The Third Cyber Incident Notification Bill
Ransomware meeting yields agreement; DOJ to prosecute federal contractors with substandard cybersecurity; NCSC chief maps out her future course for the agency
Photo by Mathis Jrdl on Unsplash
Shortly after the House tucked a bill instituting a new cyber incident notification regime into its “National Defense Authorization Act for Fiscal Year 2022” (H.R.4350), a second Senate committee issued legislation that would broadly establish a similar system. And while these two bills are aligned on the features of a new, mandatory Department of Homeland Security (DHS) reporting system for critical infrastructure, they are at odds with the first major bill introduced on this issue. Moreover, and more importantly, the sponsors of this latter bill lead a key Senate committee with the leverage to sink a bill with which they disagree. However, this is not to say matters cannot be worked out; indeed, it is likely the sponsors of the two Senate bills will arrive at an agreement before the Senate’s NDAA comes to the floor.
Before we turn to the latest bill, a review would be helpful. Senate Intelligence Committee Chair Mark Warner (D-VA), Ranking Member Marco Rubio (R-FL), and Senator Susan Collins (R-ME) introduced the “Cyber Incident Notification Act of 2021” (S.2407) in late July (see here for more detail and analysis). They explained in their press release that:
The legislation is in part a response to the hack of IT management firm SolarWinds, which resulted in the compromise of hundreds of federal agencies and private companies, and the May 2021 ransomware attack on the Colonial Pipeline, which halted pipeline operations temporarily and resulted in fuel shortages along the Atlantic seaboard of the United States, as well as a recent onslaught of ransomware attacks affecting thousands of public and private entities.
They may well have also added the hacks of Microsoft Exchange and Accellion to the reasons why such legislation is necessary. It also bears note that the bill has a number of high profile cosponsors, including Senators Dianne Feinstein (D-CA), Richard Burr (R-NC), Martin Heinrich (D-NM), James Risch (R-ID), Angus King (I-ME), Roy Blunt (R-MO), Michael Bennet (D-CO), Bob Casey (D-PA), Ben Sasse (R-NE), and Kirsten Gillibrand (D-NY). Two other cosponsors’ imprimaturs may carry more weight: Senator Joe Manchin (D-WV), the chair of the Senate Armed Services Committee’s Cybersecurity Subcommittee and Senator Jon Tester (D-MT), the chair of the Senate Appropriations Committee’s Defense Subcommittee. Nonetheless, despite all the cosponsors and being the first bill on the field, it ran into an obstacle: the fact that the Senate Homeland Security and Governmental Affairs Committee has jurisdiction over this issue, broadly speaking. But, more on this later.
As mentioned, in late September, the House added to its NDAA the “Cyber Incident Reporting for Critical Infrastructure Act of 2021” (H.R.5440), legislation that would establish a new office at DHS’ Cybersecurity and Infrastructure Security Agency (CISA) that would receive the cyber incident notifications the owners and operators of critical infrastructure would be required to submit and then distribute them to federal agencies and private sector stakeholders (see here for detail and analysis). The legislation is bipartisan and was introduced by the chair and ranking member of the House Homeland Security Committee subcommittee with jurisdiction and the chair and ranking member of the full committee (Representatives Yvette Clarke (D-NY), Andrew Garbarino (R-NY), Bennie Thompson (D-MS), and John Katko (R-NY), respectively).
Shortly thereafter, the Senate Homeland Security and Governmental Affairs Committee got onto the field with its long awaited “Cyber Incident Reporting Act” (S.2875). Chair Gary Peters (D-MI) and Ranking Member Rob Portman (R-OH) introduced the bill in late September, and the committee marked it up on October 6. Since the committee has not issued the text of any amendments, including the amendment in the nature of a substitute for S.2875, it is not possible to know how the amended version differs from the original. Nonetheless, the accounts of the markup make no mention of significant alterations (e.g., here and here). Consequently, my analysis will be of the bill as originally introduced.
As mentioned earlier, the Senate Homeland Security and Governmental Affairs Committee held Warner, Rubio, and Collins’ bill and passed legislation of its own. The two bills bear more than slight similarity.
