Rewrite of U.S. Government Cybersecurity May Be In The Cards In 2022
Key U.S. tech agency gets new leadership; Court allows FTC suit against Facebook to proceed
First, a bit of news. The Wavelength will transition to a paid product, but there will still be a free version available. The scope and shape of this change is still in the making but should be realized by January 2022.
When the cyber incident reporting legislation was removed from the FY 2022 National Defense Authorization Act (NDAA) (P.L. 117-81), a sweeping reform of how the United States (U.S.) government secures its own networks was also jettisoned. This package would have extensively changed the statutes that govern how U.S. agencies assess and improve the cybersecurity of their information systems and those of federal contractors. The last major reform of these statutes was in 2014 when Barack Obama was in his second term.
Nonetheless, there are signs that proponents of reforming the “Federal Information Security Modernization Act” (FISMA) have regrouped and are planning their strategy to enact legislation this year. For example, the House Oversight and Reform Committee held a hearing yesterday titled “Cybersecurity for the New Frontier: Reforming the Federal Information Security Management Act” and floated a FISMA reform discussion draft.
As mentioned, this bill represents the most significant rewrite of U.S. government cybersecurity procedures and requirements since enactment of the “Federal Information Security Modernization Act of 2014” (P.L. 113-283). Among other major changes, it explicitly inserts both the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cyber Director (NCD) into the laws agencies must heed, the same laws that give the Office of Management and Budget (OMB) and the Department of Homeland Security (DHS) dominion over government-wide matters in this area.
Before we get to the bill, some background would help. As a general precept in the world of U.S. government cybersecurity, many Democrats and Republicans agree that change is needed and can often even agree on the sorts of change that are needed. This article of faith was deepened as the fallout from the SolarWinds and Microsoft Exchange hacks unfolded in late 2020 and into 2021. The Senate Homeland Security and Governmental Affairs Committee started working on its bill in 2021, culminating in a 6 October markup.
In November, Senators Mark Warner (D-VA), Gary Peters (D-MI), Rob Portman (R-OH), and Susan Collins (R-ME) announced a compromise on cyber incident reporting legislation (see here for more detail on the bills and main impasse) they would offer as an amendment to the Senate’s National Defense Authorization Act (NDAA) for Fiscal Year 2022. In their press release, they stated:
§ The amendment is based on the Cyber Incident Reporting Act and Federal Information Security Modernization Act of 2021 authored by Peters and Portman, and advanced by the Homeland Security and Governmental Affairs Committee, where they serve as Chairman and Ranking Member, respectively.
In the amendment filed for consideration, Peters, Portman, Warner, and Collins unveiled the “Federal Information Security Modernization Act of 2021” (S.2902) as reported out of committee.
A considerable stretch of the bill rewrites Chapter 35 of Title 44 of the U.S. Code (i.e. COORDINATION OF FEDERAL INFORMATION POLICY). In a number of spots in Chapter 35 as currently operative, the bill specifies that OMB must consult with CISA and the NCD in discharging its duties in overseeing federal cybersecurity. For example, 44 U.S.C. 3504 requires OMB to “oversee the use of information resources to improve the efficiency and effectiveness of governmental operations to serve agency missions, including burden reduction and service delivery to the public.” The FISMA reform package would task OMB with coordinating with CISA and the NCD with respect to the “security of information.” There are many other such changes made throughout Chapter 35, probably too many to discuss except the most significant of them. In this vein, CISA and the NCD would become statutory stakeholders in OMB policy on privacy and security, federal information technology (IT) generally, and the inventorying of major IT systems.
In terms of changing which entity owns cybersecurity and information security, 44 U.S.C. 3551, the first section on information security, explicitly gives CISA a prominent role given its status as “the lead entity for operational cybersecurity coordination across the Federal Government.” However, revisions to the same section make clear a government-wide approach is needed given the differences in information security needs and policies across the different agencies. Hence, the FISMA rewrite clarifies the roles of three key entities:
§ OMB is the leader for policy development and oversight of Federal cybersecurity;
§ CISA is the leader for implementing operations at agencies; and
§ the NCD is responsible for developing the overall cybersecurity strategy of the United States and advising the President on matters relating to cybersecurity.
