Congress has finally agreed on funding for United States (U.S.) government operations for the current fiscal year (FY), some five months after the beginning of the year. This is not to say U.S. agencies have shuttered operations; rather, they have been funded through a series of continuing resolutions, which is to appropriations what autopilot is to aviation. It keeps things running, but it is not good if conditions change quickly. Be that as it may, the FY 2022 omnibus appropriations bill funds all the crucial agencies that oversee technology policy and is stuffed with what one may term extraneous legislation, most notably for the technology world, “The Cyber Incident Reporting for Critical Infrastructure Act of 2022.”
The “FY2022 Consolidated Appropriations Act” (H.R. 2471) would fund all U.S. government agencies for the remainder of FY 2022, which ends on 30 September 2022. The House and Senate Appropriations Committees made available a lot of material explaining the bill:
The text of the spending package, H.R. 2471, is available here. Explanatory statements are available here. A full summary of the 12 regular appropriations bills is here. A summary of the Ukraine supplemental is here and a one-page fact sheet is here. A summary of the coronavirus supplemental is here and a one-page fact sheet is here.
Individual subcommittee summaries and one-page fact sheets are below:
Now, we will turn to the major funding programs with jurisdiction over technology. The quotes in this piece are from the Joint Explanatory Statement that accompanied the FY 2022 omnibus.
The Federal Trade Commission (FTC) would be provided with $376.53 million, some $25 million more than FY 2021, but less than House and Senate Democrats had wanted. The House’s bill would have given the FTC $389.8 million, a $38.8 million increase, and the Senate Appropriations Committee Democrats would have appropriated $384 million. The bill has additional programmatic directives for the agency in addition to those in the House’s committee report that are not contradicted or revised in the Joint Explanatory Statement (see here for excerpts on some of these requirements).
Notably, Congress calls on the FTC to work with Congress on a Section 13(b) fix, even though the House passed a bill doing this that has not seen the light of day in the Senate because Republican opposition cannot be overcome:
Congress is also prompting the agency to examine subscription services, a prominent business model for many technology companies. I know because it took serious work for us to cancel Amazon Prime. In any event, here is what Congress said:
In the FY 2022 omnibus, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) would get $2.593 billion, $568.68 million more than FY 2021 and $460 million more than the administration requested. This figure falls between what the House and Senate called for. In terms of CISA-directed mandates, Congress wants to be kept in the loop on how the agency will hand out $100 million in grant funds under the newly created Cyber Response and Recovery Fund (see here for more detail and analysis):
There are other directives for CISA, too many to include here, but among them are:
The Federal Communications Commission (FCC) would get $381.95 million for FY 2022, a 3.73% increase above last year (i.e., $13.95 million). The White House, House, and Senate were agreed on this funding level, which is probably possible because Congress will not need to appropriate any funds for the agency. Instead, it will be self-funded, in a sense, because it will use a portion of the money it pulls in from licensing, auctions, and the like.
Nevertheless, the Appropriations Committees had some programmatic direction for the FCC:
To no great surprise, broadband data maps are on Congress’ mind. Distribution of the $65 billion for broadband funding in the “Infrastructure Investment and Jobs Act” (P.L. 117-58) will hinge in large part on what the FCC’s forthcoming broadband map says about who has adequate broadband and who does not. And, again, to no great surprise, Congress is encouraging the FCC to pay special attention to rural broadband:
There is also directive language for the FCC on other areas that have been historically underserved with regard to broadband:
The Office of the National Cyber Director (NCD) did not receive any funding because an appropriation of $21 million was included in the “Infrastructure Investment and Jobs Act” (P.L. 117-58), and it is expected the NCD will be funded through regular appropriations in the coming fiscal year. In its FY 2022 budget request, the Biden Administration asked Congress for $15 million and 25 Full-Time Equivalents (FTE) to stand up the Office of the NCD. However, the Cyberspace Solarium Commission (CSC), in making the recommendation that Congress create such a position, called for at least 50 FTE in this office. And so, the NCD will, for now at least, be smaller than the CSC envisioned. However, NCD Chris Inglis did tell an advisory committee this week he expects the NCD’s office will eventually have 85 FTEs.
