Senate’s U.S. Tech Bill Takes Shape, Part II
The combined legislation Senate committees have crafted to address the United States’ (U.S.) technology industry debuted in the Senate.
One of the few things on which Republicans and Democrats can agree is that action is needed against the People’s Republic of China (PRC).
Cocktail Party
The Senate is moving closer to sending a massive package to the House that would provide more than $50 billion for semiconductor incentives and programs and authorize more than $100 billion for a range of research and development programs. The impetus for the legislation is to ensure the U.S. maintains its place as the dominant power around the globe, especially in areas where the PRC has been encroaching. The House has started work on its own bill with an uncertain timeline.
Meeting
The Senate Majority Leader has pulled together a number of bills into a lengthy package of provisions that would task the Biden Administration with implementing many new programs and initiatives. Odds of Senate passage look good, and the House may follow suit with its own bill soon. A conference committee could hammer out a final compromise bill.
Geek Out
Senate Majority Leader Chuck Schumer (D-NY) filed the consolidated tech bill, named the “United States Innovation and Competition Act of 2021,” as a substitute amendment to S.1260. This new bill brings together the “Endless Frontier Act” (S.1260), the “Strategic Competition Act Of 2021” (S.1169), the “Securing America’s Future Act” (i.e., a number of bills the Senate Homeland Security and Governmental Affairs Committee marked up and reported out), and the “Meeting The China Challenge Act Of 2021.”
The impetus for the bill is succinctly explained in the U.S.-China Economic and Security Review Commission’s recent annual report to Congress:
In China’s most recent industrial policy wave, set by the 2016 Innovation-Driven Development Strategy, which includes the Made in China 2025 plan, policymakers have promoted the development of China’s digital ecosystem and accompanying regulatory architecture. The CCP believes China faces a rare historic opportunity to establish control over a cluster of revolutionary, networked technologies, including high-speed internet, sensors, telecommunications, artificial intelligence, robotics, and smart city infrastructure. Doing so could allow Beijing to leapfrog the United States and other powerful competitors and lead in the next generation of global innovation.
The Congressional Research Service (CRS) created this infographic to explain the PRC’s focus for the Made in China 2025 plan:
CRS further stated:
§ The plan prioritizes upgrading manufacturing through advances in technology innovation (smart manufacturing) and manufacturing-tied services. Specifically, China aims to:
o By 2025. Boost manufacturing quality, innovation, and labor productivity; obtain an advanced level of technology integration; reduce energy and resource consumption; and develop globally competitive firms and industrial centers.
o By 2035. Reach parity with global industry at intermediate levels, improve innovation, make major breakthroughs, lead innovation in specific industries, and set global standards.
o By 2049. Lead global manufacturing and innovation with a competitive position in advanced technology and industrial systems. (This date coincides with the 100th anniversary of the founding of the People’s Republic of China.)
It is against the backdrop of PRC plans to leapfrog the U.S. in key technologies that this legislation has come together. Of course, there are a number of other U.S.-PRC issues the bill addresses, and many non-PRC specific technology provisions.
There appears to be broad support for this package. Earlier this week, the Senate voted 86-11 on a key procedural vote, suggesting widespread support for the package. If it clears the Senate, it will go to the House, which will likely add provisions of its own, necessitating a reconciling of the two bills.
Yesterday, I covered Titles A, B, and C (i.e. the CHIPS Act (P.L. 116-283), the “Endless Frontier Act” (S.1260), the “Strategic Competition Act Of 2021” (S.1169)).
Before we turn to Titles D and E, the “Securing America’s Future Act” and the “Meeting The China Challenge Act Of 2021,” it bears mention and some discussion that a House committee has started working on counterpart legislation. On 13 May, the House Science, Space, and Technology Committee’s Research and Technology Subcommittee marked up the National Science Foundation for the Future Act (H.R.2225), a bill that would reauthorize National Science Foundation (NSF) programs and increase the authorization of appropriations for the NSF up to $72.65 billion. In a future piece, I’ll get into this bill, especially since it may be the vehicle for the House’s counterpart to the “United States Innovation and Competition Act of 2021.” And, should that be the case, House Republicans are already clamoring to ensure they will be able to shape such a bill. In a letter written to Speaker of the House Nancy Pelosi (D-CA) and House Majority Leader Steny Hoyer (D-MD), all the Ranking Members of House Committees asked:
As Congress considers actions regarding strategic competition with China, we write to urge you to move any such legislation through the House of Representatives under a process of regular order, and that we do not waste this opportunity to develop strong and thoughtful policy by shoehorning it through using reconciliation. As Ranking Members of the Committees engaged in this work, we believe it is vital that any such legislation be developed in a bipartisan, bicameral, open, and transparent process.
Typically, the party that controls the House seeks to first craft a bill members of its party can accept and then seek minority input, often on issues of broad agreement. It has occurred that the majority party has shut out the minority party altogether (e.g., House Republicans’ 2017 legislation to repeal and replace the Patient Protection and Affordable Care Act). It may come to pass that House Democratic leadership works with its committee chairs and key blocs to develop a bill that is brought straight to the floor and Republicans would only get to propose the amendments on which Democrats will allow votes.