Consequently, it appears that OMB would handle cybersecurity policy and oversee federal cybersecurity, CISA would be the lead entity on implementing cybersecurity policy and strategy, and the NCD would be charged with overall strategy. There is no mention of the Department of Defense (DOD) or Intelligence Community (IC), both of which are largely exempt from portions of FISMA as “national security systems” are outside the bill’s ambit.
Another interesting change in the federal cybersecurity organizational chart is that CISA is substituted for DHS in a number of spots, meaning the CISA Director would receive the authority the Secretary of Homeland Security would lose. In practice, the Secretary may not experience a diminution of authority, for the CISA Director serves under him or her and would be subject to his or her influence. Going forward, OMB would need to coordinate with CISA on designing and implementing information security policy and guidelines.
Another change made throughout Chapter 35, in revised language and additional language, is moving U.S. agencies to a posture of continually assessing and redressing their cybersecurity. The first enacted version of FISMA and even the update in 2014 have been roundly criticized for fostering a mindset of compliance or box-checking instead of spurring senior agency officials to focus continually on cybersecurity and the rapidly changing threats the U.S. government faces. With the same goal in mind, OMB and CISA are also charged with continuously assessing risks to the U.S. government. Likewise, there are numerous places in the bill that call on agencies to use automated means to identify and address risks and to change the focus from one of “trusted networks” to the “presumption of compromise and least privilege principles.”
In terms of revised agency head cybersecurity responsibilities, these officials will need to continuously conduct “system risk assessments that
§ identify and document the high value assets of the agency using guidance from [OMB];
§ evaluate the data assets inventoried under section 3511 for sensitivity to compromises in confidentiality, integrity, and availability;
§ identify agency systems that have access to or hold the data assets inventoried under section 3511;
§ evaluate the threats facing agency systems and data, including high value assets, based on Federal and non-Federal cyber threat intelligence products, where available;
§ evaluate the vulnerability of agency systems and data, including high value assets, including by analyzing—
o the results of penetration testing performed by the Department of Homeland Security under section 3553(b)(9);
o the results of penetration testing performed under section 3559A;
o information provided to the agency through the vulnerability disclosure program of the agency under section 3559B;
o incidents; and
o any other vulnerability information relating to agency systems that is known to the agency;
§ assess the impacts of potential agency incidents to agency systems, data, and operations based on the evaluations…and
§ assess the consequences of potential incidents occurring on agency systems that would impact systems at other agencies, including due to interconnectivity between different agency systems or operational reliance on the operations of the system or data in the system;
The agency’s existing responsibilities for “information security for the information and information systems” would be expanded to include these assessments, ideally creating an ongoing cycle of assessment and improvement of the security of systems, networks, and data. Additionally, agencies would be tasked with annual independent evaluation of their cybersecurity and information systems.
One thing that jumped out at me is that the Senate Homeland Security and Governmental Affairs Committee found it necessary to make explicit the need for agencies to heed CISA’s binding operational directives and emergency directives. This suggests that civilian agencies are perhaps not listening to CISA when it issues these commands. To be fair, the language granting DHS and CISA this authority does not state that agencies are obligated to heed the directives even though that is implied. Nonetheless, the FISMA rewrite would make all that explicit.
The FISMA reform package would establish a U.S. government system to respond to cyber incidents. In the event of a breach involving unauthorized access to data or loss of such data, agencies would need to determine whether it is necessary to alert affected individuals within 45 days after the agency has a reasonable basis from which to conclude a breach occurred. DHS, the Department of Justice (DOJ) or the Director of National Intelligence (DNI) could delay notification after a breach for up to 60 days on a number of grounds related to criminal investigations, national security, or intelligence matters. This delay could be renewed for additional 60 day periods without apparent statutory limit. No such notice would need to be disseminated if the data in question were encrypted or at low risk of exposure, but CISA would need to grant an exception to an agency before it could take this course of action.
Speaking of notice, agencies would now need to inform committees of jurisdiction within 72 hours of finding a reasonable basis to conclude a “major incident”[1] has occurred and file reports with detailed information. Agencies that suffer a major incident would be required to coordinate incident response and recovery with CISA and to chart a path to avoid major incidents in the future. Moreover, OMB would no longer alone have the power to define what constitutes a major incident and would need to consult with CISA and the NCD and develop guidance on what constitutes a major incident.
