Rewrite of U.S. Government Cybersecurity May Be In The Cards In 2022, Part II
EDPS finds Parliament has violated EU data protection law; FCC floats rules to dole out $14.2 billion for connectivity; FTC ups civil fines
First, a bit of news. The Wavelength will transition to a paid product, but there will still be a free version available. The scope and shape of this change are still being worked out but should be settled by January 2022.
Second, in observance of the holiday in the United States to honor the Rev. Martin Luther King Jr, The Wavelength will not publish on 17 January.
The United States (U.S.) House Oversight and Reform Committee held a hearing to officially kick off its effort to reform the foundational law that governs the cybersecurity and information security of U.S. agencies: the Federal Information Security Management Act (FISMA). Yesterday, I delved a bit into the background of efforts to reform FISMA emanating from the Senate in the form of an amendment that did not get added to the FY 2022 National Defense Authorization Act (NDAA) (P.L. 117-81). And, while it may superficially appear that only the Senate was ready to overhaul FISMA for the first time in seven years, it is highly unlikely the Senate Homeland Security and Governmental Affairs Committee was acting without agreement on the bill from the House Oversight and Reform and Homeland Security Committees. Be that as it may, as noted, the FISMA bill was omitted from the annual defense policy bill, and the committees of jurisdiction in the House are restarting the effort to update the U.S. government’s cybersecurity and information security laws.
In a background memorandum distributed in advance of the hearing, committee staff laid out the events prompting Congress to revisit FISMA:
The evolution of technology and information systems during the lifespan of FISMA has had profound ramifications for federal cybersecurity. According to OMB, federal agencies reported 30,819 cybersecurity incidents in Fiscal Year 2020—an increase of 8% compared to the previous year—and six major incidents. Since then, a series of major incidents and newly discovered vulnerabilities have profoundly affected the federal information security landscape:
§ SolarWinds Breach. In December 2020, a major breach was identified in software issued by SolarWinds, a technology company providing IT management products. The breach allowed Russian actors to infiltrate and roam the networks of at least nine federal agencies and 100 private sector companies for seven months prior to discovery of the breach.
§ Cyber Espionage by China. In March 2021, Microsoft announced an attack in which Hafnium, a group of hackers operating on behalf of China, exploited four vulnerabilities of the Microsoft Exchange Server to steal data and embed in compromised networks. The attack marked the eighth time in 12 months that Microsoft announced nation-state actors targeting institutions critical to civil society. In July, the United States joined the European Union, the United Kingdom, the North Atlantic Treaty Organization (NATO), and other allies in condemning China’s use of criminal contract hackers to conduct cyber espionage, including through the exploitation of the Microsoft Exchange Server vulnerabilities.
§ Major Ransomware Attacks. On May 7, 2021, a ransomware attack by DarkSide, a cybercrime group linked to Russia, on Colonial Pipeline Company shut down the largest fuel pipeline in the United States and limited fuel supplies to the East Coast. The company was breached through a dormant virtual private network account accessed using a leaked password that had been posted on the dark web, and DarkSide threatened to release 100 gigabytes of stolen data from Colonial. The company paid the demanded ransom of $4.4 million, about half of which was recovered by the Department of Justice. Additional major ransomware attacks were waged against JBS USA, a U.S.-based meat producer, and Kaseya, an American software firm, by REvil, a Russian ransomware-as-a-service organization.
§ Log4j Software Vulnerability. On December 9, 2021, a vulnerability was discovered in freely available and widely used open-source software provided by the Apache Foundation called Log4j. Mitigation is ongoing, but because the software has been used to build a vast array of web services for almost a decade, identifying vulnerable applications and servers is difficult. Deploying the remediated version of Log4j is complex. The Director of CISA has called the Log4j vulnerability the most serious vulnerability she has seen in her decades-long career.
And while it is true the recent spate of novel high-profile attacks, penetrations, and exfiltrations have grabbed the attention of policymakers, the U.S. government’s dashboard has been flashing red for some time, so to speak. For example, in 2015, a few months after the current FISMA was enacted, the U.S. Government Accountability Office (GAO) found that federal information technology (IT) procurement and development needed to be added to its High Risk List and redoubled its view that the security of U.S. government systems and the personally identifiable information (PII) contained therein were at even more risk. Let us also not forget the massive hack of the Office of Personnel Management that resulted in the compromise of security clearance and personnel data of thousands of U.S. government employees, most likely by the People’s Republic of China (PRC) (see this Lawfare piece on the implications and this WIRED piece on the hack for background). In its 2021 update to the High Risk List, the GAO flagged “Ensuring the nation’s cybersecurity” as an area that has gotten worse.
And this brings us to the hearing. Chair Carolyn Maloney (D-NY) and Ranking Member James Comer (R-KY) struck bipartisan, very cooperative notes in their opening statements, calling for a vast revamp of FISMA. Maloney noted that the committee’s discussion draft “contains key similarities to its companion legislation in the Senate” and also asked that the Senate pass the “FedRAMP Authorization Act” (H.R.21), legislation to codify and reform how the U.S. government evaluates and uses cloud computing and similar services. Comer emphasized a number of times that agencies should not be saddled with more “red tape” and burdensome reporting requirements.
