White House Meets With Tech Companies and Others; Rival Cyber Incident Notification Bill Floated
PRC passes first data protection bill; CISA and FBI warn entities to be on guard for holiday cyber attacks
The Biden Administration hosted a meeting with some of the United States’ (U.S.) biggest technology companies and others in a cybersecurity summit of sorts. The White House unveiled a number of initiatives to bolster U.S. cybersecurity, most of which were commitments made by private sector entities.
In late July, the Biden Administration announced the meeting when Press Secretary Jen Psaki remarked during a press briefing:
Also, on August 25th, the President and members of his national security team and across the administration will hold a meeting with private sector leaders to discuss how we work together to collectively improve the nation’s cybersecurity. So that is a continuation of his effort to work in close partnership with the private sector.
A “senior administration official” explained the invitees and structure of the meeting:
From tech, the companies participating will be Google, Amazon, Apple, Microsoft, IBM, and ADP. You’ll note that we particularly included ADP because of the services they provide to thousands and thousands of small- and medium-sized companies.
From financial: JPMorgan Chase, Bank of America, TIAA, and U.S. Bancorp.
From insurance: Coalition, Vantage Group, Resilience, and Travelers.
From education, a creative set: Code.org, University of Texas System, Tougaloo College, Girls Who Code, and Whatcom Community College.
So, after the meeting with the President, participants will also join smaller meetings with various members of the President’s Cabinet and national security team for a more informal discussion on concrete steps we can take to improve national cyber posture.
Those discussions will occur in three parallel breakout sessions, specifically:
§ “Critical Infrastructure Resilience,” which will be co-chaired by Secretary Mayorkas and Secretary Granholm, with participants across energy, financial, and water
§ “Building Enduring Cybersecurity,” which is chaired by Secretary Raimondo and the Small Business Administrator Guzman — participants: tech and insurance. We really see insurance as a way to drive better cybersecurity practices.
§ And then the “Cybersecurity Workforce,” chaired by the National Cyber Director. Participants are education leaders.
No word on who would represent the above entities, suggesting the meeting and breakout sessions were more substantive and less public relations oriented. Moreover, there was no information released on the breakout sessions.
In its summary of the meeting, the White House articulated the purpose behind the meeting:
The White House’s fact sheet enumerated some of the “commitments and initiatives” that emerged from the meeting (although, in all likelihood, White House staff had been negotiating these with the private sector entities for some time, as the background briefing confirmed: “this meeting is a sum-up of a lot of work in the last few weeks, working with participants to discuss initiatives.”):
· The Biden Administration announced that the National Institute of Standards and Technology (NIST) will collaborate with industry and other partners to develop a new framework to improve the security and integrity of the technology supply chain. The approach will serve as a guideline to public and private entities on how to build secure technology and assess the security of technology, including open source software. Microsoft, Google, IBM, Travelers, and Coalition committed to participating in this NIST-led initiative.
· The Biden Administration also announced the formal expansion of the Industrial Control Systems Cybersecurity Initiative to a second major sector: natural gas pipelines. The Initiative has already improved the cybersecurity of more than 150 electric utilities that serve 90 million Americans.
· Apple announced it will establish a new program to drive continuous security improvements throughout the technology supply chain. As part of that program, Apple will work with its suppliers — including more than 9,000 in the United States — to drive the mass adoption of multi-factor authentication, security training, vulnerability remediation, event logging, and incident response.
· Google announced it will invest $10 billion over the next five years to expand zero-trust programs, help secure the software supply chain, and enhance open-source security. Google also announced it will help 100,000 Americans earn industry-recognized digital skills certificates that provide the knowledge that can lead to secure high-paying, high-growth jobs.
· IBM announced it will train 150,000 people in cybersecurity skills over the next three years, and will partner with more than 20 Historically Black Colleges & Universities to establish Cybersecurity Leadership Centers to grow a more diverse cyber workforce.
· Microsoft announced it will invest $20 billion over the next 5 years to accelerate efforts to integrate cyber security by design and deliver advanced security solutions. Microsoft also announced it will immediately make available $150 million in technical services to help federal, state, and local governments with upgrading security protection, and will expand partnerships with community colleges and non-profits for cybersecurity training.
· Amazon announced it will make available to the public at no charge the security awareness training it offers its employees. Amazon also announced it will make available to all Amazon Web Services account holders at no additional cost, a multi-factor authentication device to protect against cybersecurity threats like phishing and password theft.
· Resilience, a cyber insurance provider, announced it will require policy holders to meet a threshold of cybersecurity best practice as a condition of receiving coverage.
· Coalition, a cyber insurance provider, announced it will make its cybersecurity risk assessment & continuous monitoring platform available for free to any organization.
· Code.org announced it will teach cybersecurity concepts to over 3 million students across 35,000 classrooms over 3 years, to teach a diverse population of students how to stay safe online, and to build interest in cybersecurity as a potential career.
· Girls Who Code announced it will establish a micro credentialing program for historically excluded groups in technology. The program will make scholarships and early career opportunities more accessible to underrepresented groups.
· University of Texas System announced it will expand existing and develop new short-term credentials in cyber-related fields to strengthen America’s cybersecurity workforce. A major part of this effort will be to upskill and reskill over 1 million workers across the nation by making available entry-level cyber educational programs through UT San Antonio’s Cybersecurity Manufacturing Innovation Institute. Credentials do not depend on traditional degree pathways, and should also contribute significantly to diversifying the pipeline.
· Whatcom Community College announced it has been designated the new NSF Advanced Technological Education National Cybersecurity Center, and will provide cybersecurity education and training to faculty and support program development for colleges to “fast-track” students from college to career. The nature of community colleges dispersed in every community in the nation makes them an ideal pipeline for increasing diversity and inclusion in the cybersecurity workforce.
The Administration can accomplish the first two on the list, but the others will rely on the will and follow-through of the entities making the commitments. These entities do not need to follow through, and given the delivery timelines, they may not, for the focus inside the White House will almost certainly have moved on and policymakers will be dealing with different problems and issues.
In his remarks, President Joe Biden said “my team is hosting a meeting, bringing together 30 of the nations — 30 nations to step up in their fight against ransomware.” However, neither the White House nor any major media sources have published additional information about this meeting. In the background briefing, the “senior administration official” noted “the President established the [ransomware] experts group, and we continue to meet and make progress in that forum.” It is probable that this meeting and related meetings will result in the launch of an international effort to combat ransomware, much of which would be driven through voluntary actions or actions the involved governments can persuade or require regulated entities to take.
In what is not a change from previous statements, the Biden Administration is operating from the position that the federal government’s hands are largely tied when it comes to enforcing standards on and issuing directives to the private sector. And based on current U.S. law and regulation this is largely true outside a few sectors. For example, the Transportation Security Administration does have the authority to issue directives to the pipeline industry, which is why two such orders were issued after the Colonial ransomware attack.
Of course, this begs the question as to why the Administration is not asking Congress for more authority given this gap in national security. Australia, with its center-right government, is looking to enact changes to its regulation of critical infrastructure through the “Security Legislation Amendment (Critical Infrastructure) Bill 2020,” introduced in December 2020. Thus far, the Biden Administration has largely left these sorts of policy proposals to Congress, which also seems intent on maintaining the status quo.
In the background call mentioned above, the “senior administration official” asserted:
§ I want to emphasize that tomorrow is a call to action. The federal government can’t solve this complex, growing international challenge alone, and we can’t do it overnight.
§ For those of you who know me know that we’re sincere when we say that cybersecurity is a matter of national security, the public and private sectors must meet this moment together, and the American people are counting on us.
