies. The Department of Defense and wider USG must break out of siloed national security thinking, coordinate more effectively, and provide space for cross-sector cooperation. From hard security and defense to cultural activity and media, as well as many other realms of society not typically situated at the forefront of foreign interference, hostile states have the potential to exploit the government’s difficulty to work effectively across traditional departmental boundaries. This “bureaucratic vulnerability” can lead to poor information flow, competition for resources and influence, or the exclusion of key stakeholders.
These shortcomings emphasize the need to work more effectively across government. Newly built capabilities required for monitoring, detecting, and understanding the multiple elements of hostile information activities must be integrated to advance a shared view of what adversaries are doing, whom they are targeting, and whether these activities are effective.
In its report, the NSCAI recommends the creation of a Joint Interagency Task Force bringing together the Departments of “State, Defense, Justice, and Homeland Security, and the [Office of the] Director of National Intelligence to stand-up an operations center to counter foreign-sourced malign information...survey the landscape of relevant public and private actors, coordinate among them, and act in real time to counter foreign information campaigns.”
While I agree with the NSCAI’s conclusion that the Federal Government requires a central node for the monitoring and coordination of intelligence and policymaking around disinformation, ideally in the White House, my research across Central and Eastern Europe suggests it is necessary to involve nontraditional security departments via leads with the necessary security clearances in such efforts as well. Building this situational awareness across the government will enable the prioritized coordination of effective responses in the short term and beyond. Policy and operational levers for ameliorating vulnerabilities and building resilience against information threats in the long term lie with departments of education, health, and at local levels; they require policies that ensure a thriving and pluralistic media, societal awareness of the threat, robust media and digital literacy, and an understanding of civics.
3. Cooperation: International Partnership
Hostile influence activities have never occurred at such a scale before. Any deterrent effect of Enhanced Information Vigilance is augmented by demonstrating resolve and denying benefit to adversaries through a collective stance against their activities, including better sharing of information and knowledge to identify threats, tactics, and tools, and the formulation of effective responses. In the wake of the attempted assassination of Sergei Skripal in the United Kingdom in 2018, the coordinated expulsion of over 140 Russian diplomatic personnel from allied nations demonstrates how a well-coordinated response can impose costs on a threat actor. Building cross- border resilience and reducing vulnerability to deny benefit, however, requires enduring cooperation and demonstrations of shared capability and resolve.
The NSCAI suggests that one way to build this resolve is through an international task force to counter and compete against disinformation, led by the Global Engagement Center (GEC) at the Department of State. In principle, this is an operable suggestion, though I would add some nuance to its implementation. To begin with, the GEC’s remit is too large, budget too small, and reputation within the interagency and international community too uncertain to add such a task force to its portfolio. Currently, the GEC conducts open source intelligence analysis in addition to its coordination, policymaking, and programmatic work. I recommend that intelligence gathering and analysis be left to the Intelligence Community and shared within the interagency. While the GEC should benefit from such analysis, its limited resources are better allocated in coordinating with embassies and other agencies in establishing and implementing policy and program priorities.
Finally, while the idea of a task force for international coordination is a noble one, the United States must be careful not to reinvent the wheel in its desire to engage on issues related to information operations. We are arriving late to this party and should seek to use American convening power to augment, not upstage, existing task forces and coordination efforts, particularly those spearheaded by close allies, such as the International Partnership for Countering State-Sponsored Disinformation (led by the United Kingdom in cooperation with the GEC) and the G7 Rapid Response Mechanism (led by Canada).
Stanford University’s Center for International Security and Cooperation Senior Research Scholar Dr. Herb Lin (watch his opening statement and read his full written testimony) stated:
§ The general thrust of my remarks is that the Department of Defense is poorly authorized, structured, and equipped to cope with the information warfare threat facing the United States as a whole, although it can make meaningful contributions in addressing a portion of the problem.