Venable Senior Director of Cybersecurity Services Grant Schneider asserted (watch his opening statement):
FISMA is focused on directing federal agencies to develop and implement risk management programs to secure federal information and information systems. There are many areas where agencies need to focus their attention. As you consider updates to this keystone piece of legislation, I encourage you to address five key areas.
1. Clarify key federal cybersecurity roles and responsibilities: Since the last update to FISMA, Congress has established the Cybersecurity and Infrastructure Security Agency (CISA) within the Department of Homeland Security as well as the National Cyber Director (NCD) within the Executive Office of the President. These have been important additions to the federal cybersecurity ecosystem and require clarification of roles and responsibilities with respect to federal cybersecurity. I recommend Congress clarify the roles and responsibilities at a high level and direct the President to clarify them in more detail. At a high level I see the roles and responsibilities with respect to federal cybersecurity as:
§ NCD - Overall cybersecurity strategy of the United States
§ OMB – Policy development and oversight (including agency reporting and accountability) of federal cybersecurity
§ CISA - Operational cybersecurity coordination to assist federal agencies with the protection of their systems
§ NIST – Develop cybersecurity standards and guidelines
§ Agencies - Develop and implement their risk management programs
2. Codify the role of the Federal Chief Information Security Officer as a Presidentially appointed position within OMB with appropriate budget and oversight authorities, including:
§ Serve as Deputy National Cyber Director
§ Chair the Federal Acquisition Security Council (FASC)
§ Serve as a permanent member of the TMF board
§ Approval authority for the CISA budget
§ Approval authority of agency cybersecurity budgets
3. As part of their risk management programs, require agencies to have greater situational awareness of their technology environments. This includes real-time inventories of hardware and software; supply chain assessments of those inventories; understanding of the actions being performed within their environment; and fully inspecting network sessions to identify and mitigate the techniques used to compromise systems. All these items can contribute to or complement an agency’s move to a Zero Trust environment.
4. Hold OMB accountable for maintaining the definition of a major incident to ensure the right level of information is being reported to Congress. Additionally, an annual or bi-annual briefing from OMB, the NCD, and CISA to Congressional staff could be required to review federal cybersecurity incidents.
5. Require greater alignment of core cybersecurity requirements based on National Institute of Standards and Technology guidance for both National Security Systems and non-National Security Systems. This will help streamline industry’s ability to develop and provide solutions for the Department of Defense, the Intelligence Community, and Federal Civilian Agencies.
Information Technology Industry Council (ITI) Senior VP of Policy Gordon Bitko said (watch his opening statement):
Many federal agencies’ struggles with cybersecurity can be attributed to the nature of the current Federal Information Security Management Act (FISMA) and, in particular, three issues related to it:
1) The existing law’s focus on inputs and compliance with planning requirements and process, rather than outcomes. In its current form, FISMA requires careful adherence to procedure and outputs like detailed inventories of systems, the use of approved security controls to protect information, and annual reports on the state of agency programs. But it has few direct provisions to actually evaluate and assess the effectiveness of those security measures in real time, and therefore does not promote real risk management.
2) FISMA’s requirements that create duplication of effort across agencies. FISMA requires each agency to develop its own information security programs with no incentive for leveraging shared services or accepting security assessments or best practices from other agencies. This leads to significant duplication of effort across agencies, as agency security officials are frequently unable or unwilling to leverage work done elsewhere in the government.
3) A lack of comprehensive real-time information under the current FISMA. Too much information collection across agencies is provided through manual processes, annual updates, and in accordance with agency-specific interpretations or definitions. As a result, it is nearly impossible for CISA or OMB to obtain a clear and timely view of the state of information security across the whole of the federal enterprise, because so much work must go into managing the existing data and reports in very manual and inefficient ways. At the same time, the lack of standardization and inconsistent definitions makes cross-agency re-use of information, such as what could be included in a security assessment, difficult to accomplish.
I offer the following recommendations for your consideration, which I am convinced are needed to ensure any reforms to FISMA are set up for success:
A) Promote a risk-based approach with a focus on outcomes;
B) Establish formal processes to promote the reciprocity of security reviews across government, focusing on accepting previously developed evidence supporting the system authorization process;
C) Ensure additional alignment between security requirements for national security systems and non-national security systems;
D) Ensure consistency through a holistic, governmentwide approach to updating FISMA in line with other federal cybersecurity frameworks, including drawing on best practices and lessons learned from private industry;
E) Drive automation of assessment processes, including adopting standardized information-sharing procedures across government; and
F) Improve audits of FISMA compliance through widespread and continuous monitoring.
Consultant Renee Wynn (watch her opening statement) stated:
As Congress contemplates the next iteration of FISMA, there are several areas ripe for consideration: cyber aspects of supply chain risk management, internet of things, and the interconnectivity of government operations.
