House Democrats Release Their Tech and Competition Package
EU Parliament passes its version of Digital Services Act; SEC lays out plans to tighten cybersecurity regulation
First, the Wavelength will transition to a paid product, but there will still be a free version available. Details to come this coming week.
Second, please send the Wavelength to anyone you think might find value in it.
Third, I have a new newsletter that is unrelated to tech. Check it out.
Quote of the Day
“In 1834, exactly a century before the SEC was established, the Blanc brothers in Bordeaux, France, committed the world’s first hack. The two bankers bribed telegraph operators to tip them off as to the direction the market was headed. Therefore, they gained an information advantage over investors who waited for the information to arrive by mail coach from Paris.” — Securities and Exchange Commission (SEC) Chair Gary Gensler
However, the Federal Bureau of Investigation apparently does not agree with Gensler.
House Democrats Release Their Tech and Competition Package
Several months after the United States (U.S.) Senate sent the “United States Competition and Innovation Act” (S.1260) to the House (see here and here for more detail and analysis), the leadership of the U.S. House has worked out a massive package (more than 2,900 pages) chock full of policy issues the Senate bill did not encompass.
A number of committees announced the release of the “America Creating Opportunities for Manufacturing, Pre-Eminence in Technology and Economic Strength Act of 2022” (aka the America COMPETES Act of 2022) (H.R.4521) and asserted in their press release that the bill “includes a historic investment to surge production of American-made semiconductors, tackles supply chain vulnerabilities to make more goods in America, turbocharges America’s scientific research and technological leadership, and strengthens America’s economic and national security at home and abroad.” The committees issued a section-by-section summary and a fact sheet.
This post will be the first in a series on the technology policy and funding in this package and will discuss the first two sections.
Like the Senate’s bill, the America COMPETES Act (S.1260) includes over $50 billion for the production of semiconductors in the U.S. and programmatic language to guide U.S. agencies in disbursing those funds.
While U.S.-headquartered semiconductor firms reaped 47% of global sales in semiconductors in 2019, this figure has fallen from 51.8% in 2012, and, more importantly for the purposes of this bill and funding, most of the world’s semiconductors are produced elsewhere. As the Biden Administration stressed in its mid-2021 report on supply chains:
The U.S. semiconductor industry accounts for nearly half of global semiconductor revenue, yet the share of semiconductor manufacturing capacity on U.S. soil has fallen from 37 percent 20 years ago and stands at about 12 percent of global production. U.S. companies, including major fabless semiconductor companies, depend on foreign sources for semiconductors, especially in Asia, creating a supply chain risk. Many of the materials, tools, and equipment used in the manufacture of semiconductors are available from limited sources, semiconductor manufacturing is geographically concentrated, and the production of leading-edge semiconductors requires multi-billion dollar investments.
It seems likely the proponents of dedicated funding for semiconductor production in the U.S. are thinking of a Reagan Administration program, the Semiconductor Manufacturing Technology consortium (SEMATECH), which provided $870 million to large chip makers to help U.S. manufacturers fend off the challenge from Japanese manufacturers.
And there is also the ongoing shortage in semiconductors that is acting as a drag on manufacturing all over the world.
The bill establishes within the Department of the Treasury a “Creating Helpful Incentives to Produce Semiconductors (CHIPS) for America Fund” (CHIPS Fund) that the Department of Commerce (Commerce) would administer. This language builds on a section in the FY 2021 National Defense Authorization Act (P.L. 116-283), the “Creating Helpful Incentives to Produce Semiconductors for America (CHIPS) Act.” The lion’s share of the funding made available for the CHIPS Fund is for semiconductor incentives and advanced microelectronics research and development. With this latter program, much of the funds would be directed to a new National Semiconductor Technology Center and a new National Advanced Packaging Manufacturing Program.
In terms of semiconductor incentives, $39 billion would be appropriated to Commerce over five years, of which no more than $6 billion could be used “for the cost of direct loans and loan guarantees” and $2 billion would go to “mature technology nodes” for semiconductor production. Incidentally, Commerce has discretion to define what a “mature technology node” is. Otherwise, with the remaining funds, Commerce is authorized to make financial assistance awards for semiconductor production.
The bill also establishes a Creating Helpful Incentives to Produce Semiconductors (CHIPS) for America Defense Fund to “provide for research, development, test and evaluation, workforce development, and other requirements that are unique to the Department of Defense and the intelligence community.” The CHIPS Defense Fund would fund the Department of Defense’s execution of Section 9903 of the FY 2021 NDAA that requires the DOD to establish:
a public-private partnership through which the Secretary shall work to incentivize the formation of one or more consortia of companies (or other such partnerships of private sector entities, as appropriate) to ensure the development and production of measurably secure microelectronics, including integrated circuits, logic devices, memory, and the packaging and testing practices that support these microelectronic components by the Department of Defense, the intelligence community, critical infrastructure sectors, and other national security applications.