Despite cybersecurity being a matter of national security, there have been no public calls from the White House for increased authority. In response to a direct question about working with Congress on legislation, the “senior administration official” answered:
And then we want to work with the private sector and Congress to ensure these standards are adopted across the board. In other words, “Heads up. This is what we think is reasonable as a threshold of — since you’re an owner and operator of critical infrastructure.” We’re going to work to make sure that these standards are adopted across the board because, you know, we — we, as the government, owe that to the citizens we serve.
It appears the Biden Administration is willing to work within the status quo and then point to the limits on its authority when some new cyber development occurs.
Of course, Congress has turned to addressing at least one aspect of U.S. cybersecurity. At present, most of the entities deemed critical cyber infrastructure have no responsibility to report attacks, penetrations, or incidents. And so, should a critical private sector entity be breached or compromised, in most cases it has no responsibility to alert the U.S. government. A notable exception is some Department of Defense contractors, which have a duty under DOD regulations to report some cyber incidents to the Pentagon within 72 hours.
Some in Congress want to see a similar duty for all owners and operators of critical infrastructure. To this end, Senate Intelligence Committee Chair Mark Warner (D-VA), Ranking Member Marco Rubio (R-FL), and Senator Susan Collins (R-ME) introduced the “Cyber Incident Notification Act of 2021” (S.2407), which tracks closely with the draft bill released in June (see here for more detail and analysis). In their press release, Warner, Rubio, and Collins described the bill as “bipartisan legislation requiring federal agencies, government contractors, and critical infrastructure owners and operators to report cyber intrusions within 24 hours of their discovery.” They added:
§ The legislation is in part a response to the hack of IT management firm SolarWinds, which resulted in the compromise of hundreds of federal agencies and private companies, and the May 2021 ransomware attack on the Colonial Pipeline, which halted pipeline operations temporarily and resulted in fuel shortages along the Atlantic seaboard of the United States, as well as a recent onslaught of ransomware attacks affecting thousands of public and private entities.
§ Under existing law, there is currently no federal requirement that individual companies disclose when they have been breached, which experts have noted leaves the nation vulnerable to criminal and state-sponsored hacking activity. The bipartisan Cyber Incident Notification Act of 2021 would require federal government agencies, federal contractors, and critical infrastructure operators to notify the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) when a breach is detected so that the U.S. government can mobilize to protect critical industries across the country. To incentivize this information sharing, the bill would grant limited immunity to companies that come forward to report a breach, and instruct CISA to implement data protection procedures to anonymize personally identifiable information and safeguard privacy.
Thus far, this bill has not been acted upon, and until recently the House did not have a companion bill. However, at the end of last month, Representatives Yvette Clarke (D-NY) and John Katko (R-NY) floated a discussion draft, the “Cyber Incident Reporting for Critical Infrastructure Act of 2021” that takes a slightly different approach than the Warner-Rubio-Collins bill. Clarke and Katko are key stakeholders in the House as the former chairs the Cybersecurity, Infrastructure Protection, & Innovation Subcommittee, and the latter is the ranking member for the full committee. Consequently, their bill may well be the House’s position in talks with the Senate.
The Clarke/Katko bill is less directive than the Warner-Rubio-Collins bill and would give the Department of Homeland Security and critical cyber infrastructure owners and operators much more leeway in determining when a reporting duty exists, the deadline for reporting, and what must be reported. The Clarke/Katko bill gives the U.S. government few new tools to enforce the reporting requirement and would provide legal protection to those entities that do report significant cyber incidents, no matter how reckless or negligent the entity was.
This bill would amend the section of the “Homeland Security Act of 2002” that established the Cybersecurity and Infrastructure Security Agency (CISA) and establish a new Cyber Incident Review Office. And this is even though DHS already has an entity receiving and distributing cyber information. However, there have been long-documented problems with this entity inside CISA’s National Cybersecurity and Communications Integration Center (NCCIC). In September 2020, the DHS Office of the Inspector General (OIG) issued one of its periodic evaluations of DHS’ information sharing program and found continued problems:
It must be noted CISA largely concurred in these findings.
Nevertheless, it seems a bill establishing a new parallel reporting system and a new entity inside DHS will necessarily complicate the enterprise of encouraging entities to report information. To be fair, the Clarke/Katko bill is designed to require critical cyber infrastructure entities to report significant cyber incidents, a different class of information from cyber threat indicators and defensive measures. And perhaps industry has little to no faith in NCCIC’s system, so starting fresh makes sense from, at the very least, a branding perspective. Having said all that, the bill’s drafters are looking to graft the new system onto the old system with respect to taxonomy and liability protection.
Most of the definitions come straight from Title I of the “Cybersecurity Act of 2015” (Division N of P.L. 114-113) except for a few, some of which will define the scope of the new reporting system. For example, who is a “covered entity” and what constitutes a “covered cybersecurity incident” and a “significant cyber incident” are definitions that CISA will need to hash out during a rulemaking process. When Congress delegates to an agency the responsibility to determine the scope of legislation, there is the benefit of allowing experts to figure out tough questions of the sort staff and Members lack the expertise to answer. However, rulemakings are where the potentially regulated can work throughout the process to dilute and defang rules in ways that frustrate policymakers if the agency does not have the expertise or will to push back. It seems likely many crucial players will claim to the agency that they should not be covered entities and that only the most serious incidents should trigger the reporting requirement.
As noted, the Clarke/Katko bill establishes a Cyber Incident Review Office “to receive, aggregate, and analyze reports related to covered cybersecurity incidents submitted by covered entities…to enhance the situational awareness of cybersecurity threats across critical infrastructure sectors.” More specifically, this new Office would:
§ receive, aggregate, analyze, and secure reports from covered entities related to a covered cybersecurity incident to assess the effectiveness of security controls and identify tactics, techniques, and procedures adversaries use to overcome such controls;
§ facilitate the timely sharing between relevant critical infrastructure owners and operators and, as appropriate, the intelligence community of information relating to covered cybersecurity incidents, particularly with respect to an ongoing cybersecurity threat or security vulnerability;
§ for a covered cybersecurity incident that also satisfies the definition of a significant cyber incident, or are part of a group of related cyber incidents that together satisfy such definition, conduct a review of the details surrounding such covered cybersecurity incident or group of such incidents and identify ways to prevent or mitigate similar incidents in the future;
§ with respect to covered cybersecurity incident reports under subsection (d) involving an ongoing cybersecurity threat or security vulnerability, immediately review such reports for cyber threat indicators that can be anonymized and disseminated, with defensive measures, to appropriate stakeholders, in coordination with other Divisions within the Agency, as appropriate;
§ publish quarterly unclassified, public reports that describe aggregated, anonymized observations, findings, and recommendations based on covered cybersecurity incident reports under subsection (d); and
§ proactively identify opportunities, in accordance with the protections specified in subsections (e) and (f), to leverage and utilize data on cybersecurity incidents in a manner that enables and strengthens cybersecurity research carried out by academic institutions and other private sector organizations, to the greatest extent practicable.
In short, this new Office would recreate a function for which DHS already has a system in place, and hence critical cyber infrastructure entities could conceivably start receiving two sets of information about these sorts of incidents. Moreover, will this Office disseminate the information it receives on covered cyber incidents and significant cyber incidents to entities that do not qualify as critical cyber infrastructure? The bill is not clear on this point.
CISA would then have 400 days (14 months or so) to establish through an interim final rule the system to:
§ require covered entities to submit to the Office reports containing information relating to covered cybersecurity incidents; and
§ establish procedures that clearly describe—
o the types of critical infrastructure entities determined to be covered entities;
o the types of cybersecurity incidents determined to be covered cybersecurity incidents;
o the mechanisms by which covered cybersecurity incident reports under subparagraph (A) are to be submitted, including—
§ the contents, described in paragraph (4), to be included in each such report, including any supplemental reporting requirements;
§ the timing relating to when each such report should be submitted; and
§ the format of each such report;
o describe the manner in which the Office will carry out enforcement actions under subsection (g), including with respect to the issuance of subpoenas, conducting examinations, and other aspects relating to noncompliance; and
o any other responsibilities to be carried out by covered entities, or other procedures necessary to implement this section.