Also, agencies would be required to share detailed information on all cyber or security incidents with CISA and OMB, and CISA would need to distribute information on these incidents to agencies. Even agencies operating national security systems would need to share information on incidents with CISA consistent with U.S. policy on these systems.
Federal contractors and recipients of federal funds would have new responsibilities to report on incidents and breaches regarding federal information and systems unless their contract or grant instrument says otherwise. The language is a bit vague here, and it is unclear whether the intention is that agencies and contractors and grantees could essentially negotiate around this general requirement or the intention is that agencies could require these entities to report sooner than federal agencies through a contract or grant clause.
CISA would be required to start performing “continuous monitoring and quantitative and qualitative analyses of incidents at agencies” along a number of specified dimensions and then report to Congress its findings. This would be an ongoing responsibility.
The FISMA reform bill would touch other federal statutes and programs that bear on IT and cybersecurity. For example, the recently enacted “Modernizing Government Technology Act” that established the Technology Modernization Fund would be altered to change the criteria for project selection to emphasize cybersecurity and risk management.
The bill also addresses mobile security standards. OMB would need to:
§ evaluate mobile application security guidance promulgated by the Director; and
§ issue guidance to secure mobile devices, including for mobile applications, for every agency.
OMB would also need to institute a system for regular penetration testing through guidance that:
§ requires agencies to use, when and where appropriate, penetration testing on agency systems; and
§ requires agencies to develop an agency operational plan and rules of engagement.
CISA would oversee implementation and guidance of the agency penetration testing systems.
CISA would also “establish a program to provide ongoing, hypothesis-driven threat-hunting services on the network of each agency.”
The bill codifies the vulnerability disclosure programs the Trump Administration directed agencies to establish and directs OMB, CISA, and the NCD to develop and issue guidance to agencies for sharing the vulnerabilities submitted to them.
OMB would be required to update Congress within one year after passage of the bill on the institution of the presumption that agency systems and networks are compromised and least privilege principles. OMB must detail progress on
§ shifting away from ‘‘trusted networks’’ to implement security controls based on a presumption of compromise;
§ implementing principles of least privilege in administering information security programs;
§ limiting the ability of entities that cause incidents to move laterally through or between agency systems;
§ identifying incidents quickly;
§ isolating and removing unauthorized entities from agency systems quickly;
§ otherwise increasing the resource costs for entities that cause incidents to be successful;
CISA would need to evaluate all existing cybersecurity metrics and update them or issue new ones as necessary.
One of the most significant changes in U.S. government cybersecurity would be the use of risk-based budgeting for the buying and funding of IT. The bill defines this concept as:
a budget…developed by identifying and prioritizing cybersecurity risks and vulnerabilities, including impact on agency operations in the case of a cyber attack, through analysis of threat intelligence, incident data, and tactics, techniques, procedures, and capabilities of cyber threats; and…that allocates resources based on the risks identified and prioritized
OMB, CISA, the NCD and the National Institute of Standards and Technology (NIST) must “develop a standard model for creating a risk-based budget for cybersecurity spending” within one year after enactment, and within two years after this model “is published, the head of each covered agency shall use the model to develop the annual cybersecurity and information technology budget requests of the agency.” Such a system would likely shift funding away from legacy IT systems, which now constitute the bulk of U.S. government spending on IT.
Other Developments
§ The United States (U.S.) Senate confirmed Alan Davidson by a 60-31 vote as the Assistant Secretary of Commerce for Communications and Information and head of the National Telecommunications and Information Administration (NTIA), the agency charged with establishing the grant programs through which most of the $65 billion provided for broadband funding in the “Infrastructure Investment and Jobs Act” (P.L. 117-58) will flow.
§ The same United States (U.S.) federal court that dismissed an antitrust suit brought by the U.S. Federal Trade Commission (FTC) against Facebook/Meta last year has greenlighted the renewed lawsuit. In its ruling, the U.S. District Court for the District of Columbia denied Facebook’s motion to dismiss and stated:
o Facebook nonetheless moves to dismiss once again, contending that the FTC’s latest effort is akin to rearranging the deck chairs on the Titanic. Although the agency may well face a tall task down the road in proving its allegations, the Court believes that it has now cleared the pleading bar and may proceed to discovery. That holding flows from several conclusions. First, the FTC has now alleged enough facts to plausibly establish that Facebook exercises monopoly power in the market for PSN services. Second, it has adequately alleged that the company’s dominant market share is protected by barriers to entry into that market. Third, the agency has also explained that Facebook not only possesses monopoly power, but that it has willfully maintained that power through anticompetitive conduct — specifically, the acquisitions of Instagram and WhatsApp. The Court will not, however, allow the allegations surrounding Facebook’s interoperability policies (also known as the Platform policies) to move forward; they founder for the same fundamental reasons as explained before: Facebook abandoned the policies in 2018, and its last alleged enforcement was even further in the past.