The America COMPETES Act appropriates $2 billion for the CHIPS Defense Fund.
A third fund, the (CHIPS) for America International Technology Security and Innovation Fund, is created “to provide for international information and communications technology security and semiconductor supply chain activities, including to support the development and adoption of secure and trusted telecommunications technologies, secure semiconductors, secure semiconductors supply chains, and other emerging technologies.” $500 million would be given to the Department of State to undertake this program.
In Title II of the bill, the National Institute of Standards and Technology (NIST) would receive new authority regarding cybersecurity and privacy. NIST’s enabling statute is revised to provide additional means of implementation in meeting its required functions. Notably, NIST would need to develop guidance and other products for “the development and lifecycle of software and the software supply chain;” to “support information security measures…[for] cloud computing services;” to “improve the usability of cybersecurity processes and technologies;” to facilitate “appropriate privacy protections for personally identifiable information in systems, technologies, and processes used by both the public and private sector;” and to “support privacy measures…for the design, adoption and deployment of privacy enhancing technologies.”
Obviously, these provisions are intended to widen NIST’s purview and role in the cybersecurity and privacy of public and private networks. However, and this must be stressed, only a limited set of NIST guidance documents are binding on U.S. government agencies (and, by extension, contractors), and many of them are reference points for the private sector. The thinking here is that NIST’s reputation and its history of working with the private sector will lead to guidance materials private companies can use as they need. And so, the effect of NIST’s guidance materials that flow from these new directives will likely be limited even in the event the White House directs agencies to heed some of them.
There are further changes to NIST’s enabling statute. Subsection (e) of 15 U.S.C. 272 is amended, which is the part of this statute that directs NIST how to use its authority to “facilitate and support the development…of standards, guidelines, best practices, methodologies, procedures, and processes to cost-effectively reduce cyber risks to critical infrastructure.” Specifically, under the change in the bill, NIST must “conduct reviews of and create impact metrics for cybersecurity solutions and capabilities developed by the Institute for purposes of improvement” as they pertain to reducing cyber risks for critical infrastructure. Thus, the America COMPETES Act is prodding NIST to develop metrics by which its cybersecurity solutions and capabilities could be graded and theoretically compared.
NIST’s responsibilities vis-à-vis software security and authentication are widened. Consequently, NIST must “assess and assign severity metrics to identified vulnerabilities with open source software and produce voluntary guidance to assist the entities that maintain open source software repositories to discover and mitigate vulnerabilities.” If this language was conceived before the Log4j vulnerability was revealed, someone at the House Science, Space, and Technology Committee was listening to what some security experts have been warning about for years. Presumably, a robust system of rating open source software vulnerabilities will help organizations locate and fix these weaknesses, but, as always, this will only work as well as the processes any given entity has in place to act on this type of information.
NIST also gets artificial intelligence (AI) cybersecurity added to its plate. The agency must “carry out research and testing to improve the effectiveness of artificial intelligence-enabled cybersecurity, including by generating optimized data sets to train artificial intelligence defense systems and evaluating the performance of varying network architectures at strengthening network security.” Clearly, the projected future of cybersecurity is automated means to detect and remediate threats that take humans out of the process to the extent it is feasible and wise to do so; at least, this is the commonly accepted thinking within the U.S. defense community (see here, here, and here).
In terms of other responsibilities, NIST would also need to “ensure all software released by the Institute is digitally signed and maintained to enable stakeholders to verify its authenticity and integrity upon installation and execution.” The agency would be charged with helping inspectors general throughout the U.S. government perform audits of agency cybersecurity and information security practices per the Federal Information Security Modernization Act.
NIST would be given responsibilities regarding software supply chain security on top of those in Executive Order 14028, “Improving the Nation's Cybersecurity” (see here for NIST’s explanation). Generally, in consultation with a range of stakeholders, NIST would need to “develop a set of security outcomes and practices, including security controls, control enhancements, supplemental guidance, or other supporting information to enable software developers and operators to identify, assess, and manage cyber risks over the full lifecycle of software products.”
NIST would also need to engage more fully in the field of digital identity management, even though the agency has issued digital identity guidelines in the last decade. Specifically, NIST must conduct research in identity management for four purposes, with an eye towards updating or developing new guidance materials:
§ to improve interoperability and portability among identity management technologies;
§ to strengthen identity proofing and verification methods used in identity management systems;
§ to improve privacy protection in identity management systems through authentication and security protocols; and
§ to monitor and improve the accuracy, usability, and inclusivity of identity management systems.