The next iteration of FISMA should include provisions on addressing the cyber risks posed through the information and communications technology (ICT) supply chain used by the federal government. US federal government operations are dependent upon ICT solutions for mission and mission support delivery. To this end, the US government must assess the potential risk posed through the ICT supply chain prior to purchasing and deploying on federal networks. There are well-resourced nation state cyber threat actors that intentionally target all tiers of the ICT supply chain by embedding malicious functionality. Adding to this risk is the fact that most US government procurements are public and open, and are thus more vulnerable to nation states because they know what to target. These attacks are often sophisticated and difficult to detect.
The advent of technological advances provides opportunities for government operations to be more effective and efficient. These advances also increase complexity and risk, including cybersecurity risk. The growth of telehealth and use of internet of things medical devices (for example blood pressure cuffs, scales, heart monitors) during the pandemic has allowed medical services to be delivered during a trying time, but they add risk. The next iteration of FISMA must mandate that the US federal government use secure IoT, especially for medical purposes. Mandates from law could accelerate the development of more secure IoT. Departments and Agencies should also report on the use of IoT and how it is being secured. These reports should not be made public because the more nation state threat actors know about federal operations, the more vulnerable those operations become.
The US federal government relies upon networks and devices that are interconnected between Departments and Agencies. For example, there are only a few service centers for processing federal payments. Thus, every Department and Agency is connected to transmit payment data. These points of connection, if not properly upgraded, managed, and monitored, create greater cyber risk, including the easy transmission of malicious code amongst Departments and Agencies. Also, the data while in transit are at risk of compromise if poor cybersecurity practices are employed. A lack of attention to proper cybersecurity interconnectivity practices was a cause of the OPM breach in 2015. More and more government operations will be dependent upon cross-agency interconnectedness; thus the laws must be updated to encompass this.
In addition to legislative changes, Congress must continue to hold the heads of Departments and Agencies accountable for addressing cybersecurity risks. This is about ensuring a culture attentive to cybersecurity risks. This doesn’t require legislative changes. Simply, Congress can include cybersecurity questions during budget, authorization, and large program hearings. Some questions for consideration are as follows: What are your biggest cybersecurity risks and what are you doing to mitigate them? Are they included in your enterprise risk management or program management strategies? What critical systems are being modernized? What’s the status of modernization? Congress has a role in advancing the federal government’s culture of cybersecurity through accountability.
GAO Director of Information Technology and Cybersecurity Jennifer R. Franks remarked (watch her opening statement):
Our preliminary results show that in fiscal year 2020, the 23 civilian CFO Act agencies reported progress toward meeting federal cybersecurity targets; nevertheless, a majority of the agencies reported not fully meeting the targets. In addition, IGs rated the majority of these 23 agencies as having ineffective IT security programs. Further, in our recent reports, we identified significant weaknesses in both government-wide cybersecurity initiatives and individual CFO Act agencies’ IT security programs.
According to our preliminary results, officials such as CIOs and CISOs at each of the 23 civilian CFO Act agencies and DOD reported that FISMA and its reporting process have enabled their agencies to improve the effectiveness of their information security programs. Even so, officials from most of the agencies identified impediments to implementing FISMA requirements and meeting the reporting metrics. In light of both these benefits and impediments, the officials made suggestions for improving the implementation of FISMA and its reporting process.
Agency officials also provided a number of suggestions for improving the effectiveness of the FISMA metrics, annual evaluations, and reporting process. Of the 24 CFO Act agencies, for example:
§ Update the metrics to increase their effectiveness. Officials at 11 agencies offered various suggestions for updating the FISMA metrics and keeping them current to enhance their effectiveness. In addition to general suggestions to update out-of-date metrics, agency officials discussed changing how metrics were scored, as well as adding metrics related to specific cybersecurity concerns. Officials from DHS who help develop the metrics agreed with the agencies’ suggestions to update the metrics, and stated that they work to annually update the metrics to address threats and vulnerabilities and to remove out-of-date metrics. The officials further stated that, during the annual update process, they obtain feedback about agencies’ concerns via meetings and email.
§ Focus FISMA reviews more on factors such as risk than compliance. Officials at 10 agencies stated that the annual FISMA inspectors general audits should be focused less on compliance with the metrics and more on other factors such as risk management. In December 2021, OMB issued guidance that attempts to shift the emphasis of FISMA reporting away from compliance and in favor of risk management. For example, the guidance encourages IGs to focus on the practical security impact of weak control implementation, rather than strictly evaluating from a view of compliance or the mere presence or absence of controls.
§ Increase the use of automation. Officials at eight agencies suggested that the FISMA reporting process include more automation instead of manual data calls. OMB’s December 2021 guidance emphasizes automation and the use of machine-readable data to speed up reporting, reduce the burden on agencies, and improve outcomes. The guidance further directs the development of a strategy to enable agencies to report performance and incident data in an automated, machine-readable manner.