§ The DOD can pursue offensive and defensive activities with respect to information warfare, but it must be realized that offensive activities will not help to defend the U.S. population against the information warfare threat. Moreover, since our information warfare adversaries are authoritarian entities, they already exercise a great deal of control and influence over the information that flows through their borders or into their spheres of influence. Thus, offensive information warfare activities of the United States would be pitted against a strong suit of authoritarian governments.
§ Nevertheless, should the DOD wish to prosecute the offensive side of information warfare against foreign adversaries, I begin with the observation that the DOD cyber operators appear to be expanding their purview into the information warfare space. However, the expertise of DOD cyber forces to this point in time has focused on the information delivery side of cyber-enabled psychological operations. Prosecuting information warfare requires content as well, and it is by virtue of long experience in executing influence operations that U.S. Special Operations Command has developed its extensive psychological and cultural expertise on the information content side of psychological operations.
§ Thus, DOD should establish a standing operational entity that can integrate specialists in psychological operations and in cyber operations as co-equal partners. This entity would bring “to bear the respective expertise of each command [Cyber Command for cyber expertise, Special Operations Command for psychological operations] should . . . enhance the synergies possible between cyber- enabled psychological operations and offensive cyber operations, and it would be most desirable if the two commands could partner rather than compete over the cyber-enabled psychological operations mission.” The “standing” part of this entity is essential, as it would recognize the continuing need to conduct such operations against adversaries who believe that open conflict need not have been declared or even started for hostile activity in information space to begin.
§ Perhaps the most important policy matter in pursuing the offensive side of information warfare is the extent to which DOD offensive information warfare operations are constrained by a need to be truthful and not misleading. A long tradition of U.S. efforts in this regard, especially those undertaken during the Cold War, reflects a deeply-held belief that as long as the United States presents truthful information against adversaries that lie and mislead, it will prevail. But the Cold War ended before the advent of the Internet, social media, search engines and other information technologies that have changed the information environment by many orders of magnitude. The very successes of our information warfare adversaries today have demonstrated that truth does not always prevail, in part because lies spread faster than truth and because the first message to get through has significant advantages. What may have been true about likely winners and losers in the past may not be so true today and in the future.
§ How and to what extent, if any, should the United States and DOD adopt the tactical approaches of our information warfare adversaries against them is an open question. As an American citizen, I am very uneasy with the idea of my government using deception and misdirection as tools of its defense and foreign policy, and yet I wonder if relying only on truths that move at a snail’s pace in cyberspace leaves us at a fundamental disadvantage with respect to our adversaries. Sometimes we do accept disadvantage as a matter of principle—it is our stated policy to adhere to the laws of armed conflict whether or not our adversaries so. But the ethics of how to conduct information warfare ourselves is perhaps a different issue that is way above my pay grade to address.
§ Addressing the defensive side of information warfare conducted against the populace of the United States is also complex. DOD’s freedom of action is constrained by policy and public concerns about DOD actions that directly affect the information available to U.S. citizens. Nevertheless, DOD is well positioned to address the cyber-enabled information warfare threat for at least one important segment of the U.S. populace—the U.S. armed forces and their families. Consider that:
o Every member of the U.S. military swears an oath to “the United States against all enemies, foreign and domestic.” But DOD offers essentially zero support and defend the Constitution of training on what it means in a practical or operational sense to “support and defend” the Constitution and how to identify an “enemy, foreign or domestic.”
o Section 589E of the FY2021 National Defense Authorization Act called for the DOD to establish a training program regarding foreign malign influence campaigns for U.S. military personnel and their families. Although the legislation provided no specifics on the content of the training program, it is hard to imagine that it would not try to teach/educate U.S. military personnel how to identify and resist the influence of hostile information warfare campaigns.
o Section 589F of the FY2021 National Defense Authorization Act called for DOD to assess aspects of the foreign information warfare threat to members of the U.S. armed forces and their families, although the legislative language used somewhat different terms than are used in this testimony.