The most prominent sticking point in a final bill is how quickly covered entities would be required to report cyber incidents. Warner, Rubio, and Collins want a 24 hour deadline whereas the House and Senate Homeland Security Committees want a 72 hour window. Moreover, industry appears to side with the Homeland Security Committees if the testimony of four industry stakeholders at a 1 September hearing is representative. There are also differences on how the reporting requirements would be enforced.
Another key difference is the scope of the bills. Unlike the House and Senate Intelligence Committee bills, the Senate Homeland Security and Governmental Affairs Committee’s bill imposes reporting mandates on entities that pay ransoms to the hackers that inflicted ransomware on their systems.
Like the House’s bill, the Peters and Portman bill would establish a Cyber Incident Review Office inside CISA “to receive, aggregate, and analyze reports related to covered cyber incidents submitted by covered entities” in furtherance of the existing statutory missions of the Sector Risk Management Agencies, CISA’s Cybersecurity Division, and CISA’s National Cybersecurity and Communications Integration Center (NCCIC). CISA would be free to organize this office as it sees fit and to harmonize and integrate it with existing entities as it wishes. This new office would be tasked with a slate of new responsibilities, the majority of which would revolve around its raison d'être (i.e., to receive, process, and distribute information about intrusions and hacks in a timely and useful form). Among other things, the office would have to share reported information on cyber incidents and ransomware payments with other federal agencies within 24 hours. The new office would also need to investigate incidents and ransomware attacks after the fact in order to derive whatever lessons may be found. This entity would do so proactively with all the data it receives, ideally in the hopes of getting ahead of future risks and vulnerabilities.
It should be kept in mind that none of the three bills so much as authorizes additional appropriations for CISA to stand up the new Cyber Incident Review Office. So, again, as has been the recent trend for CISA in particular, and agencies generally, it will have new duties without dedicated funds to pay for the new activities. To be sure, the House Appropriations Committee is calling for almost $400 million more for CISA in FY 2022, pushing the agency’s overall funding from $2.024 billion in FY 2021 to $2.422 billion. The Senate’s bill would provide even more to CISA, giving it $2.638 billion. It is an open question where these funds are to be allocated. Moreover, there are billions more in the “Infrastructure Investment and Jobs Act” (H.R.3684) and the “Build Back Better Act,” but the vast majority of this funding is earmarked for specific CISA programs.
Now we turn to the crux of the bill. S.2875 provides:
A covered entity shall report a covered cyber incident to the Director not later than 72 hours after the covered entity reasonably believes that a covered cyber incident has occurred
Additionally, covered entities would need to submit supplemental reports “if new or different information becomes available.”
While the central thrust of the bill is simple, it remains to be determined who will be covered entities, what shall be a covered cyber incident, and, given the propensity of lawyers (I’m one, too) to read language as favorably as possible, undoubtedly industry stakeholders will push to read “reasonably believes that a covered cyber incident has occurred” as loosely as possible. Indeed, Peters and Portman direct CISA to conduct a rulemaking to sort out these and other issues with a 14-month deadline for an interim final rule and 24 months for a final rule.
As noted, the Peters and Portman bill also would institute a reporting requirement for making ransomware payments:
An entity, including a covered entity and except for an individual or a small business, that makes a ransom payment as the result of a ransomware attack against the entity shall report the payment to the Director not later than 24 hours after the ransom payment has been made.
Ironically, Peters and Portman passed on a 24 hour deadline for reporting cyber incidents but opted for one for certain classes of ransomware payments. Additionally, “any Federal agency that receives a report from an entity of a cyber attack, including a ransomware attack, shall provide all such information to the Director of the Cybersecurity Infrastructure Security Agency not later than 24 hours after receiving the report.” Deepening the irony, if a covered entity both experiences a covered cyber incident and makes a ransomware payment, it may turn out that the 24 hour deadline governs both reports, depending on how CISA’s final regulations address this issue.
Like the other bills, entities, such as pipelines, with existing reporting requirements would not need to submit reports to CISA. The logic here is that presumably these other agencies will share such reports with CISA as they receive and process them.