In any event, turning back to the United States Innovation and Competition Act of 2021, Title D is the package of bills the Senate Homeland Security and Governmental Affairs Committee marked up earlier this month. The first section, titled the “Build America, Buy America Act” (Subtitle A), sets domestic content preferences for a range of infrastructure programs that U.S. agencies finance in whole or in part. “Infrastructure” is broadly defined to include broadband and electrical transmission facilities and systems. Within six months of enactment, “the head of each Federal agency shall ensure that none of the funds made available for a Federal financial assistance program for infrastructure, including each deficient program, may be obligated for a project unless all of the iron, steel, manufactured products, and construction materials used in the project are produced in the United States.” There is a waiver process in case such materials are not available or produced in sufficient quantities. The Office of Management and Budget (OMB) “shall promulgate final regulations or other policy or management guidance, as appropriate, to standardize and simplify how Federal agencies comply with, report on, and enforce the Buy American Act.” If enacted before an infrastructure bill with funding for broadband, these provisions would likely be applicable and any recipients of funds would need to buy American products and materials or seek waivers.
Subtitle B of the first section is titled the “BuyAmerican.gov Act of 2021,” which would require the General Services Administration (GSA) to establish a website to “include information on all waivers of and exceptions to Buy American laws since the date of the enactment of this Act that have been requested, are under consideration, or have been granted by executive agencies and be designed to enable manufacturers and other interested parties to easily identify waivers.” This “website shall also include the results of routine audits to determine data errors and Buy American law violations after the award of a contract” and “provide publicly available contact information for the relevant contracting agencies.”
The next relevant section of Title D is the “Advancing American AI Act.” OMB would receive additional direction in drafting guidance for federal agencies in using AI as detailed in the FY 2020 omnibus appropriations bill[1] (P.L. 116-260). Specifically, OMB would need to consider—
§ the considerations and recommended practices identified by the National Security Commission on Artificial Intelligence in the report entitled ‘‘Key Considerations for the Responsible Development and Fielding of AI’’, as updated in April 2021;
§ the principles articulated in Executive Order 13960 (85 Fed. Reg. 78939; relating to promoting the use of trustworthy artificial intelligence in Government); and
§ the input of—
o the Privacy and Civil Liberties Oversight Board;
o relevant interagency councils, such as the Federal Privacy Council, the Chief Information Officers Council, and the Chief Data Officers Council;
o other governmental and nongovernmental privacy, civil rights, and civil liberties experts; and
o any other individual or entity the Director determines to be appropriate.
OMB would also need to require each agency to “prepare and maintain an inventory of the artificial intelligence use cases of the agency, including current and planned uses.” Agencies would then share these use cases with OMB which would then inventory them and determine which may be shared with other agencies.
This section tasks OMB with “identif[ying] 4 new use cases for the application of artificial intelligence-enabled systems to support interagency or intra-agency modernization initiatives that require linking multiple siloed internal and external data sources, consistent with applicable laws and policies, including those relating to the protection of privacy and of sensitive law enforcement, national security, and other protected information.” OMB would then conduct pilots of these 4 use cases within three years of enactment.
The Department of Homeland Security (DHS) would have six months to draft and issue policies and procedures for DHS agencies for a range of AI considerations including how and when to buy and use these technologies.
The next section of this title, the “Cyber Response and Recovery Act” revises the Homeland Security Act of 2002 to authorize DHS, in consultation with the Cybersecurity and Infrastructure Security Agency (CISA), to declare that a “significant incident” has occurred, triggering a new suite of powers for these agencies to respond to events. And while the title of the section is clearly focused on cyber events, the definition of “significant incident” is so broadly written, other events could qualify. However, this definition explicitly excludes significant incidents that occur on U.S. government information systems, meaning only private sector and state, local, and tribal government systems are subject to these new powers. Moreover, DHS could declare a “significant incident” is about to occur, allowing the use of authority before something has actually happened.
Upon issuing such a declaration, DHS must “immediately notify the National Cyber Director and appropriate congressional committees.”
Once such a declaration is made, DHS can coordinate the “asset response activities” of all federal agencies. Additionally, a Cyber Response and Recovery Fund is established to coordinate activities during a declaration of a significant incident or to help private sector or state, local, and tribal governments respond and recover from such incidents. The fund would be financed by appropriations or reimbursement by entities which used DHS services. Nonetheless, $20 million would be authorized for appropriations to provide money for the fund.
Thereafter follow sections on federal technology workforce:
§ The “Facilitating Federal Employee Reskilling Act” that would provide federal employees opportunities to get “reskilled”
§ The “Federal Rotational Cyber Workforce Program Act of 2021” would allow and encourage federal cybersecurity personnel to have stints at different agencies
Another subsequent section, the “No TikTok on Government Devices Act” would, as the name indicates, bar the PRC app on U.S. government devices and require the removal from any such devices that currently have it.
The next section, the “National Risk Management Act” would require CISA to “establish a recurring process by which to identify, assess, and prioritize risks to critical infrastructure, considering both cyber and physical threats, the associated likelihoods, vulnerabilities, and consequences, and the resources necessary to address them” within twelve months of enactment. This assessment would then be submitted to the President and Congress, and within one year the President would need to submit to Congress “a national critical infrastructure resilience strategy designed to address the risks identified” by CISA.