§ Former New Zealand Privacy Commissioner John Edwards started his five year term as the United Kingdom’s Information Commissioner at the beginning of the year. Edwards succeeds outgoing Information Commissioner Elizabeth Denham. The agency’s press release stated:
o Mr Edwards’ appointment comes at the start of a busy year for information rights in the UK. The ICO will be actively engaging with the government over the proposed reforms to the Data Protection Act and introduction of the Online Safety Bill, as well as strengthening links with other digital regulators. The ICO will also continue to prioritise its work to protect children online, through the Age Appropriate Design Code, which has already prompted international tech companies to make changes to better respect children’s rights online.
§ The European Data Protection Supervisor (EDPS) “notified Europol of an order to delete data concerning individuals with no established link to a criminal activity (Data Subject Categorisation)…[that] concludes the EDPS’ inquiry launched in 2019.” The EDPS issued its Decision and “Frequently Asked Questions.” The EDPS explained in its press statement:
o In the context of its inquiry, the EDPS admonished Europol in September 2020 for the continued storage of large volumes of data with no Data Subject Categorisation, which poses a risk to individuals’ fundamental rights. While some measures have been put in place by Europol since then, Europol has not complied with the EDPS’ requests to define an appropriate data retention period to filter and to extract the personal data permitted for analysis under the Europol Regulation. This means that Europol was keeping this data for longer than necessary, contrary to the principles of data minimisation and storage limitation, enshrined in the Europol Regulation.
o In light of the above, the EDPS has decided to use its corrective powers and to impose a 6-month retention period (to filter and to extract the personal data). Datasets older than 6 months that have not undergone this Data Subject Categorisation must be erased. This means that Europol will no longer be permitted to retain data about people who have not been linked to a crime or a criminal activity for long periods with no set deadline. The EDPS has granted a 12-month period for Europol to comply with the Decision for the datasets already received before this decision was notified to Europol.
§ A United States (U.S.) appeals court largely ruled in the U.S. Federal Communications Commission’s (FCC) favor on its move to open the “6 gigahertz (GHz) band of radiofrequency spectrum to unlicensed devices.” The U.S. Court of Appeals for the District of Columbia found:
o By order dated April 24, 2020, the Federal Communications Commission opened the 6 gigahertz (GHz) band of radiofrequency spectrum to unlicensed devices—routers and the devices they connect to, such as smartphones, laptops, and tablets. In doing so, the Commission required that such unlicensed devices be designed and operated to prevent harmful interference with licensees now using the 6 GHz band, i.e., commercial communications providers, electric utilities, public safety services, and network broadcasters. Those licensees, emphasizing that existing uses of the band involve vital public safety and critical infrastructure, argue that harmful interference could nonetheless occur and that the Order therefore runs afoul of both the Communications Act of 1934 and the Administrative Procedure Act. But as explained in this opinion, petitioners have failed to provide a basis for questioning the Commission’s conclusion that the Order will protect against a significant risk of harmful interference, just the kind of highly technical determination to which we owe considerable deference. We therefore deny the petitions for review in all respects save one. The exception relates to the petition brought by licensed radio and television broadcasters using the 6 GHz band. Because the Commission failed adequately to respond to their request that it reserve a sliver of that band exclusively for mobile licensees, we remand to the Commission for further explanation on that point.