§ Secretary of Defense Austin has taken action to counter extremism in the Department of Defense, including the military personnel within DOD. The scope, nature, and extent of extremism within the U.S. armed forces is unknown at this time, and Secretary Austin’s actions will shed some light on these matters. Nevertheless, to the extent that extremism is a problem, it is clear that information warfare operations and exposure to disinformation contribute in some ways to the problem.
Government Accountability Office Defense Capabilities and Management Team Director Dr. Joseph Kirschbaum (watch his opening statement and read his full testimony) said:
§ GAO found, in 2019, that DOD had made limited progress in implementing the 2016 DOD IO strategy and faced a number of challenges in overseeing the IO enterprise and integrating its IO capabilities. Specifically:
o In seeking to implement the strategy, DOD had not developed an implementation plan or an investment framework to identify planning priorities to address IO gaps.
o DOD has established department-wide IO roles and responsibilities and assigned most oversight responsibilities to the Under Secretary of Defense for Policy. The Under Secretary had exercised some responsibilities, such as establishing an executive steering group. However, the Under Secretary had not fulfilled other IO oversight responsibilities, such as conducting an assessment of needed tasks, workload, and resources. Instead, the Under Secretary delegated these responsibilities to an official whose primary responsibilities are focused on special operations and combatting terrorism.
o DOD had integrated information-related capabilities in some military operations, but had not conducted a posture review to assess IO challenges. Conducting a comprehensive posture review to fully assess challenges would assist DOD in effectively operating while using information-related capabilities.
Other Developments
Photo by Haley Black from Pexels
§ President Joe Biden gave his first State of the Union address and naturally touched upon some of the technology components of his “American Jobs Plan:”
o And finally, the American Jobs Plan will be the biggest increase in nondefense research and development on record. We will see more technological change — and some of you know more about this than I do — we’ll see more technological change in the next 10 years than we saw in the last 50. That’s how rapidly artificial intelligence and so much more is changing.
o And we’re falling behind the competition with the rest of the world.
o Decades ago, we used to invest 2 percent of our gross domestic product in America — 2 percent of our gross domestic product — in research and development.
o Today, Mr. Secretary, that’s less than 1 percent. China and other countries are closing in fast. We have to develop and dominate the products and technologies of the future: advanced batteries, biotechnology, computer chips, clean energy.
o The Secretary of Defense can tell you — and those of you on — who work on national security issues know — the Defense Department has an agency called DARPA — the Defense Advanced Research Project Agency. The people who set up before I came here — and that’s been a long time ago — to develop breakthroughs that enhance our national security -– that’s their only job. And it’s a semi-separate agency; it’s under the Defense Department. It’s led to everything from the discovery of the Internet to GPS and so much more that has enhanced our security.
o The National Institute of Health — the NIH –- I believe, should create a similar Advanced Research Projects Agency for Health.
o And that would — here’s what it would do. It would have a singular purpose: to develop breakthroughs to prevent, detect, and treat diseases like Alzheimer’s, diabetes, and cancer.
o I’ll still never forget when we passed the cancer proposal the last year I was Vice President — almost $9 million going to NIH. And if you excuse the point of personal privilege, I’ll never forget you standing and mentioning — saying you’d name it after my deceased son. It meant a lot.
o But so many of us have deceased sons, daughters, and relatives who died of cancer. I can think of no more worthy investment. I know of nothing that is more bipartisan. So, let’s end cancer as we know it. It’s within our power. It’s within our power to do it.
o Biden also turned to foreign policy:
§ The investments I’ve proposed tonight also advance the foreign policy, in my view, that benefits the middle class. That means making sure every nation plays by the same rules in the global economy, including China.
§ In my discussions — in my discussions with President Xi, I told him, “We welcome the competition. We’re not looking for conflict.” But I made absolutely clear that we will defend America’s interests across the board. America will stand up to unfair trade practices that undercut American workers and American industries, like subsidies from state — to state-owned operations and enterprises and the theft of American technology and intellectual property.
§ I also told President Xi that we’ll maintain a strong military presence in the Indo-Pacific, just as we do with NATO in Europe — not to start a conflict, but to prevent one.