The section entitled the “Safeguarding American Innovation Act” would create a Federal Research Security Council that “shall develop federally funded research and development grant making policy and management guidance to protect the national and economic security interests of the United States.” This new body would consist of representatives from federal agencies, and they would implement policies and procedures to ensure U.S. science and research are not appropriated or stolen by other nations. This section is clearly meant to address the instances and allegations that the PRC is strategically pilfering U.S. university research through sending graduate and postdoctoral students to study in the U.S.
Next is Division E, the “Meeting The China Challenge Act Of 2021,” the portion of the bill the Senate Banking, Housing, and Urban Affairs Committee contributed that would reorient U.S. sanctions and export control laws to address the PRC.
The first section of this title provides:
The Department of Justice, the Federal Trade Commission, the Department of the Treasury, and such other Federal agencies as the President determines appropriate shall establish a joint inter-agency task force to investigate allegations of systemic market manipulation and other potential violations of antitrust and competition laws in the United States by companies established in the People’s Republic of China, including allegations of efforts to illegally capture market share, fix or manipulate prices, and control the supply of goods in critical industries of the United States,
This bill expresses the sense of Congress that
The President should use the full range of authorities available to the President...to impose sanctions and other measures to combat malign behavior by the Government of the People’s Republic of China, entities owned or controlled by that Government, and other Chinese individuals and entities responsible for such behavior.
There are provisions directing the President to annually sanction individuals involved with PRC activities in “significant activities” to undermine the cybersecurity of any entity. Significant activities are defined to include:
§ significant efforts—
o to deny access to or degrade, compromise, disrupt, or destroy an information and communications technology system or network; or
o to exfiltrate, degrade, corrupt, destroy, or release information from such a system or network without authorization for purposes of—
§ conducting influence operations; or
§ causing a significant misappropriation of funds, economic resources, trade secrets, personal identifications, or financial information for commercial or competitive advantage or private financial gain;
§ significant destructive malware attacks; or
§ significant denial of service activities.
The President would also receive authority to use sanctions against entities that steal U.S. trade secrets.
The Department of Commerce is directed to “conduct a review of items subject to controls for crime control reasons pursuant to...the Export Administration Regulations.” The agency must then “determine whether additional export controls are needed to protect human rights, including whether—
§ controls for crime control reasons pursuant to section 742.7 of the Export Administration Regulations should be imposed on additional items, including items with critical capabilities to enable human rights abuses involving—
o censorship or social control;
o surveillance, interception, or restriction of communications;
o monitoring or restricting access to or use of the internet;
o identification of individuals through facial or voice recognition or biometric indicators; or
o DNA sequencing; or
§ end-use and end-user controls should be imposed on the export, reexport, or in-country transfer of certain items with critical capabilities to enable human rights abuses that are subject to the Export Administration Regulations if the person seeking to export, reexport, or transfer the item has knowledge, or the Secretary determines and so informs that person, that the end-user or ultimate consignee will use the item to enable human rights abuses.”
The executive branch would be charged with drafting and submitting a range of reports to Congress on the PRC, including:
§ The PRC’s development and utilization of dual use technologies
§ The PRC’s financial payment and messaging apps
§ The PRC’s threat to global financial systems
§ The implementation process for the Committee on Foreign Investment in the United States sharing information with U.S. allies
Finally, Title F includes, among other provisions, Senators Amy Klobuchar (D-MN) and Chuck Grassley’s (R-IA) “Merger Filing Fee Modernization Act of 2021” (S.228), which would increase and index for inflation the fees companies must pay for pre-merger review. This bill also authorizes $252 million for the Antitrust Division of the Department of Justice and $418 million for the Federal Trade Commission to handle the increased volume of pre-merger applications.
Other Developments
§ The White House has made a bit more information available on the specifics of the American Jobs Plan, some of which has been revealed elsewhere. In a fact sheet, the administration asserted “President Biden has made strengthening U.S. cybersecurity capabilities a top priority and has already taken action to advance it, including with last week’s Executive Order.” The White House claimed “[t]he American Jobs Plan will build on that work and deliver resilient infrastructure for the American people, including a renewed electric grid...[and] will allocate opportunities and resources to bolster cyber defenses.” The administration also issued a fact sheet on “the Future of Transportation and Manufacturing.” The White House summarized the cybersecurity funding and some programmatic changes it wants in an infrastructure package:
o Make $20 billion in Energy Infrastructure Investments for State, Local, and Tribal Governments Contingent on Cyber Modernization: Governors, mayors, and legislators have embraced ambitious energy system modernization goals that have already driven significant private investment into grid upgrades, clean electricity, and U.S. cybersecurity. This $20 billion investment in DOE-administered energy system modernization block grants would support critical infrastructure – additional grid resilience, clean electricity, and cybersecurity efforts – and spur early action by state and local governments that creates a favorable environment for increased private investment, creating jobs, reducing pollution, and boosting security.
o Promote a secure network with the American Jobs Plan’s historic $100 billion broadband investment. President Biden’s American Jobs Plan will bring affordable, reliable, high-speed broadband to every American. This historic investment will also promote network security. Grant recipients will be asked to source from “trusted vendors” and give preference to open, interoperable architecture where feasible, and implement cybersecurity consistent with approaches and priorities described in the Executive Order on Cybersecurity of May 12, 2021.