§ The United States (U.S.) Federal Trade Commission warned that failing to patch the Log4j vulnerability could leave companies open to FTC enforcement action. The agency contended:
o Log4j is a ubiquitous piece of software used to record activities in a wide range of systems found in consumer-facing products and services. Recently, a serious vulnerability in the popular Java logging package, Log4j (CVE-2021-44228) was disclosed, posing a severe risk to millions of consumer products to enterprise software and web applications. This vulnerability is being widely exploited by a growing set of attackers.
o When vulnerabilities are discovered and exploited, it risks a loss or breach of personal information, financial loss, and other irreversible harms. The duty to take reasonable steps to mitigate known software vulnerabilities implicates laws including, among others, the Federal Trade Commission Act and the Gramm Leach Bliley Act. It is critical that companies and their vendors relying on Log4j act now, in order to reduce the likelihood of harm to consumers, and to avoid FTC legal action. According to the complaint in Equifax, a failure to patch a known vulnerability irreversibly exposed the personal information of 147 million consumers. Equifax agreed to pay $700 million to settle actions by the Federal Trade Commission, the Consumer Financial Protection Bureau, and all fifty states. The FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future.
§ The United States (U.S.) National Institute of Standards and Technology (NIST) has started an effort to address the problem posed by trees to 5G transmission that has “contributed to guidance issued by the International Telecommunication Union (ITU), the organization that creates guidelines for telecom standards….[that] appear[s] as a new section on trees in ITU’s Recommendation ITU-R P.833-10.” The agency explained:
o As 5G technology gets fully implemented over the next several years, cellphones and other wireless tech will grow more powerful with increased data flow and lower latency. But along with these benefits comes a question: Will your next-generation cellphone be unable to see the forest for the trees?
o That’s one way to describe the problem confronting cell network designers, who have to embrace both the benefits and shortcomings of a new class of signals that 5G will use: millimeter waves. Not only can these waves carry more information than conventional transmissions do, but they also usefully occupy a portion of the broadcast spectrum that communication technologies seldom use — a major concern in an age when broadcasters vie for portions of spectrum like prospectors staking out territory.
o However, millimeter waves also have drawbacks, including their limited ability to penetrate obstacles. These obstacles include buildings, but also the trees that dot the landscape. Until recently little was known about how trees affected millimeter wave propagation. And just as few of us would want to imagine a landscape without greenery, few designers would be able to plan networks around it without such a crucial fundamental detail.
o The National Institute of Standards and Technology (NIST) has set out to solve this problem by measuring trees’ effect on millimeter waves. The effort could make a profound difference in our next-generation devices’ ability to see the 5G antennae that may soon sprout.
§ The European Data Protection Board (EDPB) adopted a statement titled “EDPB cooperation on the elaboration of guidelines” in which it asserted:
o The deliberations of the EDPB often involve complex issues of principle and law. In seeking to ensure the consistent application of the GDPR, the process leading to consensus or majority positions on matters before the EDPB involves accounting for sometimes divergent views and analysis, as well as national case law and procedures. Within the framework provided by the GDPR, the Members of the Board work together in a respectful manner to reconcile and reach common meaningful decisions. That the starting point is not a unified view is not a failure of data protection authorities or a lack of integrity on the part of any of the authorities that hold one position or another – it is simply the GDPR working as intended. In this regard, although not binding in themselves, Guidelines and Recommendations of the EDPB reflect the common position and understanding which the authorities agree to apply in a consistent way. The EDPB Members, in their contributions to the work of the EDPB, act in compliance with the duty of sincere cooperation in the interest of the effective functioning of the EDPB.
§ New York Attorney General Letitia James announced “the results of a sweeping investigation into “credential stuffing” that discovered more than 1.1 million online accounts compromised in cyberattacks at 17 well-known companies…[and] released a “Business Guide for Credential Stuffing Attacks” that details the attacks — which involve repeated, automated attempts to access online accounts using usernames and passwords stolen from other online services — and how businesses can protect themselves.” James also issued a consumer alert on “credential stuffing” attacks.
§ The National Institute of Standards and Technology (NIST) issued a draft Cybersecurity White Paper, Combination Frequency Differencing, for comment. NIST explained:
o Combinatorial coverage measures have been defined and applied to a wide range of problems, including fault location and evaluating the adequacy of test inputs and input space models. More recently, methods applying coverage measures have been used in applications of artificial intelligence and machine learning for explainability and analyzing aspects of transfer learning. These methods have been developed using measures that depend on the inclusion or absence of t-tuples of values in inputs and test cases.
o This paper introduces a new method related to combinatorial testing and measurement, combination frequency differencing (CFD), and illustrates the use of CFD in machine learning applications. This method is particularly well-suited to artificial intelligence and machine learning applications, where training data sets used in learning systems are dependent on the prevalence of various attributes of elements of class and non-class sets. This paper illustrates the use of this method by applying it to analyzing physical unclonable functions (PUFs) for bit combinations that have a disproportionately strong influence on PUF response bit values. Additionally, it is shown that combination frequency differences provide a simple but effective algorithm for classification problems.