NIST must “develop and maintain a technical roadmap for digital identity management research and development focused on enabling the voluntary use and adoption of modern digital identity solutions that align with the [above] four criteria.” The agency would also be required to work out common definitions with stakeholders and voluntary guidance for digital identity management systems.
NIST’s involvement with biometrics, namely facial recognition technology, would be broadened. NIST would be tasked with issuing binding standards and guidance for U.S. civilian agencies and relevant contractors regarding:
performance standards and guidelines for high risk biometric identification systems, including facial recognition systems, accounting for various use cases, types of biometric identification systems, and relevant operational conditions.
The agency would need to “establish a program to support measurement research to inform the development of best practices, benchmarks, methodologies, procedures, and voluntary, consensus-based technical standards for biometric identification systems, including facial recognition systems.” The agency would also be charged with establishing a testing program “to provide biometrics vendors the opportunity to test biometric identification technologies across a range of modalities.”
The job of addressing cybersecurity risk at research institutions is added to NIST’s purview as well. The agency would now need to develop and distribute resources for such institutions to help them fend off attacks or attempts to access and exfiltrate their research.
NIST would be required to “carry out a program of measurement research to inform the development of common definitions, benchmarks, best practices, methodologies, and voluntary, consensus-based technical standards for advanced communications technologies.”
The “National Quantum Initiative Act” would be expanded and NIST’s responsibilities increased to include research to help the development and standardization of quantum cryptography, post-quantum classical cryptography, quantum networking and communications technology and application.
NIST is also to “continue to support the development of artificial intelligence and data science, and carry out the activities of the National Artificial Intelligence Initiative Act of 2020.”
Most likely in response to the PRC’s dominance in many international standards-setting proceedings, NIST “shall lead information exchange and coordination among Federal agencies and communication from Federal agencies to the private sector of the United States to ensure effective Federal engagement in the development and use of international technical standards.” There are a range of provisions to foster more effective engagement with the private sector and other stakeholders to increase U.S. participation in and sway over these types of proceedings.
Finally, to help NIST meet these new responsibilities and roles, the agency would be authorized for appropriations of $1.409 billion in FY 2022, a figure that would rise to $1.765 billion in FY 2026. To put those numbers in context, NIST was appropriated $1.0345 billion in FY 2021 and $1.034 billion in FY 2020. Of course, these are merely authorization levels, and the Appropriations Committees are under no obligation to actually provide these funds.
Other Developments
§ The European Union’s (EU) Parliament approved an amended version of the “Digital Services Act” that “will be used as the mandate to negotiate with the French presidency of the Council, representing member states.” The Parliament had explained its position on the bill earlier this month, a few months after the European Council had laid out its position. Regarding the passed bill, the EU Parliament explained:
o Removing illegal content and preventing the spread of disinformation
o The Digital Services Act (DSA) proposal defines clear responsibilities and accountability for providers of intermediary services, and in particular online platforms, such as social media and marketplaces.
o The DSA establishes a “notice and action” mechanism, as well as safeguards, for the removal of illegal products, services or content online. Providers of hosting services should act on receipt of such a notice “without undue delay, taking into account the type of illegal content that is being notified and the urgency of taking action”. MEPs also included stronger safeguards to ensure notices are processed in a non-arbitrary and non-discriminatory manner and with respect for fundamental rights, including the freedom of expression.
o Online marketplaces must ensure that consumers can purchase safe products online, MEPs say, strengthening the obligation to trace traders (the “Know Your Business Customer” principle).
o Additional obligations for very large platforms
o Very large online platforms (VLOPs) will be subject to specific obligations due to the particular risks they pose regarding the dissemination of both illegal and harmful content. The DSA would help to tackle harmful content (which might not be illegal) and the spread of disinformation by including provisions on mandatory risk assessments, risk mitigation measures, independent audits and the transparency of so-called “recommender systems” (algorithms that determine what users see).
o Other key points
o Parliament introduced several changes to the Commission proposal, including on:
§ exempting micro and small enterprises from certain DSA obligations;
§ targeted advertising: the text provides for more transparent and informed choice for the recipients of digital services, including information on how their data will be monetised. Refusing consent shall be no more difficult or time-consuming to the recipient than giving consent. If their consent is refused or withdrawn, recipients shall be given other options to access the online platform, including “options based on tracking-free advertising”;
§ targeting or amplification techniques involving the data of minors for the purpose of displaying ads will be prohibited, as well as targeting individuals on the basis of special categories of data which allow for targeting vulnerable groups;
§ compensation: recipients of digital services and organisations representing them must be able to seek redress for any damages resulting from platforms not respecting their due diligence obligations;
§ online platforms should be prohibited from using deceiving or nudging techniques to influence users’ behaviour through “dark patterns”;
§ more choice on algorithm-based ranking: VLOPs should provide at least one recommender system that is not based on profiling.
o Further amendments approved in plenary relate to the need for providers to respect in their terms and conditions the freedom of expression and freedom and pluralism of the media, as well as a new provision on the right to use and pay for digital services anonymously (the voting list is available here and all amendments tabled to plenary here).