o Create a new tax credit for transmission infrastructure that will help finance cyber technologies for the electric grid. President Biden’s American Jobs Plan includes a targeted investment tax credit that incentivizes the buildout of at least 20 gigawatts of high-voltage capacity power lines and mobilizes tens of billions in private capital off the sidelines – right away. These tax credits will also encourage stronger cybersecurity capabilities.
o Safeguard critical infrastructure and grid resilience. The American Jobs Plan devotes $2 billion to support micro-grids and distributed energy infrastructure for grid resilience in areas with high risk of power outages, critical infrastructure, and front-line communities. These funds will also be used for transmission risk reduction, including planning grants, scale up grants, efforts for winterization and floods, and supply chain readiness (including equipment reserves). As cybersecurity is a core part of resilience, this funding will be contingent on meeting and maintaining compliance with modern sensor and reporting requirements, with a portion of the funding reserved for investments in standalone infrastructure and networks with tight cybersecurity controls, including tightly gated access to the Internet. And, similar to clean energy block grants and the tax credit for transmission infrastructure, these funds will require recipients to install cybersecurity capabilities that detect and block malicious cyber activity.
o Expand and improve the technology modernization fund. The President’s American Rescue Plan included $1 billion for the Technology Modernization Fund, which will be used to deploy immediate security upgrades, facilitate a shift to a secure cloud infrastructure, improve the foundational technology used across the federal government, and assist agencies in delivering services to the American people.
o Improve security monitoring and incident response activities. The American Rescue Plan provided $650M to the Cyber Security and Information Security Agency (CISA), which will be used to improve CISA’s response capabilities, upgrade its ability to support security projects at agencies and departments, and deploy modern endpoint protections for the federal civilian networks.
§ The Federal Communications Commission (FCC) is “seeking comment on the impact the continuing global shortage of semiconductors may have on the U.S. communications sector and on FCC initiatives.” Specifically, the FCC’s Wireless Telecommunications Bureau “seeks comment on the impact of semiconductor supply chain constraints and other supply chain challenges on the communications sector, on Commission priorities and initiatives, and on steps the Commission can take to ensure a resilient supply chain for communications technologies now and in the future” and posed these questions:
o Has the global semiconductor shortage spread to the communications sector? If so, to what segments? What are the impacts on lead times and costs of communications equipment and devices? Are there other industry trends that are relevant?
o What is the nature and extent of semiconductor shortages or shortages of other components that are critical to the communications sector? What is the short- and long-term capacity of manufacturers of semiconductors and semiconductor components to keep up with the communication sector’s demand? How long is the current shortage expected to last?
o Which semiconductor technology nodes in particular have been impacted or are expected to be impacted by the shortage? Which technology nodes are important to the short- and long-term needs of the communications sector?
o What are the factors impacting the supply of semiconductors and other manufacturing components which are critical to the communications sector? Commenters should consider the ongoing COVID-19 pandemic, the availability of materials, manufacturing capacity, shipping, rapidly increasing demand for particular types of products, excessive reliance on certain manufacturers for critical semiconductor components, and any other factors impacting these markets.
o To what extent are supply constraints impacting different uses of semiconductors, such as systems-on-a-chip, microprocessors, memory chips, and standard chips?
o What are the impacts of shortages of semiconductors or other critical components on the communications sector, including on consumers, enterprise system users, private network operators (such as critical infrastructure), and service providers? To what extent are these shortages driving changes to stakeholders’ plans and priorities and resulting in changes to the communications industry more broadly?
o What are the impacts of these shortages on the public interest? How do these challenges affect the security of the United States and its competitiveness in the global economy? How do these challenges impact the deployment of next-generation networks and technologies? How do these challenges affect communities of color, economically distressed areas, and small businesses?
o What are the effects of semiconductor shortages on remote learning, telehealth, and other services that have moved online during the pandemic?
o What are the potential impacts of the failure to sustain reliable access to semiconductors for the communications sector, including the impact on key vertical markets?
o What steps can be taken by the Commission, either working on its own or in concert with Federal partners, to help address these current challenges?
o What steps can be taken to prevent similar challenges in the future, particularly those challenges related to unanticipated, catastrophic, global events? How can the Commission help to ensure that the benefits of United States leadership in semiconductor manufacturing will flow to all Americans?
§ The United Kingdom’s Information Commissioner’s Office (ICO) and the Competition and Markets Authority (CMA) have published a joint statement on “Competition and data protection in digital markets.” The ICO and CMA explained:
o This document provides our shared view that our overlapping objectives regarding competition and data protection in the context of the digital economy are strongly aligned and complementary. There are several factors that support this conclusion:
§ First, more competitive markets will deliver the outcomes that consumers care about most, which increasingly includes enhanced privacy and greater control over personal data.
§ Second, we have concluded that this relationship is mutually reinforcing. Well-designed regulation and standards that preserve individuals’ privacy and place individuals in control of their personal data can promote positive competitive outcomes. In turn, with appropriate and targeted regulation, competitive pressures can be harnessed to incentivise responsible innovations that protect and support users.
§ Third, the creation of a level playing field is fundamental for enabling effective competition to thrive. Data protection law helps to achieve a level playing field with regards to data access, by ensuring that processing of personal data by all parties is fair and lawful and individual rights are upheld.
o The agencies added:
§ We are confident that any areas of perceived tension between competition and data protection can be overcome through careful consideration of the issues on a case-by-case basis, with consistent and appropriate application of competition and data protection law, and through close cooperation between our two organisations.