CISA would need to coordinate with what were called the Sector-Specific Agencies (now known as Sector Risk Management Agencies) and other agencies as appropriate in establishing this reporting system. Also, CISA would have to take comments on the interim final rule and publish a final rule, meaning possible changes, within a year after the interim rule is published.
As part of this rulemaking, CISA would need to determine “which types of critical infrastructure entities are covered entities” and, in defining who is a covered entity, must consider:
§ the consequences that disruption to or compromise of such an entity could cause to national security, economic security, or public health and safety;
§ the likelihood that such an entity may be targeted by a malicious cyber actor, including a foreign country;
§ the extent to which damage, disruption, or unauthorized access to such an entity will disrupt the reliable operation of other critical infrastructure assets; and
§ the extent to which an entity or sector is subject to existing regulatory requirements to report cybersecurity incidents, and the possibility of coordination and sharing of reports between the Office and the regulatory authority to which such entity submits such other reports.
And so, instead of just deeming covered all entities regulated by Sector Risk Management Agencies (i.e., the 16 Critical Infrastructure Sectors), CISA would need to pick and choose based on the above criteria. From one point of view, if an entity is in a critical sector, would not an attack on or disruption of it pose a danger to other critical entities? Apparently, the bill’s drafters think otherwise and believe CISA should focus on the highest-risk entities, which would have the likely effect of pushing attackers toward entities deemed lower risk and their inevitable connections to higher-risk entities.
Moreover, the criteria seem to lend themselves to not deeming as covered entities those companies that currently have reporting requirements. And so, since certain Defense Industrial Base (DIB) contractors already have reporting responsibilities, would DIB entities not be covered entities, depending on how well DOD shares those reports with CISA? Or maybe they would become covered entities and then need to report to both agencies. Entities in the electric grid also have some mandatory reporting requirements, namely for “cyber security incidents that either compromise or attempt to compromise Electronic Security Perimeters, Electronic Access Control or Monitoring Systems, and Physical Security Perimeters associated cyber systems.”
Also, the DIB and electric grid reporting requirements are not as broad as the new ones CISA would put in place, possibly leading to a system in which two critical sectors either under-report incidents through the current system or face duplicative reporting requirements. The latter, while not perfect, is preferable from the view of cybersecurity.
In establishing the new reporting system CISA will have to determine which cyber incidents shall be covered cyber incidents that trigger a reporting requirement. The bill provides criteria the agency must use along with “minimum thresholds.” To wit, Clarke and Katko would require CISA to consider:
§ the sophistication or novelty of the tactics used to perpetrate such an incident, as well as the type, volume, and sensitivity of the data at issue;
§ the number of individuals directly or indirectly affected or potentially affected by such an incident; and
§ potential impacts on industrial control systems, such as supervisory control and data acquisition systems, distributed control systems, and programmable logic controllers.
The language suggests CISA may be making determinations on what is a covered cyber incident on a case-by-case basis, but it seems more likely CISA needs to determine the “types” of cyber incidents that would be covered cyber incidents.
But the bill takes an odd turn in specifying “minimum thresholds” for what are covered cyber incidents and requires that “a cybersecurity incident shall, at a minimum, include at least one of the following:
§ Unauthorized access to an information system or network that leads to loss of confidentiality, integrity, or availability of such information system or network, or has a serious impact on the safety and resiliency of operational systems and processes.
§ Disruption of business or industrial operations due to a distributed denial of service attack, a ransomware attack, or exploitation of a zero-day vulnerability, against—
o an information system or network; or
o an operational technology system or process.
§ Unauthorized access or disruption of business or industrial operations due to loss of service facilitated through, or caused by a compromise of, a cloud service provider, managed service provider, other third-party data hosting provider, or supply chain attack.
The first of the minimum thresholds seems like an easy bar to clear for most notable cyber incidents, and it may be the agency comes to lean heavily on this criterion in making this determination. The second criterion seems oddly specific in a way that could render it obsolete as other attacks arise. The third one seems broad enough for most attacks and seems fine. However, all three criteria seem to contemplate actual or successful attacks and potential attacks may be outside the definition of covered cybersecurity incident.
However, that CISA must use the above minimum thresholds in determining what types of attacks are covered cyber incidents raises other questions. Must the agency formulate a definition so that prospectively covered entities will know what types of incidents must be reported? Or is this to be a determination CISA will make as attacks are discovered? Surely, the agency would articulate guidelines or criteria in the interim final rule to put potentially covered entities on notice? However, the bill is not clear on this point. Moreover, even if this supposition is right, would this not create an opportunity for covered entities to argue with CISA about whether the incident is, in fact, covered and requires reporting and disclosure? It would seem so.
The agency must also establish a timeline for reporting covered cybersecurity incidents, “but in no case may [CISA] require reporting by a covered entity earlier than 72 hours after confirmation that a covered cybersecurity incident has occurred.” The Warner-Rubio-Collins bill requires reporting within 24 hours of confirmation of a cybersecurity intrusion or potential cybersecurity intrusion. Nonetheless, the Clarke/Katko bill would require CISA to keep in mind other, current reporting requirements and to weigh its need for situational awareness vis-à-vis a covered entity’s need to investigate and respond to incidents.
Also of concern is allowing covered entities to confirm a covered cybersecurity incident has occurred. This could result in entities delaying notification for any number of reasons, including concerns about reputational risk or legal consequences. I think the language should be revised to require reporting upon suspicion that a covered cyber incident has occurred with supplemental reporting to follow.
Strangely, the Clarke/Katko bill would permit covered entities to submit reports of covered incidents through third parties or Information Sharing and Analysis Organizations (ISAO). Why this is necessary is not discernible from the bill. Surely covered entities could report cyber intrusions directly, and involving a third party seems like it would add complexity and difficulties.
Next comes a weird section, which I will quote in full:
Covered entities shall submit promptly to the Office an update or supplement to a previously submitted covered cybersecurity incident report if new or different information becomes available that would otherwise have been required to have been included in such previously submitted report. In determining reporting timelines, the Director may choose to establish a flexible, phased reporting timeline for covered entities to report information in a manner that aligns with investigative timelines and allows covered entities to prioritize incident response efforts over compliance.
The first sentence makes sense. Covered entities should be required to submit more information to supplement initial reports. It is the second sentence that seems out of place and somewhat inexplicable. It would appear this is a drafting or organizational error, for the intent appears to be that CISA would have discretion to permit covered entities to use a “flexible, phased reporting timeline” that allows covered entities to prioritize investigation and response over compliance. It appears this would refer to the entire reporting timeline and not just supplemental reports. This, too, is not clear. However, surely a covered entity can walk and chew gum at the same time and inform CISA of the incident while tending to the organization’s needs.
The bill lays out the types of information covered entities must include in their reports, and covered entities shall “coordinate with the Office to the extent necessary to comply with this section, and, to the extent practicable, cooperate with the Office in a manner that supports enhancing the Agency’s situational awareness of cybersecurity threats across critical infrastructure sectors.”
CISA also has the responsibility of harmonizing the new reporting system with existing systems and other agencies with existing reporting systems.