§ The United States (U.S.) House Oversight and Reform Committee released its version of an update to the Federal Information Security Modernization Act (FISMA) that “aims to improve the federal government’s cyber defenses following a string of high-profile cyberattacks, including SolarWinds and the Microsoft Exchange Server hack, as well as vulnerabilities discovered in common Apache Log4j software” as explained by Chair Carolyn Maloney (D-NY) and Ranking Member James Comer (R-KY) in their press release. The committee held a hearing on FISMA reform earlier this month (see here for more detail and analysis), and in December, the Senate Homeland Security and Governmental Affairs Committee tried to append its FISMA reform package to the FY 2022 National Defense Authorization Act (P.L. 177-81) (see here for more detail and analysis). Maloney and Comer claimed:
o The Federal Information Security Modernization Act of 2022, or FISMA 2022, would advance a risk-based cybersecurity posture, modernize and streamline reporting requirements to enhance security through automation, and expand inventories and information-sharing for improved security.
o FISMA 2022 also clarifies and streamlines the roles of the National Cyber Director, the Office of Management and Budget, the Cybersecurity and Infrastructure Security Agency, the Federal Chief Information Security Officer, and other federal entities to better coordinate efforts to mitigate and respond to cyber incidents.
§ United States (U.S.) Securities and Exchange Commission (SEC) Chair Gary Gensler gave a speech titled “Cybersecurity and Securities Laws” and laid out his vision for how the agency would improve cybersecurity across the entities and markets it regulates:
o Financial Sector SEC Registrants
o Let me first turn to our three projects related to financial sector registrants.
o Regulation Systems Compliance and Integrity
o First, I believe we have an opportunity to freshen up Regulation Systems Compliance and Integrity (Reg SCI).
o A lot has changed, though, in the eight years since the SEC adopted Reg SCI. Thus, I’ve asked staff how we might broaden and deepen this rule. For example, might we consider applying Reg SCI to other large, significant entities it doesn’t currently cover, such as the largest market-makers and broker-dealers?
o To that end, in 2020, the Commission proposed to bring large Treasury trading platforms under the SCI umbrella. At our next Commission meeting, we will consider whether to re-propose this rule.
o Similarly, I think there might be opportunities to deepen Reg SCI to further shore up the cyber hygiene of important financial entities.
o Funds, Advisers, and Broker-Dealers
o As I mentioned earlier, this group has to comply with various rules that may implicate their cybersecurity practices, such as books-and-records, compliance, and business continuity regulations. Building upon that, I’ve asked staff to make recommendations for the Commission’s consideration around how to strengthen financial sector registrants’ cybersecurity hygiene and incident reporting, taking into consideration guidance issued by CISA and others.
o I think such reforms could reduce the risk that these registrants couldn’t maintain critical operational capability during a significant cybersecurity incident. I believe they could give clients and investors better information with which to make decisions, create incentives to improve cyber hygiene, and provide the Commission with more insight into intermediaries’ cyber risks.
o Data Privacy
o Congress addressed this issue in the Gramm-Leach-Bliley Act of 1999. The Commission adopted Regulation S-P in the wake of that law. It requires registered broker-dealers, investment companies, and investment advisers to protect customer records and information. It’s the reason that, to this day, a lot of us receive notices informing us about companies’ privacy policies.
o More than two decades since Reg S-P was adopted — an eternity in the cybersecurity world — I think there may be opportunities to modernize and expand this rule. In particular, I’ve asked staff for recommendations about how customers and clients receive notifications about cyber events when their data has been accessed, such as their personally identifiable information. This also could include proposing to alter the timing and substance of notifications currently required under Reg S-P.
o Public Companies
o Thus, I’ve asked staff to make recommendations for the Commission’s consideration around companies’ cybersecurity practices and cyber risk disclosures. This may include their practices with respect to cybersecurity governance, strategy, and risk management.
o A lot of issuers already provide cyber risk disclosure to investors. I think companies and investors alike would benefit if this information were presented in a consistent, comparable, and decision-useful manner.
o In addition, I’ve asked staff to make recommendations around whether and how to update companies’ disclosures to investors when cyber events have occurred.
o Service Providers
o Service providers often play critical roles within our financial sector. These service providers go far beyond the cloud. They can include investor reporting systems and providers, middle-office service providers, fund administrators, index providers, custodians, data analytics, trading and order management, and pricing and other data services, among others. Many of these entities may not be registered with the SEC.
o I’ve asked staff to consider recommendations around how we can further address cybersecurity risk that comes from service providers. This could include a variety of measures, such as requiring certain registrants to identify service providers that could pose such risks. Further, it could include holding registrants accountable for service providers’ cybersecurity measures with respect to protecting against inappropriate access and investor information. This could help ensure important investor protections are not lost and key services are not disrupted as financial sector registrants increasingly rely on outsourced services.
o That being said, it’s worth noting that banking agencies regulate and supervise certain banks’ third-party service providers directly through the Bank Service Company Act. It might be worthwhile to consider similar authorities for market regulators.