What’s more, any entity may submit voluntary reports on incidents and ransomware payments that fall outside the mandatory scheme and still receive the legal protection for reporting to CISA.
In terms of enforcement, CISA would first seek more information from entities it believes have experienced covered incidents or have made payments. If they fail or refuse to respond, CISA could then issue subpoenas to compel disclosure. If the subpoenas are ignored, then CISA could ask the United States (U.S.) Department of Justice (DOJ) to file a civil suit to have the non-compliant parties held in contempt. Moreover, for any entities that are federal contractors and fail to comply with a CISA subpoena, the agency can ask the General Services Administration to suspend or debar the entities.
In contrast, the Warner, Rubio, and Collins bill would empower CISA to “assess a civil penalty not to exceed 0.5 percent of the entity’s gross revenue from the prior year for each day the violation continued or continues.” Such language would be a significant expansion of CISA’s powers, and is almost certainly seen as the proverbial camel’s nose under the tent.
To varying degrees, all three bills would bar Federal, State, Tribal, or local governments from using cyber incident reports to investigate or take law enforcement action against an entity making the report. Likewise, the Peters and Portman bill extends this protection to ransomware reports.
However, a key difference exists in how cyber incident reports can be used for purposes of regulation. The House bill, the “Cyber Incident Reporting for Critical Infrastructure Act of 2021” (H.R.5440), provides that cyber incident reports “may not be used by any Federal, State, Tribal, or local government to regulate, including through an enforcement action, the lawful activities of any non-Federal entity.” However, there is an exception for using these reports for “the development or implementation of regulations relating to such systems.” In contrast, the Peters and Portman bill authorizes CISA to refer entities to the DOJ or an appropriate regulator if “the facts relating to the covered cyber incident or ransom payment at issue may constitute grounds for a regulatory enforcement action or criminal prosecution.” And yet,
A Federal, State, local, or Tribal government shall not use information about a covered cyber incident or ransom payment obtained solely through reporting directly to the Office in accordance with this subtitle to regulate, including through an enforcement action, the lawful activities of any non-Federal entity.
Consequently, matters get a little confused. It appears these governments could not rely solely on reports about covered cyber incidents and ransomware payments to move to punish reporting entities. Rather these governments could supplement information from these reports with their own investigation to pursue punishment of the unlawful activities of entities. And so, were it illegal for entities to have shoddy or inadequate data security under a state’s law, then a cyber incident report could be used in part to seek punishment, it appears. This reading is reinforced by Peters and Portman’s carveout of liability protection that “shall only apply to or affect litigation that is solely based on the submission of a covered cyber incident report or ransom payment report to the Office.” Moreover, the Peters and Portman bill does not “create a defense to a discovery request, or otherwise limit or affect the discovery of information from a cause of action authorized under any Federal, State, local, or Tribal law.” As a result, even entities that properly report cyber incidents to CISA in a timely fashion may face enforcement actions.
The Warner, Rubio, Collins bill is silent on the issue except for the liability shield from almost all criminal and civil actions against the reporting entity, suggesting CISA and other agencies could use cyber incident reports to write regulations.
The Peters and Portman bill tasks the National Cyber Director with leading a newly created “intergovernmental Cyber Incident Reporting Council, in coordination with the Director of the Office of Management and Budget and the Director of the CISA and in consultation with Sector Risk Management Agencies…and other appropriate Federal agencies, to coordinate, deconflict, and harmonize Federal incident reporting requirements, including those issued through regulations, for covered entities…and entities that make a ransom payment.”
Under S.2875, CISA would “establish a ransomware vulnerability warning program to leverage existing authorities and technology to specifically develop processes and procedures, and to dedicate resources, to identifying information systems that contain security vulnerabilities associated with common ransomware attacks, and to notify the owners of those vulnerable systems of their security vulnerability.” The National Cyber Director would “establish and chair the Joint Ransomware Task Force to coordinate an ongoing, nationwide campaign against ransomware attacks, and identify and pursue opportunities for international cooperation.” The National Cyber Director must also report to Congress on the “defensive measures that private-sector actors can take when countering ransomware attacks and what laws need to be clarified to enable that action.”