As a baseline, agencies may not retain, use, or disclose information submitted to CISA unless the agency determines “disclosure, retention, or use is necessary for
§ a cybersecurity purpose;
§ the purpose of identifying—
o a cybersecurity threat, including the source of such threat; or
o a security vulnerability;
§ the purpose of responding to, or otherwise preventing, or mitigating a specific threat of—
o death;
o serious bodily harm; or
o serious economic harm, including a terrorist act or a use of a weapon of mass destruction;
§ the purpose of responding to, investigating, prosecuting, or otherwise preventing or mitigating a serious threat to a minor, including sexual exploitation or threats to physical safety; or
§ the purpose of preventing, investigating, disrupting, or prosecuting an offense related to a threat—
o described in subparagraphs (B) through (D); or
o specified in section 105(d)(5)(A)(v) of the Cybersecurity Act of 2015[1]
CISA would have a lot of latitude to justify keeping, sharing, and deploying the information covered entities submit. However, if the Office determines “the incident that is the subject of such report is connected to an ongoing cybersecurity threat or security vulnerability,” it may “use such report to identify, develop, and rapidly disseminate to appropriate stakeholders actionable, anonymized cyber threat indicators and defensive measures” without a determination from CISA.
The bill also bars Federal, State, Tribal, or local governments from using information in reports submitted to the Office for any regulatory use “including through an enforcement action, the lawful activities of any non-Federal entity.” There is one exception, however. These reports “may, consistent with Federal or State regulatory authority specifically relating to the prevention and mitigation of cybersecurity threats to information systems, inform the development or implementation of regulations relating to such systems.” And so any federal or state agency would need to have existing authority, apart from the bill, in order to use the information in a report to develop and implement rules to mitigate cyber threats to information systems. This seems like fighting with an arm tied behind one’s back. Crafting and improving cybersecurity regulation seems like a natural use of this information.
The Clarke/Katko bill would extend the liability protection the “Cybersecurity Act of 2015” gives entities for monitoring their information systems and sharing information with NCCIC. Consequently, covered entities required to submit information, and even entities that voluntarily submit information, would be shielded from lawsuits on the basis of the information in their reports on cyber incidents. These reports are also exempted from federal and state freedom of information statutes and “considered the commercial, financial, and proprietary information of the covered entity when so designated by the covered entity.”
Incidentally, the Clarke/Katko bill requires CISA and the Office to hew to the privacy and civil liberties standards DHS developed for its information sharing program per the “Cybersecurity Act of 2015.”
The enforcement provisions are weak. If CISA catches wind of a cyber incident that may be a covered cybersecurity incident that a covered entity did not report, the agency is supposed to ask the entity for information to determine whether the incident is indeed a covered cybersecurity incident. But this information would still receive all the same legal protection as if the covered entity had submitted it in a report to the Office. If, after a week, the covered entity has not responded, CISA can issue a subpoena to compel production of the requested information. If the entity thumbs its nose at CISA’s subpoena, the agency may seek enforcement of the subpoena in federal court. If the court agrees with CISA, a failure to comply would place the entity in contempt of court. If CISA determines “the facts relating to the cybersecurity incident at issue may constitute grounds for a regulatory enforcement action or criminal prosecution,” it may refer the case to the Department of Justice, which is not obligated to investigate or prosecute.
There is a provision that would allow non-covered entities to voluntarily submit information on cyber incidents to the Office, and, as mentioned, these reports would receive the same legal protection as reports required to be filed by covered entities. Might non-covered entities use this as a means to acquire liability protection to possibly shield them from lawsuits?
If CISA “receives information regarding a cybersecurity incident impacting a Federal agency relating to unauthorized access to data provided to such Federal agency by a covered entity, and with respect to which such incident is likely to undermine the security of such covered entity or cause operational or reputational damage to such covered entity,” the agency must notify the covered entity and provide the information necessary for the entity to address the risks posed by the intrusion. CISA’s responsibility extends to mere cybersecurity incidents and not the smaller universe of covered cybersecurity incidents.
Once the reporting system has been established, CISA must conduct outreach to inform covered entities about the new requirements.
Other Developments
§ The People’s Republic of China’s (PRC) National People’s Congress (NPC) Standing Committee passed the “Personal Information Protection Law” (PIPL), legislation experts are calling the PRC’s first comprehensive data protection law. Stanford University’s DigiChina Cyber Policy Center translated PIPL and asserted:
o In digesting the new law, two overriding points are important to keep in mind. First, the PIPL is a framework law that is not intended to provide granular detail on the majority of the policy matters it covers, but rather sets out broad principles, objectives, mandates, and responsibilities. To make these generalities concrete and specific, regulators such as the Cyberspace Administration of China will draft and issue implementing regulations, and standards-setting organizations will issue technical standards and specifications. This is why the PIPL is much shorter and less detailed than its main international counterpart, the European General Data Protection Regulation (GDPR), and detailed answers to regulatory questions—let alone the question of how the law may be enforced—may be months or years away. Indeed, regulations issued this month on "critical information infrastructure" added missing detail to provisions of the Cybersecurity Law more than four years after it entered force.
o Second, while the PIPL addresses many issues frequently discussed in the context of personal privacy worldwide, it does not directly address "privacy" (隐私), which is a separate concept in Chinese law. The law's focus is on protecting individuals, society, and national security from harms stemming from abuse and mishandling of personal information—targeting both the private sector and government functions.
§ The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) published a cybersecurity advisory “to highlight precautions and mitigation steps that public and private sector organizations can take to reduce their risk to ransomware and other cyber attacks, specifically leading up to holidays and weekends.” The agencies claimed “[t]his advisory is based on observations on the timing of high impact ransomware attacks that have occurred previously rather than a reaction to specific threat reporting.” CISA and the FBI argued:
o Cyber actors have conducted increasingly impactful attacks against U.S. entities on or around holiday weekends over the last several months. The FBI and CISA do not currently have specific information regarding cyber threats coinciding with upcoming holidays and weekends. Cyber criminals, however, may view holidays and weekends—especially holiday weekends—as attractive timeframes in which to target potential victims, including small and large businesses. In some cases, this tactic provides a head start for malicious actors conducting network exploitation and follow-on propagation of ransomware, as network defenders and IT support of victim organizations are at limited capacity for an extended time.
o In May 2021, leading into Mother’s Day weekend, malicious cyber actors deployed DarkSide ransomware against the IT network of a U.S.-based critical infrastructure entity in the Energy Sector, resulting in a week-long suspension of operations. After DarkSide actors gained access to the victim’s network, they deployed ransomware to encrypt victim data and—as a secondary form of extortion—exfiltrated the data before threatening to publish it to further pressure victims into paying the ransom demand.
o In May 2021, over the Memorial Day weekend, a critical infrastructure entity in the Food and Agricultural Sector suffered a Sodinokibi/REvil ransomware attack affecting U.S. and Australian meat production facilities, resulting in a complete production stoppage.
o In July 2021, during the Fourth of July holiday weekend, Sodinokibi/REvil ransomware actors attacked a U.S.-based critical infrastructure entity in the IT Sector and implementations of their remote monitoring and management tool, affecting hundreds of organizations—including multiple managed service providers and their customers.