Nonetheless, Congress directed the NCD with respect to cyber workforce:
The Office of Management and Budget (OMB) also receives direction from Congress on technology policy. The appropriators are urging OMB to use wisely the windfall of funding received in the “American Rescue Plan Act of 2021” (P.L. 117-2) (i.e. $1 billion for the Technology Modernization Fund and $150 million for the General Services Administration’s Federal Citizen Services Fund (FCSF)):
The National Telecommunications and Information Administration (NTIA) will get $48.2 million, a modest increase above its current funding of $45.5 million but far short of the $79 million the House recommended and the $80.531 million the Senate earmarked for the agency. It should be noted the Biden Administration had asked for $89 million for the agency. Be that as it may, the NTIA will be doling out billions of dollars in grants to states for broadband expansion. Not surprisingly, Congress has direction and advice on broadband policy more generally.
The FY 2022 omnibus gives the National Institute of Standards and Technology (NIST) $1.23 billion, a bump from FY 2021’s $1.034 billion, but, as with other agencies, less than the administration wanted (i.e., $1.497 billion). NIST is given direction regarding artificial intelligence (AI) policy:
NIST is given other direction regarding technology policy:
It is somewhat surprising there is no language in the FY 2022 omnibus barring the Internal Revenue Service (IRS) from using facial recognition technology for filing tax returns, as it had planned on doing before Members of Congress and others objected. The IRS then backtracked, but it is still planning on the possible use of this technology in future years.
The cyber incident reporting bill in the omnibus tracks almost exactly with the provisions in a larger cybersecurity bill the Senate passed last week. Regarding “The Cyber Incident Reporting for Critical Infrastructure Act of 2022” (Division Y of the bill), splitting this legislation from the “Strengthening American Cybersecurity Act of 2022” (S.3600), a package the Senate sent to the House last week, may delay enactment of Federal Information Security Modernization Act (FISMA) reform, cyber incident reform legislation, and a codification of the Federal Risk and Authorization Management Program (FedRAMP), the other component parts of that bill. There is reported resistance among House Republicans and industry stakeholders over what they see as overly burdensome and prescriptive requirements in the rewrite of how U.S. civilian agencies and their contractors must police their cybersecurity and information security. As far as I know, there have not been any public pronouncements from those in opposition to FISMA reform, but this is to be expected, for it would not be a good look politically to stand against a measure that purports to shore up the weaknesses Russian and Chinese hackers exploited in the recent past.
Back to the cyber incident reporting language in the FY 2022 omnibus, and as well-intended as the legislation is, there continue to be incentive problems. And by this, I mean if the goal of the bill is to get critical cyber infrastructure owners and operators to report cyber incidents that threaten U.S. cybersecurity, the bill’s incentives do not seem likely to bring about this result. Let me explain.
There is a 72-hour deadline for reporting “covered cyber incidents.” While CISA has 24 hours to distribute reports received on covered cyber incidents, ransom payments, and voluntarily submitted information, entities obligated to make covered cyber incident reports (i.e., the most crucial cyber infrastructure in the U.S.) have 72 hours to notify CISA. Industry stakeholders objected to the 24-hour deadline in the Senate Intelligence Committee’s bill, a provision supported by CISA Director Jen Easterly and National Cyber Director Chris Inglis, and so the language in the two other bills mandating a 72-hour reporting window was put into the compromise language the Senate stakeholders settled on last fall.
In any event, the reporting responsibilities a covered entity must meet will hinge on a reasonable belief that a covered cyber incident has occurred. It will not surprise me if the Government Accountability Office (GAO), an Inspector General (IG), or a committee of Congress finds that some covered entities have delayed making the determination that a reasonable belief exists that a covered cyber incident has occurred in the hopes of avoiding reporting. Why do I say this? Having been a lobbyist and still being a lawyer, I know those two words, “reasonable belief,” will be interpreted very, very liberally by covered entities. As a result, companies required to report cyber incidents may take time in making the determination that they have a reasonable belief that a covered cyber incident has occurred. If this happens, it will take longer for CISA, other federal agencies, and other critical cyber infrastructure owners and operators to learn of a covered cyber incident.