Additionally, CISA “shall conduct an outreach and education campaign to inform likely covered entities, entities that offer or advertise as a service to customers to make or facilitate ransom payments on behalf of entities impacted by ransomware attacks, potential ransomware attack victims, and other appropriate entities of the requirements” to report covered cyber incidents, ransomware payments, and make supplemental reports as needed.
Other Developments
Photo by Maximalfocus on Unsplash
§ After a meeting in Washington of more than 30 nations, the Biden Administration issued a “Joint Statement of the Ministers and Representatives from the Counter Ransomware Initiative Meeting.” These governments pledged:
o Governments recognize the need for urgent action, common priorities, and complementary efforts to reduce the risk of ransomware. Efforts will include improving network resilience to prevent incidents when possible and respond effectively when incidents do occur; addressing the abuse of financial mechanisms to launder ransom payments or conduct other activities that make ransomware profitable; and disrupting the ransomware ecosystem via law enforcement collaboration to investigate and prosecute ransomware actors, addressing safe havens for ransomware criminals, and continued diplomatic engagement.
§ The Biden Administration also highlighted its efforts to combat ransomware ahead of the aforementioned meeting. The White House said “The Administration's counter-ransomware efforts are organized along four lines of effort:
o Disrupt Ransomware Infrastructure and Actors: The Administration is bringing the full weight of U.S. government capabilities to disrupt ransomware actors, facilitators, networks and financial infrastructure;
o Bolster Resilience to Withstand Ransomware Attacks: The Administration has called on the private sector to step up its investment and focus on cyber defenses to meet the threat. The Administration has also outlined the expected cybersecurity thresholds for critical infrastructure and introduced cybersecurity requirements for transportation critical infrastructure;
o Address the Abuse of Virtual Currency to Launder Ransom Payments: Virtual currency is subject to the same Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT) controls that are applied to fiat currency, and those controls and laws must be enforced. The Administration is leveraging existing capabilities, and acquiring innovative capabilities, to trace and interdict ransomware proceeds; and
o Leverage International Cooperation to Disrupt the Ransomware Ecosystem and Address Safe Harbors for Ransomware Criminals: Responsible states do not permit criminals to operate with impunity from within their borders. We are working with international partners to disrupt ransomware networks and improve partner capacity for detecting and responding to such activity within their own borders, including imposing consequences and holding accountable those states that allow criminals to operate from within their jurisdictions.
§ Deputy Attorney General Lisa Monaco announced “the launch of the department’s Civil Cyber-Fraud Initiative, which will combine the department’s expertise in civil fraud enforcement, government procurement and cybersecurity to combat new and emerging cyber threats to the security of sensitive information and critical systems.” The United States (U.S.) Department of Justice explained:
o The Civil Cyber-Fraud Initiative will utilize the False Claims Act to pursue cybersecurity related fraud by government contractors and grant recipients. The False Claims Act is the government’s primary civil tool to redress false claims for federal funds and property involving government programs and operations. The act includes a unique whistleblower provision, which allows private parties to assist the government in identifying and pursing fraudulent conduct and to share in any recovery and protects whistleblowers who bring these violations and failures from retaliation.
o The initiative will hold accountable entities or individuals that put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches. The benefits of the initiative will include:
§ Building broad resiliency against cybersecurity intrusions across the government, the public sector and key industry partners.
§ Holding contractors and grantees to their commitments to protect government information and infrastructure.
§ Supporting government experts’ efforts to timely identify, create and publicize patches for vulnerabilities in commonly-used information technology products and services.
§ Ensuring that companies that follow the rules and invest in meeting cybersecurity requirements are not at a competitive disadvantage.
§ Reimbursing the government and the taxpayers for the losses incurred when companies fail to satisfy their cybersecurity obligations.
§ Improving overall cybersecurity practices that will benefit the government, private users and the American public.
o The department will work closely on the Initiative with other federal agencies, subject matter experts and its law enforcement partners throughout the government.
§ The United Kingdom’s National Cyber Security Centre CEO Lindy Cameron spoke at Chatham House to mark her first year heading the agency “to review some of the major events we have seen, discuss the current threat picture we face and – most importantly – consider the future challenges that we are anticipating and how we intend to manage them.”