§ Improve the IG evaluation process and the maturity-rating model. Officials at eight agencies suggested making changes to the IG evaluation process and the maturity ratings. For example, agency officials suggested that the overall IG rating be changed to include additional graduated levels between effective and not effective to reflect the degree of effectiveness. DHS officials stated that they were in favor of the suggestion to develop a gradient rating scale. Specifically, the officials stated that the effective/not effective binary rating did not adequately communicate the status of an information security program’s effectiveness.
§ Reduce the frequency of FISMA-required independent annual reviews/evaluations. Officials at seven agencies recommended lessening the frequency of FISMA-mandated audits to reduce the burden of the annual review cycle. According to its December 2021 guidance, OMB will be implementing a new reporting cycle for the IG FISMA metrics. Specifically, the guidance states that OMB will select a core group of prioritized metrics that will still be evaluated annually; the other metrics will be evaluated on a 2-year cycle on a calendar agreed to by OMB and its partners.
Alliance for Digital Innovation Executive Director Ross Nodurft stated (watch his opening statement):
On the topic of FISMA reform, ADI believes that there are several important areas that warrant attention from the members of this committee. These include the need to:
§ Update and Align Cybersecurity Roles and Authorities – changes to FISMA should reflect the new roles and authorities of the National Cyber Director (NCD) as well as the responsibilities of the Federal CISO at OMB and the Director of the Cybersecurity and Infrastructure Security Agency (CISA), many of which have evolved in recent years;
§ Address Incident Response, Breach Notification, and Vulnerability Management – given the proliferation of incidents, breaches, and vulnerabilities, updated FISMA legislation should codify practices and policies that keep Congress informed in a way that will allow for effective oversight while giving departments and agencies the flexibility and time to respond to and report incidents, breaches, and vulnerabilities without disrupting or impacting their responses;
§ Reinforce the Government’s Shift to Commercial Technologies, Use of Automation and Meaningful Reciprocity – as the government’s information technology ecosystem shifts to more modern, cloud-based solutions, agencies should embrace technologies and services that enable security in these zero trust environments and leverage best-in-class industry partners to assist with the buildout of those environments. This bill should make it easier for agencies to issue authorizations to operate through strategies that include use of automation and offer reciprocity across agencies and across compliance regimes;
§ Effectively Budget for Cybersecurity and Invest in Risk Management – securing large enterprises, especially those that have legacy technology and modernization backlogs, can be expensive. Congress must encourage agencies to budget for technology and services that can effectively buy-down the risks to their environments. As agencies continue to modernize their systems, agencies should pivot their cybersecurity spend to move towards tools and services that enable zero trust environments; and
§ Modernize and Standardize Cybersecurity Performance Metrics and Measurements – as agencies modernize technology, move to cloud-based environments, take steps to enhance security, and migrate to zero trust architectures, oversight offices must also modernize the measurements used to track agency progress and measure security. Successful cybersecurity must be defined through outcomes, and those outcome-driven, risk-based metrics must be consistent across the various oversight entities.
Other Developments
§ The European Data Protection Supervisor (EDPS) has sanctioned the European Parliament for using companies that have been transferring personal data to the United States (U.S.) in violation of Schrems II. This action flowed from a complaint filed by none of your business (noyb), which claimed in its press release:
o Complaint filed one year ago. In January 2021, noyb filed a complaint against the European Parliament on behalf of six Members of the European Parliament over an internal corona testing website. The issues raised were deceptive cookie banners, vague and unclear data protection notices, and the illegal transfer of data to the US. The EDPS investigated the matter and issued a reprimand on the Parliament for violation of the "GDPR for EU institutions" (Regulation (EU) 2018/1725 applicable only to EU institutions).
o Illegal data transfers to the US. In the so-called "Schrems II" case, the CJEU made clear that the transfer of personal data from the EU to the US is subject to very strict conditions. Websites must refrain from transferring personal data to the US where an adequate level of protection for the personal data cannot be ensured. The EDPS confirmed that the website actually transferred data to the US without ensuring an adequate level of protection for the data and highlighted: "the Parliament provided no documentation, evidence or other information regarding the contractual, technical or organisational measures in place to ensure an essentially equivalent level of protection to the personal data transferred to the US in the context of the use of cookies on the website."
o In August 2020, noyb filed 101 complaints against EU companies that included Google and Facebook functions on their websites. After the forming of a "task force" by the relevant data protection authorities, noyb soon expects rulings for private websites that follow the EDPS decision.
o Confusing cookie banner. The Complaint also raised that the site’s cookie banners were unclear and deceptive. For example, not all cookies were listed by the banners and there was divergence between language versions. Consequently the users were not able to give valid consent. During the investigation, the Parliament removed all cookies from its website. noyb is currently working on similar complaints on cookie banners, which is supported by this decision.