§ Reaching these conclusions has been an important step towards achieving regulatory coherence for the digital economy, but we do not intend to stop here. We recognise that digital markets are complex and can evolve quickly, and we therefore intend to continue to work together to further develop our thinking, to ground our conclusions in the context of real-world examples, and to ensure that our approach keeps pace with market developments.
§ We also recognise that these matters are of global relevance, and we will continue to engage with our respective international counterparts and relevant fora around the world to build consensus and promote global regulatory coherence and collaboration.
§ We will also continue the work we set out to undertake in the DRCF’s recently published workplan including developing a more holistic view of how the digital advertising sector, and advertising funded business models, interact with potential consumer and citizen harms.
§ Our ongoing collaboration will not be confined to building understanding. We have provided two examples in this statement of projects where we are committed to consulting one another to ensure the synergies identified in this statement can be maximised, and any tensions overcome.
§ Our views will evolve as we progress this work and we will keep under review the benefits of expanding on this statement in the future.
§ The Department of Homeland Security’s (DHS) National Security Telecommunications Advisory Committee (NSTAC) issued a report on Communications Resiliency. NSTAC explained:
o In May 2020, the Executive Office of the President tasked NSTAC with examining the resilience of the Nation’s communications infrastructure to better understand and address these challenges moving forward.
o The focus of this report has shifted since the original tasking in May 2020. While the report outlines some of the challenges the Nation faces, it highlights the evolution of the ICT ecosystem toward a highly resilient environment of federated, hyperconnected, distributed networks managed via software. With the advent of 5G and other network advances, the Nation now stands at a point where not only can the ICT providers create meshed and highly resilient operating environments, but enterprises (both Government and commercial) can avail themselves of these capabilities as well. NSTAC contends the resiliency benefits of new technologies and innovations referenced in this report and supported by expert briefings throughout the study period will position the Nation’s economy to not only derive cost and operational efficiencies, but to create an environment for U.S. innovation and leadership in the global economy. As such, the recommendations in this report suggest actions the Administration can take to support the deployment, adoption, and mastery of these key technologies, putting the Nation in a better position to support the Nation’s security, economic security, and emergency preparedness goals.
§ The United Kingdom’s (UK) Department for Digital, Culture, Media and Sport (DCMS) “is calling for views on a number of measures to enhance the security of digital supply chains and third party IT services, used by firms for things such as data processing and infrastructure management.” The DCMS added:
o The government wants views on the existing guidance for supply chain cyber risk management and is also testing the suitability of a proposed security framework for firms which manage organisations’ IT infrastructure, known as ‘Managed Service Providers’.
o The proposals could require Managed Service Providers to meet the current Cyber Assessment Framework - a set of 14 cyber security principles designed for organisations that play a vital role in the day-to-day life of the UK.
o The framework sets out measures organisations should take, such as:
§ Having policies to protect devices and prevent unauthorised access
§ Ensuring data is protected at rest and in transit
§ Keeping secure and accessible backups of data
§ Training staff and pursuing a positive cyber security culture.
o The department seeks industry feedback on examples of good supplier risk management, building on government advice set out in the Supply Chain Security Guidance and Supplier Assurance Questions.
§ Senators Amy Klobuchar (D-MN), John Kennedy (R-LA), Joe Manchin (D-WV), and Richard Burr (R-NC) reintroduced the “Social Media Privacy Protection and Consumer Rights Act” “to protect the privacy of consumers’ online data.” Bill text was not made available, but see here for more detail and analysis on the version introduced in the last Congress. In their press release, they asserted:
o As online platforms capture user behavior and personal data for advertising purposes, this bill aims to enhance data privacy protections by ensuring companies give consumers control over how their personal data is being used. Specifically, the bill would give the Federal Trade Commission and state attorneys general the tools they need to hold big tech companies accountable for misuse of consumers’ data. The bill would also increase transparency and require companies to have privacy security programs.
o The Social Media Privacy Protection and Consumer Rights Act would:
§ Give consumers the right to opt-out and keep their information private by disabling data tracking and collection;
§ Provide users greater access to and control over their data;
§ Require terms of service agreements to be in plain language;
§ Ensure users have the ability to see what information about them has already been collected and shared;
§ Mandate that users be notified of a breach of their information within 72 hours;
§ Offer remedies for users when a breach occurs; and
§ Require that online platforms have a privacy program in place.
§ The Department of Homeland Security (DHS) issued its “Privacy Impact Assessment for the Use of Administrative Subpoenas for Cybersecurity Vulnerability Identification and Notification,” an authority the agency pushed to receive from Congress that was finally granted in the “National Defense Authorization Act for Fiscal Year 2021” (P.L. 116-283). The agency explained:
o The U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) Cybersecurity Division (CSD) has established a process that permits CISA, pursuant to statutory authority, the use of administrative subpoenas for cybersecurity vulnerability identification and notification. This process allows CISA to issue administrative subpoenas and receive customer or subscriber contact information from service providers to identify and notify owners or operators of covered systems and devices related to critical infrastructure that have a specific security vulnerability. CISA is conducting this Privacy Impact Assessment (PIA) because responses to administrative subpoenas will include the personally identifiable information (PII) of individuals identified by subpoenaed service providers, such as Internet Service Providers (ISPs), as relevant points of contact.