§ I told him what I’ve said to many world leaders: that America will not back away from our commitments — our commitment to human rights and fundamental freedoms and to our alliances.
§ And I pointed out to him: No responsible American President could remain silent when basic human rights are being so blatantly violated. An American President — President has to represent the essence of what our country stands for. America is an idea — the most unique idea in history: We are created, all of us, equal. It’s who we are, and we cannot walk away from that principle and, in fact, say we’re dealing with the American idea.
§ With regard to Russia, I know it concerns some of you, but I made very clear to Putin that we’re not going to seek esca- — ecala- — exc- — excuse me — escalation, but their actions will have consequence if they turn out to be true. And they turned out to be true, so I responded directly and proportionally to Russia’s interference in our elections and the cyberattacks on our government and our business. They did both of these things, and I told them we would respond, and we have.
§ But we can also cooperate when it’s in our mutual interest. We did it when we extended the New START Treaty on nuclear arms, and we’re working to do it on climate change. But he understands we will respond.
§ On Iran and North Korea — nuclear programs that present serious threats to American security and the security of the world — we’re going to be working closely with our allies to address the threats posed by both of these countries through di- — through diplomacy, as well as stern deterrence.
§ On 28 April, the Senate Commerce, Science, and Transportation Committee marked up a number of bills, sending them to the full Senate. However, the committee pulled two of the technology bills it had planned on marking up: S.326, Measuring the Economic Impact of Broadband Act; Sponsors: Sens. Amy Klobuchar (D-MN), Shelley Moore Capito (R-WV), Dan Sullivan (R-AK) and S.1260, Endless Frontier Act; Sponsors: Sens. Chuck Schumer (D-NY), Todd Young (R-IN). The committee also approved two nominations: Don Graves to be Deputy Secretary of Commerce and former Senator Bill Nelson to be the National Aeronautics and Space Administration Administrator. The bills the committee did act upon include:
o S.120, Safe Connections Act; Sponsors: Sens. Brian Schatz (D-HI), Deb Fischer (R-NE), Rick Scott (R-FL), Richard Blumenthal (D-CT), Jacky Rosen (D-NV), Shelley Moore Capito (R-WV)
§ a. Schatz substitute
§ b. Lee 2 (as modified)
o S.163, Telecommunications Skilled Workforce Act; Sponsors: Sens. John Thune, (R-SD) Jon Tester (D-MT), Gary Peters (D-MI), Roger Wicker (D-MS), Jerry Moran (R-KS)
§ a. Thune substitute
o S.198, Data Mapping to Save Mom’s Lives Act; Sponsors: Sens. Jacky Rosen (D-NV), Deb Fischer (R-NE), Todd Young (IN), Brian Schatz (D-HI), Ed Markey (D-MA), Richard Blumenthal (D-CT), Amy Klobuchar (D-MN), Gary Peters (D-MI)
o S.735, Advanced Technological Manufacturing Act; Sponsors: Sens. Roger Wicker (R-MS), Maria Cantwell (D-WA), Jacky Rosen (D-NV)
§ a. Wicker substitute
§ b. Luján 1
§ The Federal Communications Commission (FCC) held an open meeting and approved the following matters:
o FCC Lays the Groundwork for Text-to-988
§ Further Notice of Proposed Rulemaking
o FCC Seeks to Make Spectrum Available for Commercial Space Launches
o FCC Looks to Open the Door to New Wireless Microphone Technologies
§ Notice of Proposed Rulemaking
o FCC Proposes Action to Improve 911 Reliability
§ Notice of Proposed Rulemaking
o FCC Successfully Concludes 800 MHz Rebanding Process
§ Order
o FCC Enhances Transparency of Foreign Government-Sponsored Programming
o FCC Fines Tele Circuit $4,145,000 for Cramming & Slamming Violations
§ Israel’s Supreme Court has denied a challenge (in Hebrew only) to the Israeli State Attorney’s Cyber Unit’s practice of asking social media platforms to remove content. Adalah – The Legal Center for Arab Minority Rights in Israel and the Association for Civil Rights in Israel (ACRI) brought the action and claimed in their press release:
o Israel’s Cyber Unit uses an "alternative enforcement" mechanism to essentially censor social media platforms and muzzle users: it flags and submits social media posts – without legal proceedings and often without even the knowledge of the individual user – to social media giants and requests their removal.