§ The United Kingdom’s (UK) Information Commissioner’s Office (ICO) filed a response to the Department for Digital, Culture, Media & Sport’s (DCMS) consultation titled “Data: a new direction,” the government’s process to implement “reforms to the UK’s regime for the protection of personal data” according to a government minister. In the foreword, outgoing Information Commissioner Elizabeth Denham stated:
o Three years have passed since the introduction of the Data Protection Act 2018, and the pace and scale of innovation means the data landscape has changed significantly. How we deliver high standards cannot be static. Digital technologies are one of the engines driving the UK’s economic growth. The digital sector contributed £151bn in output and accounted for 1.6 million jobs in 2019. In June this year it was announced that the UK now has one hundred tech companies valued at $1bn or more, more than the rest of Europe combined.
o It is important government ensures the UK is fit for the future and able to play a leading role in the global digital economy. I therefore support this review and the intent behind it.
o As the proposals are developed, the devil will be in the detail. It will be important that Government ensures the final package of reforms clearly maintain rights for individuals, minimise burdens for business and safeguard the independence of the regulator.
§ The European Digital Rights (EDRi) and 41 other organizations “call[ed] on the members of the European Parliament to vote against the new amendments, which enable discriminatory predictive policing and biometric mass surveillance.” EDRi and the other groups stated:
o In our open letter, we urge the MEPs to support the LIBE Committee’s original report, which we strongly believe took the most balanced and proportional stance on artificial intelligence (AI) in law enforcement from a fundamental rights perspective. AI in the field of law enforcement offers particular challenges for fundamental rights, in particular rights to liberty, security, privacy, a fair trial and non-discrimination, and as such, require particular fundamental rights scrutiny and democratic oversight.
§ Amazon settled a case brought by two former employees before the United States National Labor Relations Board (NLRB). The company had fired the two employees “after they criticized the company for its climate policies and warehouse safety record.” In a statement, the two former employees stated:
o We are thrilled to announce that we have reached an agreement to settle the charge against Amazon at the National Labor Relations Board (NLRB) alleging that the company illegally fired us for speaking up about warehouse workers' conditions during COVID. This is a win for protecting workers’ rights, and shows that we were right to stand up for each other, for justice, and for our world. Amazon will be required to pay us our lost wages and post a notice to all of its tech and warehouse workers nationwide that Amazon can't fire workers for organizing and exercising their rights.
§ The United States Department of Justice (DOJ) Office of the Inspector General (OIG) issued its audit of the “Federal Bureau of Investigation’s Execution of Its Woods Procedures for Applications Filed with the Foreign Intelligence Surveillance Court Relating to U.S. Persons.” The OIG found:
o The FBI’s Woods Procedures are designed to ensure FISA applications are “scrupulously accurate” and require agents to document support for all factual assertions contained in them. However, our audit found numerous instances where this did not occur. In March 2020, we issued a Management Advisory Memorandum (MAM) to report that our audit had identified Woods Procedures non-compliance in all 29 FISA applications we reviewed, which were approved by the Foreign Intelligence Surveillance Court (FISC) between fiscal years 2015 and 2019. DOJ thereafter notified the FISC of 209 errors in those applications, 4 of which DOJ deemed material. Our further audit work identified over 200 additional instances of Woods Procedures non-compliance—where Woods Files did not contain adequate supporting documentation for statements in the 29 applications—although the FBI and NSD subsequently confirmed the existence of available support elsewhere. We also identified at least 183 FISA applications for which the required Woods File was missing or incomplete.
§ The National Institute of Standards and Technology (NIST) published Special Publication (SP) 800-214, 2020 Cybersecurity and Privacy Program Annual Report, “which details the Information Technology Laboratory (ITL) Cybersecurity and Privacy Program’s responses to numerous challenges and opportunities in security and privacy.”
§ The National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) released an “information sheet Selecting and Hardening Standards-based Remote Access VPN Solutions to address the potential security risks associated with using Virtual Private Networks (VPNs).”