§ The United Kingdom’s (UK) Department for Digital, Culture, Media & Sport issued guidance on Digital identity certification for right to work, right to rent and criminal record checks and explained:
o On 27 December 2021, the government announced its intention to enable employers and landlords to use certified digital identity service providers to carry out identity checks on their behalf for many who are not in scope to use the Home Office online services, including British and Irish citizens. The legislation will take effect from 6 April 2022.
o This development will align with the Disclosure and Barring Service’s (DBS) proposal to enable digital identity checking within their criminal record checking process, through the introduction of its Identity Trust Scheme.
o This guidance sets out how providers can become certified to complete digital identity checks for the Right to Work, Right to Rent, and DBS schemes respectively, in line with the Department for Digital, Culture, Media and Sport’s (DCMS) UK Digital Identity and Attributes Trust Framework (‘the trust framework’).
§ The European Commission (EC) published “the findings of its competition sector inquiry into the consumer Internet of Things (IoT).” The EC stated that “[t]he final report and its accompanying staff working document identify potential competition concerns in the rapidly growing markets for IoT related products and services in the European Union.” The EC stated:
o The main findings of the sector inquiry on the Consumer IoT cover the following points also covered in the preliminary report: (i) the characteristics of consumer IoT products and services, (ii) the features of competition in these markets, (iii) the main areas of potential concern raised by stakeholders in relation to the current functioning of consumer IoT markets, as well as to their future outlook.
o Characteristics of consumer IoT products and services
o The findings of the sector inquiry indicate that the consumer IoT is growing rapidly and becoming more and more a part of our everyday lives. In addition, there is a trend towards the increasing availability of voice assistants as user interfaces that enable interaction with other smart devices and consumer IoT services.
o Features of competition in the markets for consumer IoT products and services
o Most of the stakeholders who participated in the sector inquiry indicate that one of the main barriers to entry or expansion in the sector is the cost of technology investment, which is particularly high in the market for voice assistants. Another important barrier to entry is the competitive situation, as a large number of stakeholders have reported difficulties in competing with vertically integrated companies that have built their own ecosystems within and beyond the consumer IoT sector (e.g. Google, Amazon or Apple). As these players provide the most common smart and mobile device operating systems as well as the leading voice assistants, they determine the processes for integrating smart devices and services in a consumer IoT system.
o Main areas of potential concerns
o Stakeholders raised concerns regarding the following areas:
§ Certain exclusivity and tying practices in relation to voice assistants, as well as practices limiting the possibility to use different voice assistants on the same smart device.
§ The position of voice assistants and smart device operating systems as intermediaries between users, on one side, and smart devices or consumer IoT services on the other side. This position, combined with their key role in the generation and collection of data, would allow them to control user relationships. In this context, stakeholders have also raised concerns in relation to the discoverability and visibility of their consumer IoT services.
§ The extensive access to data, including information on user interactions with third-party smart devices and consumer IoT services by providers of voice assistants. Stakeholders consider that the access to and accumulation of large amounts of data allow voice assistant providers to improve their market position and to leverage more easily into adjacent markets.
§ The lack of interoperability in the consumer IoT sector due to the prevalence of proprietary technology, leading at times to the creation of “de facto standards”. In particular, a few providers of voice assistants and operating systems are said to unilaterally control interoperability and integration processes and to be capable of limiting functionalities of third-party smart devices and consumer IoT services, compared to their own.
§ The United States (U.S.) central bank “released a discussion paper that examines the pros and cons of a potential U.S. central bank digital currency, or CBDC…[and] invites comment from the public and is the first step in a discussion of whether and how a CBDC could improve the safe and effective domestic payments system.” The Federal Reserve Board stated:
o The paper summarizes the current state of the domestic payments system and discusses the different types of digital payment methods and assets that have emerged in recent years, including stablecoins and other cryptocurrencies. It concludes by examining the potential benefits and risks of a CBDC, and identifies specific policy considerations.
o Consumers and businesses have long held and transferred money in digital forms, via bank accounts, online transactions, or payment apps. The forms of money used in those transactions are liabilities of private entities, such as commercial banks. Conversely, a CBDC would be a liability of a central bank, like the Federal Reserve.
o While a CBDC could provide a safe, digital payment option for households and businesses as the payments system continues to evolve, and may result in faster payment options between countries, there may also be downsides. They include how to ensure a CBDC would preserve monetary and financial stability as well as complement existing means of payment. Other key policy considerations include how to preserve the privacy of citizens and maintain the ability to combat illicit finance. The paper discusses these and other factors in more detail.