Moreover, the compliance incentives are weak. It will not surprise me to see a GAO or IG report in the future detailing the low volume of covered cyber incident reports being made within 72 hours or wide non-compliance with the new requirements. There are several reasons, but the foremost one is that if CISA suspects a covered entity failed to submit a report and reaches out for information, and the covered entity then chooses to comply, the DOJ cannot prosecute the covered entity, nor can its regulator proceed with an enforcement action. Hence, there is, in effect, a safe harbor for the clever covered entity to use. It need not report a covered cyber incident for fear of government action because it can always come clean when CISA contacts it. And it bears note that if a covered cyber incident occurred six months prior, and CISA is only now learning of it, the covered entity can still cure any liability by complying with CISA’s information request. Additionally, the same is true for failing to report ransomware payments.
Of course, holding out would entail reputational risk on the part of a covered entity and a possible tongue lashing before Congress if it is discovered that a covered cyber incident was covered up and not reported, but a critical infrastructure operator may be willing to gamble that the incident will not be discovered. Additionally, even if a covered entity stiff-arms CISA when it serves a subpoena after the entity declined to respond to the agency’s information request, CISA would need to make the call that the action warrants prosecution. Next, the agency to which CISA refers the matter would also have to agree. Moreover, there is nothing in the bill giving CISA a chance to formally appeal an agency’s decision not to act in these circumstances. To be sure, the agency could reach out to the White House, but the staff at 1600 Pennsylvania Avenue may not want to get between agencies. And even if an agency agrees with CISA and decides to initiate an enforcement action, it is not clear what kind of penalties would be available to punish covered entities that failed to report covered cyber incidents.
One of the earlier versions of cyber incident reporting would have addressed the enforcement problem differently. The Senate Intelligence Committee’s bill would have allowed CISA to impose civil fines for non-compliance:
If, on the basis of any information, the Director determines that a covered entity has violated, or is in violation of, the requirements of this subtitle, including rules promulgated under this subtitle, the Director may assess a civil penalty not to exceed 0.5 percent of the entity’s gross revenue from the prior year for each day the violation continued or continues
If covered entities were staring down the barrel of “0.5 percent of the entity’s gross revenue from the prior year for each day the violation continued or continues,” compliance would be much higher.
Another point at which the intent of the bill will surely be tested is the rulemaking, because Congress delegated to CISA the responsibility to make many of the crucial decisions about who and what is subject to the new reporting regime. For example, in this rulemaking, CISA must craft clear descriptions “of the types of entities constitute covered entities” and “the types of substantial cyber incidents that constitute covered cyber incidents.” One can be sure that many entities across the U.S. economy will try to make the case they should not be covered entities and will try to persuade the agency to define a covered cyber incident as narrowly as possible.
To get deeper into the specifics, in determining which entities shall be covered, CISA must consider the following:
- the consequences that disruption to or compromise of such an entity could cause to national security, economic security, or public health and safety;
- the likelihood that such an entity may be targeted by a malicious cyber actor, including a foreign country; and
- the extent to which damage, disruption, or unauthorized access to such an entity, including the accessing of sensitive cybersecurity vulnerability information or penetration testing tools or techniques, will likely enable the disruption of the reliable operation of critical infrastructure.
I imagine some otherwise critical infrastructure entities could make the case the chances of being targeted by a malicious actor are so low as to justify omission among other claims meritorious or not.
To continue on the same theme, Congress also guides CISA on what a covered cyber incident should be, and the agency should:
- at a minimum, require the occurrence of:
  - a cyber incident that leads to substantial loss of confidentiality, integrity, or availability of such information system or network, or a serious impact on the safety and resiliency of operational systems and processes;
  - a disruption of business or industrial operations, including due to a denial of service attack, ransomware attack, or exploitation of a zero day vulnerability, against
    - an information system or network; or
    - an operational technology system or process; or
  - unauthorized access or disruption of business or industrial operations due to loss of service facilitated through, or caused by, a compromise of a cloud service provider, managed service provider, or other third-party data hosting provider or by a supply chain compromise;
I would expect quibbling over what constitutes a “substantial loss of confidentiality, integrity, or availability of such information system or network.” Likewise, expect debate in the rulemaking process over what is “a serious impact on the safety and resiliency of operational systems and processes.”
