The UK’s Telecommunications (Security) Bill Advances to the House of Commons
European Parliament calls on EC to keep court rulings in mind when crafting an EU-U.S. data transfer agreement; GAO details the state of DOD's efforts on GPS alternatives.
The British Parliament has advanced its bill to secure its current and future telecommunications networks.
The Johnson government is trying to get legislation through Parliament to secure the country’s 5G networks.
Cocktail Party
After a long lead up over the last few years, London is moving on telecommunications legislation that would limit and even remove “high risk vendors,” a term of art to describe questionable equipment, hardware, and software. In reality, this legislation aims to limit the use of Huawei and ZTE gear on British networks, especially its 5G networks.
Meeting
The “Telecommunications (Security) Bill” would rewrite Sections 105A to 105D of the Communications Act 2003. British telecommunications providers would need to meet new duties to implement security measures, take measures to respond to security compromises, and inform users of risks of security compromise. Failure to meet these new duties would open such providers to the Office of Communications’ increased enforcement powers and to civil liability. The Department for Digital, Culture, Media and Sport would also receive powers to enforce the new regime.
Geek Out
The United Kingdom’s (UK) bill advances in the House of Commons to drive better security in its telecommunications sector, especially for its 5G rollout. Concern about the People’s Republic of China’s (PRC) growing role in 5G has been driving this bill, and members of the ruling party have pushed Prime Minister Boris Johnson’s government to take more stringent action than it initially proposed. Action from the previous government in Washington also pushed London to take more drastic steps than it initially intended. The British government and its regulators crafted a phrase they apparently hope will incur less of the PRC’s wrath: “high-risk vendors.” Thus, the UK is looking to mitigate and lessen the impact and presence of such high-risk vendors on British telecommunications networks, almost all of which have been built and are maintained by private companies.
In late 2020, the Department for Digital, Culture, Media and Sport (DCMS) explained:
The Telecommunications (Security) Bill takes forward the government’s commitments within the Telecoms Supply Chain Review Report to establish an enhanced legislative framework for telecoms security, and to provide the government with the powers to take action on the use of high risk vendors on national security grounds.
DCMS released the first version of the “Telecommunications (Security) Bill” at the same time, along with a number of factsheets explaining the legislation. In an overview factsheet, the government asserted that the rationale for the legislation is:
Currently there is a lack of incentives for telecoms providers to apply security best practices where there are no clear commercial incentives for investment. Providers face tensions between commercial priorities and security concerns, particularly when these impact on investment decisions. As wider UK Critical National Infrastructure becomes more dependent on the UK’s telecoms networks with the roll-out of full-fibre and 5G, it is vital that security concerns are properly accounted for and addressed.
Note the lack of reference to the companies and nations that will supply the UK’s telecommunications providers the equipment, hardware, and software.
However, in debate in the House of Commons, the government made clear the PRC is indeed one of the nations driving this legislation. Secretary of State for Digital, Culture, Media, and Sport Oliver Dowden stated:
§ This Bill acts on the recommendations of the United Kingdom telecoms supply chain review, which in turn was informed by the expert technical advice at the National Cyber Security Centre in GCHQ. First, it establishes a tough new security framework for all the UK’s public telecoms providers. This will be overseen by the Office of Communications (OFCOM or Ofcom) and the Government, and they will have a legal duty to design and manage their networks securely. Rigorous new security requirements will be set out in secondary legislation, and codes of practice will set technical guidance on how providers should meet the law, and where providers are found wanting, Ofcom will have the power to impose steep fines. For example, under the current regime fines for failing to protect security are limited to just £2 million or £20,000 per day, while under the new regime they will rise significantly, to up to 10% of turnover or £100,000 per day. Under the current regime Ofcom has limited monitoring and enforcement powers. Under the new regime it will have the power to enter premises of telecoms providers, to interview staff and to require technical systems tests.
§ If we pass this Bill, few other countries in the world will have a tougher enforcement regime, and the point of this Bill is not just to tackle one high-risk vendor; it raises the security bar across the board and protects us against a whole range of threats. According to the NCSC, the past two years have seen malicious cyber-activity from Russia and China as well as North Korea and Iranian actors. While I know that telecoms providers are working hard to protect our networks against this hostile activity, the Government have lacked the power to ensure they do so. This Bill puts a robust security framework in place, guaranteeing the protection of our networks.
This month, the “Telecommunications (Security) Bill” advanced from committee to the floor of the House of Commons, giving Members of Parliament a chance to debate and amend the bill. The legislation would amend the sections of “The Communications Act 2003” that gave OFCOM the power to regulate and enforce the requirement that “public telecommunications providers...take measures to protect the security and resilience of their networks and services.”
In the Explanatory Notes, the Parliament provided an overview of the bill:
§ The Telecommunications (Security) Bill (“the Bill”) takes forward the Government’s commitment in the UK Telecoms Supply Chain Review Report to introduce a new security framework for the UK telecoms sector to ensure that public telecommunications providers operate secure and resilient networks and services and manage their supply chains appropriately.
§ The Bill amends the Communications Act 2003 by establishing a new telecommunications security framework, including new security duties on public telecommunications providers and new powers for the Secretary of State to make regulations and issue codes of practice. It includes provisions strengthening Ofcom’s regulatory powers, allowing them to enforce the new framework.
§ The Bill also introduces new national security powers for the Government to impose, monitor and enforce controls on public communications providers’ use of designated vendors’ goods, services and facilities within UK telecommunications networks.
It was further explained:
§ As outlined in the Future Telecoms Infrastructure Review (FTIR), the widespread deployment of 5G and full fibre networks is a primary Government objective. These networks will help to drive future economic growth, enabling a wide range of new products and services that require faster speeds and more processing power. 5G has the potential to connect a vast network of people, objects and communication systems, including those within critical sectors.
§ The development of 5G and full fibre networks also creates new security challenges. The speed, scale and processing power of the UK’s future digital infrastructure will create new economic and social opportunities for greater connectivity, including across the UK Critical National Infrastructure (CNI) sectors that are likely to have a greater dependence on 5G infrastructure compared to that of legacy arrangements (2G/3G/4G). The technical characteristics of 5G networks increase their risk profile compared to previous generations of networks. 5G networks will run at much faster data speeds and will be based on software running on commodity hardware, rather than proprietary hardware. Over time, to achieve the full potential of 5G, some of the ‘core’ functions will move closer to the ‘edge’ of the network. As this happens, it will be necessary to ensure security arrangements are able to protect both the edge and core of the network.
§ The security of telecoms infrastructure needs to be considered within an international context. Certain state, state-sponsored and other actors have the intent and capability to carry out espionage, sabotage and destructive or disruptive cyber-attacks, including through access to the telecoms supply chain. Since 2017, the UK Government has, based on National Cyber Security Centre (NCSC) assessments, attributed a range of malicious cyber activity to Russia and China, as well as North Korean and Iranian actors.
British telecommunications providers would need to undertake a new duty “to take security measures.” These entities “must take such measures as are appropriate and proportionate for the purposes of—
§ identifying the risks of security compromises occurring;
§ reducing the risks of security compromises occurring; and
§ preparing for the occurrence of security compromises.”
DCMS would get discretionary authority to issue regulations directing British telecommunications providers to “take specified measures or measures of a specified description.”
UK telecommunications companies would also have a new duty “to take measures in response to security compromises.” Specifically, such companies “must take such measures as are appropriate and proportionate for the purpose of preventing adverse effects (on the network or service or otherwise) arising from the security compromise.” Additionally, “[i]f the security compromise has an adverse effect on the network or service, the provider of the network or service must take such measures as are appropriate and proportionate for the purpose of remedying or mitigating that adverse effect.”
DCMS would also be given the authority to issue regulations “that, where a security compromise of a specified description occurs in relation to a public electronic communications network or a public electronic communications service, the provider of the network or service must take specified measures or measures of a specified description.”
DCMS may also issue codes of practice for the aforementioned duties that could help shield telecommunications companies from liability in the event they are sued. Courts must take into account adherence to the DCMS codes of practice, but not following a code of practice is not automatically considered evidence that a company failed to meet its statutory duties. OFCOM must also take into account compliance with a code when considering enforcement actions. But if OFCOM has reason to suspect a telecommunications provider has failed to meet a code of practice, it may direct the company to explain its failure.
In the event “where there is a significant risk of a security compromise,” British telcos “must take such steps as are reasonable and proportionate for the purpose of bringing the relevant information, expressed in clear and plain language, to the attention of persons who use the network or service and may be adversely affected by the security compromise.” OFCOM must also be informed. If there is a “serious threat” to the safety of the public, to public health, or to national security, or on other grounds, OFCOM must inform DCMS. If there is a lesser level of risk, OFCOM may, but need not, inform DCMS as well as others, including the regulators of other nations, other companies, and users of the possibly compromised telecommunications network.
OFCOM is given the statutory duty to ensure telecommunications providers comply with the new security measures. OFCOM may assess how these entities are meeting their new duties, which includes requiring them to perform a range of actions to demonstrate compliance. Additionally, OFCOM would have powers to direct companies to comply with a duty if urgency requires. Any telecommunications provider that receives such an order may challenge it in court.
In terms of other powers, OFCOM’s power to levy fines would be increased in some instances to £50,000-100,000 per day or a total of £10 million. OFCOM would be able to require covered entities to take “interim steps” if it has reasonable grounds to believe
§ a security compromise has occurred as a result of the contravention;
§ there is an imminent risk of a security compromise or (as the case may be) a further security compromise occurring as a result of the contravention;
Additionally, DCMS would be empowered to issue “designated vendor directions” if the DCMS Secretary of State determines that national security requires such an order and that the direction is proportionate to its goal. DCMS could then order OFCOM to monitor the telecommunications provider’s compliance with the directions. DCMS may also enforce the direction if the provider fails to heed the order; the government could levy a fine of £50,000-100,000 per day with a maximum of 10% of worldwide turnover.
DCMS may also issue urgent enforcement directions if the DCMS Minister determines that
§ there are reasonable grounds for believing that the person is contravening, or has contravened—
o a requirement imposed by a designated vendor direction; or
o a requirement not to disclose imposed under section 105Z25;
§ there are reasonable grounds for suspecting that the case is an urgent case; and
§ the urgency of the case makes it appropriate for the Secretary of State to take action under this section.
This section provides that “[a] case is an urgent case for the purposes of this section if the contravention has resulted in, or creates an immediate risk of—
§ a serious threat to national security; or
§ significant harm to the security of a public electronic communications network, a public electronic communications service or a facility that is an associated facility by reference to such a network or service.”
Last year, the UK’s National Cyber Security Centre (NCSC), which is housed within the Government Communications Headquarters (GCHQ), issued a summary of its security analysis of the U.K.’s telecommunications sector. This document “summarises the NCSC’s technical recommendations for improving the security of the UK’s telecoms sector, alongside a description of our technical security analysis that we used to derive these recommendations.” In a blog posting, NCSC Technical Director Dr. Ian Levy explained that “[d]ue to security and market sensitivities, it’s not possible to publish the full analysis and response, but we do want to explain the work behind our cyber security advice to ministers.”
NCSC has long been grappling with the security issues posed by Huawei. During his February 2019 CyberSec speech in Brussels, then NCSC CEO Ciaran Martin spoke on the rollout of 5G and continued cooperation with European partners aside and apart from Brexit. Regarding Huawei, Martin stated that “Huawei’s presence is subject to detailed, formal oversight, led by the NCSC.” He said that “[b]ecause of our 15 years of dealings with the company and ten years of a formally agreed mitigation strategy which involves detailed provision of information, we have a wealth of understanding of the company.” Martin explained that “[w]e also have strict controls for how Huawei is deployed…[i]t is not in any sensitive networks – including those of the government…[and] [i]ts kit is part of a balanced supply chain with other suppliers.”
In 2019, Huawei responded to a British Parliament committee and explained that it would spend $2 billion over five years in large part to remediate the shortcomings turned up by a British government oversight board. Huawei stated that this funding will “help ensure that our products are better prepared for a more complex security environment both now and in the future.” In January 2019, the Chair of the House of Commons Science and Technology Committee wrote Huawei with his concerns about the United Kingdom’s communications infrastructure in light of three Five Eyes nations’ actions to reduce the roles of Chinese firms in their systems and China’s recently enacted National Intelligence Law. In its annual report in July 2018, the Huawei Cyber Security Evaluation Centre (HCSEC) Oversight Board found that “[d]ue to areas of concern exposed through the proper functioning of the mitigation strategy and associated oversight mechanisms, the Oversight Board can provide only limited assurance that all risks to UK national security from Huawei’s involvement in the UK’s critical networks have been sufficiently mitigated.”
In April, HCSEC released its fifth annual report and found that Huawei had failed to address the issues turned up in the 2018 report, in which the Board could “provide only limited assurance that all risks to UK national security from Huawei’s involvement in the UK’s critical networks have been sufficiently mitigated.” In this year’s report, the Board stated that “[n]o material progress has been made on the issues raised in the previous 2018 report.”
In mid-2020, the UK cited two policy changes in the United States (U.S.) as the reason to further minimize its use of Huawei equipment and systems. It was announced that the GCHQ’s NCSC would conduct a new security review of Huawei in light of the tightened restrictions announced in Washington that will likely cut off the flow of U.S. semiconductors to Huawei. A spokesperson for the British government stated “[f]ollowing the U.S. announcement of additional sanctions against Huawei, the NCSC is looking carefully at any impact they could have to the UK’s networks.”
In concert with this announcement, a number of Conservative Members of Parliament announced their intention to oppose Prime Minister Boris Johnson’s plan to push legislation through Parliament limiting Huawei equipment and systems to 35%. The Conservative MPs are of the mind, reportedly, that risk cannot be minimized if there is any Huawei equipment on the UK’s 5G or telecommunications networks. There appeared to be a sufficient number of MPs to block Johnson’s plan, and so his government changed tack and is looking to phase out current Huawei 3G and 4G equipment by the end of 2023, which would cost more than £7-8 billion. In March 2020, Johnson came within 13 votes of losing on an amendment to a telecommunications bill that would have barred Huawei equipment.
Moreover, it has been reported that a number of Conservatives are angry with Beijing for passing a new security law for Hong Kong, a former British colony, which has pushed UK-PRC relations lower than they were in January when Johnson announced his plan.
DCMS Secretary Oliver Dowden made a “statement on telecoms” in the House of Commons, explaining the government’s change in plans regarding Huawei in particular. Dowden stated:
In January, we set out to this House our conclusions on how we would define and restrict high risk vendors, keeping them outside the network’s core and away from critical infrastructure and sites.
We have been clear-eyed from the start that the Chinese-owned vendors Huawei and ZTE were deemed to be high risk.
And we made clear that the National Cyber Security Centre (NCSC) would review and update its advice as necessary.
He declared that “[s]ince January the situation has changed.” He added that “[o]n the 15th of May the US Department of Commerce announced that new sanctions had been imposed against Huawei through changes to the foreign direct product rules...a significant, material change - and one that we have to take into consideration.”
Dowden claimed:
This morning, the Prime Minister chaired a meeting of the National Security Council. Attendees at that meeting took full account of the NCSC’s advice, together with the implications for UK industry and wider geostrategic considerations.
The government agrees with the NCSC’s advice: the best way to secure our networks is for operators to stop using new affected Huawei equipment to build the UK’s future 5G networks.
So to be clear, from the end of this year, telecoms operators must not buy any 5G equipment from Huawei. And once the Telecoms Security Bill is passed it will be illegal for them to do so.
In a blog post and a summary, the NCSC explained in much more detail its analysis of the risks of using Huawei’s equipment, which derive mostly from the implications of US action and less from inherent risks.
NCSC Technical Director Dr Ian Levy explained “[i]n May, the US changed a subtle and detailed export control rule called the ‘Foreign-Produced Direct Product Rule’ (FDPR).” He added that “[t]he amended rule says that no-one, anywhere in the world, can send Huawei-designed chips to Huawei if US technology was used in the design tools or manufacture processes...[and] [t]his doesn’t just mean that Huawei can’t use design tools that contain US technology...[i]t also means:
no-one else can take a Huawei design and turn it into chip manufacture instructions (usually something called a GDS2) using tools that contain US technology
even if you’ve already got the GDS2 for a Huawei chip, you can’t actually turn it into a chip if your foundry process uses US technology (and for modern process nodes, US technology is pretty pervasive) or if the GDS2 was produced using US technology
Levy stated:
The FDPR change wasn’t in effect in January. It is now, and that’s a material change to the facts on the ground that has led us to revisit our analysis. The NCSC now believes that there are only three things that can happen to help Huawei in response to this action. In our recent consultations with them, Huawei haven’t disagreed with this analysis. Those options are:
1. Someone breaks US law and continues to manufacture. This is pretty unlikely. Huawei have always publicly said that they’ll follow applicable law, but the impact on any design house or foundry that went this way would be huge. Also - given there’d be a reasonable expectation that the chips broke US law - any organisation buying the equipment would be taking a significant risk.
2. Huawei switch chips in equipment designs to ones that aren’t Huawei-designed, but perform the same sort of function. This is a big task. Assuming you can find someone to design a chip that’s near enough to the original, the integration into the wider product is a very complex job. This can’t be a direct replacement for a Huawei-designed chip, because then at least some of the design will be Huawei’s, and so likely caught by the rule. This is a really complex engineering task. And given Huawei’s continued lack of security or engineering quality as described in the Oversight Board reports, this is highly likely to introduce security and reliability problems into the equipment for the next few years at least.
3. Someone makes new design tools and manufacturing processes for chips that don’t use any US technology and so can provide Huawei what they need. Good luck doing that quickly. You need to invent some new ways of doing really complex things (extreme UV lithography, multi-patterning etc.) while being bound by the laws of physics. The precise mechanisms the foundry uses to make these tiny transistors dictate the design rules your EDA tools have to enforce. As a cartoon example, if the foundry process produces some fuzziness around the edges of transistors, your design tool will need to leave more space between them, or the performance of the chip could be affected. The performance and capability of your EDA tools dictate what the foundry can build reliably. If your EDA tools can't do lots of Maxwell's equation solving, you'll need to route wires differently round the chip and simplify your design. You don’t need to understand how a FinFET works or what a hi-K dielectric is to know that’s a ton of work that’s likely to fail a few times.
Levy explained “[t]oday, we are publishing guidance, supported by government, as to what this all means for the future telecoms network builds and to help operators understand the impacts of this decision...[and] [t]he guidance says that:
existing Huawei equipment in the UK can continue to be used, subject to the HRV policy and our mitigation strategy
operators need to procure enough spares to maintain the equipment for the expected lifetime
operators should seek to cease procuring and deploying Huawei 5G access equipment, all transport equipment, and other miscellany to manage the long-term risks of the newly designed products (practically, procurements are likely to cease by the end of 2020)
operators should seek to cease procuring and deploying Huawei FTTP (Fibre to the Premises) access equipment. It may take a bit longer for rollouts to cease in this case, so the Department for Digital, Culture, Media & Sport (DCMS) are going to work with industry to establish a manageable timeframe
In mid-May 2020, the U.S. Department of Commerce’s Bureau of Industry and Security (BIS) “announced plans to protect U.S. national security by restricting Huawei’s ability to use U.S. technology and software to design and manufacture its semiconductors abroad” per the agency’s press release. BIS released an interim final rule that takes effect as of 15 May, but the agency is accepting comments through 14 July, meaning there will be a final rule issued at some point in the future once the comments have been analyzed and addressed. Nevertheless, Commerce claimed the BIS interim final rule “cuts off Huawei’s efforts to undermine U.S. export controls.”
Commerce stated:
BIS is amending its longstanding foreign-produced direct product rule and the Entity List to narrowly and strategically target Huawei’s acquisition of semiconductors that are the direct product of certain U.S. software and technology.
Since 2019 when BIS added Huawei Technologies and 114 of its overseas-related affiliates to the Entity List, companies wishing to export U.S. items were required to obtain a license.[1] However, Huawei has continued to use U.S. software and technology to design semiconductors, undermining the national security and foreign policy purposes of the Entity List by commissioning their production in overseas foundries using U.S. equipment.
Specifically, this targeted rule change will make the following foreign-produced items subject to the Export Administration Regulations (EAR):
(i) Items, such as semiconductor designs, when produced by Huawei and its affiliates on the Entity List (e.g., HiSilicon), that are the direct product of certain U.S. Commerce Control List (CCL) software and technology; and
(ii) Items, such as chipsets, when produced from the design specifications of Huawei or an affiliate on the Entity List (e.g., HiSilicon), that are the direct product of certain CCL semiconductor manufacturing equipment located outside the United States. Such foreign-produced items will only require a license when there is knowledge that they are destined for reexport, export from abroad, or transfer (in-country) to Huawei or any of its affiliates on the Entity List.
Commerce added that “[t]o prevent immediate adverse economic impacts on foreign foundries utilizing U.S. semiconductor manufacturing equipment that have initiated any production step for items based on Huawei design specifications as of May 15, 2020, such foreign-produced items are not subject to these new licensing requirements so long as they are reexported, exported from abroad, or transferred (in-country) by 120 days from the effective date.”
The PRC’s Commerce Ministry posted a statement, arguing “[t]he U.S. uses state power, under the so-called excuse of national security, and abuses export control measures to continuously oppress and contain specific enterprises of other countries.” The Ministry vowed the PRC will “take all necessary measures to resolutely safeguard the legitimate rights and interests of Chinese enterprises.”
Other Developments
§ In a resolution adopted by an overwhelming vote, the European Parliament urged the European Commission (EC) to craft “clear” transfer guidelines under the next adequacy decision allowing for the transfer of personal data to the United States (U.S.). In its press release, the Parliament asserted:
o In a resolution adopted with 541 in favour, 1 against and 151 abstaining, the European Parliament urges the Commission to issue guidelines on making data transfers compliant with recent EU Court of Justice rulings. The court considered US data transfers to be inconsistent with the General Data Protection Regulation (GDPR), notably because US authorities may access personal data in bulk.
o MEPs stress the Commission should not conclude new adequacy decisions with third countries without taking into account the implications of EU court rulings and ensuring full GDPR compliance. Data storage capabilities must be developed within Europe, MEPs point out, to achieve true autonomy in data management.
o MEPs welcome the EDPB’s guidelines (e.g. its recommendations for data transfers and a Joint Opinion with the European Data Protection Supervisor on the issue) for safeguards related to third country data transfers and call on the Commission to fully integrate these in its proposals, alongside relevant EU court judgments. In the end, businesses and individuals should have at their disposal a toolbox of measures to bring protection up to the level required by the GDPR.
§ The United States (U.S.) Department of Defense (DOD) published a memorandum “Creating Data Advantage.” The DOD declared “[d]ata is a strategic asset” and stated “[t]ransforming the DOD to a datacentric organization is critical to improving performance and creating decision advantage at all echelons from the battlespace to the board room, ensuring U.S. competitive advantage.” The DOD stated “[t]o accelerate the Department's efforts, leaders must ensure all DOD data is visible, accessible, understandable, linked, trustworthy, interoperable, and secure.” The DOD said “[t]o generate the transformative proficiency and efficiency gains across the DOD Data Strategy's focus areas of Joint All Domain Operations, Senior Leader Decision Support, and Executive Analytics, the Department will apply the following five 'DOD Data Decrees':
o 1. Maximize data sharing and rights for data use: all DOD data is an enterprise resource.
o 2. Publish data assets in the DOD federated data catalog along with common interface specifications.
o 3. Use automated data interfaces that are externally accessible and machine-readable; ensure interfaces use industry-standard, non-proprietary, preferably open-source, technologies, protocols, and payloads.
o 4. Store data in a manner that is platform and environment-agnostic, uncoupled from hardware or software dependencies.
o 5. Implement industry best practices for secure authentication, access management, encryption, monitoring, and protection of data at rest, in transit, and in use.
§ The General Services Administration (GSA) “is asking for industry feedback through the release of a Request for Information (RFI)...[that] will detail GSA’s acquisition strategy to deliver a multiple-award blanket purchase agreement (BPA) for commercial Software-As-A-Service (SaaS), Platform-As-A-Service (PaaS), and Infrastructure-As-A-Service (IaaS) on a pay-as-you-go basis.” GSA stated “[a]nything-As-A-Service (XaaS) offerings may be considered, as new innovations are developed in future procurement offerings.” GSA also made available a draft Market Research Cloud Strategy and a Market Research Notice.
§ The Government Accountability Office (GAO) published a report the Senate Armed Services Committee requested titled “Defense Navigation Capabilities: DOD is Developing Positioning, Navigation, and Timing Technologies to Complement GPS.” The GAO stated:
o The Department of Defense (DOD) plans to keep the Global Positioning System (GPS) at the core of its positioning, navigation, and timing (PNT) solution, using other PNT technology to complement GPS or as an alternative for when GPS is degraded or unavailable. DOD’s alternative PNT science and technology portfolio explores two approaches: improved sensors to provide relative PNT information, and external sources to provide absolute positioning and navigation. Relative PNT technologies include inertial sensors and clocks to allow a platform to track its position and keep track of time without an external signal like GPS. However, relative PNT technologies require another PNT technology to correct errors that can accumulate with such systems. Absolute PNT technologies allow a platform to use external sources of information to determine its position but rely on the availability of those external sources. Absolute PNT technologies include celestial and magnetic navigation as well as the use of very low radiofrequencies or low Earth orbit satellites to transmit information.
o The GAO offered the following suggestions:
§ Increase Collaboration. Policymakers could consider mechanisms to coordinate across DOD to clarify responsibilities and authorities in prioritizing the need for alternative PNT technologies.
§ Focus on Resiliency. Policymakers could consider selecting the most resilient technologies as the cornerstone of the PNT suite for military missions, rather than defaulting to GPS.
§ Clarify Requirements. Policymakers could consider opportunities for DOD to clarify what level of PNT performance is actually needed for missions, rather than defaulting to requirements that match GPS performance.
§ Coordinate with Industry. Policymakers could consider ensuring that DOD and commercial industry coordinate so industry is prepared to meet DOD’s needs, and DOD can leverage industry advances.
§ Institutionalize Open Architecture. Policymakers could consider making the open architecture initiative more permanent, including providing funding.
§ Analyze Vulnerabilities. Policymakers could consider having DOD conduct ongoing analysis of vulnerabilities of different PNT systems.
§ Representative Lori Trahan (D-MA), Senator Ed Markey (D-MA), Representative Kathy Castor (D-FL), and Senator Richard Blumenthal (D-CT) issued a statement “calling on Facebook to abandon its plans to develop a version of Instagram for children after the company failed to make meaningful commitments to protecting kids online in a recent response to the lawmakers’ query.” They stated:
o Facebook has a clear record of failing to protect children on its platforms. In its response to our recent letter, the company refused to make meaningful commitments about how it will ensure that its proposed Instagram Kids app does not harm young users’ mental health and threaten their privacy. When it comes to putting people before profits, Facebook has forfeited the benefit of the doubt, and we strongly urge Facebook to abandon its plans to launch a version of Instagram for kids.
§ The National Institute of Standards and Technology (NIST) posted a solicitation for a contractor “to collect, assess, compile, and make recommendations on information that will be received in response to a Federal Register Request for Information (RFI).” NIST explained that “[t]he RFI will seek information on the policies of the People’s Republic of China and coordination among industrial entities within the People’s Republic of China on international bodies engaged in developing and setting international standards for emerging technologies.” NIST added “[a] firm fixed price purchase order with a one year period of performance is anticipated for the Contractor to perform a qualitative review of information, compile the information into a comprehensive report and incorporate derived conclusions and recommendations regarding the following:
o The role of the People’s Republic of China in international standards setting organizations over the previous 10 years, including leadership roles in standards drafting technical committees, and the quality or value of that participation;
o The effect of the standardization strategy of the People’s Republic of China, as identified in the “Chinese Standard 2035”, on international bodies engaged in developing and setting standards for select emerging technologies, such as advanced communication technologies or cloud computing and cloud services;
o An examination of whether international standards for select emerging technologies are being designed to promote interests of the People’s Republic of China that are expressed in the “Made in China 2025” plan to the exclusion of other participants;
o An examination of how the previous practices that the People’s Republic of China has used, while participating in international standards setting organizations, may foretell how the People’s Republic of China is likely to engage in international standardization activities of critical technologies like artificial intelligence and quantum information science, and what may be the consequences; and/or
o Recommendations on how the United States can take steps to mitigate the influence of the People’s Republic of China and bolster United States public and private sector participation in international standards-setting bodies.
§ Verizon released its 2021 Data Breach Investigations Report (DBIR) and explained:
o This year we analyzed 79,635 incidents, of which 29,207 met our quality standards and 5,258 were confirmed data breaches, sampled from 88 countries around the world. Once again, we include breakouts for 11 of the main industries, the SMB section, and we revisit the various geographic regions studied in the prior report to see how they fared over the last year. We also include our Center for Internet Security (CIS) Controls® recommendation mapping, because the world being unpredictable and uncertain doesn’t mean your security strategy has to be.
§ The Federal Trade Commission (FTC) explained that “[r]eports to the FTC’s Consumer Sentinel suggest scammers are cashing in on the buzz around cryptocurrency and luring people into bogus investment opportunities in record numbers.” The FTC stated:
o Since October 2020, reports have skyrocketed, with nearly 7,000 people reporting losses of more than $80 million on these scams. Their reported median loss? $1,900. Compared to the same period a year earlier, that’s about twelve times the number of reports and nearly 1,000% more in reported losses.
§ The United States (U.S.) Department of Defense (DOD) extended the duration of its directive-type memorandum “Interim Policy and Guidance for Defense Support to Cyber Incident Response.” The DOD explained the document “[p]rovides supplementary policy guidance, assigns responsibilities, and details procedures for providing Defense Support to Cyber Incident Response (DSCIR).”
§ The Microsoft Security Response Center announced:
o Microsoft’s Section 52, the Azure Defender for IoT security research group, recently uncovered a series of critical memory allocation vulnerabilities in IoT and OT devices that adversaries could exploit to bypass security controls in order to execute malicious code or cause a system crash.
o These remote code execution (RCE) vulnerabilities cover more than 25 CVEs and potentially affect a wide range of domains, from consumer and medical IoT to Industrial IoT, Operational Technology (OT), and industrial control systems.
o The vulnerabilities exist in standard memory allocation functions spanning widely used real-time operating systems (RTOS), embedded software development kits (SDKs), and C standard library (libc) implementations. These findings have been shared with vendors through responsible disclosure led by the Microsoft Security Response Center (MSRC) and the Department of Homeland Security (DHS), enabling these vendors to investigate and patch the vulnerabilities.
o For a full list of affected products and CVEs, please visit the DHS website: ICSA-21-119-04 Multiple RTOS.
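The announcement above describes flaws in standard memory allocation functions without showing the defect class. As an added illustration (not code from Microsoft, DHS, or any affected vendor), the following C shows the classic way an allocator's size arithmetic goes wrong on a 32-bit embedded target and the checks a hardened allocator applies. It assumes a 32-bit `size_t` (modelled here as `emb_size_t`) and that the allocation-size wrap-around is the mechanism being illustrated; the names `checked_alloc_size`, `checked_round_up` and `safe_array_alloc` are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Assumption: embedded RTOS/libc builds commonly use a 32-bit size_t.
   Modelled explicitly so the behaviour is the same on a 64-bit host. */
typedef uint32_t emb_size_t;

/* The weak pattern: element count times element size, computed with no
   overflow check. On a 32-bit size type the product wraps silently, so a
   huge request can turn into a tiny block and later writes run past it. */
emb_size_t naive_alloc_size(emb_size_t n, emb_size_t elem) {
    return n * elem; /* e.g. n = 0x40000001, elem = 4 wraps to 4 */
}

/* Hardened multiply: refuse any product that does not fit the size type. */
bool checked_alloc_size(emb_size_t n, emb_size_t elem, emb_size_t *out) {
    if (n != 0 && elem > UINT32_MAX / n) {
        return false; /* would wrap */
    }
    *out = n * elem;
    return true;
}

/* Allocators also round requests up to an alignment boundary. Adding
   (align - 1) to a request near UINT32_MAX wraps too, so that step needs
   the same treatment. align must be a power of two. */
bool checked_round_up(emb_size_t size, emb_size_t align, emb_size_t *out) {
    if (size > UINT32_MAX - (align - 1)) {
        return false; /* size + align - 1 would wrap */
    }
    *out = (size + (align - 1)) & ~(align - 1);
    return true;
}

/* Array allocation that rejects wrapped sizes instead of handing back an
   undersized block. Returns NULL on overflow or on allocation failure. */
void *safe_array_alloc(emb_size_t n, emb_size_t elem) {
    emb_size_t total, rounded;
    if (!checked_alloc_size(n, elem, &total)) {
        return NULL;
    }
    if (!checked_round_up(total == 0 ? 1 : total, 8, &rounded)) {
        return NULL;
    }
    return malloc(rounded);
}
```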
§ The RAND Corporation published a report titled “Detecting Conspiracy Theories on Social Media: Improving Machine Learning to Detect and Understand Online Conspiracy Theories.” RAND explained:
o Conspiracy theories circulated online via social media contribute to a shift in public discourse away from facts and analysis and can contribute to direct public harm. Social media platforms face a difficult technical and policy challenge in trying to mitigate harm from online conspiracy theory language. As part of Google's Jigsaw unit's effort to confront emerging threats and incubate new technology to help create a safer world, RAND researchers conducted a modeling effort to improve machine-learning (ML) technology for detecting conspiracy theory language. They developed a hybrid model using linguistic and rhetorical theory to boost performance. They also aimed to synthesize existing research on conspiracy theories using new insight from this improved modeling effort. This report describes the results of that effort and offers recommendations to counter the effects of conspiracy theories that are spread online.
o Key Findings
§ The hybrid ML model improved conspiracy topic detection.
§ The hybrid ML model dramatically improved on either single model's ability to detect conspiratorial language.
§ Hybrid models likely have broad application to detecting any kind of harmful speech, not just that related to conspiracy theories.
§ Some conspiracy theories, though harmful, rhetorically invoke legitimate social goods, such as health and safety.
§ Some conspiracy theories rhetorically function by creating hate-based "us versus them" social oppositions.
§ Direct contradiction or mockery is unlikely to change conspiracy theory adherence.
o Recommendations
§ Engage transparently and empathetically with conspiracists.
§ Correct conspiracy-related false news.
§ Engage with moderate members of conspiracy groups.
§ Address fears and existential threats.
Further Reading
§ “White House, Republicans remain far apart on infrastructure” By Jessica Wehrman — Roll Call. The White House on Friday lowered its original $2.2 trillion infrastructure proposal by roughly $500 billion, calling it an effort to attract bipartisan support. Republican lawmakers said the parties remain far apart.
§ “How Apple screwed Facebook” By Margaret Taylor — WIRED. It is not unusual for the bosses of Apple and Facebook to be at loggerheads with each other over privacy. Back in 2018 Facebook chief executive Mark Zuckerberg accused his Apple counterpart Tim Cook of being “extremely glib” for making scathing remarks about Facebook’s involvement in the Cambridge Analytica scandal. Weeks later Apple introduced privacy controls that hampered Facebook’s ability to collect user data via Apple devices.
§ “German Intelligence Puts Coronavirus Deniers Under Surveillance” By Christopher F. Schuetze — The New York Times. Germany’s domestic intelligence service said on Wednesday that it would surveil members of the increasingly aggressive coronavirus denier movement because they posed a risk of undermining the state.
§ “China Warns Large Tech Firms as Industry Faces Rising Oversight” By Lingling Wei and Stephanie Yang — The New York Times. China is reining in the ability of the country’s internet giants to use big data for lending, money-management and similar businesses, ending an era of rapid growth that authorities said posed dangers for the financial system.
§ “RCMP Secret Facial Recognition Tool Looked for Matches with 700,000 ‘Terrorists’” By Bryan Carney — The Tyee. RCMP units in British Columbia broke the force’s own rules when they secretly subscribed to a facial recognition service that claims to help identify terrorists, documents newly obtained by The Tyee show.
§ “Delivery Drivers Are Using Grey Market Apps to Make Their Jobs Suck Less” By Rida Qadri — Vice. The McDonald’s on Jalan Salemba Raya, Jakarta’s crowded main thoroughfare, is a magnet for food delivery orders. On any given day, a dozen or so app-based delivery drivers—locally called ojol—wait in the parking lot. Inch by inch, they try to move as close as they can to the center of the lot, desperate to have the matching algorithms recognize their proximity and assign them an order.
§ “Oracle VP Ken Glueck Suspended by Twitter for Doxing an Intercept Reporter” By Shoshana Wodinsky — Gizmodo. A tweet from Oracle Executive VP Ken Glueck goading his followers into harassing a female reporter was found to violate Twitter’s policies, the company told Gizmodo on Wednesday. Glueck, who’s previously made headlines as one of the top lobbyists under Oracle, was forced to take down the tweet and have his account suspended in a read-only mode for the next 12 hours, a Twitter spokesperson said.
§ “Progressive Lawmakers Praise Biden’s Plan for Cybersecurity Labels” By Mariam Baksh — Nextgov. Sen. Ed Markey, D-Mass, and Rep. Ted Lieu, D-Calif., were pleased to see flashes of legislation they’ve proposed—the Cyber Shield Act—in an executive order the Biden administration released to address widespread hacking campaigns that affected federal agencies and private-sector organizations.
§ “German Authorities Break Up International Child Sex Abuse Site” By Melissa Eddy — The New York Times. German prosecutors have broken up an online platform for sharing images and videos showing the sexual abuse of children, mostly boys, that had an international following of more than 400,000 members, they said on Monday. The site, named “Boystown,” had been around since at least June 2019 and included forums where members from around the globe exchanged images and videos showing children, including toddlers, being sexually abused. In addition to the forums, the site had chat rooms where members could connect with one another in various languages.
§ “Belgium’s government network goes down after massive DDoS attack” By Catalin Cimpanu — The Record. Most of the Belgium government’s IT network has been down today after a massive distributed denial of service (DDoS) attack knocked offline both internal systems and public-facing websites. The attack targeted Belnet, a government-funded ISP that provides internet connectivity for Belgian government organizations, such as its Parliament, educational institutes, ministries, and research centers.
Coming Events
§ On 25 May, the House Science, Space, and Technology Committee’s Investigations and Oversight and Research and Technology Subcommittees will hold a joint hearing titled “SolarWinds and Beyond: Improving the Cybersecurity of Software Supply Chains” with these witnesses:
o Mr. Matthew Scholl, Chief, Computer Security Division of the Information Technology Laboratory, National Institute of Standards and Technology (NIST)
o Dr. Trey Herr, Director, Cyber Statecraft Initiative, Atlantic Council
o Ms. Katie Moussouris, Founder and CEO, Luta Security
o Mr. Vijay D’Souza, Director, Information Technology and Cybersecurity, Government Accountability Office (GAO)
§ The Senate Appropriations Committee’s Commerce, Justice, Science Subcommittee will hold a hearing on the Department of Commerce’s FY 2022 budget request on 26 May.
§ On 26 May, the Senate Appropriations Committee’s Homeland Security Subcommittee will hold a hearing on the Department of Homeland Security’s FY 2022 budget request.
§ On 27 May, the House Science, Space, and Technology Committee will hold a hearing titled “Overview of the Science and Energy Research Enterprise of the U.S. Department of Energy” with Secretary of Energy Jennifer Granholm.
§ On 2-3 June, the National Institute of Standards and Technology (NIST) will hold a virtual workshop “to enhance the security of the software supply chain and to fulfill the President’s Executive Order (EO) on improving the Nation’s Cybersecurity, issued on May 12, 2021.”
§ On 17 June the Senate Appropriations Committee will hold a hearing on the Department of Defense’s FY 2022 budget request.
§ On 27 July, the Federal Trade Commission (FTC) will hold PrivacyCon 2021.