House Democrats Release Their Tech and Competition Package, Part III
EC proposes digital declaration of rights; EDPB wants input on draft right of access guidance; FTC sues to block defense industry merger
First, the Wavelength will transition to a paid product, but there will still be a free version available. Details to come this coming week.
Second, please send the Wavelength to anyone you think might find value in it.
Some number of months after the United States (U.S.) Senate sent the “United States Competition and Innovation Act” (USCIA) (S.1260) to the House (see here and here for more detail and analysis), the leadership of the U.S. House has worked out a massive package (more than 2900 pages) chock full of policy issues the Senate bill did not encompass.
A number of committees announced the release of the “America Creating Opportunities for Manufacturing, Pre-Eminence in Technology and Economic Strength Act of 2022” (aka the America COMPETES Act of 2022) (H.R.4521) and asserted in their press release that the bill “includes a historic investment to surge production of American-made semiconductors, tackles supply chain vulnerabilities to make more goods in America, turbocharges America’s scientific research and technological leadership, and strengthens America’s economic and national security at home and abroad.” The committees issued a section-by-section and a fact sheet.
Today, the House Rules Committee will meet to consider the amendments submitted to be in order for floor consideration of the America COMPETES Act and to vote on the rule under which the package will be brought to the House floor.
This is the third and last post on the technology funding and programmatic provisions in the massive bill.
First, there are numerous provisions designed to help the United States (U.S.) counter the threat exposed during the COVID pandemic of having many supply chains originate in the People’s Republic of China (PRC). This is especially the case with electronic devices, and the House is prescribing a complex set of initiatives, programs, and funding that would ideally bring a significant part of this manufacturing back to the U.S. Whether this succeeds is another matter, and the funding made available for these purposes seems wholly inadequate to the task. By contrast, the funding for reversing the slide in U.S. production of semiconductors is more than $50 billion, while the funds for all the programs to address supply chains may not even add up to $10 billion. What’s more, the America COMPETES Act actually provides the funds for semiconductors, whereas the balance of funds are merely authorized, which is the first step in the two-part process Congress has historically used to control funding. Consequently, almost all of the other programs are subject to the vicissitudes of the White House, Congress, and the Appropriations Committees. It must also be said that appropriations often fall below authorization levels, and so one must approach the vast ambitions of the America COMPETES Act with some skepticism.
Having said that, one of the few things on which the two parties agree is that the PRC poses a real threat and so real measures are needed. And so many Republicans may agree to historic funding increases since many of the programs and provisions to address the PRC’s rise could be considered national security spending, a category of appropriations conservatives have historically supported.
A final but not insignificant consideration is whether U.S. tech giants will be willing to accept the incentives in the bill at the risk of angering Beijing and possibly increasing production costs by moving to the U.S. A number of these companies urged the Trump Administration to grant exceptions to its program of penalizing the PRC’s imports. Moreover, the supply chains of most of the world’s technology devices either originate in the PRC or pass through the PRC at some point. If the U.S. is to shift a significant percentage of supply chains, especially those for critical items, it will require massive resources, focus, and sustained effort.
Nonetheless, turning to the bill, the Department of Commerce must “establish a Supply Chain Resilience and Crisis Response Office” to coordinate and focus U.S. policy on critical supply chains in partnership with like-minded nations and stakeholders. An Assistant Secretary will head the office.
The agency must also “develop and implement a strategy taking a Government-wide approach to support the resilience, diversity, security, and strength of supply chains” within one year per Executive Order 14017, America's Supply Chains. This strategy is multi-pronged and would entail a plan to reduce reliance on critical items from the PRC and other countries of concern, incentives for domestic manufacturing, and revisions to trade agreements with allies and like-minded nations to shift supply chains elsewhere.
Commerce would get new responsibilities to monitor supply chains in a variety of ways with the goal being to identify and remediate risks before they become acute. Part of this is identifying and evaluating high priority supply chains and possible and potential risks. Commerce and other agencies would need to continuously monitor supply chains and establish a coordination group consisting of stakeholders. Every four years, the agency will need to draft and submit to Congress a Quadrennial Report On Supply Chain Resilience And Domestic Manufacturing that would provide a look back, an assessment of the current state of affairs, and identify possible future steps. Commerce would start a program of grants, loans, and loan guarantees to increase resilience in the U.S. supply chain and those of allies and partners. A Supply Chains for Critical Manufacturing Industries Fund would be established to carry out this section and $45 billion is authorized for appropriations.
Commerce and the National Institute of Standards and Technology (NIST) “shall, on an ongoing basis, facilitate and support the development of a voluntary set of standards, guidelines, best practices, management strategies, methodologies, procedures, and processes for domestic manufacturers and entities manufacturing, purchasing, or using a critical good.” These voluntary standards would undoubtedly be modeled on NIST’s voluntary Cybersecurity Framework and similar guidance documents that have become touchstones and may have actually changed the behavior of the private sector to some extent.
The America COMPETES Act also contains the ‘‘Ensuring American Global Leadership and Engagement Act’’ (EAGLE Act) (H.R.3524), a bill the House Foreign Affairs Committee marked up last year that “prioritizes diplomacy and engagement to bolster our alliances and demonstrate that the United States can tackle global challenges such as global health, nuclear security, global human rights, and climate change” according to the primary sponsor. House Foreign Affairs Committee Chair Gregory Meeks (D-NY) added that “[t]he bill ensures that the U.S. Government will stand for our values and hold the PRC accountable for its gross violations of human rights in Xinjiang, Tibet, and Hong Kong.” So, yes, the EAGLE Act is pointedly anti-PRC in that it seeks to preserve and enhance the U.S. and the post-World War II world order.
The Department of State would receive authority and direction to help U.S. entities looking to shift their supply chains out of the PRC. This portion of the bill expresses the sense of Congress:
§ that the United States, along with allies and partners, should lead an international effort to combat the expanding use of information and communications technology products and services to surveil, repress, and manipulate populations (also known as ‘‘digital authoritarianism’’).
§ that the United States should lead a global effort to ensure that freedom of information, including the ability to safely consume or publish information without fear of undue reprisals, is maintained as the digital domain becomes an increasingly integral mechanism for communication.
The President may establish the Digital Connectivity and Cybersecurity Partnership to help other nations:
§ expand and increase secure Internet access and digital infrastructure;
§ promote and protect human rights and counter corruption and predatory behavior throughout communications and cybersecurity policy and implementation;
§ guard against privacy abuses, cybercrime, disinformation and misinformation, and the use of digital technology and services to carry out criminal activity or human rights violations;
§ bolster the role of civil society in informing ICT policy and regulations;
§ promote exports of United States ICT goods and services and increase United States company market share in target markets;
§ promote the innovation and diversification of ICT goods and supply chain services to be less reliant on imports from the People’s Republic of China;
§ build cybersecurity capacity, expand interoperability, and promote best practices for a national approach to cybersecurity; and
§ enhance the security of their digital infrastructure to facilitate better information sharing with the United States and United States allies and partners, as appropriate.
There are provisions directing the executive branch to build closer and more effective relations with nations around the world in order to counter the PRC, especially in the Indo-Pacific region. There are provisions directing the U.S. to foster closer relations with Taiwan, an initiative sure to upset Beijing. This is to be done through a variety of means, including U.S. power and prestige to urge international organizations to accept Taiwan.
The House is also proposing increased funding and programmatic changes to address PRC disinformation campaigns inside the PRC and around the world. The bill authorizes $100 million for the United States Agency for Global Media (USAGM) “for ongoing and new programs to support local media, build independent media, combat CCP disinformation inside and outside of the PRC, invest in technology to subvert censorship, and monitor and evaluate such programs.” The USAGM’s Open Technology Fund would be directed to establish a Hong Kong Internet Freedom Program as a means of defeating the PRC’s “Great Firewall.”
The Department of State and United States Agency for International Development would be authorized to receive $170 million in funding “for ongoing and new programs in support of press freedom, training, and protection of journalists.” The package extends the Global Engagement Center at the Department of State, which was established to “direct, lead, and coordinate efforts” of the Federal Government to “recognize, understand, expose, and counter foreign state and non-state propaganda and disinformation globally.” An additional $150 million would be authorized for this program as well.
The Department of State would be charged with engagement in Latin America and the Caribbean to push back on the PRC’s exporting of its model for internal security to other nations. The agency would need to help these nations understand the risks of adopting the PRC’s surveillance and tracking measures and provide assistance in mitigating the risks from the use of these types of PRC technology.
This section of the America COMPETES Act also directs the Department of State and other agencies to deepen ties in Europe, Africa, the Middle East, South and Central Asia, and Oceania with an eye to countering the PRC’s influence.
The agencies with jurisdiction over export controls are directed to consider whether these need to be tightened to prevent items from being sent to the PRC to protect human rights against abuses involving:
§ censorship or social control;
§ surveillance, interception, or restriction of communications;
§ monitoring or restricting access to or use of the internet;
§ identification of individuals through facial or voice recognition or biometric indicators; or
§ DNA sequencing.
Regarding other PRC “digital authoritarianism,” the Department of State would be required to report on PRC entities that:
§ have operated, sold, leased, or otherwise provided, directly or indirectly, items or services related to targeted digital surveillance to—
o a foreign government or entity located primarily inside a foreign country where a reasonable person would assess that such transfer could result in a use of the items or services in a manner contrary to human rights; or
o a country or any governmental unit thereof, entity, or other person determined by the Secretary of State, in a notice published in the Federal Register, to have used items or services for targeted digital surveillance in a manner contrary to human rights; or
§ have materially assisted, sponsored, or provided financial, material, or technological support for, or items or services to or in support of [the aforementioned activities.]
Export controls would also be revised to address the threat of counterfeit recycled or repurposed electronics coming from the PRC as part of the global e-waste system.
The America COMPETES Act also includes significant non-PRC provisions. Turning to programs aimed at changing and improving the U.S. government, a cyber workforce rotation program would be established that would allow such personnel to take short-term assignments at other agencies as a means of spreading cyber best practices throughout the government.
The Privacy and Civil Liberties Oversight Board would get new authority to be looped into the use of artificial intelligence (AI) in counterterrorism activities in order to improve oversight, particularly as civil liberties and privacy are affected.
The Department of Homeland Security (DHS) would need to start requiring that some contractors offering software provide a bill of materials so that the agency can understand what it is buying and better address risks. This new program appears to cover all new information and communications technology (ICT) and telecommunications technology that DHS will buy in the future. Specifically, contractors must certify:
§ that each item listed on the submitted bill of materials is free from all known vulnerabilities or defects affecting the security of the end product or service identified in—
o the National Institute of Standards and Technology National Vulnerability Database; and
o any database designated by the Under Secretary, in coordination with the Director of the Cybersecurity and Infrastructure Security Agency, that tracks security vulnerabilities and defects in open source or third-party developed software.
Additionally, contractors would need to disclose known vulnerabilities and defects and their plans to mitigate these problems. DHS may draft and issue regulations to implement this new program.
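The certify-or-disclose structure above reduces, in practice, to a mechanical check: every component in the bill of materials is matched against a vulnerability database, and the contractor either certifies a clean result or discloses the matches with a mitigation plan. The following is an added illustration of that check, not code from the bill, DHS, or NIST. It assumes a CycloneDX-style component list (name and version) and a constructed local vulnerability feed shaped like an NVD-derived export with per-package vulnerable version ranges; the identifiers in the feed are placeholders, not real CVE records.

```python
"""Cross-check a software bill of materials (SBOM) against a vulnerability feed.

Added example, not part of the America COMPETES Act or any DHS program.
Assumptions: the SBOM is a decoded CycloneDX-like document with components
carrying 'name' and 'version'; the feed is a constructed list of records with
vulnerable version ranges. CVE ids below are placeholders, not real records.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class VulnRecord:
    cve_id: str                 # placeholder identifier, not a real CVE
    package: str                # component name the record applies to
    introduced: tuple           # first vulnerable version (inclusive)
    fixed: Optional[tuple]      # first fixed version (exclusive); None = unfixed


def parse_version(version: str) -> tuple:
    """Turn '1.2.10' into (1, 2, 10) so comparisons are numeric, not lexical
    (a string compare would wrongly rank '1.2.10' below '1.2.4')."""
    return tuple(int(part) for part in version.split("."))


def is_affected(version: str, rec: VulnRecord) -> bool:
    """True when version lies in [introduced, fixed), or above introduced
    when no fix exists."""
    v = parse_version(version)
    if v < rec.introduced:
        return False
    return rec.fixed is None or v < rec.fixed


# Constructed SBOM fragment (CycloneDX-like, already decoded from JSON).
SBOM = {
    "bomFormat": "CycloneDX",
    "components": [
        {"name": "libexample-tls", "version": "1.2.3"},
        {"name": "jsonparse", "version": "2.0.1"},
        {"name": "widgetkit", "version": "0.9.0"},
    ],
}

# Constructed vulnerability feed; identifiers are placeholders.
VULN_FEED = [
    VulnRecord("CVE-0000-PLACEHOLDER-1", "libexample-tls", (1, 0, 0), (1, 2, 4)),
    VulnRecord("CVE-0000-PLACEHOLDER-2", "jsonparse", (1, 0, 0), (2, 0, 0)),
    VulnRecord("CVE-0000-PLACEHOLDER-3", "widgetkit", (0, 5, 0), None),
]


def check_sbom(sbom: dict, feed: list) -> dict:
    """Return {'name@version': [matching record ids]} for every component,
    including components with no matches, so the report is complete."""
    findings = {}
    for comp in sbom["components"]:
        key = f"{comp['name']}@{comp['version']}"
        findings[key] = [
            rec.cve_id
            for rec in feed
            if rec.package == comp["name"] and is_affected(comp["version"], rec)
        ]
    return findings


def certification_status(findings: dict) -> tuple:
    """Mirror the bill's two outcomes: ('clean', {}) when no component has a
    known issue, else ('disclose', {component: ids}) listing what must be
    disclosed together with a mitigation plan."""
    open_items = {k: v for k, v in findings.items() if v}
    if not open_items:
        return ("clean", {})
    return ("disclose", open_items)


if __name__ == "__main__":
    status, items = certification_status(check_sbom(SBOM, VULN_FEED))
    print(status, items)
```

The report keeps unaffected components in the output on purpose: a certification that only lists problems cannot show that every listed item was actually checked, which is the assurance the bill's language asks for.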
DHS is also barred from buying unmanned aerial systems from certain nations, including the PRC, and this proscription includes components of UAS from such nations, too.
The package expands the Defense Production Act of 1950 to permit the President to use his authorities and funds under the program to address supply chain security with respect to critical components and technology.
It appears the House Energy and Commerce Committee has appended its bill that would “require online marketplaces to verify certain information regarding high-volume third party sellers of consumer products on such online marketplaces and to disclose to consumers certain contact and other information regarding such high-volume third party sellers” (H.R.5502) to the America COMPETES Act. I wrote extensively about this bill, its Senate counterpart, and Amazon’s changing stance on the legislation in November, but this summary suffices to explain the legislation:
At its core, the INFORM Consumers Act would require Amazon and like companies to collect contact information from larger third-party sellers and make it available to consumers. Amazon and its ilk would have to suspend those sellers that do not comply, and the Federal Trade Commission (FTC) and state attorneys general could hold them accountable if they fail to do so.
Finally, the America COMPETES Act includes the “Merger Filing Fee Modernization Act of 2021” (S.228), a bill that would dramatically increase the fees companies must pay when filing with the Federal Trade Commission and Department of Justice for merger review. Part of these increased proceeds would be available to the FTC and DOJ, as the bill authorizes $252 million for the DOJ’s Antitrust Division and the FTC. To put this funding into context, the FTC’s entire appropriation for last year was shy of $350 million. The agencies would then have vastly increased resources to investigate mergers for anti-competitive effects and then litigate to stop such deals. Moreover, the agencies could use this significant boost in funding to investigate activity that possibly violates antitrust and competition law.
Other Developments
§ In a statement, the European Commission explained that it “is proposing to the European Parliament and Council to sign up to a declaration of rights and principles that will guide the digital transformation in the European Union (EU).” The EC explained:
o The draft declaration covers key rights and principles for the digital transformation, such as placing people and their rights at its centre, supporting solidarity and inclusion, ensuring the freedom of choice online, fostering participation in the digital public space, increasing safety, security and empowerment of individuals, and promoting the sustainability of the digital future.
o These rights and principles should accompany people in the EU in their everyday life: affordable and high-speed digital connectivity everywhere and for everybody, well-equipped classrooms and digitally skilled teachers, seamless access to public services, a safe digital environment for children, disconnecting after working hours, obtaining easy-to-understand information on the environmental impact of our digital products, controlling how their personal data are used and with whom they are shared.
o The declaration is rooted in EU law, from the Treaties to the Charter of Fundamental rights but also the case law of the Court of Justice. It builds on the experience of the European Pillar of Social Rights. Former European Parliament President David Sassoli promoted the idea of the access to the Internet as a new human right back in 2018. Promoting and implementing the principles set out in the declaration will be a shared political commitment and responsibility at both Union and Member State level within their respective competences. To make sure the declaration will have concrete effects on the ground, the Commission proposed in September to monitor progress, evaluate gaps and provide recommendations for actions through an annual report on the ‘State of the Digital Decade'.
§ The European Data Protection Board (EDPB) is requesting comments on the “Guidelines 01/2022 on data subject rights - Right of access” by 11 March 2022. The EDPB explained:
o The overall aim of the right of access is to provide individuals with sufficient, transparent and easily accessible information about the processing of their personal data so that they can be aware of and verify the lawfulness of the processing and the accuracy of the processed data. This will make it easier - but is not a condition - for the individual to exercise other rights such as the right to erasure or rectification.
o The right of access according to data protection law is to be distinguished from similar rights with other objectives, for example the right of access to public documents which aims at guaranteeing transparency in public authorities’ decision-making and good administrative practice.
o However, the data subject does not have to give reasons for the access request and it is not up to the controller to analyse whether the request will actually help the data subject to verify the lawfulness of the relevant processing or exercise other rights. The controller will have to deal with the request unless it is clear that the request is made under other rules than data protection rules.
o The right of access includes three different components:
§ Confirmation as to whether data about the person is processed or not,
§ Access to this personal data and
§ Access to information about the processing, such as purpose, categories of data and recipients, duration of the processing, data subjects’ rights and appropriate safeguards in case of third country transfers.
§ The United States Federal Trade Commission (FTC) has filed suit “to block Lockheed Martin Corporation’s $4.4 billion proposed vertical acquisition of Aerojet Rocketdyne Holdings Inc, the last independent U.S. supplier of missile propulsion systems.” This is the second major suit the FTC has brought to block a major merger, a manifestation of new Chair Lina Khan’s more aggressive stance toward market consolidation and against any diminution of competition. In December 2021, the FTC sued to stop U.S. chip supplier Nvidia Corp.’s $40 billion deal to buy U.K. chip design provider Arm Ltd. Regarding the Lockheed-Aerojet deal, the agency stated:
o The agency’s complaint alleges that if the deal is allowed to proceed, Lockheed will use its control of Aerojet to harm rival defense contractors and further consolidate multiple markets critical to national security and defense. This is the agency's first litigated defense merger challenge in decades.
o The U.S. Department of Defense (DOD) reviewed the acquisition and considered the potential impacts of the transaction on national security, the nation’s industrial and technological base, competition, and innovation. As part of this assessment, the DOD facilitated a series of FTC-led interviews with DOD-impacted stakeholders. DoD’s assessment was provided to the FTC for its deliberations and final decision-making.
§ Washington state Attorney General Bob Ferguson announced a $2.25 million settlement with Amazon to “stop its ‘Sold by Amazon’ third-party seller program.” He asserted:
o The Attorney General’s Office simultaneously filed a lawsuit and a legally binding resolution in King County Superior Court. As part of the legally enforceable consent decree, Amazon must stop the “Sold by Amazon” program nationwide and provide the Attorney General’s Office with annual updates on its compliance with antitrust laws. In addition, Amazon will pay $2.25 million to the Attorney General’s Office, which will be used to support the Attorney General’s antitrust enforcement, which does not receive general fund support.
o The “Sold by Amazon” program allowed the online retailer to agree on price with third-party sellers, rather than compete with them. Ferguson’s lawsuit asserted that the program violated antitrust laws. Amazon unreasonably restrained competition in order to maximize its own profits off third-party sales. This conduct constituted unlawful price-fixing.
o Amazon offered the “Sold by Amazon” program from 2018 through 2020 on an invitation-only basis. It invited several hundred third-party sellers with whom it had previously competed for online consumer sales on its online marketplace and other e-commerce platforms.
§ United States (U.S.) Senator Jon Tester (D-MT) introduced the “Agriculture Right to Repair Act”, “which will finally guarantee farmers the right to repair their own equipment and end current restrictions on the repair market.” Tester stated:
o With advanced technology now being incorporated into production agriculture, it has become more and more difficult for farmers and ranchers to fix their own equipment, hurting the bottom lines of both producers and local non-dealer-certified repair shops. Tester’s legislation will combat the issue of right to repair by requiring original equipment manufacturers to make it easier for farmers to make these repairs and continue doing business in rural America.
o [His] legislation tackles consolidation in the repair market specifically by requiring equipment manufacturers to:
§ Make available any documentation, part, software, or tool required to diagnose, maintain, or repair their equipment.
§ Provide means to disable and re-enable an electronic security lock or other security-related function to effect diagnostics, repair, or maintenance.
§ Permit third party software to provide interoperability with other parts/tools, and to protect both the farmer’s data and equipment from hackers.
§ Ensure that when a manufacturer no longer produces documentation, parts, software, or tools for its equipment that the relevant copyrights and patents are placed in the public domain.
§ Ensure parts are replaceable using commonly available tools without causing damage to the equipment, or provide specialized tools to owners or independent providers on fair and reasonable terms.
§ Return data ownership to farmers. Manufacturers currently collect and sell all the data generated by farmers, and this data is the farmers’ “secret sauce” for how they conduct their business.
o The legislation will also empower the Federal Trade Commission (FTC) to treat any violations of the above provisions as an unfair or deceptive act. It also grants the FTC authority to promulgate regulations necessary to carry out this bill.
§ The Republican leadership on the two committees of jurisdiction over data privacy in the United States (U.S.) Congress have again written President Joe Biden urging him “to work with Congress to enact a nationwide consumer privacy and data security law this year.” U.S. House Energy and Commerce Committee Ranking Member Cathy McMorris Rodgers (R-WA) and Consumer Protection and Commerce Subcommittee Ranking Member Gus Bilirakis (R-FL) and U.S. Senate Commerce, Science, and Transportation Committee Ranking Member Roger Wicker (R-MS) and Consumer Protection, Product Safety, and Data Security Subcommittee Ranking Member Marsha Blackburn (R-TN) stated:
o Since we last wrote six months ago, we have neither received a response from you nor seen meaningful activity on the part of the executive branch to protect the data privacy of U.S. consumers. However, we have seen several troubling reports about the myriad ways Americans’ personal information is being misused and abused. Recent disturbing revelations about Big Tech companies exploiting the data and online habits of children and teens show just how urgent it is for Congress to act to protect the data privacy of our youth and the broader public.
o This is a national imperative for maintaining a strong and secure digital economy. We hope you will join us in this effort to give Americans more control over their personal information, provide meaningful safeguards over their data, and restore trust in the safety and security of our online ecosystem.
§ The United Kingdom’s (UK) Department for Digital, Culture, Media & Sport (DCMS) released a policy paper titled “2022 cyber security incentives and regulation review.” The DCMS asserted:
o It is clear to the government that its previous approach, set out in the 2016 Regulation and Incentives Review, is not delivering the requisite change at sufficient pace and scale. Government cannot leave cyber security solely to the marketplace to deliver widespread improvements in cyber resilience. In order to improve cyber resilience across the economy and society, the government needs to be more proactive and interventionist. This paper sets out the evidence for this change in approach, and explains the proposed direction of travel for future government interventions across four key policy areas:
o Foundations - the provision of advice and guidance on cyber risk management and the promotion of trustworthy services.
o Capabilities - supporting skilled professionals capable of implementing advice and guidance.
o Market Incentives - engaging with market actors to create incentives for organisations to invest in cyber security measures.
o Accountability - holding organisations accountable for effective management of their cyber risk.
o The approach set out in this Review forms part of our plan to meet the outcomes of the recently-published National Cyber Strategy which include “Building a resilient and prosperous digital UK, reducing cyber risks and ensuring citizens feel safe online and confident that their data is protected.”
§ The United States Department of Commerce “released the results from the Risks in the Semiconductor Supply Chain Request for Information (RFI) issued in Sept. 2021.” The agency stated that the “[k]ey findings from the report provided data-driven information about the depths of the semiconductor shortage and underscored the need for the President’s proposed $52 billion in domestic semiconductor production.” The agency stated:
o Key Findings from the Semiconductor RFI
§ Demand for semiconductors is as much as 17 percent higher in 2021 than it was in 2019, and consumers aren’t seeing commensurate increases in the available supply.
§ The majority of semiconductor manufacturing facilities are operating at or above 90 percent utilization, meaning there is limited additional supply to bring online without building new facilities.
§ Bottlenecks are most concentrated in specific semiconductor inputs and applications, including legacy logic chips (used in automobiles, medical devices, and other products), analog chips (used in power management, image sensors, and radio frequency), and optoelectronics chips (including for sensors and switches).
§ The main bottleneck that respondents identified is the need for additional fab capacity. Additional bottlenecks that respondents identified include a lack of raw material inputs for both semiconductors and the other components paired with semiconductors to assemble sub-parts for electric devices.
o The RFI asked all parts of the semiconductor supply chain – producers, consumers, and intermediaries – to voluntarily share information about inventories, demand, and delivery dynamics. With Secretary Raimondo’s engagement, more than 150 responses from the world responded to the RFI.
o The results of the RFI are included in a report and blog released by the Department of Commerce.
§ According to the White House, “President Joe Biden convened a meeting of the President’s Council of Advisors on Science and Technology (PCAST)…to discuss their ongoing work to help the Administration deliver on its science and technology priorities and drive American innovation.” The administration claimed:
o PCAST Co-Chairs Frances Arnold and Maria Zuber outlined four key areas of update for the President, including 1) how our Nation can use new scientific advances to assess and protect against physical and financial risks from climate change; 2) how to use science and technology to strengthen the Nation’s ability to detect, track, and fight wildfires; 3) what might be needed to reimagine the American public health system to address decades-old challenges laid bare by the pandemic; and 4) what steps are necessary to ensure America’s continued global leadership in science and technology innovation in the 21st century.
§ The National Institute of Standards and Technology (NIST) has issued Special Publication 800-53A Rev. 5, Assessing Security and Privacy Controls in Information Systems and Organizations, and the agency stated:
o Special Publication (SP) 800-53A, Assessing Security and Privacy Controls in Information Systems and Organizations, facilitates security control assessments and privacy control assessments conducted within an effective risk management framework. A major design objective for SP 800-53A is to provide an assessment framework and initial starting point for assessment procedures that are flexible enough to meet the needs of different organizations while providing consistency in conducting control assessments. Control assessment results provide organizational officials with:
§ Evidence of the effectiveness of implemented controls,
§ An indication of the quality of the risk management processes, and
§ Information about the security and privacy strengths and weaknesses of systems that are supporting organizational missions and business functions.
o The findings identified by assessors are used to determine the overall effectiveness of security and privacy controls associated with systems and their environments of operation and to provide credible and meaningful inputs to the organization’s risk management process. A well-executed assessment helps determine the validity of the controls contained in the organization’s security and privacy plans and subsequently employed in organizational systems and environments of operation. Control assessments facilitate a cost-effective approach to managing risk by identifying weaknesses or deficiencies in systems, thus enabling the organization to determine appropriate risk responses in a disciplined manner that is consistent with organizational mission and business needs.
o SP 800-53A is a companion guideline to [SP 800-53] Security and Privacy Controls for Systems and Organizations. Each publication provides guidance for implementing specific steps in the Risk Management Framework (RMF). SP 800-53 and [SP 800-53B] address the Select step of the RMF and provide guidance on security and privacy control selection (i.e., determining the controls needed to manage risks to organizational operations and assets, individuals, other organizations, and the Nation). SP 800-53A addresses the Assess and Monitor steps of the RMF and provides guidance on the security and privacy control assessment processes. SP 800-53A also includes guidance on how to build effective assessment plans and how to analyze and manage assessment results.
§ India’s Ministry of Electronics and Information Technology (MeitY) published its India Digital Ecosystem Architecture (InDEA) 2.0 for comments. MeitY explained that the document “harmonizes and builds upon the architectural frameworks developed during the last few years…[and] [w]hile codifying their principles, it provides a pragmatic approach to realize the concept of open digital ecosystems in an integrated and collaborative manner.” MeitY stated that “[i]t recommends a value-driven approach, a focus on capability building and above all, a preference to ‘enabling’ rather than ‘building’…[and] [i]t is an evolving and dynamic framework with continuous improvement as its mantra.”
§ New York Attorney General Letitia James “announced a $600,000 agreement with EyeMed that resolves a 2020 data breach that compromised the personal information of approximately 2.1 million consumers nationwide, including 98,632 in New York state.” James claimed:
o EyeMed — which provides vision benefits to members of vision plans offered by both licensed underwriters and employers — experienced a data breach in which attackers gained access to an EyeMed email account with sensitive customer information. The compromised information included consumers’ names, mailing addresses, Social Security numbers, identification numbers for health and vision insurance accounts, medical diagnoses and conditions, and medical treatment information. The intrusion permitted the attacker access to emails and attachments with sensitive customer information dating back six years prior to the attack.
o As part of the agreement, EyeMed is required to enact a series of measures to protect consumers’ personal information from cyberattacks in the future, including:
§ Maintaining a comprehensive information security program that includes regular updates to keep pace with changes in technology and security threats, as well as regularly reporting to the company's leadership any security risks;
§ Maintaining reasonable account management and authentication, including requiring the use of multi-factor authentication for all administrative or remote access accounts, and reviewing such safeguards annually;
§ Encrypting sensitive consumer information that it collects, stores, transmits and/or maintains;
§ Conducting a reasonable penetration testing program designed to identify, assess, and remediate security vulnerabilities within the EyeMed network;
§ Implementing and maintaining appropriate logging and monitoring of network activity that are accessible for a period of at least 90 days and stored for at least one year from the date the activity was logged; and
§ Permanently deleting consumers’ personal information when there is no reasonable business or legal purpose to retain it.
§ The Bureau Européen des Unions de Consommateurs (BEUC) announced that “the European Commission (EC) and the CPC-Network (the European network of consumer authorities) announced the launch of a dialogue with WhatsApp: the Facebook/Meta company has until March to provide clarifications about its practices which are suspected to be in breach of consumer protection rules.” The EC explained:
o Following an alert by the BEUC and eight of its member associations in July 2021 on alleged unfair practices in the context of WhatsApp’s updates to their terms of service and privacy policy, the CPC Network launched a dialogue with WhatsApp. Under the lead of the Swedish Consumer Agency, with support from the European Commission, the CPC Network invites the company to clarify:
§ How WhatsApp ensures that consumers can understand the consequences of accepting the updated terms of service;
§ How WhatsApp uses consumers’ personal data for commercial purposes and whether consumers understand that WhatsApp shares this data with other Facebook/Meta companies or third parties;
§ How WhatsApp ensures that consumers can reject the new terms of service, especially as persistent in-app notifications prompt consumers to accept the respective changes;
§ Which measures WhatsApp intends to take concerning those consumers who have already accepted the updated terms of service on the false presumption that this was required to be able to continue using the application.
o WhatsApp has until March 2022 to reply to the CPC Network’s request for information. Based on the company’s reply, the CPC Network, with the support of the European Commission, will assess whether WhatsApp has taken appropriate steps to bring their conduct into full compliance with EU consumer protection law.
§ The United States (U.S.) Government Accountability Office (GAO) issued a report titled “Cybersecurity: Federal Response to SolarWinds and Microsoft Exchange Incidents” and stated:
o Federal agencies took several steps to coordinate and respond to the SolarWinds and Microsoft Exchange incidents including forming two Cyber Unified Coordination Groups (UCG), one for the SolarWinds incident and one for the Microsoft Exchange incident. Both UCGs consisted of the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and the Office of the Director of National Intelligence (ODNI), with support from the National Security Agency (NSA). According to UCG agencies, the Microsoft Exchange UCG also integrated several private sector partners in a more robust manner than their involvement in past UCGs.
o CISA issued emergency directives to inform federal agencies of the vulnerabilities and describe what actions to take in response to the incidents. To aid agencies in conducting their own investigations and securing their networks, UCG agencies also provided guidance through advisories, alerts, and tools. For example, the Department of Homeland Security (DHS), including CISA, the FBI, and NSA released advisories for each incident providing information on the threat actor’s cyber tools, targets, techniques, and capabilities. CISA and certain agencies affected by the incidents have taken steps and continue to work together to respond to the SolarWinds incident. Agencies have completed steps to respond to the Microsoft Exchange incident.
o Agencies also identified multiple lessons from these incidents. For instance,
§ coordinating with the private sector led to greater efficiencies in agency incident response efforts;
§ providing a centralized forum for interagency and private sector discussions led to improved coordination among agencies and with the private sector;
§ sharing of information among agencies was often slow, difficult, and time-consuming; and
§ collecting evidence was limited due to varying levels of data preservation at agencies.
o Effective implementation of a recent executive order could assist with efforts aimed at improving information sharing and evidence collection, among others.
Further Reading
Photo by Kostiantyn Li on Unsplash
§ “The Battle for the World’s Most Powerful Cyberweapon” By Ronen Bergman and Mark Mazzetti — The New York Times. In June 2019, three Israeli computer engineers arrived at a New Jersey building used by the F.B.I. They unpacked dozens of computer servers, arranging them on tall racks in an isolated room. As they set up the equipment, the engineers made a series of calls to their bosses in Herzliya, a Tel Aviv suburb, at the headquarters for NSO Group, the world’s most notorious maker of spyware. Then, with their equipment in place, they began testing.
§ “F.B.I. Secretly Bought Israeli Spyware and Explored Hacking U.S. Phones” By Michael Levenson — The New York Times. It is widely regarded as the world’s most potent spyware, capable of reliably cracking the encrypted communications of iPhone and Android smartphones. The software, Pegasus, made by an Israeli company, NSO Group, has been able to track terrorists and drug cartels. It has also been used against human rights activists, journalists and dissidents.
§ “Microsoft Deal for Activision to Be Reviewed by FTC in U.S.” By David McLaughlin — Bloomberg. The U.S. antitrust review of Microsoft Corp.’s proposed acquisition of Activision Blizzard Inc. will be handled by the Federal Trade Commission, according to a person familiar with the matter, putting the deal in the hands of an agency that has vowed more aggressive policing of deals.
§ “Meta is winding down its low-cost WiFi program for developing countries” By Steve Dent — Engadget. Meta is ending its Express Wi-Fi program designed to provide low-cost internet in developing countries through partnerships with local communities, mobile operators and businesses. Launched in 2016, it wasn't free like Meta-owned Facebook's failed Free Basics program, struck down by Indian courts for violating net neutrality. Instead, it was designed to be inexpensive, starting at around 15 cents for 100MB or $5 for 20GB.
§ “Twitter says it has quit taking action against lies about the 2020 election” By Daniel Dale — CNN. Twitter quit taking action to try to limit the spread of lies about the 2020 election, the company said on Friday -- a day after another social media platform, YouTube, removed a Republican congressman's campaign ad because it included a 2020 lie.
§ “How Russia Has Turned Ukraine Into a Cyber-Battlefield” By Dmitri Alperovitch — Foreign Affairs. Every day brings ominous new signs of an imminent Russian invasion of Ukraine. Moscow has amassed over 100,000 troops on the Ukrainian border, withdrawn the families of diplomats from the Russian embassy in Kyiv, and deployed troops to neighboring Belarus for unplanned joint military exercises with the Belarusian military, suggesting that it could attack Ukraine on multiple fronts.
§ “The Unnerving Rise of Video Games that Spy on You” By Ben Egliston — WIRED. Tech conglomerate Tencent caused a stir last year with the announcement that it would comply with China’s directive to incorporate facial recognition technology into its games in the country. The move was in line with China’s strict gaming regulation policies, which impose limits on how much time minors can spend playing video games—an effort to curb addictive behavior, since gaming is labeled by the state as “spiritual opium.”
§ “State Department Confirms ‘Defect’ Led to Resolved Global IT Outage” By Brandi Vincent — Nextgov. A global information technology services outage that left many State Department officials without access to their email and digital work tools late last week is officially resolved. “The department’s applications have been returned to normal operations,” a spokesperson told Nextgov via email.
§ “Senate introduces bill to allow farmers to fix their own equipment” By Louise Matsakis and Olivia Solon — NBC News. Scott Potmesil, a fourth-generation farmer who raises cattle in Sandhills, Nebraska, recently bought a John Deere tractor that is over 25 years old. He said he purposely went looking for the older device in 2020 because he believed it would be easier to repair than newer models, which can often be fixed only by authorized dealerships.
§ “The vaguely dystopian technology fueling China’s Olympic Games” By Meghan Tobin — Rest of the World. The Olympics aren’t just about sport, they’re a showcase for the host country. And this year’s Winter Games are no different, as China hopes to demonstrate its advancements in technology with an entire town’s worth of machine-made snow, the rollout of the world’s largest digital currency — and, if all goes to plan, zero Covid-19 transmission.
Coming Events
Photo by Gabriel Benois on Unsplash
§ 1 February
o The European Data Protection Board (EDPB) will hold a plenary meeting with this agenda.
o The United Kingdom’s House of Commons’ Digital, Culture, Media and Sport Committee will hold a “Formal meeting (oral evidence session): Influencer culture.”
o The United Kingdom’s House of Commons’ Business, Energy and Industrial Strategy Committee will hold a “Formal meeting (oral evidence session): Post-pandemic economic growth: State Aid and Post Brexit Competition Policy” to ask “questions about possible changes to competition policy that could arise from the increasing dominance of tech giants in digital markets.”
o The United Kingdom’s House of Commons’ Digital, Culture, Media and Sport Sub-committee on Online Harms and Disinformation will hold a “Formal meeting (oral evidence session): Online safety and online harms.”
o The United States Senate Homeland Security and Governmental Affairs Committee will hold a hearing on the nominations of Shalanda Young to be the Director of the Office of Management and Budget and Nani Coloretti to be the Deputy Director of the Office of Management and Budget.
o The United States Senate Budget Committee will hold a hearing on the nominations of Shalanda Young to be the Director of the Office of Management and Budget and Nani Coloretti to be the Deputy Director of the Office of Management and Budget.
o The United States House Rules Committee will hold a hearing on the “America Creating Opportunities for Manufacturing, Pre-Eminence in Technology and Economic Strength Act of 2022” (aka the America COMPETES Act of 2022) (H.R.4521).
o The United States Senate Appropriations Committee’s Commerce, Justice, Science Subcommittee will hold a hearing titled “Expanding Broadband Access: Department of Commerce Broadband Programs in the Infrastructure Investment and Jobs Act.”
§ 2 February
o The United States Senate Commerce, Science, and Transportation Committee will hold a hearing to consider a number of nominations including:
§ Alvaro Bedoya, to be a Commissioner of the Federal Trade Commission
§ Gigi Sohn, to be a Commissioner of the Federal Communications Commission
o The United States Senate Homeland Security and Governmental Affairs Committee will mark up a number of bills, including the “Improving Cybersecurity of Small Organizations Act of 2021” (S. 2483)
o The United States House Oversight and Reform Committee will mark up a number of bills, including the “Federal Information Security Modernization Act of 2022” (H.R. 6497).
o The United States House Transportation and Infrastructure Committee’s Highways and Transit Subcommittee will hold a hearing titled “The Road Ahead for Automated Vehicles.”
o The United States Senate Judiciary Committee’s Competition Policy, Antitrust, and Consumer Rights Subcommittee will hold a hearing titled “Competition Policy, Antitrust, and Consumer Rights.”
§ 3 February
o The United States Senate Homeland Security and Governmental Affairs Committee will hold a hearing on the nominations of William Valdez to be the Under Secretary of Homeland Security for Management; Dimitri Kusnezov to be the Under Secretary of Homeland Security for Science & Technology; and Kenneth Wainstein to be the Under Secretary of Homeland Security for Intelligence & Analysis.
o Canada’s House of Commons’ Standing Committee on Access to Information, Privacy and Ethics will hold a hearing titled “Collection and Use of Mobility Data by the Government of Canada” because of reports “of the Public Health Agency of Canada collecting, using or possessing Canadians' private cellphone data, without their knowledge or consent.”
o The United States Senate Judiciary Committee will consider nominations and bills, including the Open App Markets Act (S. 2710) and the EARN IT Act of 2022.
o The United States House Transportation and Infrastructure Committee’s Aviation Subcommittee will hold a hearing titled “Finding the Right Frequency: 5G Deployment & Aviation Safety.”
§ 22 February
o The European Data Protection Board (EDPB) will hold a plenary meeting.
§ 16-17 June
o The European Data Protection Supervisor will hold a conference titled “The future of data protection: effective enforcement in the digital world.”