§ A group of advocacy organizations wrote Congressional leadership regarding the environmental costs of cryptocurrency. They claimed:
o As Congressional leadership thinks through changes in the regulatory landscape for crypto, an important part that is often left out are the real negative climate and environmental justice effects, which merit close attention by policymakers. We, the more than 65 climate, economic, racial justice, business and local organizations write to you today to urge Congress to take steps to mitigate the considerable contribution portions of the cryptocurrency markets are making to climate change and the resulting greenhouse gas (GHG) emissions, environmental, and climate justice impacts it will have.
§ The United States Department of Commerce issued a press statement, claiming to “Take Action on Semiconductor Chip Shortage.” Among the actions the department highlighted are:
o U.S. Secretary Gina Raimondo has been laser-focused on addressing the semiconductor chips shortage in particular and the supply chain disruptions overall, including working across party lines in both the House and Senate to support the bipartisan CHIPs for America Act to incentivize domestic semiconductor investment. In September, the Commerce Department launched a voluntary Request for Information to understand and quantify where bottlenecks may exist, and earlier this week, the Department launched an early alert system to coordinate U.S. government resources to help resolve supply chain bottlenecks.
o Last week, the Commerce Department stood up a Microelectronics Early Alert System for COVID-related shocks to the semiconductor supply chain. The new system is up and running and already receiving input from companies.
o And at a September convening of semiconductor industry participants, the Commerce Department announced the launch of a Request for Information (RFI) that is asking all parts of the supply chain – producers, consumers, and intermediaries – to voluntarily share information about inventories, demand, and delivery dynamics. This will advance Commerce’s effort to improve transparency, trust, and communication across the supply chain. The goal is to understand and quantify where bottlenecks may exist, helping provide the private sector with the information they need to address the shortage. Firms have 45 days to reply to the survey.
Further Reading
Photo by Alex Haney on Unsplash
§ “Facebook Says AI Will Clean Up the Platform. Its Own Engineers Have Doubts.” By Deepa Seetharaman, Jeff Horwitz and Justin Scheck — The Wall Street Journal. Facebook Inc. executives have long said that artificial intelligence would address the company’s chronic problems keeping what it deems hate speech and excessive violence as well as underage users off its platforms. That future is farther away than those executives suggest, according to internal documents reviewed by The Wall Street Journal. Facebook’s AI can’t consistently identify first-person shooting videos, racist rants and even, in one notable episode that puzzled internal researchers for weeks, the difference between cockfighting and car crashes.
§ “Facebook disputes report that its AI can’t detect hate speech or violence consistently” By Kim Lyons — The Verge. Facebook vice president of integrity Guy Rosen wrote in a blog post Sunday that the prevalence of hate speech on the platform had dropped by 50 percent over the past three years, and that “a narrative that the technology we use to fight hate speech is inadequate and that we deliberately misrepresent our progress” was false. “We don’t want to see hate on our platform, nor do our users or advertisers, and we are transparent about our work to remove it,” Rosen wrote. “What these documents demonstrate is that our integrity work is a multi-year journey. While we will never be perfect, our teams continually work to develop our systems, identify issues and build solutions.”
§ “Facebook’s policing of vitriol is even more lackluster outside the US, critics say” By Aisha Gani — The Guardian. On a cloudy evening in Nairobi, Berhan Taye is scrolling through a spreadsheet in which she has helped document more than 140 Facebook posts from Ethiopia that contain hate speech. There are videos of child abuse, texts of hate speech against different ethnic groups, and hours-long live streams inciting hatred. These posts breach Facebook community guidelines in any context. Yet for Taye and her colleagues, this is what Facebook’s news feed has looked like for years in Ethiopia. Because there aren’t enough content moderators focused on Ethiopia, it has been up to Taye, an independent researcher looking at technology’s impact on civil society, and a team of grassroots volunteers to collect and then report misinformation and hate speech to Facebook.