§ Apple and plaintiffs have proposed a settlement in a suit brought on account of Apple’s App Store practices. This lawsuit was proceeding in parallel with the actions brought by Epic Games over many of the same claims in the United States, United Kingdom, European Union, and Australia. The judge still needs to rule on the settlement, however.
o In its press release, Apple claimed the settlement does the following:
§ The agreement clarifies that developers can share purchase options with users outside of their iOS app; expands the price points developers can offer for subscriptions, in-app purchases, and paid apps; and establishes a new fund to assist qualifying US developers. The updates constitute the latest chapter of Apple’s longstanding efforts to evolve the App Store into an even better marketplace for users and developers alike.
o However, the Coalition for App Fairness, a group that includes Epic Games and was formed in response to Google and Apple’s app store practices, contended in a statement:
§ Apple’s sham settlement offer is nothing more than a desperate attempt to avoid the judgment of courts, regulators, and legislators worldwide. This offer does nothing to address the structural, foundational problems facing all developers, large and small, undermining innovation and competition in the app ecosystem. Allowing developers to communicate with their customers about lower prices outside of their apps is not a concession and further highlights Apple’s total control over the app marketplace. If this settlement is approved, app makers will still be barred from communicating about lower prices or offering competing payment options within their apps. We will not be appeased by empty gestures and will continue our fight for fair and open digital platforms.
o The plaintiffs filed a motion in support of the proposed settlement and asserted:
§ Plaintiffs Donald Cameron and Pure Sweat Basketball, Inc. (“Developer Plaintiffs”), on behalf of themselves and other members of the proposed Settlement Class, are pleased to report their proposed Settlement with Apple Inc. The Settlement, if approved, would resolve the claims of a Settlement Class consisting of approximately 67,000 iOS developers earning more than $0 but less than $1 million from transactions annually in the App Store during the Class Period. Nearly all domestic iOS developers with paid app transactions—more than 99 percent—fall within the Settlement Class and would recover under the Settlement. These small developers are the backbone of the iOS app economy, developing apps of all types that improve the functionality and performance of iOS devices. And they all stand to recover substantial benefits under the Settlement, both from direct monetary payments and structural relief that, going forward, will make iOS app development a more productive enterprise.
§ The proposed Settlement establishes a $100 million non-reversionary monetary fund from which Settlement Class members will receive direct distributions. Individual Settlement Class Members will receive a minimum payment of $250; higher payments will be tiered based on historic proceeds, with the highest minimum payment tier providing $30,000. The Settlement also contains valuable structural relief. It acknowledges (properly) that this lawsuit was one driver behind Apple’s 2021 launch of its Small Business Program, under which small developers qualify for a lower 15 percent commission rate. Under the Settlement, Apple has committed to maintain the Small Business Program’s 15 percent rate for at least another three years. Apple has also committed to revise its “anti-steering” Guidelines to permit app developers to communicate directly with their customers regarding alternative payment options. Apple has further agreed to institute and maintain a range of structural reforms that will enable developers to better create, distribute, and monetize their apps. These structural reforms are valuable. Developer Plaintiffs conservatively estimate that the Small Business Program element of the Settlement alone adds at least $35.44 million in value.
o In its motion in support of the settlement, Apple claimed:
§ Apple is confident that if this litigation were to continue, Apple would defeat class certification and/or Apple would prevail at trial. The Court is aware from the Epic trial, including the testimony of Apple’s most senior executives, of Apple’s commitment to building and maintaining the App Store as a great place for both developers and consumers to transact in apps and in-app purchases. The evidence of record establishes that the practices challenged in this and other cases are both lawful and well-justified by business necessity—including the protection of Apple’s intellectual property, and protecting the security and privacy of Apple’s customers.
§ Nevertheless, Apple would rather work with developers than litigate against them. Accordingly, after extensive arms-length negotiations, Apple and the Developer Plaintiffs reached a solution that, if approved by the Court, will avoid the expense and distraction of further litigation while providing real assistance to the small developers who are so important to the burgeoning app economy.
§ A bill to tighten California’s laws regarding the collection and use of health information by non-healthcare providers has apparently stalled. A key Senate committee may have paused the bill, AB-1436 “Information privacy: digital health feedback systems,” in late August. A summary of the legislation explained:
o Certain information and transactions, however, are expressly exempt from the California Consumer Privacy Act of 2018 (CCPA). As related to health care, the CCPA does not apply to the following:
§ Medical information governed by the Confidentiality of Medical Information Act (CMIA) or protected health information (PHI) that is collected by a “covered entity” or “business associate,” as defined and governed by the privacy, security, and breach notification rules under HIPAA and the Health Information Technology for Economic and Clinical Health Act (HITECH).
§ A provider of health governed by the CMIA or a covered entity governed by HIPAA.
§ Information collected as part of a clinical trial subject to the Federal Policy for the Protection of Human Subjects (Common Rule), pursuant to good clinical practice guidelines issued by the International Council for Harmonisation, or human subject protection requirements of the U.S. Food and Drug Administration.
o The bill’s sponsor, Assemblyman Ed Chau (D) explained the problem the bill is designed to solve:
§ These tech companies are after all sorts of personal medical information — your heart rate, your blood pressure, your sleep habit. As it stands, they’re circumventing medical privacy laws.
o Per the most recent summary, AB 1436 “would prohibit a business that offers a “personal health record system” from knowingly using or disclosing the “personal health record information” of a person without first obtaining a signed authorization.” More specifically,
§ This bill would:
§ Prohibit a business that offers a personal health record system from knowingly using, disclosing, or permitting the use or disclosure of personal health record information without the individual having first signed an authorization.
§ Require the authorization to be in the same form as that required by an employer to disclose medical information, with “personal health record system” substituting “employer.” Specifically, the authorization must be all of the following:
· Handwritten by the person who signs it or is in a typeface no smaller than 14-point type.
· Clearly separate from any other language present on the same page and is executed by a signature that serves no purpose other than to execute the authorization.
· Signed and dated by the patient, the patient’s legal representative, or the beneficiary or personal representative of a deceased patient.
· State the limitations, if any, on the types of medical information to be disclosed.
· State the name or functions of the personal health record system or person authorized to disclose the medical information.
· State the names or functions of the persons or entities authorized to receive the medical information.
· State the limitations, if any, on the use of the medical information by the persons or entities authorized to receive the medical information.
· State a specific date after which the personal health record system is no longer authorized to disclose the medical information.
· Advise the person who signed the authorization of the right to receive a copy of the authorization.
§ Require a business that possesses an authorization to furnish a true copy of the authorization upon demand by the patient or the person who signed the authorization.
§ Require a business that offers a personal health record system to communicate to the person or entity to which it discloses the medical information or personal health record information any limitations in the authorization regarding the use of the medical information or personal health record information. A good faith attempt by a business to comply with this requirement would protect the business from liability for any unauthorized use of the medical information or personal health record information by the person or entity to which the business disclosed the medical information or personal health record information.
§ Provide that this bill is not to be construed to prevent a person who could sign the authorization from canceling or modifying an authorization and that any cancellation or modification is effective only after received in writing by the business.
§ Prohibit a recipient of medical information or personal health record information pursuant to an authorization from further disclosing that medical information or personal health record information unless in accordance with a new authorization or as specifically required or permitted by law.
§ Subject a business that offers a personal health record system or a recipient of medical information or personal health record information to specified administrative fines and civil penalties for any violation of the provisions of this bill.
§ Define “personal health record system” to mean a product or device, commercial website, online service, or mobile application that is used by an individual and that is specifically designed to collect and transmit, directly or indirectly, the individual’s personal health record information.
§ Define “personal health record information” to mean individually identifiable information, in electronic or physical form, about an individual’s mental or physical condition that is collected by a personal health record system through a direct measurement of an individual’s mental or physical condition or through user input regarding an individual’s mental or physical condition into a personal health record system for the purposes of allowing the individual to manage their information or for the diagnosis, treatment, or management of a medical condition of the individual.
§ The Department of Homeland Security (DHS) will be conducting a “pathfinder assessment” to determine the degree to which DHS contractors are meeting the Cyber Hygiene clauses in contracts. DHS explained:
o In 2015, DHS incorporated Cyber Hygiene clauses into its contracts and agreements to require contractor compliance with certain cyber standards and protections. In light of recent events, DHS seeks to advance our process in assessing industry compliance with Cyber Hygiene clause requirements. DHS has been closely monitoring the Department of Defense’s implementation of the Cybersecurity Maturity Model Certification (CMMC) program to identify lessons learned and best practices for consideration by DHS as we advance our process. Our end goal is to have a means of ensuring a contractor has key cybersecurity and cyber hygiene practices in place as a condition for contract award. This process is a critical step in our progress towards protecting the Homeland.
o As an immediate first step, DHS is conducting a pathfinder assessment to establish a path forward. Upon conclusion of the pathfinder effort, the Department will have further information and next steps to share. We look forward to continuing to collaborate with you on this matter.