Another pressure point in the rulemaking will be over CISA’s construction of enforcement procedures, which may include “other available enforcement mechanisms including acquisition, suspension and debarment procedures.” Industry stakeholders, especially federal contractors, will do their best to persuade the agency to use as light a touch as possible with respect to these possible enforcement mechanisms.
In any event, there will be teams of lawyers and lobbyists working all sorts of creative angles in commenting on CISA’s rules to effectuate the cyber incident reporting regime. Moreover, if other significant recent rulemakings are any guide and some industry stakeholders do not care for the final regulations, we may well see litigation that prevents CISA from moving forward with the new cyber incident reporting system while the judicial process plays out.
The United States (U.S.) Securities and Exchange Commission “proposed amendments to its rules to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies” per its press release.
The United Kingdom’s (UK) Department for Digital, Culture, Media & Sport (DCMS) announced “[n]ew legislation set to make digital identities more trustworthy and secure” along with the government’s response to the comments made during its digital identity consultation.
The Australian Competition and Consumer Commission, Australian Communications and Media Authority, Office of the Australian Information Commissioner, and Office of the eSafety Commissioner announced the formation of the Digital Platform Regulators Forum and issued the terms of reference.
The European Parliament formed “three new committees to look into the use of spyware by EU governments, malicious foreign interference, and lessons from the pandemic” and issued a “report by the Special Committee on Foreign Interference in all Democratic Processes in the European Union, including Disinformation (INGE) says that a general lack of awareness of the severity of foreign interference and information manipulation, overwhelmingly carried out by Russia and China, is exacerbated by loopholes in legislation and insufficient coordination between EU countries.”
United States (U.S.) Senators John Cornyn (R-TX) and Amy Klobuchar (D-MN) introduced the “Safely Accessing Telecommunications (SAT) Act,” which would authorize the U.S. State Department and Department of Defense to enter into contracts with satellite cellular and internet providers to provide direct connectivity in conflict regions.
The United Kingdom’s (UK) Information Commissioner’s Office (ICO) started a consultation on its fourth chapter of its Anonymisation, pseudonymisation and privacy enhancing technologies guidance.
The European Union Agency for Cybersecurity (ENISA) explored in a report “how CSIRTs, law enforcement agencies and the judiciary cooperate and how they can train together to better tackle cyber incidents and respond to cybercrime.”
The United States (U.S.) Government Accountability Office (GAO) issued two reports: “Data Center Optimization: Agencies Continue to Report Mixed Progress Against OMB's Targets” and “Leading Practices: Agency Acquisition Policies Could Better Implement Key Product Development Principles.”
Access Now, Wikimedia Foundation, and over 35 civil society organizations “called on U.S. President Biden and his administration to ensure the people of Russia and Belarus are not cut off from the internet.”
The chair and ranking member of the United States (U.S.) House Energy and Commerce Committee’s Communications & Technology Subcommittee wrote an op-ed titled “Aviation conflict highlights the need for spectrum management reform.”
United States (U.S.) Senators Richard Blumenthal (D-CT) and Ed Markey (D-MA) wrote the National Telecommunications and Information Administration (NTIA) “to encourage the Agency to prioritize and protect competition, high quality jobs, affordability, and consumer protection standards in its grant programs” including the billions in broadband funds the agency will be giving to states.