o Unclear and irrelevant information. In addition, the complaint noted that the privacy policy was not clear and transparent since it referred to the COVID testing of the Brussels airport or to a wrong legal basis. During the investigation, the Parliament changed its policy but made it partly even worse. noyb raised the different inconsistencies in the new privacy policy of the EP. The EDPS agreed that the information provided by the Parliament was violating the obligation of transparency, which is a basic legal requirement under data protection law. Finally, the EDPS also held that the Parliament did not adequately reply to the access request of the complainants.
o No fine, but a reprimand and an order to comply. The EDPS issued a reprimand against the Parliament for the different violations of the Data Protection Regulation applicable to the EU institutions. Contrary to national DPAs under the GDPR, the EDPS can only issue a fine in limited circumstances that were not met in this case. In addition, the EDPS gave the Parliament one month to update its data protection notice and address the remaining issues regarding transparency.
§ The United States (U.S.) Federal Communications Commission’s (FCC) Chair Jessica Rosenworcel “circulated and released to the public a draft Report and Order and Further Notice of Proposed Rulemaking that, if adopted, would establish the rules for the $14.2 billion Affordable Connectivity Program, pursuant to Congressional directives in the Infrastructure Investment and Jobs Act of 2021” per her press release.
§ The United Kingdom’s Department for Digital, Culture, Media & Sport (DCMS) issued guidance for Project Gigabit.
§ The United States (U.S.) Federal Trade Commission (FTC) updated “the maximum civil penalty dollar amounts for violations of 16 provisions of law the agency enforces, as required by the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015.” The FTC bumped up the “[t]he maximum civil penalty amount…from $43,792 to $46,517 for violations of Sections 5(l), 5(m)(1)(A), and 5(m)(1)(B) of the FTC Act, 7A(g)(1) of the Clayton Act and Section 525(b) of the Energy Policy and Conservation Act. It has increased from $576 to $612 for violations of Section 10 of the FTC Act. The maximum civil penalty amount has increased from $1,246,249 to $1,323,791 for violations of Section 814(a) of the Energy Independence and Security Act of 2007.” This is noteworthy because the first category of civil fines is the one referenced in almost all the data privacy bills as the financial liability entities would face per violation of a new privacy regime. Moreover, at present, the FTC can seek these types of penalties under the Health Breach Notification Rule.
§ The United States (U.S.) Department of the Treasury explained in its press statement that it has “issued the Final Rule for the State and Local Fiscal Recovery Funds (SLFRF) program, enacted as a part of the American Rescue Plan, which delivers $350 billion to state, local, and Tribal governments to support their response to and recovery from the COVID-19 pandemic.” Treasury stated:
o To date, Treasury has distributed more than $245 billion to state, local, and Tribal governments as a part of the SLFRF program, accounting for over 99% of funds eligible to be disbursed in 2021 – including funds to many communities that had not received federal assistance since the onset of the pandemic. Recipients of funds were encouraged to begin using funds under the interim final rule, which was released in May 2021.
o The final rule – which takes effect on April 1, 2022 – provides state and local governments with increased flexibility to pursue a wider range of uses, as well as greater simplicity so governments can focus on responding to the crisis in their communities and maximizing the impact of their funds.
The State and Local Fiscal Recovery Funds Program final rule provides additional clarity and flexibility for recipient governments, including:
§ First, Treasury has expanded the non-exhaustive list of uses that recipients can use to respond to COVID-19 and its economic impacts – ensuring states and localities can adapt quickly and nimbly to changing public health and economic needs. This includes clarifying that recipients can use funds for certain capital expenditures to respond to public health and economic impacts and making services like childcare, early education, addressing learning loss, and affordable housing development available to all communities impacted by the pandemic.
§ Second, Treasury has expanded support for public sector hiring and capacity, which is critical for the economic recovery and in maintaining vital public services for communities.
§ Third, Treasury has streamlined options to provide premium pay for essential workers, who bear the greatest health risks because of their service in critical sectors.
§ Fourth, Treasury has broadened eligible water, sewer, and broadband infrastructure projects – understanding the unique challenges facing each state and locality in delivering clean water and high-speed broadband to their communities.
§ In addition to these expansions, Treasury has greatly simplified the program for small localities – many of whom have received a historic federal investment in their communities through this program – including through the option to elect a standard allowance for revenue loss rather than calculating revenue loss through the full formula.
§ The United States (U.S.) Federal Aviation Administration (FAA) “released the list of 50 airports that will have buffer zones when wireless companies turn on new 5G C-band service on January 19” as explained in its press release. The FAA added:
o Many airports are not currently affected by the new 5G deployment, even though they are not on this list. These include airports not in the 46 markets where the new service will be deployed and airports that do not currently have the ability to allow low-visibility landings.
o The wireless companies agreed to turn off transmitters and make other adjustments near these airports for six months to minimize potential 5G interference with sensitive aircraft instruments used in low-visibility landings.
o The FAA continues to work with the aerospace manufacturers and wireless companies to make sure 5G is safely deployed and to limit the risk of flight disruptions at all airports.