§ The Defense Department (DOD), the General Services Administration (GSA), and the National Aeronautics and Space Administration (NASA) published a final rule “to implement the U.S. Access Board's revisions by strengthening [the Federal Acquisition Regulation (FAR)] requirements for accessibility to electronic and information technology (now generally referred to as “information and communication technology” or “ICT”) provided by the Federal Government.” The agencies explained:
o This rule does not create new solicitation provisions or contract clauses or impact any existing provisions or clauses. This rule amends FAR part 39, Acquisition of Information Technology, and other references to Government requirements for information and communication technology. The objective of the rule is to update the FAR text to align with the accessibility standards revisions made by the Access Board at 36 CFR 1194.1. The accessibility standards are currently applicable to all information and communication technology acquisitions. As such, determinations and findings under 41 U.S.C. 1905 to 1907 regarding the applicability of this rule to acquisitions at or below the Simplified Acquisition Threshold (SAT) or to acquisitions for commercial and Commercially Available Off-the-Shelf (COTS) items are not required.
o Section 508 requirements will continue to apply when acquiring ICT through contracts at or below the SAT, or contracts for the acquisition of commercial items, including COTS items.
o The Access Board completed a multiyear effort to “refresh” its initial, existing set of accessibility standards under section 508 to address advances in ICT, harmonize with accessibility standards developed by standards organizations worldwide, and ensure consistency with the Access Board's regulations that had been promulgated since the late 1990s. The revised section 508 Accessibility Standards support the access needs of individuals with disabilities, while also considering the costs of procuring ICT that complies with section 508.
o The Access Board's final rule was published in the Federal Register at 82 FR 5790 on January 18, 2017. This final rule updates the FAR to ensure that the updated standards are appropriately considered in Federal ICT acquisitions. The final rule includes a “safe harbor” provision for existing (i.e., legacy) ICT, which considers legacy ICT in existence on or before January 18, 2018, to be compliant if it meets the earlier standard issued pursuant to section 508 of the Rehabilitation Act of 1973 (see E202.2 of Revised Standards) and the legacy ICT is not altered after January 18, 2018. In other words, such “untouched” ICT need not be modified or upgraded to conform to the revised 508 standards as long as it already conforms to the original 508 standards. However, ICT acquired on or before January 18, 2018, will need to be upgraded or modified to conform to the new standard if such ICT is altered after January 18, 2018, or does not comply with the original 508 standards. In addition, ICT acquired after January 18, 2018, must be upgraded or modified to conform to the new standard. The upgrades and modifications would be included in requirements documents issued by the agency.
§ The United States (U.S.) Department of Homeland Security (DHS) is encouraging U.S. state and local governments to sign up for the .gov top level domain (TLD) that the Cybersecurity and Infrastructure Security Agency (CISA) is now administering. CISA asserted:
o Using a .gov domain for your online services helps the public quickly identify your website as a trusted government source. This is different from other well-known TLDs, where anyone in the world can register for a fee.
o Malicious actors know this, and have sought to impersonate election organizations using non .gov domains.
o Additionally, using .gov increases your security:
§ Multi-factor authentication is enforced on all accounts in the .gov registrar, which may not be the case for other commercial registrars.
§ .gov domains are ‘preloaded’, which requires browsers to use only a secure HTTPS connection with your website. This helps protect your visitors’ privacy and helps ensure the content you publish is exactly what’s received.
§ You can add a security contact for your domain, making it easier for the public to tell you about a potential security issue with your online services.
§ The Center for Countering Digital Hate (CCDH) published a report titled “Failure to Protect: How social media firms fail to act on user reports of antisemitism,” in which the CCDH claimed “that social media platforms took no action on 84% of posts containing antisemitic conspiracies, extremism and abuse reported to them using their own tools for reporting malignant content, despite promises to crack down on anti-Jewish hatred.” As explained, the CCDH made these findings:
o CCDH researchers collected and reported 714 posts containing anti-Jewish hatred. Collectively, they had been viewed at least 7.3 million times. Posts were collected from Facebook, Instagram, TikTok, Twitter & YouTube between May-June.
o 84% of posts containing anti-Jewish hatred were not acted upon by social media companies. Facebook performed worst, failing to act on 89%, despite announcing new rules to tackle the problem.
o Platforms fail to act on 89% of antisemitic conspiracy theories about 9/11, the Covid pandemic and Jewish control of world affairs.
o Extremist anti-Jewish hate is not acted on: platforms failed to act on 80% of posts containing Holocaust denial, 74% of posts alleging the blood libel, 70% of racist caricatures of Jewish people and 70% of neo-Nazi posts.
o Instagram, TikTok and Twitter allow hashtags used for antisemitic content such as #rothschild, #fakejews and #killthejews that were used in posts identified by our report that gained over 3.3 million impressions.
o TikTok removes just 5% of accounts that directly racially abuse Jewish users for example by sending them messages denying the Holocaust.
o Earlier reports by CCDH show platforms have similarly failed to act on dangerous Covid and vaccine misinformation reported by users.
o CCDH made these recommendations:
§ 1. Introduce financial penalties to incentivize proper moderation. Platforms have profited from the proliferation of hate and misinformation on their platforms. Financial incentives will ensure they no longer invest the bare minimum in content moderation.
§ 2. Hire, train and support moderators to remove hate. Current efforts by tech companies to moderate their platforms are clearly inadequate.
§ 3. Remove groups dedicated to antisemitism. CCDH identified groups dedicated to sharing antisemitism with a total of 38,000 members.
§ 4. Instagram, Tiktok and Twitter must act on antisemitic hashtags that their own analytics show have been used for content viewed millions of times.
§ 5. Ban accounts that send racist abuse directly to Jewish users.
§ House Foreign Affairs Committee Ranking Member Michael McCaul (R-TX) wrote “to Commerce Secretary Gina Raimondo asking that the End-User Review Committee (ERC) designate Honor Device Co. Ltd. to the Department of Commerce Entity List.” He and 13 other Republicans asserted “Honor Device Co. was formerly a part of Huawei, and was spun off in an effort to evade U.S. export control policies meant to keep U.S. technology and software out of the hands of the Chinese Communist Party (CCP) and their military, the People’s Liberation Army (PLA).” McCaul and his colleagues argued:
o With its access to U.S. technology and software cut off, Honor was sold to a PRC state-led consortium, including majority ownership by the Shenzhen government. Analysts have noted that selling Honor gave it access to the semiconductor chips and software it relied on and would have presumably been blocked had the divestiture not gone through. The Center for Strategic and International Studies suggests that the PRC state with guidance from the Chinese Communist Party (CCP) stepped in as an “investor of first resort” to rescue a national asset in a strategic sector from U.S. sanctions. The visible hand of the Party-state intervened to shield Honor from U.S. export controls.
o This coordinated divesture and acquisition reveal the extent to which nominally private entities, such as Honor, are deeply embedded within a PRC ecosystem that leverages interconnections among the CCP, state owned banks, local governments, and venture capital for strategic objectives. The sale of Honor was not a market-based outcome, but rather orchestrated by the Party-state. The same concerns about technology exports to Honor when it was part of Huawei should apply under its current state-backed ownership structure. If we move too slowly and focus only on discrete entities rather than networks and ecosystems, the CCP’s novel Party-state economy can outmaneuver U.S. sanctions.