o Once a subpoena is approved and issued and CISA has received a response, CISA must notify the at-risk entity identified by the subpoena no later than seven (7) days after receiving the customer or subscriber information. The notification to the at-risk entity includes a discussion or statement that responding to or engaging with CISA is voluntary, and information about the process through which CISA identifies security vulnerabilities. CISA places no requirement on the entity to take any action on the identified vulnerability.
o Law requires the destruction of information determined to be unrelated to critical infrastructure immediately upon providing notice to the entity, and the destruction of all PII not later than six (6) months after the date on which the subpoena response is received. When PII relates to an individual, the individual may consent to CISA retaining his or her information for future communication --- but this consent will result in a new record. Upon consent for retention, the contact information will be retained in accordance with DHS/ALL/PIA-006 DHS General Contact Lists and DHS/ALL-002 Department of Homeland Security (DHS) Mailing and Other Lists Systems.
o All information obtained through a subpoena must only be shared with (1) another federal department or agency for a cybersecurity purpose under the limited circumstances described below or (2) with the Department of Justice for enforcement of the subpoena. CISA may share nonpublic information obtained through the subpoena with a federal agency if CISA identifies or is notified of a cybersecurity incident involving the entity and the incident is related to the vulnerability which led to the issuance of the subpoena in the first place; CISA determines that sharing the information is necessary to allow the federal department or agency to take a law enforcement or national security action or action related to mitigating or otherwise resolving such incident; and the entity is notified (to the extent practicable consistent with national security or law enforcement interests), and consents to the sharing (although exceptions to the consent requirement may apply).
§ The Federal Trade Commission (FTC) submitted a report to Congress titled “Nixing the Fix: An FTC Report to Congress on Repair Restrictions.” The FTC explained:
o The Commission’s concern with repair restrictions dates back more than forty years, to when the Commission’s then-Chairman testified in favor of the anti-tying provision of the Magnuson-Moss Warranty Act (the “MMWA”). The anti-tying provision, Section 102(c) of the MMWA, prohibits a warrantor of a consumer product from conditioning its warranty on the consumer’s using any article or service which is identified by brand name unless the article or service is provided for free or the warrantor obtains a waiver from the Commission. This provision, for example, bars an automobile manufacturer from voiding a warranty if a consumer has scheduled maintenance performed by someone other than the dealer, prohibits a printer manufacturer from conditioning its warranty on the purchaser’s use of the manufacturer’s branded ink, and forbids a smartphone manufacturer from voiding a warranty when a consumer has a new battery installed at a kiosk at the mall. In short, the anti-tying provision bars manufacturers from using access to warranty coverage as a way of obstructing consumers’ ability to have their consumer products maintained or repaired using third-party replacement parts and independent repair shops.
o [W]e conclude by explaining that, based on the record before us, it is clear that repair restrictions have diluted the effectiveness of Section 102(c) and steered consumers into manufacturers’ repair networks or to replace products before the end of their useful lives. Based on a review of comments submitted and materials presented during the Workshop, there is scant evidence to support manufacturers’ justifications for repair restrictions. Moreover, the specific changes that repair advocates seek to address manufacturer repair restrictions (e.g., access to information, manuals, spare parts, and tools) are well supported by comments submitted for the record and testimony provided at the Workshop. While the car manufacturing industry has taken important steps to expand consumer choice, other industries that impose restrictions on repairs have not followed suit. The Commission will consider reinvigorated regulatory and law enforcement options, as well as consumer education. In addition to the FTC’s pursuit of efforts under its authority, the Commission stands ready to work with legislators, either at the state or federal level, to ensure that consumers and independent repair shops have appropriate access to replacement parts, instructions, and diagnostic software.
§ The Federal Bureau of Investigation (FBI) and Department of Homeland Security (DHS) submitted a report to the Judiciary, Intelligence, and Homeland Security committees in Congress titled “Strategic Intelligence Assessment and Data on Domestic Terrorism.” The FBI and DHS asserted:
o Preventing terrorist attacks remains a top priority for both the FBI and the Department of Homeland Security (DHS). The threat posed by international and domestic threat actors has evolved significantly since 9/11. The greatest terrorism threat to the Homeland we face today is posed by lone offenders, often radicalized online, who look to attack soft targets with easily accessible weapons. Many of these violent extremists are motivated and inspired by a mix of socio-political goals and personal grievances against their targets. With this report, we are providing our strategic intelligence assessments on domestic terrorism (DT), a detailed discussion of our procedures and methods to address DT threats, as well as data on DT incidents and our investigations.
o The FBI and DHS offered the following by way of recommendations:
§ The Biden Administration has announced a comprehensive review of domestic violent extremism, to include a review of resources, and policies within the federal government. The FBI, DHS, National Counterterrorism Center (NCTC), and Department of Justice (DOJ) are actively participating in this review. Pending completion of this review and further consultation with DOJ leadership, the FBI has no recommendations at this time.
§ The DHS is continuing to review authorities, expertise, and resources at its disposal to identify, prevent, and mitigate threats to the Homeland from Domestic Violent Extremists (DVEs). The DHS is committed to expanding its ability to collect DVE and DT information that is publicly available through social media and other platforms, while simultaneously safeguarding privacy, civil rights, and civil liberties of all persons, in order to enhance the Department’s ability to rapidly analyze and communicate DVE and DT threats so that policy makers and our homeland security partners are enabled to take appropriate action.