§ The United States (U.S.) Department of the Treasury’s Office of Foreign Assets Control (OFAC) “announced a settlement with Airbnb Payments, Inc…to settle its potential civil liability for apparent violations of sanctions against Cuba.” OFAC asserted:
o This activity included payments related to guests traveling for reasons outside of OFAC’s authorized categories as well as a failure to keep certain required records associated with Cuba-related transactions. The settlement amount reflects OFAC’s determination that Airbnb Payments’ apparent violations were voluntarily self-disclosed and were non-egregious.
§ The United States (U.S.) Government Accountability Office (GAO) issued a report titled “Technology Modernization Fund: Implementation of Recommendations Can Improve Fee Collection and Proposal Cost Estimates.” The GAO found:
o In March 2021, the American Rescue Plan Act of 2021 appropriated an additional $1 billion to the TMF. In May 2021, the Office of Management and Budget (OMB) provided updated TMF guidance to agencies regarding this $1 billion. Among other things, the guidance (1) prioritizes projects that cut across agencies and address immediate cybersecurity gaps, and (2) allows agencies to apply for a partial or minimal reimbursement of the TMF funds provided (partial is agencies repaying 25 to 100 percent of the award while minimal is greater than zero but less than 25 percent). On September 30, 2021, the General Services Administration (GSA) announced the approval of seven new projects with awards totaling at least $311 million (one of the seven projects is classified; no award figure is publicly available). In deciding on these seven, the Technology Modernization Board received 113 project proposals requesting a total of more than $2.3 billion.
o Regarding TMF operating costs and fees collected to offset those costs, as of August 2021, GSA had received fee payments totaling about $810,000, or about 29 percent of its operating expenses of $2.8 million.
o A key reason for this shortfall is that six of the seven initially approved projects narrowed their scopes. This led to reduced award amounts transferred to agencies, which in turn resulted in about a $1.12 million reduction in anticipated fees. Relatedly, OMB and GSA have not yet implemented GAO’s prior recommendation to develop and implement a plan to fully recover operating expenses with fee collection. Doing so would provide greater assurance that fees collected would be sufficient to offset operating costs. OMB funding guidelines require projects to include a reliable estimate of any project-related savings. However, most of the TMF projects’ reported savings estimates derived from cost estimates continue to be unreliable. Specifically, three of the four projects reviewed did not fully incorporate best practices for a reliable cost estimate, as defined in OMB Circular A-11 (which references GAO’s Cost Estimating and Assessment Guide).
o Given the significant expansion in available TMF funds, it is increasingly important that GSA implement GAO’s prior recommendation to improve the instructions for the TMF cost estimate template required of each proposal. Such action would help ensure that the TMF board is reviewing documentation that is complete, accurate, and reliable.
§ The National Institute of Standards and Technology (NIST) “has released NIST Internal Report (NISTIR) 8403, Blockchain for Access Control Systems, for public comment.” NIST stated:
o Protecting system resources against unauthorized access is the primary objective of an access control system. As information systems rapidly evolve, the need for advanced access control mechanisms that support decentralization, scalability, and trust – all major challenges for traditional mechanisms – has grown.
o Blockchain technology offers high confidence and tamper resistance implemented in a distributed fashion without a central authority, which means that it can be a trustable alternative for enforcing access control policies. This document presents analyses of blockchain access control systems from the perspectives of properties, components, architectures, and model supports, as well as discussions on considerations for implementation.
§ New Zealand’s Office of the Privacy Commissioner issued “guidance on how the Privacy Act applies to sensitive personal information.” The agency stated:
o Sensitive personal information is information about the individual that has some real significance to them, is revealing of them, or generally relates to matters that an individual might wish to keep private. This can be contrasted with routine or mundane information that is about a person but is either not particularly revealing or does not reveal information that is very intimate or “private”.