§ The United States (U.S.) Securities and Exchange Commission (SEC) announced “that Pearson plc, a London-based public company that provides educational publishing and other services to schools and universities, agreed to pay $1 million to settle charges that it misled investors about a 2018 cyber intrusion involving the theft of millions of student records, including dates of births and email addresses, and had inadequate disclosure controls and procedures.” The agency stated:
o The SEC's order finds that Pearson made misleading statements and omissions about the 2018 data breach involving the theft of student data and administrator log-in credentials of 13,000 school, district and university customer accounts. In its semi-annual report, filed in July 2019, Pearson referred to a data privacy incident as a hypothetical risk, when, in fact, the 2018 cyber intrusion had already occurred. And in a July 2019 media statement, Pearson stated that the breach may include dates of births and email addresses, when, in fact, it knew that such records were stolen, and that Pearson had "strict protections" in place, when, in fact, it failed to patch the critical vulnerability for six months after it was notified. The media statement also omitted that millions of rows of student data and usernames and hashed passwords were stolen. The order also finds that Pearson's disclosure controls and procedures were not designed to ensure that those responsible for making disclosure determinations were informed of certain information about the circumstances surrounding the breach.
o "As the order finds, Pearson opted not to disclose this breach to investors until it was contacted by the media, and even then Pearson understated the nature and scope of the incident, and overstated the company's data protections," said Kristina Littman, Chief of the SEC Enforcement Division's Cyber Unit. "As public companies face the growing threat of cyber intrusions, they must provide accurate information to investors about material cyber incidents."
o The SEC's order found that Pearson violated Sections 17(a)(2) and 17(a)(3) of the Securities Act of 1933 and Section 13(a) of the Exchange Act of 1934 and Rules 12b-20, 13a-15(a), and 13a-16 thereunder. Without admitting or denying the SEC's findings, Pearson agreed to cease and desist from committing violations of these provisions and to pay a $1 million civil penalty.
§ The Office of the Inspector General (OIG) for the United States Postal Service (USPS) issued a report titled “Step into Tomorrow: The U.S. Postal Service and Emerging Technology” and explained:
o Since 2011, the U.S. Postal Service Office of Inspector General (OIG) has produced over 30 white papers on emerging technologies to analyze their potential impact on and application for the Postal Service. Our research focused on four technology categories: mail innovations, data analytics, autonomous technologies, and intelligent infrastructure.
o In this paper, we revisit some of the technological developments discussed in our previous work to assess which remain relevant today, where the Postal Service has implemented or piloted new technology, and which are important for the Postal Service to consider for implementation in the future.
o We found that, over the past decade, the Postal Service has focused its technology development efforts on two areas: mail innovations and data analytics. Postal experts agreed that advancements in these areas will continue to lead transformation in the postal industry going forward.
o The Postal Service’s recently released “Delivering for America: Our Vision and Ten-Year Plan to Achieve Financial Sustainability and Service Excellence” indicates that these technologies are and will continue to be a priority going into the future.
o Other emerging technologies that have not yet had a major impact on the Postal Service, either in terms of revenue or cost efficiencies, are blockchain, Internet of Things, and autonomous vehicles. The Postal Service’s engagement with these technologies has been limited to research and testing so far. Experts, however, believe these innovations will become increasingly impactful in the coming years.
o Despite facing constraints that other competitors in the postal marketplace do not, the Postal Service has managed to integrate many of the latest technological innovations into its business practices to improve the efficiency and quality of the service it provides to its customers. Its size prevents it from being as nimble as smaller players in the postal industry. In addition, the Postal Service faces legal, technical, financial, and regulatory hurdles. However, these challenges can be mitigated within the boundaries of the Postal Service’s current regulatory, operational, and financial framework.
o Making effective use of new and emerging technologies, as well as successfully addressing the challenges to innovation will enable the Postal Service to become a more efficient organization that exceeds its customers’ expectations.
§ The Offices of Inspector General (OIG) for the Department of Defense (DOD) and the National Security Agency (NSA) announced “a joint evaluation…to assess the National Security Agency's integration of artificial intelligence into signals intelligence operations in accordance with DOD and Intelligence Community guidance for artificial intelligence.”
§ The National Institute of Standards and Technology (NIST) issued a number of crosswalks between its Privacy Framework and some of the most influential privacy laws:
o Crosswalk:
o Crosswalk:
o Crosswalk:
o Fair Information Practice Principles (FIPPs) Crosswalk
o Crosswalk:
§ Consumer Reports asserted the Uniform Law Commission’s (ULC) “finalized Uniform Personal Data Protection Act (UPDPA), approved last month, misses the mark” even though the ULC “has been working on a model privacy law for several years.” Consumer Reports issued an analysis of the UPDPA and contended:
o The model law would do little to reform companies’ inappropriate data collection and sharing behaviors — including by explicitly exempting behavioral advertising from the protections in the bill. If such a bill were to be implemented, it could be worse than doing nothing at all, as it could forestall future privacy legislation that is more beneficial to consumers and holds companies accountable.
o American consumers have few protections with respect to the data collection, use, and sharing of their personal information, especially as there is no federal privacy law providing baseline protections over data privacy and security. Consumers need strong legislation that limits collection, use, and sharing of data to what is reasonably necessary to provide the service requested by the consumer, with strong enforcement to back it up. In the absence of federal action, states like California and Colorado have stepped in and adopted baseline privacy legislation that gives consumers the right to access, delete, and stop the sale of personal information, spurring interest in legislation across the country. But industry has pushed back. Companies have used bad faith interpretations to ignore the CCPA’s opt out with respect to targeted advertising, further highlighting the need for clear guidelines and strong enforcement. While Virginia also signed into law a privacy bill, the legislation is weaker than the CCPA thanks to pressure from industry, making it more difficult for consumers to control their data.
§ The University of Toronto’s Citizen Lab issued a new report on government surveillance, this one focused on Bahrain. Citizen Lab listed its key findings and summarized the report titled “From Pearl to Pegasus: Bahraini Government Hacks Activists with NSO Group Zero-Click iPhone Exploits”:
o We identified nine Bahraini activists whose iPhones were successfully hacked with NSO Group’s Pegasus spyware between June 2020 and February 2021. Some of the activists were hacked using two zero-click iMessage exploits: the 2020 KISMET exploit and a 2021 exploit that we call FORCEDENTRY.
o The hacked activists included three members of Waad (a secular Bahraini political society), three members of the Bahrain Center for Human Rights, two exiled Bahraini dissidents, and one member of Al Wefaq (a Shiite Bahraini political society).
o At least four of the activists were hacked by LULU, a Pegasus operator that we attribute with high confidence to the government of Bahrain, a well-known abuser of spyware. One of the activists was hacked in 2020 several hours after they revealed during an interview that their phone was hacked with Pegasus in 2019.
o Two of the hacked activists now reside in London, and at least one was in London when they were hacked. In our research, we have only ever seen the Bahrain government spying in Bahrain and Qatar using Pegasus; never in Europe. Thus, the Bahraini activist in London may have been hacked by a Pegasus operator associated with a different government.
o We shared a list of the targeted phone numbers we identified with Forbidden Stories. They confirmed that numbers associated with five of the hacked devices were contained on the Pegasus Project’s list of potential targets of NSO Group’s customers, data that Forbidden Stories and Amnesty International describe as dating from 2016 up to several years ago.
Further Reading
§ “China's Microsoft Hack May Have Had A Bigger Purpose Than Just Spying” By Dina Temple-Raston — NPR. Steven Adair hunts hackers for a living. Back in January, in a corner-of-his-eye, peripheral kind of way, he thought he saw one in his customer's networks — a shadowy presence downloading emails. Adair is the founder of a cybersecurity company called Volexity, and he runs traps to corner intruders all the time. So he took a quick look at a server his client was using to run Microsoft Exchange and was stunned to "see requests that we're not expecting," he said. There were requests for access to specific email accounts, requests for confidential files.