Further Reading
§ “China Threatens Retaliation Against Ericsson if Sweden Doesn’t Drop Huawei 5G Ban” By Stu Woo — The Wall Street Journal. Beijing is giving Sweden one last chance to reverse its ban on telecommunications-equipment giant Huawei Technologies Co., a Chinese state media outlet said, before it could retaliate against rival Ericsson AB. Ericsson’s participation in the next round of China’s massive 5G build-out is linked to whether Stockholm changes its stance on Huawei, according to the Global Times, a Chinese Communist Party publication.
§ “The government wants to pay your Internet bill for a few months. Here’s what you need to do.” By Geoffrey Fowler — The Washington Post. Washington wants to pick up the tab for tens of millions of Americans’ Internet connections. That may include yours. The Emergency Broadband Benefit, or EBB, was launched Wednesday to help a surprisingly wide range of people hit economically by the coronavirus pandemic. It can pay $50 every month toward the cost of your Internet service, and it is available to all families who lost some income in the last year and earn less than $198,000, among others. With $3.2 billion up for grabs, the EBB is the largest federal program to help with Internet bills in the three decades Americans have been going online.
§ “Racing the Sun to Protect America” By Dana Goward — Nextgov. One hundred years ago, on the fifteenth of May 1921, random telegraph and telephone offices in the United States and around the world suddenly burst into flames. Fuses were blown, equipment damaged, connections severed. Undersea telegraph cable service was interrupted. Aurora—as in “the northern lights”—appeared in Pasadena, California. The night sky in Boston was so bright you could read a newspaper.
§ “China’s New Privacy Regulation Reforms Tech Giants Social Retail Scene” By Tiffany Lung — Forbes. China’s five-day-long May Day ‘Golden Week’ has seen revenge spending at full effect, with domestic travels predicted to see 265 million trips made during the period, surpassing 2019 levels. Further to that, several municipalities in China such as Shanghai launched the ‘Double Five Shopping Festival’ with over 1,900 events and branded partnerships lined up for two months across shopping, tourism and entertainment venues. Beijing’s own ‘2021 Consumer Season’ also saw the government distribute billions of yuan in various coupons to stimulate consumer spending offline and online. Several major e-commerce platforms such as Tencent, JD.com, Pinduoduo and others are also supporting the program with their own digital coupons.
§ “Yahoo and AOL, Early Internet Pioneers, Are Sold to Private Equity Firm” By Edmund Lee and Lauren Hirsch — The New York Times. Yahoo and AOL, kings of the early internet, saw their fortunes decline as Silicon Valley raced ahead to create new digital platforms. Google replaced Yahoo. AOL was supplanted by cable giants. Now they will become the property of private equity. Verizon, their current owner, agreed to sell them to Apollo Global Management in a deal worth $5 billion, the companies announced Monday.
§ “Taiwan accuses Beijing of waging economic war against tech sector” — Al Jazeera. Taiwan’s government has accused China of waging economic warfare against the Chinese-claimed island’s technology sector by stealing intellectual property and enticing away engineers, as its parliament considers strengthening legislation to prevent such alleged activity.
§ “UK tools up against China’s intel gathering” By Cristina Gallardo and Stuart Lau — Politico EU. The U.K. has realized it is going to need more than James Bond to counter Chinese influence and espionage. Beijing’s massive state-backed effort to infiltrate British companies and research institutions in the race to develop key technologies is mostly not the stuff of traditional spying. And Britain has realized that its response needs to go well beyond the intelligence services.
§ “Cybersecurity Ignorance Is Dangerous” By Tarah Wheeler — Foreign Policy. In one of the biggest tech book launches of 2021, Nicole Perlroth, a cybersecurity reporter at the New York Times, published This Is How They Tell Me The World Ends to cheers from the general public, plaudits from fellow journalists, and a notable wave of criticism from many in the cybersecurity community.
§ “Chinese TV maker Skyworth under fire for excessive data collection that users call spying” By Xinmei Shen — South China Morning Post. Chinese television maker Skyworth has issued an apology after a consumer found that his set was quietly collecting a wide range of private data and sending it to a Beijing-based analytics company without his consent.
Coming Events
§ On 20 May, the House Appropriations Committee’s Defense Subcommittee will hold a closed hearing on the Intelligence Community’s World Wide Threat Assessment and the FY 2022 National Intelligence Program/Military Intelligence Program Posture with these witnesses:
o The Honorable Avril Haines, the Director of National Intelligence
o The Honorable David M. Taylor, Performing Under Secretary of Defense for Intelligence & Security, Department of Defense
§ The Commerce, Science, and Transportation Committee will consider Eric Lander’s nomination to be the Director of the Office of Science and Technology Policy (OSTP) on 20 May.