o This Israeli state practice is aimed at clamping down on social media dissent, and frequently even results in the suspension or removal of users. This censorship is conducted in collaboration and coordination with social media outlets, including U.S.-based giants Facebook and Twitter.
o Similar units operating in countries around the world are known as Internet Referral Units (IRUs).
o Adalah attorneys Fady Khoury and Rabea Eghbariah had filed the petition against the Cyber Unit to the Israeli Supreme Court on 26 November 2019. They stressed that the Cyber Unit’s "alternative enforcement" mechanism violates the constitutional rights of freedom of expression and due process, and that the unit is operating without any legal authority.
o Israeli Supreme Court Justice Hanan Melcer announced the decision on Monday morning in Jerusalem, in his final ruling before retirement.
o In its decision, the court granted unchecked and unauthorized power to the Israeli state, allowing it to govern online speech by using informal channels with social media corporations. The court essentially privatized the judicial process, allowing private corporations to decide upon censorship of social media content based on ostensibly unbinding requests from Israeli state authorities.
o Israel’s State Attorney did not issue a press release but provides on its website a general explanation of how the Cyber Unit works:
§ The Cyber Unit at the Office of the State Attorney is a new national unit which was established in 2015, in view of the need recognized by the State Attorney to coordinate efforts in dealing with crime and terrorism in cyberspace.
§ In recent years cybercrime has been on a sharp upward trend from the quantitative and qualitative aspect. This crime is complex and has unique characteristics that distinguish it from familiar crime in the physical space. Cybercrime raises unique legal questions and requires special proficiency in handling it. In view of the structure of the internet which makes it difficult to collect digital evidence and locate the perpetrators of the offenses and in view of the increasing dependency on cyberspace, much more crimes are committed inside cyberspace or via it.
§ Following the headquarters' work carried out in conjunction with the National Cyber Bureau at the Prime Minister's Office, adopted by the Attorney General and the State Attorney, it was decided to form the Cyber Unit at the Office of the State Attorney.
§ Cybercrime is varied and includes the following types of offenses:
· Offenses against computer and against information - infiltration into computer material, circulating viruses, Trojan horses and worms, interference with computer activity (such as by way of DDoS attacks), stealing computerized information (personal information, information of economic value, information of national security importance) and more. The motives for committing these offenses may be varied: terrorism, business espionage or personal motives.
· Classic offenses copied in full into the computerized space - these are varied offenses (fraud, forgery, gambling, pornographic pedophilic publications, sexual harassment, etc.) that have been copied form the physical space to the computerized space, while exploiting the features of the space so as to allow them to be committed more easily and with less fear of being caught.
· Expression offenses in the computerized space - this is a variety of forbidden publications - incitement to racism and violence, a breach of gag orders, defamation, harm to privacy and also phenomena such as cyberbullying and shaming that are presently committed online.
§ The Senate passed the “Drinking Water and Wastewater Infrastructure Act of 2021” (S.914) and sent it to the House. The White House expressed its support for the bill in a Statement of Administration Policy. This bill addresses the perceived cyber insecurity of United States (U.S.) water systems through a variety of means:
o A Midsize and Large Drinking Water System Infrastructure Resilience and Sustainability Program would be established in the Environmental Protection Agency (EPA) to reduce cybersecurity vulnerabilities and increase resilience to natural hazards and extreme weather events.
o The EPA would also need to “carry out a study that examines the state of existing and potential future technology, including technology that could address cybersecurity vulnerabilities, that enhances or could enhance the treatment, monitoring, affordability, efficiency, and safety of drinking water provided by a public water system.” An advanced drinking water technology grant program would thereafter be established at the EPA to address a number of problems, including cybersecurity.
o The EPA and the Cybersecurity and Infrastructure Security Agency (CISA) would “develop a prioritization framework to identify public water systems (including sources of water for those public water systems) that, if degraded or rendered inoperable due to an incident, would lead to significant impacts on the health and safety of the public.” The agencies would also develop a Technical Cybersecurity Support Plan for public water systems.
o The EPA must “establish a clean water infrastructure resilience and sustainability program under which the Administrator shall award grants to eligible entities for the purpose of increasing the resilience of publicly owned treatment works to a natural hazard or cybersecurity vulnerabilities.”