§ The United States (U.S.) General Services Administration (GSA) issued an “interim rule [that] implements certain provisions of the DOTGOV Act of 2020… that transfer ownership, management and operation of the DotGov Domain Program from the General Services Administration (GSA) to the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA).”
§ United States (U.S.) Senators Rob Portman (R-OH), Jacky Rosen (D-NV), Roger Wicker (R-MS), and others wrote “Secretary of Homeland Security Alejandro Mayorkas and Secretary of Transportation Pete Buttigieg requesting information about the two Departments’ ability to meet their responsibilities, as co-Sector Risk Management Agencies (SRMA), to detect, prevent, and respond to cyber threats to the nation’s critical transportation infrastructure” according to their press release. They claimed:
o We write to request information on the implementation of the U.S. Department of Homeland Security (DHS) and U.S. Department of Transportation’s (DOT) responsibilities as Co-Sector Risk Management Agencies (co-SRMAs) for the nation’s critical transportation infrastructure. In anticipation of increasing cybersecurity threats to transportation systems, DHS and DOT must have the capabilities and resources to prevent and address these threats. As such, we request information about DHS and DOT’s security-related processes to detect, prevent, and respond to cyber threats, including the responsibilities of each component agency under the Transportation Systems Sector-Specific Plan to secure the nation’s critical infrastructure.
o Cyberattacks on American transportation infrastructure are escalating in frequency and severity, as evidenced by the ransomware attack earlier this year on Colonial Pipeline, one of the nation’s largest pipelines, which led to the shutdown of a network that carries nearly half the gasoline, diesel, and jet fuel for the East Coast. At the same time, many state and local transit agencies are not fully equipped to implement more than basic cybersecurity protections. In fact, a study by the Mineta Transportation Institute found that only 60% of transit agencies had a cybersecurity plan in place last year. Nevertheless, other entities in the extensive and diverse transportation sector, which includes aviation, highways, motor carriers, maritime transportation, railroads, rail transit, and pipelines, have been implementing comprehensive cybersecurity plans for decades in collaboration with Federal agencies. As such, federal efforts to ensure that our nation is properly prepared to address cybersecurity threats to the transportation system require a delicate balance to provide critical assistance to entities that need new or additional cybersecurity support, while recognizing effective practices that some entities already have in place.
§ Representative Kathy Castor (D-FL) and Consumer Protection and Commerce Subcommittee Chair Jan Schakowsky (D-IL) wrote “to all of the Children’s Online Privacy Protection Act (COPPA) Safe Harbor programs requesting information to ensure that they are fulfilling their legal obligations to provide “substantially the same or greater protections for children” as those detailed in the COPPA Rule as well as soliciting feedback on how best to improve the Safe Harbor program.” They argued:
o Unfortunately, there are signs that COPPA Safe Harbor organizations are not adequately doing their job. Former FTC Commissioner Chopra, in prepared remarks on April 4, 2019, and in a statement on May 19, 2020, said that the FTC and Congress need to take steps to “[beef] up oversight of the COPPA Safe Harbor program.” Some of the actions then-Commissioner Chopra proposed include: “Limiting conflicts of interest by COPPA Safe Harbors by restricting additional fee-based consulting offered by affiliates of the Safe Harbor to participating websites and apps,” and “Disclosing COPPA Safe Harbor performance data to the public, including complaints handled and disciplinary actions taken.”
o Congress and the FTC need to consider all options to protect our children online. As members of the House Committee on Energy and Commerce, which has jurisdiction over the COPPA Safe Harbor Program, we are committed to conducting oversight to guarantee the participants in this program are fulfilling their legal obligations to provide “substantially the same or greater protections for children” as those detailed in the COPPA Rule. We are also committed to exploring ways in which Congress can strengthen COPPA and the COPPA Rule.
§ The United States (U.S.) Department of Commerce’s Bureau of Industry and Security has delayed until March 2022 the effective date of a rule “that establishes new controls on certain cybersecurity items for National Security (NS) and Anti-terrorism (AT) reasons, along with a new License Exception, Authorized Cybersecurity Exports (ACE), that authorizes exports of these items to most destinations.”
§ A new version of the “New York Privacy Act” (A680B/S6701A) has been introduced, and the legislative intent is:
o This act seeks to help New York consumers regain their privacy. It gives New York consumers the ability to exercise more control over their personal data and requires businesses to be responsible, thoughtful, and accountable managers of that information. To achieve this, this act provides New York consumers a number of new rights, including clear notice of how their data is being used, processed and shared; the ability to access and obtain a copy of their data in a commonly used electronic format, with the ability to transfer it between services; the ability to correct inaccurate data and to delete their data; and the ability to challenge certain automated decisions. This act also imposes obligations upon businesses to maintain reasonable data security for personal data, to notify New York consumers of foreseeable harms arising from use of their data and to obtain specific consent for that use, and to conduct regular assessments to ensure that data is not being used for unacceptable purposes. These data assessments can be obtained and evaluated by the New York State Attorney General, who is empowered to obtain penalties for violations of this act and prevent future violations. This act also grants New York consumers who have been injured as the result of a violation a private right of action, which includes reasonable attorneys' fees to a prevailing plaintiff.