Further Reading
Photo by Marek Studzinski on Unsplash
§ “Apple’s Private Relay Roils Telecoms Around the World” By Matt Burgess — WIRED. When Apple pushed iOS 15 out to more than a billion devices in September, the software update included the company’s first VPN-like feature, iCloud Private Relay. The subscription-only privacy tool makes it harder for anyone to snoop on what you are doing online, by routing traffic from your device through multiple servers. But the tool has faced pushback from mobile operators in Europe—and more recently, by T-Mobile in the US.
§ “Apple under fire over iPhone encryption tech” By Ben Woods and James Titcomb — The Telegraph. Mobile operators have become locked in a power struggle with Apple after urging regulators to outlaw the iPhone maker's encryption technology over claims it will undermine "digital sovereignty". Some of Europe's biggest mobile operators want the European Commission to stop Apple using "private relay" on the grounds that it will also prevent them from managing their networks.
§ “How one of South America’s biggest dams became a Bitcoin battleground” By Laurence Blair — Rest of the World. After the Covid-19 pandemic reached Paraguay in 2020, Christian Kaatz was working 12-hour days to keep his company, a local internet service provider (ISP), afloat. Looking for something to help him de-stress, he bought a high-powered PC with an advanced graphics card to play games.
§ “Investment Impact of $1 Trillion Infrastructure Measure Seen as Mixed” By Luis Garcia — The Wall Street Journal. The recently enacted $1 trillion infrastructure measure is likely to create more investment opportunities for private-equity firms in areas they already favor, such as telecommunications, while doing little to expand their presence in the government-dominated transportation sector, industry lawyers and consultants said.
§ “Regulating the tech giants may finally be within reach” By Marguerite Reardon — C/net. For nearly five years, lawmakers on both sides of the aisle have promised to rein in the power and influence of Big Tech. Increasingly alarmed by the power that giants like Amazon, Apple, Google, Facebook and Twitter wield, they've targeted how these companies harm consumers by allegedly choking competition from smaller players, exploiting personal data for profit and controlling what is shared and consumed online.
§ “Feds' spending on facial recognition tech expands, despite privacy concerns” By Tonya Riley — cyberscoop. The FBI on Dec. 30 signed a deal with Clearview AI for an $18,000 subscription license to the company’s facial recognition technology. While the value of the contract might seem just a drop in the bucket for the agency’s nearly $10 billion budget, the contract was significant in that it cemented the agency’s relationship with the controversial firm. The FBI previously acknowledged using Clearview AI to the Government Accountability Office but did not specify if it had a contract with the company.
§ “YouTube is major conduit of fake news, factcheckers say” By Dan Milmo — The Guardian. YouTube is a major conduit of online disinformation and misinformation worldwide and is not doing enough to tackle the spread of falsehoods on its platform, according to a global coalition of factchecking organisations.
§ “What using an iPhone for 15 years has done to your brain” By Io Dodds — The Telegraph. The man was smartly and stylishly dressed, like a rock star’s bodyguard on a TV show. He said he worked for ‘someone famous’ – maybe a rapper or a sporting legend – and he had an offer to make: $500 (£378) to take David Barnard’s place in line for an iPhone. This was 29 June, 2007, and Barnard had been camping all night outside the Apple Store in San Antonio, Texas, with his brother Sam and a small group of fellow diehards to get their hands on the very first Apple phone (the UK would not get it until November).
§ “‘It’s five times more difficult’: The challenges of operating an Airbnb in Cuba” By Leo Schwartz — Rest of the World. Mario Otero Acosta was studying tourism and hospitality at the University of Havana when President Obama announced that he would ease restrictions on travel to Cuba in January 2015. It was perfect timing; after graduating that year, Otero began leading tour groups catering to the new flood of American tourists. But he had his sights set on a bigger venture: renovating his father’s run-down apartment and listing it on Airbnb. He ended up launching the listing in 2018, charging $30–$50 a night for guests to stay at the centrally located home in the Centro Habana neighborhood.
§ “Privacy myths busted: Protecting your mobile privacy is even harder than you think” By Rae Hodge — C/net. With increasingly invasive digital surveillance from advertisers and law enforcement over the past few years, securing your mobile phone from privacy threats in 2022 should be a key resolution. But don't stop short. Changing a few settings in your phone and apps isn't enough. To get the most privacy, the key ingredient to add is a suite of encrypted apps.