§ United States (U.S.) Homeland Security and Governmental Affairs Committee Chair Gary Peters (D-MI) and Senator John Cornyn (R-TX) introduced “bipartisan legislation requiring the Cybersecurity and Infrastructure Security Agency (CISA) to provide cybersecurity resources to commercial satellite owners and operators.” Peters and Cornyn stated:
o The Satellite Cybersecurity Act (S.3511) will require CISA to develop voluntary satellite cybersecurity recommendations to help companies understand how to best secure their systems. Some of these resources will be specific to small businesses who own and operate commercial satellite systems. Additionally, the bill requires CISA to develop a publicly available, online resource to ensure companies can easily access satellite-specific cybersecurity resources and recommendations to secure their networks. The legislation will also require the Government Accountability Office to perform a study on how the federal government supports commercial satellite industry cybersecurity. It will also ensure a better understanding of how network vulnerabilities in commercial satellites could impact critical infrastructure.
§ The United Kingdom (UK) and Australia have agreed on “a new Cyber and Critical Technology Partnership” with UK Foreign Secretary Liz Truss and Australia’s Foreign Minister Marise Payne signing a document “to strengthen global technology supply chains, ensure the UK’s positive technology vision and tackle malign actors who disrupt cyber-space.” The UK and Australia claimed:
o The new agreement includes provisions to build greater resilience to ransomware amongst Indo-Pacific nations and sharpen legal sanctions against cyber attackers. It will also deepen practical co-operation on ensuring technology standards reflect our shared values.
o … the agreement will also support development of a network of liberty that will deter cyber-attacks before they happen and call out malign actors who perpetrate the acts.
§ The European Data Protection Supervisor (EDPS) issued his “Opinion on the Proposal for Regulation on the transparency and targeting of political advertising” and stated:
§ The United States (U.S.) Federal Energy Regulatory Commission (FERC) issued a draft Notice of Proposed Rulemaking “that proposes…to direct the North American Electric Reliability Corporation (NERC) to develop and submit for Commission approval new or modified Critical Infrastructure Protection (CIP) Reliability Standards that require internal network security monitoring for high and medium impact Bulk Electric System (BES) Cyber Systems.” FERC asserted:
o The draft NOPR explains that the currently effective CIP Reliability Standards do not address internal network security monitoring, and this omission constitutes a gap in the CIP Reliability Standards. Currently, network security monitoring in the CIP Reliability Standards focuses on preventing unauthorized access to BES Cyber Systems at the network perimeter. Including internal network security monitoring requirements in the CIP Reliability Standards, as the draft NOPR proposes, would complement existing perimeter requirements for high and medium impact BES Cyber Systems by improving the visibility of communications inside the network.
o The 2020 SolarWinds attack demonstrated how an attacker can bypass all network perimeter-based security controls traditionally used to identify the early phases of an attack. This supply chain attack leveraged a trusted vendor to compromise the networks of public and private organizations, and SolarWinds customers had no reason to suspect the installation of compromised updates because the attacker used an authenticated SolarWinds certificate.
o To address the current reliability gap and improve cybersecurity, the draft NOPR proposes to direct that NERC develop new or modified CIP Reliability Standards requiring that applicable responsible entities implement internal network security monitoring for their high and medium impact BES Cyber Systems.
o While centered on high and medium impact BES Cyber Systems, the draft NOPR also seeks comments on the potential usefulness and practicality of implementing internal network security monitoring to detect malicious activity in networks with low impact BES Cyber Systems, including any potential benefits, technical barriers and associated costs. Among other specific questions, the draft NOPR seeks comment on possible criteria or methodologies for identifying an appropriate subset of low impact BES Cyber Systems that could benefit from internal network security monitoring.
§ The International Committee of the Red Cross (ICRC) announced “[a] sophisticated cyber security attack against computer servers hosting information” that “compromised personal data and confidential information on more than 515,000 highly vulnerable people, including those separated from their families due to conflict, migration and disaster, missing persons and their families, and people in detention.” The ICRC stated:
o The ICRC's most pressing concern following this attack is the potential risks that come with this breach -- including confidential information being shared publicly -- for people that the Red Cross and Red Crescent network seeks to protect and assist, as well as their families. When people go missing, the anguish and uncertainty for their families and friends is intense.
o The ICRC has no immediate indications as to who carried out this cyber-attack, which targeted an external company in Switzerland the ICRC contracts to store data. There is not yet any indication that the compromised information has been leaked or shared publicly.