§ The Department of Justice (DOJ) announced that “Software company, SAP SE, headquartered in Walldorf, Germany, has agreed to pay combined penalties of more than $8 million as part of a global resolution with the U.S. Departments of Justice (DOJ), Commerce and Treasury.” The DOJ entered into a non-prosecution agreement with SAP and explained:
o In voluntary disclosures the company made to the three agencies, SAP acknowledged violations of the Export Administration Regulations and the Iranian Transactions and Sanctions Regulations. As a result of its voluntary disclosure to DOJ, extensive cooperation and strong remediation costing more than $27 million, DOJ’s National Security Division (NSD) and the U.S. Attorney’s Office for the District of Massachusetts entered into a Non-Prosecution Agreement with SAP. Pursuant to that agreement, SAP will disgorge $5.14 million of ill-gotten gain.
o Beginning in approximately January 2010 through approximately September 2017, SAP, without a license, willfully exported, or caused the export, of its products to Iranian users. SAP’s violations occurred in two principle ways.
o First, between 2010 and 2017, SAP and its overseas partners released U.S-origin software, including upgrades or software patches more than 20,000 times to users located in Iran. Certain SAP senior executives were aware that neither the company nor its U.S.-based content delivery provider used geolocation filters to identify and block Iranian downloads, yet for years the company did not remedy the issue. The vast majority of the Iranian downloads went to 14 companies, which SAP partners in Turkey, United Arab Emirates, Germany and Malaysia knew were Iranian-controlled front companies. The remaining downloads went to several multinational companies with operations in Iran, which downloaded SAP’s software, updates, or patches from locations in Iran.
o Second, from approximately 2011 to 2017, SAP’s Cloud Business Group companies (CBGs) permitted approximately 2,360 Iranian users to access U.S.-based cloud services from Iran. Beginning in 2011, SAP acquired various CBGs and became aware, through pre-acquisition due diligence as well as post-acquisition export control-specific audits, that these companies lacked adequate export control and sanctions compliance processes. Yet, SAP made the decision to allow these companies to continue to operate as standalone entities after acquiring them and failed to fully integrate them into SAP’s more robust export controls and sanctions compliance program.
§ The National Institute of Standards and Technology (NIST) is asking for input on its document that provides guidance for the security of industrial control systems:
o Since NIST Special Publication (SP) 800-82 Rev. 2, Guide to Industrial Control Systems (ICS) Security, was published in 2015, many of the tools, technologies, standards, and recommended practices encompassing control system cybersecurity have changed.
o NIST has initiated an update of SP 800-82 to incorporate lessons learned over the past several years, to provide alignment to relevant NIST guidance (e.g., NIST SP 800-37 Rev. 2, NIST SP 800-53 Rev. 5, NIST SP 800-53B, and the Cybersecurity Framework v1.1), to provide alignment to other relevant control system cybersecurity standards and recommended practices, and to address changes in the threat landscape.
o NIST seeks input from SP 800-82 stakeholders to ensure that the future update will continue to deliver the guidance necessary to help organizations manage the cybersecurity risks associated with their control systems.
o Specifically, NIST requests input on the following:
§ Expansion in scope of SP 800-82 from industrial control systems to control systems in general
§ Over the years, SP 800-82 has been used in areas outside the scope of traditional industrial control systems, from building automation systems to the National Airspace System. The proposed update would expand the scope to control systems in general and would enable SP 800-82 to provide cybersecurity guidance for control systems beyond traditional industrial control systems. What are the benefits and/or impacts of this expansion in scope?