§ The House Select Committee on the Climate Crisis will hold a 20 May hearing titled “Powering Up Clean Energy: Investments to Modernize and Expand the Electric Grid” with these witnesses:
o Linda Apsey, President and CEO, ITC Holdings Corp. Apsey is responsible for the strategic vision and overall business operations of ITC, the largest independent electricity transmission company in the United States. Based in Michigan, the company owns and operates high-voltage transmission infrastructure in Michigan, Iowa, Minnesota, Illinois, Missouri, Kansas and Oklahoma, with plans underway to expand to Wisconsin.
o Donnie Colston, Director, Utility Department, International Brotherhood of Electrical Workers (IBEW). Colston manages issues related to collective bargaining agreements, working conditions, safety-related work practices, and apprenticeship training. A utility lineman, he started his career in transmission and distribution construction before working as an electric troubleman. He has been a member of the IBEW Local Union 2100, which represents the employees of Louisville Gas and Electric Company (LG&E) and Kentucky Utilities Company (KU), for more than four decades.
o Michael Skelly, Founder and President, Grid United. Skelly is a renewable energy entrepreneur and pioneer in the U.S. wind industry who currently leads Grid United, an early-stage transmission development company. He was previously the founder and president of Clean Line Energy, a company that successfully permitted some of the longest transmission lines in the United States in the last 50 years.
o Emily Sanford Fisher, General Counsel, Corporate Secretary & Senior Vice President, Clean Energy, Edison Electric Institute (EEI). Sanford Fisher manages litigation and legal affairs at EEI, an association that represents all investor-owned electric companies in the United States. She also oversees and coordinates strategic clean energy engagement across EEI and across the federal government.
§ The House Armed Services Committee’s Cyber, Innovative Technologies, and Information Systems Subcommittee will hold a 20 May hearing titled “Reviewing Department of Defense Science and Technology Strategy, Policy, and Programs for Fiscal Year 2022: Fostering a Robust Ecosystem for Our Technological Edge” with these witnesses:
o Ms. Barbara McQuiston, Acting, Under Secretary of Defense for Research and Engineering (USD(R&E)), Office of the Secretary of Defense
o Dr. Philip Perconti, Deputy Assistant Secretary of the Army for Research and Technology (DASA R&T), Department of the Army
o Ms. Joan “JJ” Johnson, Deputy Assistant Secretary of the Navy Research, Development, Test, and Engineering (DASN RDTE), Department of the Navy
o Ms. Kristin Baldwin, Assistant Secretary of the Air Force for Acquisition, Technology and Logistics for Science Technology, and Engineering (SAF/AQR), Department of the Air Force
§ On 20 May, the House Veterans Affairs Committee’s Technology Modernization Subcommittee will hold a hearing titled “Cybersecurity and Risk Management at VA: Addressing Ongoing Challenges and Moving Forward” but no witnesses have been announced.
§ On 20 May, the Federal Communications Commission (FCC) will hold an open meeting with this tentative agenda:
o Reducing Interstate Rates and Charges for Incarcerated People – The Commission will consider a Third Report and Order, Order on Reconsideration, and Fifth Notice of Proposed Rulemaking that, among other actions, will lower interstate rates and charges for the vast majority of incarcerated people, limit international rates for the first time, and seek comment on further reforms to the Commission’s calling services rules, including for incarcerated people with disabilities. (WC Docket No. 12-375)
o Strengthening Support for Video Relay Service – The Commission will consider a Notice of Proposed Rulemaking and Order to set Telecommunications Relay Services (TRS) Fund compensation rates for video relay service (VRS). (CG Docket Nos. 03-123, 10-51)
o Shortening STIR/SHAKEN Extension for Small Providers Likely to Originate Robocalls – The Commission will consider a Further Notice of Proposed Rulemaking to fight illegal robocalls by proposing to accelerate the date by which small voice service providers that originate an especially large amount of call traffic must implement the STIR/SHAKEN caller ID authentication framework. (WC Docket No. 17-97)
o Section 214 Petition for Partial Reconsideration for Mixed USF Support Companies – The Commission will consider an Order on Reconsideration to relieve certain affiliates of merging companies that receive model-based and rate-of-return universal service support from a “mixed support” merger condition cap. (WC Docket No. 20-389)
o Enforcement Bureau Action – The Commission will consider an enforcement action.
o Enforcement Bureau Action – The Commission will consider an enforcement action.
§ On 27 July, the Federal Trade Commission (FTC) will hold PrivacyCon 2021.
[1] SEC. 104. GUIDANCE FOR AGENCY USE OF ARTIFICIAL INTELLIGENCE. (a) Guidance.--Not later than 270 days after the date of enactment of this Act, the Director, in coordination with the Director of the Office of Science and Technology Policy in consultation with the Administrator and any other relevant agencies and key stakeholders as determined by the Director, shall issue a memorandum to the head of each agency that shall--
(1) inform the development of policies regarding Federal acquisition and use by agencies regarding technologies that are empowered or enabled by artificial intelligence, including an identification of the responsibilities of agency officials managing the use of such technology;
(2) recommend approaches to remove barriers for use by agencies of artificial intelligence technologies in order to promote the innovative application of those technologies while protecting civil liberties, civil rights, and economic and national security;
(3) identify best practices for identifying, assessing, and mitigating any discriminatory impact or bias on the basis of any classification protected under Federal nondiscrimination laws, or any unintended consequence of the use of artificial intelligence, including policies to identify data used to train artificial intelligence algorithms as well as the data analyzed by artificial intelligence used by the agencies; and
(4) provide a template of the required contents of the agency plans described in subsection (c).