Further Reading
§ “Lithuania secures extra $1B pledge from Taiwan amid China blockade” By Stuart Lau — Politico EU. Taiwan Tuesday substantially stepped up its financial pledges to Lithuania with a $1 billion credit fund to bolster the Baltic nation in its showdown with China. The initiative came just days after Taipei announced a $200 million fund to invest in strategic sectors in Lithuania, which is facing a full trade embargo from Beijing. Reacting furiously to warming ties between Vilnius and Taipei, China is not only blocking Lithuanian goods but also products from other EU states that use Lithuanian-made components.
§ “Cable TV Is the New Landline” By Shira Ovide — The New York Times. People have been predicting the death of cable TV for a long time, but this really might be it. As recently as a decade ago, nearly all Americans — more than 85 percent of U.S. households — paid for packages of TV channels from cable or satellite companies. That started to decline haltingly at first and then far more quickly in the past few years.
§ “Your Google home speakers are about to get slightly worse because Sonos sued and won” By Mitchell Clark — The Verge. If you have multiple Google smart speakers in your house, you might want to be aware of a certain legal ruling — because it’s going to affect how your speaker groups work. After the US International Trade Commission ruled that it was infringing on Sonos’ patents, Google has already announced software workarounds including the “need to adjust each speaker individually instead of using the group volume controller,” and that users will no longer be able to adjust a speaker group’s volume with their phone’s volume rocker. It blames this change on “a recent legal ruling,” one which you can read all about right here.
§ “New Lawsuit Seeks to Hold Facebook Liable in Shooting Death of Federal Security Guard” By Justin Scheck and Zusha Elinson — The Wall Street Journal. A lawsuit filed Wednesday seeks to hold Facebook’s parent company liable in the 2020 killing of a federal security guard, in the latest effort to challenge the protections given to websites hosting user-generated content.
§ “CEOs make final push to ban targeted ads” By Clothilde Goujard — Politico EU. A coalition of business leaders and advocates is making a final attempt to ban key forms of targeted advertising online — a push that, if successful, would disrupt the internet economy as we know it. The push comes as the European Parliament is set to vote next week in a plenary session on the Digital Services Act, a law that aims to rein in illegal content online. So far, supporters of a ban on targeted advertising have failed to gather a majority in favor, and France's digital minister, Cédric O, told POLITICO yesterday that his country — which holds the EU's rotating presidency — has no intention of banning targeted ads.
§ “FBI Honeypot Phone Company Anom Shipped Over 100 Phones to the United States” By Joseph Cox — Vice. Anom, the encrypted phone company secretly commandeered by the FBI and which surreptitiously provided all of its users’ messages to the authorities, shipped many more devices into the U.S. than previously understood, according to multiple files obtained by Motherboard.
§ “Google is manipulating browser extensions to stifle competitors, DuckDuckGo CEO says” By Cristiano Lima — The Washington Post. Google is already facing mounting legal challenges from regulators globally who accuse the tech giant of maintaining an illegal monopoly over its search and digital advertising businesses. But now one of its most prominent rivals is alleging that the titan is abusing browser extensions to favor its products and stifle competitors, adding a new wrinkle to the high-stakes antitrust debate and momentum to calls for new regulation.
§ “Macron goes after online platforms, foreign ‘propaganda’ media” By Laura Kayali — Politico EU. French President Emmanuel Macron says online platforms and foreign "propaganda" media are the main drivers behind the spread of disinformation in the country — and he wants to rein them in. "Online platforms, influencers, and also citizens who sometimes take a considerable place in the public debate precisely through these new platforms ... must have a framework of responsibility that is yet to be built," he said Tuesday during the annual new year speech before the country's press corps. "The same must apply to foreign media authorized to broadcast on French soil," the president added, in a clear allusion to Russian outlets such as Sputnik and RT.
§ “Slow Uptake of 5G Goes Beyond FAA Delay” By Suman Bhattacharyya — The Wall Street Journal. The delay in the rollout of 5G is only the latest of several factors making companies cautious on deploying the next-generation wireless service in their operations, analysts and industry executives say. On Monday, AT&T Inc. and Verizon Communications Inc. agreed to postpone their 5G rollouts until Jan. 19 to give the Federal Aviation Administration more time to assess whether the new wireless signals interfere with flight control systems.
§ “FAA Lists 50 Airports Exempt From New 5G Rollout” By Alexandra Kelley — Nextgov. Following the dramatic back-and-forth between Verizon, AT&T, the Federal Communications Commission and the Department of Transportation over the safety of 5G deployment last week, the Federal Aviation Administration formally listed 50 airports that will be exempt from the new C-band service.