§ Application of new cybersecurity capabilities in control system environments
§ The proposed update would provide guidance on the use of new technologies and cybersecurity capabilities (e.g., behavioral anomaly detection, digital twins, Internet of Things, artificial intelligence, machine learning, zero trust, cloud, edge computing) in control system environments. What new technologies and cybersecurity capabilities should be highlighted in the updated guidance?
§ Development of guidance specific to small and medium-sized control system owners and operators
§ Stakeholder feedback has indicated that there is a need for more cybersecurity guidance to enable small and medium-sized control system owners and operators to select and deploy cybersecurity tools and techniques that best fit their needs. What guidance and resources would be most beneficial to this community of interest?
§ Updates to control system threats, vulnerabilities, standards, and recommended practices
§ The proposed update would revise guidance throughout the document to align with current control system cybersecurity standards and recommended practices. Updates would also be made to the control system threat landscape, vulnerabilities, incidents that have occurred, current activities in control system cybersecurity, and the cybersecurity capabilities, tools, and mitigations sections. How can NIST best both capture theses updates and provide an ongoing reference to other resources?
§ Updates to the control system Overlay
§ The proposed update would revise the control system Overlay to align with SP 800-53, Rev. 5 and SP 800-53B, and address the change in scope to control systems in general.
§ Removal of material from the current document
§ The proposed update would consider removing material that is outdated, unneeded, or no longer applicable. Is there material that is no longer useful in the document?
§ The developers of Signal, a messaging app, have posted their assessment of and holes they found in Cellbrite’s security roughly six months after the Israeli security firm claimed it had broken Signal’s encryption. Last year, Human rights attorneys filed suit in Tel-Aviv to force the Ministry of Defence to end exports of Cellebrite’s phone hacking technology to repressive regimes like Hong Kong and Belarus. It is not clear Israel ever granted Cellebrite an export license, and the Ministry is being closed mouth on the issue. Previous filings assert Cellebrite’s technology has been used over 4,000 times in Hong Kong to hack into the phones of dissidents and activists even though many were using device encryption. In its blog post, Signal stated:
o Cellebrite makes software to automate physically extracting and indexing data from mobile devices. They exist within the grey – where enterprise branding joins together with the larcenous to be called “digital intelligence.” Their customer list has included authoritarian regimes in Belarus, Russia, Venezuela, and China; death squads in Bangladesh; military juntas in Myanmar; and those seeking to abuse and oppress in Turkey, UAE, and elsewhere. A few months ago, they announced that they added Signal support to their software.
o Their products have often been linked to the persecution of imprisoned journalists and activists around the world, but less has been written about what their software actually does or how it works. Let’s take a closer look. In particular, their software is often associated with bypassing security, so let’s take some time to examine the security of their own software.
§ The American Civil Liberties Union (ACLU) filed a petition for the Supreme Court of the United States to overturn an appeals court decision that allows for suspicionless searches of electronic devices at the border and airports of the United States (U.S.). In February, the United States Court of Appeals For the First Circuit (First Circuit) overturned a district court and hewed to rulings handed down by other circuits. In November 2019, a U.S. District Court held that U.S. Customs and Border Protection (CPB) and U.S. Immigration and Customs Enforcement’s (ICE) current practices for searches of smartphones and computers at the U.S. border are unconstitutional and the agency must have reasonable suspicion before conducting such a search.
Further Reading
§ “Spy chiefs look to declassify intel after rare plea from 4-star commanders” By Betsy Woodruff Swan and Bryan Bender — Politico. Top United States (U.S.) military commanders urged the Intelligence Community to declassify material faster so they can better wage information war against the Russians and Chinese.
§ “Google Promised Its Contact Tracing App Was Completely Private—But It Wasn’t” By Alfred Ng — The Markup. A security researcher found that Google’s COVID-19 contact tracing app had a significant privacy vulnerability and other apps on Androids could potentially access sensitive personal information despite Google’s privacy promises.