Further Reading
§ “As its data flows woes grow, Google lobbies for quickie fix to EU-US transfers” By Natasha Lomas — TechCrunch. As the legal uncertainty in Europe clouding use of US cloud services cranks up, Google has responded by firing up its lobbying engines to call for US and European lawmakers to get a move on and come up with a new rubberstamp to grease transatlantic data flows as usual as the bloc’s regulators finally start to find their banhammers.
§ “Nothing Sacred: These Apps Reserve The Right To Sell Your Prayers” By Emily Baker-White — BuzzFeed News. 2016 was the worst year of Katie’s life. Just after New Year’s Day, her 24-year-old son went missing. Seven weeks later, police recovered his body from the river that snakes through her town. For months, to get to work, Katie had to drive across the bridge near where his body was found. To grieve, she turned to prayer apps: first, the now-defunct Instapray, and then to Pray.com.
§ “FTC Chair Lina Khan sits down with Andrew Ross Sorkin and Kara Swisher to discuss her plans to take on Big Tech” By Lauren Feiner — CNBC. Federal Trade Commission Chair Lina Khan joined CNBC’s Andrew Ross Sorkin and Kara Swisher, host of The New York Times’ “Sway” podcast, for her first on-camera interview on Wednesday. The exclusive interview, part of CNBC’s “Capital Exchange,” comes as the FTC grapples with a historic merger surge for which the agency has said it needs more resources to tackle. Meanwhile, Khan has laid out a sweeping vision for reforming the agency, including expanding the ways it thinks about both competition policy and consumer protection.
§ “Lina Khan Is (Still) Bursting Big Tech’s Bubble” — The New York Times. Yesterday, the Federal Trade Commission and the Department of Justice announced they would work to rewrite merger rules in an approach that would clamp down on big tech deals that have allowed companies like Amazon, Google and Facebook to expand their tentacles across industries and across more areas of our lives. Today, Lina Khan sat down with Kara Swisher and DealBook’s editor Andrew Ross Sorkin in an exclusive interview for The New York Times and CNBC.
§ “U.S. examining Alibaba's cloud unit for national security risks – sources” By Alexandra Alper — Reuters. The Biden administration is reviewing e-commerce giant Alibaba's cloud business to determine whether it poses a risk to U.S. national security, according to three people briefed on the matter, as the government ramps up scrutiny of Chinese technology companies' dealings with U.S. firms.
§ “FSB detains administrator of UniCC carding forum” By Catalin Cimpanu — The Record. The Russian Federal Security Service (FSB) has arrested the administrator of the UniCC carding forum and one of the members of the Infraud cybercrime cartel. The suspect was identified as Andrey Sergeevich Novak and was detained for two months on charges of computer crimes and money laundering. Three other suspects, identified as Kirill Samokutyaev, Konstantin Vladimirovich Bergman, and Mark Avramovich Bergman, were also detained and subsequently placed under house arrest.
§ “Biden’s cyber chief wants to help software developers code better and Americans click smarter” By Eric Geller — Politico. National Cyber Director Chris Inglis is planning projects focused on the security of open-source software and the cyber literacy of the American public as he seeks to establish himself within a crowded constellation of cybersecurity leaders in the Biden administration.
§ “Back to School, but Still Learning Online” By Dana Goldstein — The New York Times. When Education Secretary Miguel Cardona appeared before Congress in September to promote the Biden administration’s stimulus funding for schools, he promised tutoring to help students make up missed learning, as well as an end to instruction through screens.
§ “Biden Official Credits Diplomacy With Russia for Arrest of Colonial Pipeline Hacker” By Mariam Baksh — Nextgov. A senior administration official put questionable timing aside and commended the Kremlin’s arrest Friday of individuals Russian officials say comprise the notorious REvil ransomware group, which U.S. officials have attributed to attacks on critical infrastructure.
§ “How Facebook took over the internet in Africa – and changed everything” By Nesrine Malik — The Guardian. Badri Ibrahim is a Sudanese comic artist and the founder of the Abbas Comics empire. His strips are quirky and irreverent, poking fun at the Sudanese military and encouraging civic activism. One recurrent character is a hapless but wise cat called Ghadanfar, a sort of Garfield meets Snoopy protagonist, who finds himself on the wrong end of misunderstandings with neighbourhood felines and humans. It is all rendered in colloquial dialect and is dry, funny and often poignant. So popular has the comic become that Ibrahim is regularly commissioned to do private work, rendering Ghadanfar in different guises – as a bashful groom on a wedding invitation card, for example.