§ “Apple fires employee who raised awareness of workplace misconduct allegations at the company” By Reed Albergotti — The Washington Post. Apple fired an employee Thursday who was critical of the company’s handling of workplace misconduct allegations. Janneke Parrish, a product manager on Apple Maps who is based in Texas, was involved in #AppleToo, a movement aimed at improving working conditions at the company, particularly for traditionally underrepresented groups. Parrish has been running the #AppleToo digest, a collection of anonymous stories from Apple employees who offered personal stories alleging discrimination and other labor violations at the company.
§ “U.S. pursues a unique solution to fight hackers. It revolves around esports.” As the United States seeks to shore up its defenses against cyberattacks, the country is seeking to harness the skills of some of the country’s most promising young minds using a model that mirrors competitive video gaming, also known as esports. U.S. Cyber Games, a project founded in April and funded by the National Institute of Standards and Technology’s National Initiative for Cybersecurity Education, has assembled a team of 25 Americans, ages 18 to 26, who will compete against other countries in the inaugural International Cybersecurity Challenge, scheduled to be held in Greece in June 2022.
§ “How to Fix Facebook, Instagram and Social Media? Change the Defaults” By Joanna Stern — The Wall Street Journal. Quick homework assignment: Open Instagram, tap the head icon at the bottom right, then the three lines in the top right corner, then Settings, then Privacy. (Almost there, I promise!) Tap Posts and switch on “Hide Likes and View Counts.” A few of you hopefully followed along. Most of you probably ignored me like the airline’s automated call system when I scream, “Representative!” That’s OK. You’ve proven my point: Most people don’t change the default settings in their social-media apps—or any apps.
§ “Social media misinformation stokes a worsening civil war in Ethiopia” By Lee Hale and Eyder Peralta — National Public Radio. As Tamu Shatallah walked past the inauguration stage draped in gold, his thoughts were on the deadly civil war that has plagued Ethiopia for nearly a year. It's a war "between brothers, between sisters," Tamu said. A war that, as far as he can tell, has done nothing for his country. That stage in Ethiopia's capital city Addis Ababa was where Prime Minister Abiy Ahmed sat last week as he watched a procession of military bands, having just been elected to a second five-year term last week. Behind him, written in large letters was a message: "A new beginning."
§ “Amazon Challenges Record $865 Million EU Data-Protection Fine” By Stephanie Bodoni — Bloomberg. Amazon.com Inc. appealed a record 746 million-euro ($865 million) penalty for allegedly violating the European Union’s tough data-protection rules. The appeal was filed at the Luxembourg Administrative Tribunal on Friday, according to Luxembourg court spokesman Henri Eippers.
§ “Facebook Should Clarify Terms of Service, Irish Privacy Regulator Says” By Catherine Stupp — The Wall Street Journal. A draft ruling from Ireland’s privacy regulator would require Facebook Inc. to change how it informs users about its data processing but disregards complaints that the social-media giant needs to obtain direct consent for its activities. If the decision is finalized, Facebook would also face a fine of between €28 million and €36 million (equivalent to $32.4 million to $41.7 million) for failing to be transparent with users. The case stems from a 2018 complaint filed by Austrian privacy lawyer Max Schrems, whose nonprofit organization NOYB published the draft decision on Wednesday. The Irish Data Protection Commission hasn’t made the decision public.
§ “Digital divide fix at risk as $1.2 trillion infrastructure bill stalls” By Marguerite Reardon — CNET. As Democrats in Congress wrestle over President Joe Biden's multitrillion-dollar package targeting everything from roads to child care, hanging in the balance is a small but critical sliver of the infrastructure bill seen as a possible salve to our digital divide problem. For more than two weeks, Democrats have been at an impasse over two bills at the center of Biden's domestic agenda, leaving in limbo the fate of the $1.2 trillion bipartisan infrastructure bill that the Senate passed in August. This legislation provides long-overdue funding to upgrade traditional infrastructure, such as roads, bridges and electrical grids. But also included in the bill is a proposal for $65 billion in federal funding for broadband investment.