Tweet of the Day
“Russian sanctions drive renewed focus on Asia semiconductor reliance” By Hans Nichols and Andrew Solender — Axios
“Microsoft’s Pursuit of Climate Goals Runs Into Headwinds” By Peter Eavis — New York Times
“Welcome to Airspace: How Silicon Valley helps spread the same sterile aesthetic across the world” By Kyle Chayka — The Verge
“TikTok’s biggest Chinese competitor bets big on Brazil” By Andrew Deck and Marília Marasciulo — Rest of the World
“TikTok has long tried to stay out of politics. Russia’s invasion is making that harder.” By Gerrit De Vynck, Cat Zakrzewski and Elizabeth Dwoskin — Washington Post
“Uber isn’t happy drivers found a hack to dodge commission fees in South Africa” By Ray Mwareya — Rest of the World
“Australia pressured Google and Facebook to pay for journalism. Is America next?” By Bill Grueskin — Columbia Journalism Review
“Meta’s head of youth product initiatives departs the company.” By Ryan Mac — New York Times
“More Than 80% of Cyberattacks Worldwide Happening in Russia or Ukraine” By Frank Konkel — Nextgov
“E.U. sanctions demand Google block Russian state media from search results” By Gerrit De Vynck — Washington Post
“Carmakers Race to Control Next-Generation Battery Technology” By Jack Ewing and Eric Lipton — New York Times
- 9-10 March
  - The Information Security and Privacy Advisory Board (ISPAB) will hold a quarterly open meeting and the agenda is expected to include the following items:
    - Briefing from NIST on recent activities from the Information Technology Laboratory,
    - Presentation from NIST on the Artificial Intelligence Risk Management Framework,
    - Discussion on Cryptographic Brittleness and issues in implementations,
    - Presentation from NIST on Open Source Cybersecurity Assessment Language (OSCAL),
    - Discussion on the United States Government participation in National and International Standards Development Organizations,
    - Briefing on NIST Cybersecurity Updates,
    - Public Comments.
- 10 March
  - The United States (U.S.) Senate Intelligence Committee will hold open and closed hearings on worldwide threats.
  - New Zealand’s Parliament’s Economic Development, Science and Innovation Committee will hold a private session on the Digital Identity Services Trust Framework and a “Briefing on cybersecurity.”
- 11 March
  - The United States (U.S.) Federal Communications Commission (FCC) will hold the “first of a series of virtual public hearings as a part of its broadband consumer labels rulemaking proceeding,” which “will be part of the record in response to the FCC’s recent Notice of Proposed Rulemaking which sought comment on a requirement that broadband providers display simple-to-understand labels that disclose, at the point of sale, accurate information about prices, introductory rates, data allowances, broadband speeds, and management practices, among other things.”
- 16 March
  - The United States Federal Communications Commission (FCC) will hold an open meeting with this agenda:
    - Preventing Digital Discrimination. The Commission will consider a Notice of Inquiry that would commence a proceeding to prevent and eliminate digital discrimination and ensure that all people of the United States benefit from equal access to broadband internet access service, consistent with Congress’s direction in the Infrastructure Investment and Jobs Act. (GN Docket No. 22-69)
    - Resolving Pole Replacement Disputes. The Commission will consider a Second Further Notice of Proposed Rulemaking that would seek comment on questions concerning the allocation of pole replacement costs between utilities and attachers and ways to expedite the resolution of pole replacement disputes. (WC Docket No. 17-84)
    - Selecting Final Round of Applicants for Connected Care Pilot Program. The Commission will consider a Public Notice announcing the fourth and final round of selections for the Commission’s Connected Care Pilot Program to provide Universal Service Fund support for health care providers making connected care services available directly to patients. (WC Docket No. 18-213)
    - Restricted Adjudicatory Matter. The Commission will consider a restricted adjudicatory matter.
    - National Security Matter. The Commission will consider a national security matter.
  - The European Union’s Parliament’s Committee on the Internal Market and Consumer Protection will hold a hearing titled “Risks from the use of Dark Patterns for consumers and the Digital Single Market” that “will provide valuable input to the discussions and negotiations on the draft legislation being amended in IMCO, such as the Digital Services Act, the Digital Markets Act and the Data Act.”
- 17 March
  - The European Union Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) will hold a hearing on the “General Data Protection Regulation implementation, enforcement and lessons learned.”
  - The United States (U.S.) Federal Trade Commission (FTC) will hold an open meeting with this tentative agenda:
    - Staff Presentation on the E-Cigarette Report for 2015-2018: Staff will present findings from a report on the sales and marketing of e-cigarettes, with a particular focus on the use of these products by youth.
- 15-16 May
  - The United States-European Union Trade and Technology Council will reportedly meet in France.
- 16-17 June
  - The European Data Protection Supervisor will hold a conference titled “The future of data protection: effective enforcement in the digital world.”