§ “Apple loosens rules for developers in major concession amid antitrust pressure” By Rachel Lerman, Cat Zakrzewski, and Heather Kelly — The Washington Post. Apple announced it would make major changes to its App Store as part of a proposed lawsuit settlement with developers, following years of mounting regulatory scrutiny and legal challenges. The company will let developers tell its iPhone and iPad customers about ways to pay outside the official App Store, it said in a news release late Thursday. It also expands the types of prices that developers can offer for subscriptions, in-app purchases and paid apps, among other initiatives. The settlement still needs to be approved by the court. The change is in response to a suit brought by small app developers, in which they alleged Apple’s pricing tiers and lack of outside purchasing options were monopolistic. Apple is also expecting an imminent judgment in a suit by Epic Games over similar allegations in front of the same judge in federal court in the Northern District of California.
§ “This vulnerability puts the future of U.S. warfighting at risk” By Shaun Waterman — ReadMe. The U.S. military is betting on technological revolution to win the wars of the 21st century. Pentagon futurists are working toward a digitally managed battlefield where commanders use cloud-based software tools to direct autonomous weapons systems anywhere on the globe and even launch coordinated attacks by land, sea and air with the swipe of a finger. It’s been called the Uber-ization of warfare, but officially the Department of Defense dubs this vision Joint All-Domain Command and Control, or JADC2. And it’s going to fundamentally rewire the military — not just their IT systems, but their guns and bombs, too. Later this year, the Joint Chiefs of Staff will publish new requirements that all weapons systems must be compatible with JADC2 networking requirements to receive funding.
§ “Stop using Zoom, Hamburg’s DPA warns state government” By Natasha Lomas — TechCrunch. Hamburg’s state government has been formally warned against using Zoom over data protection concerns. The German state’s data protection agency (DPA) took the step of issuing a public warning yesterday, writing in a press release that the Senate Chancellory’s use of the popular videoconferencing tool violates the European Union’s General Data Protection Regulation (GDPR) since user data is transferred to the U.S. for processing.
§ “Facebook used facial recognition without consent 200,000 times, says South Korea's data watchdog” By Laura Dobberstein — The Register. Facebook, Netflix and Google have all received reprimands or fines, and an order to take corrective action, from South Korea's government data protection watchdog, the Personal Information Protection Commission (PIPC). The PIPC announced a privacy audit last year and has revealed that three companies – Facebook, Netflix and Google – were in violation of laws and had insufficient privacy protection.
§ “New York man sentenced to 3 years for stealing students' nude photos after hacking their accounts” By Tonya Riley — cyberscoop. A federal judge sentenced a New York man to three years in federal prison for hacking the accounts of dozens of female college students to access private nude photos, the Justice Department said Thursday. Nicholas Farber, of Rochester, pleaded guilty in February to working with a co-conspirator between 2017 and 2019 to access the school emails of dozens of female SUNY Plattsburgh students. He then leveraged access to those accounts in order to access students’ Facebook, Snapchat and cloud accounts from which he stole private nude photographs and movies. Farber then traded the images online with an unnamed number of individuals.
§ “Google hit with more than 20,000 geofence warrants from 2018 to 2020” By Richard Nieva — CNET. Google received more than 20,000 geofence warrants in the US in the last three calendar years, making up more than a quarter of all warrants the tech giant received in that time, the company said Thursday. With geofence warrants, a controversial law enforcement tool, police can carve out a specific area and time period and ask Google to gather information about the devices that were present during that window. The information is anonymous, but police can analyze it and narrow it down to a few devices they think might be relevant to the investigation. Then Google reveals those users' names and other data.
§ “Google Dragnets Gave Cops Data On Phones Located At Kenosha Riot Arsons” By Thomas Brewster — Forbes. A year after the Kenosha riots, following the police shooting of Black citizen Jacob Blake, Google has handed over data on any phones that were located in the vicinity of two arson attacks during the public disorder, even though some protesters were trying to stop the fires. In the latest example of police applying for a so-called digital dragnet, just-unsealed court orders reveal that Google was ordered to hand over data from users of any of its location services who were near a Kenosha library and museum that were set on fire during the August 2020 unrest. Known as geofence or reverse location warrants, they asked Google to scoop up information on any device at the sites over a period of two hours at the public library and 25 minutes at the Kenosha Dinosaur Discovery Museum.
§ “Disinfection robots and thermal body cameras: welcome to the anti-Covid office” By Kate Connolly — The Guardian. Not so long ago it may have seemed more like a futuristic vision of the workplace – or a hospital. But the hands-free door handles, self-cleaning surfaces, antimicrobial paint, air-monitoring display tools, UV light disinfection robots, and 135 other measures at an office block in Bucharest are here to stay, say the creators behind what they are touting as one of the world’s most virus-resilient workplaces, which they hope will become the new normal in office design.
§ “The State Department Has Reportedly Been Hacked” By Jody Serrano — Gizmodo. The U.S. State Department was purportedly the victim of a serious cyber attack in recent weeks, according to a Fox News report published on Saturday. The extent of the breach and when it was discovered are currently unknown. Citing an unnamed source, the outlet stated that the Department of Defense’s Cyber Command had issued notifications of a possibly serious breach. Although it’s unclear whether the State Department’s operations have been affected by the attack, Fox reported that the department’s work to evacuate thousands of Americans and Afghans from Kabul, Afghanistan amid the withdrawal of U.S. forces had not been affected.
§ “Damning COVIDSafe report shows government ignored contact tracer frustrations, app's major shortfalls” By Sarah Basford Canales — Canberra Times. The federal government has defended its COVIDSafe app as playing a "very important" role in the pandemic despite being handed a damning report warning it was adding up to two hours to contact tracing workloads for little-to-no benefit. A secret report on the $8 million COVIDSafe app, handed to Health Minister Greg Hunt in March this year, warned contact tracers were finding the government's early technological solution to controlling outbreaks was not helping.
Coming Events
Photo by Jessey Bijl on Unsplash
§ 7 September
o The California Privacy Protection Agency Board will hold a public meeting.
§ 8 September
o Australia’s Select Committee on Australia as a Technology and Financial Centre will hold a hearing on its inquiry.
o The California Privacy Protection Agency Board will hold a public meeting.
§ 9 September
o The House Science, Space, and Technology Committee will mark up its portion of the FY 2022 budget reconciliation package.
§ 10 September
o The House Agriculture Committee will mark up its portion of the FY 2022 budget reconciliation package.
§ 14 September
o The European Data Protection Board (EDPB) will hold a plenary meeting.
§ 28 September
o The Information Security and Privacy Advisory Board (ISPAB) will hold an open meeting and “The agenda is expected to include the following items:
§ —Board Discussion on Executive Order 14028, Improving the Nation's Cybersecurity (May 12, 2021) deliverables and impacts to date,
§ —Presentation by NIST, the Department of Homeland Security, and the General Services Administration on upcoming work specified in Executive Order 14028,
§ —Presentation by the Office of Management and Budget on Executive Order 14028 directions and memoranda to U.S. Federal Agencies,
§ —Board Discussion on recommendations and issues related to Executive Order 14028.”
§ 30 September
o The Federal Communications Commission (FCC) will hold an open meeting. No agenda has been announced as of yet.
[1] (v) the purpose of preventing, investigating, disrupting, or prosecuting an offense arising out of a threat described in clause (iii) or any of the offenses listed in— (I) sections 1028 through 1030 of title 18 (relating to fraud and identity theft); (II) chapter 37 of such title (relating to espionage and censorship); and (III) chapter 90 of such title (relating to protection of trade secrets).