§ “Net neutrality will make a comeback in 2022” By Marguerite Reardon — CNET. A new chapter in the ongoing saga of net neutrality and who governs the internet will take shape over the next year thanks to another shift in power at the Federal Communications Commission. With new appointees from President Joe Biden firming up a Democratic majority at the agency, reinstating Obama-era net neutrality rules thrown out under the Trump administration will be a top priority for the agency.
§ “Tech antitrust bills’ make or break moment” By Margaret Harding McGill and Ashley Gold — Axios. Lawmakers and lobbyists anticipate a major fight over antitrust bills meant to tame Big Tech, before the midterms put an unofficial end to the legislative effort.
§ “UK data watchdog seeks talks with Meta over child protection concerns” By Dan Milmo — The Guardian. The UK’s data watchdog is seeking clarification from Mark Zuckerberg’s Meta about parental controls on its popular virtual reality headset, as campaigners warned that it could breach an online children’s safety code.
§ “Germany: Antitrust regulator says ready to tackle Google” — Deutsche Welle. Germany's Federal Cartel Office on Wednesday paved the way for action to curb any potentially anti-competitive actions by Google and its owner, Alphabet, through new powers it has gained under an amendment of the German Competition Act.
Coming Events
§ 13 January
o The United States (U.S.) Senate Judiciary Committee will hold a hearing to consider judicial nominations and the “American Innovation and Choice Online Act” (S.2992) (see here for a press release summarizing the bill).
§ 17-28 January
o The United Nations (UN) Ad hoc committee established by General Assembly resolution 74/247 will meet. The UN explained:
§ Through its resolution 74/247, the General Assembly decided to establish an open-ended ad hoc intergovernmental committee of experts, representative of all regions, to elaborate a comprehensive international convention on countering the use of information and communications technologies for criminal purposes, taking into full consideration existing international instruments and efforts at the national, regional and international levels on combating the use of information and communications technologies for criminal purposes, in particular the work and outcomes of the open-ended intergovernmental Expert Group to Conduct a Comprehensive Study on Cybercrime.
§ 18 January
o The European Data Protection Board will hold a plenary meeting.
§ 19 January
o The United States (U.S.) House Science, Space, and Technology Committee will markup legislation, including:
§ The “Bioeconomy Research and Development Act of 2021” (H.R. 4521)
§ The “Promoting Digital Privacy Technologies Act” (H.R. 847)
§ The “Microelectronics Research for Energy Innovation Act” or “Micro Act” (H.R. 6291)
§ 20 January
o The United States (U.S.) Federal Trade Commission (FTC) will hold an open meeting with this tentative agenda:
§ Staff Presentation on Identity Theft and Available Resources for Consumers: Staff will present on the identity theft program, recent trends consumers have reported, and the resources available at IdentityTheft.gov and RobodeIdentidad.gov. The presentation will also highlight the upcoming initiatives during Identity Theft Awareness Week.
o The United States (U.S.) House Energy and Commerce Committee’s Oversight and Investigations Subcommittee will hold a hearing titled “Cleaning Up Cryptocurrency: The Energy Impacts of Blockchains.”
§ 27 January
o The United States (U.S.) Federal Communications Commission (FCC) will hold an open meeting with this agenda:
§ Empowering Broadband Consumers Through Transparency. The Commission will consider a Notice of Proposed Rulemaking that would propose to require that broadband internet access service providers display, at the point of sale, labels to disclose to consumers certain information about their prices, introductory rates, data allowances, broadband speeds, and management practices, among other things. (CG Docket No. 22-2)
§ Connecting Tribal Libraries. The Commission will consider a Report and Order that would amend the definition of library in the Commission’s rules to clarify that Tribal libraries are eligible for support through the E-Rate Program. (CC Docket No. 02-6)
§ Updating Outmoded Political Programming and Record-Keeping Rules. The Commission will consider a Report and Order to update outmoded political programming rules. (MB Docket No. 21-293)
§ Facilitating Better Use of ‘White Space’ Spectrum. The Commission will consider a Second Order on Reconsideration and Order resolving pending issues associated with white space devices and the white spaces databases, enabling unlicensed white space devices to continue operating efficiently while protecting other spectrum users. (ET Docket Nos. 04-186, 14-165)
§ Updating Equipment Authorization Rules. The Commission will consider a Notice of Proposed Rulemaking that would propose to update existing equipment authorization rules to reflect more recent versions of the technical standards that are incorporated by reference and incorporate by reference a new technical standard so that our equipment authorization system can continue to keep pace with technology developments. (ET Docket Nos. 21-363, 19-48)
§ Restricted Adjudicatory Matter. The Commission will consider a restricted adjudicatory matter.
§ National Security Matter. The Commission will consider a national security matter.
§ Enforcement Bureau Action. The Commission will consider an enforcement action.
§ 22 February
o The European Data Protection Board will hold a plenary meeting.
§ 16-17 June
o The European Data Protection Supervisor will hold a conference titled “The future of data protection: effective enforcement in the digital world.”