§ “Dechert lawyer hid hacked emails' origin - former colleague” By Raphael Satter — Reuters. A senior attorney at the law firm Dechert covered up the origin of a cache of hacked emails used to win a lawsuit against an Iranian-American aviation tycoon, a former colleague said in legal papers filed last week.
§ “Intel to Invest at Least $20 Billion in Ohio Chip-Making Facility” By Meghan Bobrowsky — The Wall Street Journal. Intel Corp. said it plans to invest at least $20 billion in new chip-making capacity in Ohio, bolstering the company’s semiconductor-production ambitions as greater demand for digital products and a global chip shortage have amplified the need for more manufacturing.
§ “Tonga begins to come back online after volcanic eruption” By Andrea Peterson — The Record. Online activity is starting to trickle out of the island nation of Tonga after a massive volcanic eruption and tsunami Saturday left the area offline while responding to the disaster, according to global network watchers.
§ “Suspected Belarus ties to Ukrainian hacks complicate Biden’s quandary” By Maggie Miller — Politico. Intelligence reports suggesting one of Russia’s European allies perpetrated last week’s hacking of Ukrainian government websites are creating a new dilemma for the Biden administration — how to respond if other countries launch cyberattacks on Russia’s behalf.
§ “Lesson from Log4j: Open-source software improvements need help from feds” By Eric Geller — Politico. The cyber community’s scramble to address major vulnerabilities in the widely used code library Log4j is just the latest wake-up call about the security risks of the open-source software ecosystem — and it’s fueling new calls for more government support in plugging those gaps.
§ “‘Hey, Alexa! Are you trustworthy?’” By Adam Zewe — MIT News. A family gathers around their kitchen island to unbox the digital assistant they just purchased. They will be more likely to trust this new voice-user interface, which might be a smart speaker like Amazon’s Alexa or a social robot like Jibo, if it exhibits some humanlike social behaviors, according to a new study by researchers in MIT’s Media Lab.
§ “What Exactly Does the “Metaverse” Have to Do With the Microsoft-Activision Deal?” By Justin Charity — The Ringer. On Tuesday morning, I wasn’t alone in wondering why so many news publications, such as The New York Times, reported Microsoft’s acquisition of the video game publisher Activision Blizzard, in a $70 billion deal—the largest in the history of Microsoft—as a major breakthrough for “the metaverse.”
§ “Big Tech Anxious About Commerce Plan to Secure Supply Chains from Foreign Influence” By Mariam Baksh — Nextgov. The Information Technology Industry Council is uneasy with language in a Commerce Department proposal for securing supply chains that suggests a need to conduct source-code reviews as part of a process for approving U.S. transactions of information and communications technology to guard against threats from China and other foreign adversaries.
§ “Ransomware isn’t always about gangs making money. Sometimes it’s about nations manufacturing mayhem.” By Tim Starks — CyberScoop. Ransomware is fundamentally about reaping massive profits from victims — payments were on pace to cross the billion-dollar threshold in 2021, according to the U.S. government — but there are signs foreign government-connected groups are increasingly moving into a territory dominated by criminal gangs, and for an entirely different motive: namely, causing chaos.
§ “Women who drive for Uber and Lyft are being left to fend for themselves” By Anna Betts — The Verge. Tara, a former elementary school English teacher who lives in Charleston, South Carolina, had been driving for Uber for about two years when she had her first distressing experience with a customer. Late one night, several years ago, she picked up a male passenger outside of a bar. A few minutes into the ride, the man suddenly unzipped his pants and exposed himself to her.
Coming Events
§ 22 February
o The European Data Protection Board will hold a plenary meeting.
§ 16-17 June
o The European Data Protection Supervisor will hold a conference titled “The future of data protection: effective enforcement in the digital world.”
[1] 15 U.S.C. 272(c) would have the following language inserted:
(16) support information security measures for the development and lifecycle of software and the software supply chain, including development of voluntary, consensus-based technical standards, best practices, frameworks, methodologies, procedures, processes, and software engineering toolkits and configurations;
(17) support information security measures, including voluntary, consensus-based technical standards, best practices, and guidelines, for the design, adoption and deployment of cloud computing services;
(18) support research, development, and practical application to improve the usability of cybersecurity processes and technologies;
(19) facilitate and support the development of a voluntary, consensus-based set of technical standards, guidelines, best practices, methodologies, procedures, and processes to cost-effectively ensure appropriate privacy protections for personally identifiable information in systems, technologies, and processes used by both the public and private sector;
(20) support privacy measures, including voluntary, consensus-based technical standards, best practices, guidelines, metrology, and testbeds for the design, adoption and deployment of privacy enhancing technologies;