§ “Hackers publish extensive dossiers on D.C. police officers in extortion attempt” By Kevin Collier — NBC News. The District of Columbia Police Department is in a tough spot because hackers have apparently obtained the detailed personal background investigation documents on its officers and are demanding payment.
§ “Huawei was able to eavesdrop on Dutch mobile network KPN: Report” — NL Times. A Dutch newspaper, De Volkskrant, is claiming that the People’s Republic of China (PRC) firm listened to the phone calls in the Netherlands because Dutch telco KPN used Huawei’s equipment. The paper based its reporting on an internal investigation at the telco that determined the PRC tech giant was able to access its networks. Huawei denies any wrongdoing.
§ “Commission seeks to block China from sensitive joint science projects” By Cristina Gallardo — Politico EU. The European Commission is pushing the People’s Republic of China (PRC) to agree to certain conditions as part of their bilateral deal such intellectual property rules and others related to research and science.
§ “How Asia came to dominate chipmaking and what the U.S. wants to do about it” By Arjun Kharpal — CNBC.
§ “NHS Covid-19 app update blocked for breaking Apple and Google's rules” By Leo Kelion — BBC.
§ “The Intelligence Community’s Deadly Bias Toward Classified Sources” By Cortney Weinbaum — Defense One.
§ “Facebook knew of Honduran president’s manipulation campaign – and let it continue for 11 months” By Julia Carrie Wong and Jeff Ernst — The Guardian.
Coming Events
§ On 5 May, the House Homeland Security Committee’s Cybersecurity, Infrastructure Protection, and Innovation Subcommittee will hold a hearing titled “Responding to Ransomware: Exploring Policy Solutions to a Cybersecurity Crisis.”
§ On 6 May, the House Science, Space, and Technology Committee’s Research and Technology Subcommittee will hold a hearing titled “National Science Foundation: Advancing Research for the Future of U.S. Innovation Part II.”
§ The House Energy and Commerce Commerce’s Communications and Technology Subcommittee will hold a hearing titled “Broadband Equity: Addressing Disparities in Access and Affordability” on 6 May.
§ On 6 May, the House Appropriations Committee’s Commerce, Justice, Science Subcommittee will hold a hearing on the FY 2022 Department of Commerce budget request with Secretary of Commerce Gina Raimondo.
§ On 20 May, the Federal Communications Commission (FCC) will hold an open meeting with this tentative agenda:
o Reducing Interstate Rates and Charges for Incarcerated People – The Commission will consider a Third Report and Order, Order on Reconsideration, and Fifth Notice of Proposed Rulemaking that, among other actions, will lower interstate rates and charges for the vast majority of incarcerated people, limit international rates for the first time, and seek comment on further reforms to the Commission’s calling services rules, including for incarcerated people with disabilities. (WC Docket No. 12-375)
o Strengthening Support for Video Relay Service – The Commission will consider a Notice of Proposed Rulemaking and Order to set Telecommunications Relay Services (TRS) Fund compensation rates for video relay service (VRS). (CG Docket Nos. 03-123, 10-51)
o Shortening STIR/SHAKEN Extension for Small Providers Likely to Originate Robocalls – The Commission will consider a Further Notice of Proposed Rulemaking to fight illegal robocalls by proposing to accelerate the date by which small voice service providers that originate an especially large amount of call traffic must implement the STIR/SHAKEN caller ID authentication framework. (WC Docket No. No 17-97)
o Section 214 Petition for Partial Reconsideration for Mixed USF Support Companies – The Commission will consider an Order on Reconsideration to relieve certain affiliates of merging companies that receive model-based and rate-of-return universal service support from a “mixed support” merger condition cap. (WC Docket No. 20-389)
o Enforcement Bureau Action – The Commission will consider an enforcement action.
o Enforcement Bureau Action – The Commission will consider an enforcement action.
§ On 27 July, the Federal Trade Commission (FTC) will hold PrivacyCon 2021.