§ “Amazon Delivery Partners Rage Against the Machines: ‘We Were Treated Like Robots’” By Spencer Soper — Bloomberg. Three years ago, Amazon.com Inc. issued an invitation that seemed too good to pass up: Start your own company and earn as much as $300,000 a year delivering packages for the world’s largest online retailer. The offer had strong appeal for would-be entrepreneurs. With an upfront investment of as little as $10,000, these new “delivery service partners” could have a fleet on the road in weeks. Amazon pledged to use its negotiating power to help the fledgling companies get better deals on vehicle insurance, classified ads and leases for its signature blue vans. Tens of thousands of people applied, eager to draft off of Amazon’s seemingly unstoppable growth. Today some 2,500 of these small businesses—captained by military vets, construction contractors, retired college professors—employ more than 150,000 drivers in the U.S. and around the world.
Coming Events
§ 26 October
  o The Federal Communications Commission (FCC) will hold an open meeting with this agenda:
    § National Security Matter. The Commission will consider a national security matter.
    § Updating Digital Television Table of Allotments. The Commission will consider an Order that will update the digital television Table of Allotments, and delete or revise rules rendered obsolete by the broadcast incentive auction and the digital television transition. (GN Docket No. 12-268)
    § Selecting Third Round of Applicants for Connected Care Pilot Program. The Commission will consider a Public Notice announcing the third round of selections for the Commission’s Connected Care Pilot Program to provide Universal Service Fund support for health care providers making connected care services available directly to patients. (WC Docket No. 18-213)
    § Disaster Communications Field Hearing. The Commission will conduct a virtual field hearing on communications recovery and resiliency during disasters. The Commission will hear testimony about communications issues during and following Hurricane Ida and other recent disasters.
  o The United Kingdom’s House of Commons’ Digital, Culture, Media and Sport Sub-committee on Online Harms and Disinformation will hold a hearing regarding its inquiry “Online safety and online harms.”
  o The House Agriculture Committee’s Livestock and Foreign Agriculture and Biotechnology, Horticulture, and Research Subcommittees will hold a joint hearing titled “Agricultural Biotechnology: 21st Century Advancements and Applications.”
  o The House Financial Services Committee’s Investor Protection, Entrepreneurship, and Capital Markets Subcommittee will hold a hearing titled “Taking Stock of ‘China, Inc.’: Examining Risks to Investors and the U.S. Posed by Foreign Issuers in U.S. Markets.”
  o The House Homeland Security Committee will mark up a number of bills, including:
    § The “National Cybersecurity Preparedness Consortium Act of 2021” (S. 658)
    § The “DHS Office of Civil Rights and Civil Liberties Authorization Act” (H.R. 4349)
    § The “DHS Roles and Responsibilities in Cyber Space Act” (H.R. 5658)
  o The Senate Commerce, Science, and Transportation Committee’s Consumer Protection, Product Safety, and Data Security Subcommittee will hold a hearing titled “Protecting Kids Online: Snapchat, TikTok, and YouTube.”
  o The House Veterans’ Affairs Committee’s Technology Modernization Subcommittee will hold a hearing titled “Next Steps: Examining Plans for the Continuation of the Department of Veterans Affairs Electronic Health Record Modernization Program.”
  o The House Homeland Security Committee’s Cybersecurity, Infrastructure Protection, and Innovation Subcommittee will hold a hearing titled “Transportation Cybersecurity: Protecting Planes, Trains, and Pipelines from Cyber Threats.”
§ 27 October
  o The United States (U.S.) Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) will hold the fourth of four events for the 4th Annual National Cybersecurity Summit: The Power of Partnership.
  o The House Select Committee on the Modernization of Congress will hold a hearing titled “Strengthening the Lawmaking Process: How Data Can Inform and Improve Policy.”
  o The Senate Homeland Security and Governmental Affairs Committee’s Government Operations and Border Management Subcommittee will hold a hearing titled “Strategies for Improving Critical Energy Infrastructure.”
§ 28 October
  o The Senate Homeland Security and Governmental Affairs Committee will hold a hearing titled “Social Media Platforms and the Amplification of Domestic Extremism & Other Harmful Content.”
§ 2 November
  o The United Kingdom’s House of Lords’ Communications and Digital Committee will hold a “Formal meeting (oral evidence session): Digital regulation.”
§ 16 November
  o The Senate Judiciary Committee will hold a hearing titled “Oversight of the Department of Homeland Security.”