§ “How the Log4j Vulnerability is Forcing Change in Federal Cybersecurity Policy” By Miriam Baksh — Nextgov. If there is a silver lining to all the hours cybersecurity personnel spent over the holiday break—and will continue to spend months into the future—working to secure their systems from log4j vulnerabilities, it could be in how the government approaches the remediation of such bugs going forward.
Coming Events
§ 12 January
o The United States (U.S.) Senate Indian Affairs Committee will hold a roundtable discussion titled “Closing the Digital Divide in Native Communities through Infrastructure Investment.”
o The United States (U.S.) House Agriculture Committee will hold a hearing titled “Implications of Electric Vehicle Investments for Agriculture and Rural America.”
o The United Kingdom’s House of Commons’ Science and Technology Committee will hold a “Formal meeting (oral evidence session): UK space strategy and UK satellite infrastructure” as part of its inquiry.
o The United Kingdom’s House of Lords’ Justice and Home Affairs Committee will hold a “Formal meeting (oral evidence session): New technologies and the application of the law” as part of its inquiry.
§ 17-28 January
o The United Nations (UN) Ad hoc committee established by General Assembly resolution 74/247 will meet. The UN explained:
§ Through its resolution 74/247, the General Assembly decided to establish an open-ended ad hoc intergovernmental committee of experts, representative of all regions, to elaborate a comprehensive international convention on countering the use of information and communications technologies for criminal purposes, taking into full consideration existing international instruments and efforts at the national, regional and international levels on combating the use of information and communications technologies for criminal purposes, in particular the work and outcomes of the open-ended intergovernmental Expert Group to Conduct a Comprehensive Study on Cybercrime.
§ 18 January
o The European Data Protection Board will hold a plenary meeting.
§ 27 January
o The United States (U.S.) Federal Communications Commission (FCC) will hold an open meeting with this agenda:
§ Empowering Broadband Consumers Through Transparency. The Commission will consider a Notice of Proposed Rulemaking that would propose to require that broadband internet access service providers display, at the point of sale, labels to disclose to consumers certain information about their prices, introductory rates, data allowances, broadband speeds, and management practices, among other things. (CG Docket No. 22-2)
§ Connecting Tribal Libraries. The Commission will consider a Report and Order that would amend the definition of library in the Commission’s rules to clarify that Tribal libraries are eligible for support through the E-Rate Program. (CC Docket No. 02-6)
§ Updating Outmoded Political Programming and Record-Keeping Rules. The Commission will consider a Report and Order to update outmoded political programming rules. (MB Docket No. 21-293)
§ Facilitating Better Use of ‘White Space’ Spectrum. The Commission will consider a Second Order on Reconsideration and Order resolving pending issues associated with white space devices and the white spaces databases, enabling unlicensed white space devices to continue operating efficiently while protecting other spectrum users. (ET Docket Nos. 04-186, 14-165)
§ Updating Equipment Authorization Rules. The Commission will consider a Notice of Proposed Rulemaking that would propose to update existing equipment authorization rules to reflect more recent versions of the technical standards that are incorporated by reference and incorporate by reference a new technical standard so that our equipment authorization system can continue to keep pace with technology developments. (ET Docket Nos. 21-363, 19-48)
§ Restricted Adjudicatory Matter. The Commission will consider a restricted adjudicatory matter.
§ National Security Matter. The Commission will consider a national security matter.
§ Enforcement Bureau Action. The Commission will consider an enforcement action.
§ 22 February
o The European Data Protection Board will hold a plenary meeting.
§ 16-17 June
o The European Data Protection Supervisor will hold a conference titled “The future of data protection: effective enforcement in the digital world.”
[1] OMB most recently defined this term to be either:
I. Any incident that is likely to result in demonstrable harm to the national security interests, foreign relations, or the economy of the United States, or to the public confidence, civil liberties, or public health and safety of the American people. Agencies should determine the level of impact of the incident by using the existing incident management process established in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-61, Computer Security Incident Handling Guide,
OR,
II. A breach that involves personally identifiable information (PII) that, if exfiltrated, modified, deleted, or otherwise compromised, is likely to result in demonstrable harm to the national security interests, foreign relations, or the economy of the United States, or to the public confidence, civil liberties, or public health and safety of the American people.