Hearing:
The Crime, Terrorism and Homeland Security Subcommittee of the House Judiciary Hearing will meet on the Geolocational Privacy and Surveillance Act, H.R. 2168.
10 a.m., 2141 Rayburn Building

The proposed new and revised certification standards are part of the national effort to modernize our healthcare infrastructure under the Health Information Technology for Economic and Clinical Health Act (HITECH Act). The goal is to provide better managed patient care through improved health information technology and electronic health records.

The Medicare and Medicaid Incentive Programs provide payments to eligible professionals and hospitals to help them adopt, implement, and upgrade their technologies. To receive incentive payments, healthcare providers must use certified technology. The certification gives healthcare providers the confidence that their IT systems and electronic health records will be secure, accurate, and interoperable with other providers. Patients can be assured that the providers are using certified technology to protect the security, privacy, and confidentiality of their health records.

USACM endorses the proposed enhancement to the certification standards to require accessibility of patients’ electronic health records. USACM agrees that all patients should have equal and meaningful access to their electronic health information. The proposed adoption of the Web Content Accessibility Guidelines (WCAG), an international technical standard for web accessibility, and its Level AA conformance criteria will enhance the ability of patients, including patients with mobility or visual impairments, to access their electronic health information. The international standard is technology-independent and is supported by freely available online documentation. Other federal agencies, including the Access Board, similarly are considering adopting WCAG and its Level AA conformance criteria as the minimum standard for web accessibility. Read the USACM and SIGCHI public comment to the Access Board in March 2012 on improving the accessibility of federal websites.

The new certification standards for health information technology and electronic health records, once adopted by the U.S. Department of Health and Human Services, will take effect for healthcare providers in fiscal year and calendar year 2014.

Hearing:
The Senate Commerce, Science and Transportation Committee will hold a hearing on the consumer privacy reports issued by the Federal Trade Commission and the Obama Administration.
2:30 p.m., 253 Russell Building

The House leadership has scheduled four cybersecurity bills for votes on Thursday and Friday of this week. The bills up for consideration concern information sharing between the government and the private sector, an overhaul of the law covering how federal government systems manage cybersecurity, and research and development in cybersecurity.

Arguably none of these bills are properly comprehensive, but House leadership opted for a strategy of handling a number of bills across the cybersecurity landscape. The Senate is focused on approving a single comprehensive bill, though some Republicans have placed their support behind another bill. The issues of contention for the Senate bills are the roles played by the Homeland Security Department and the National Security Agency, as well as the level of regulation in the bills.

Given the multiple bills at play (only some of which have been mentioned in this post), USACM has prepared this statement outlining its interests in cybersecurity legislation. It’s important that cybersecurity legislation ensures that:

• Any information sharing must include protections for personally identifiable information;
• Unnecessary restriction of cybersecurity risk management options;
• There are no broad certification requirements for cybersecurity professionals;
• Cybersecurity education should include systems analysis and design;
• There is continued federal support for cybersecurity research and development; and
• There are targeted sets of cybersecurity standards.

What happens later this week on the floor of the House will be the first part of a longer process. The next steps should follow in the Senate in a matter of weeks.

April 24 – Edited to add E-Verify hearing for April 27.

The House is expected to consider four cybersecurity bills on Thursday and Friday, April 26 and 27.

April 24

Hearing:
The Senate Commerce, Science and Transportation Committee will hold a hearing on the migration of video viewing from broadcast and cable television to internet-enabled transmission mechanisms.
10 a.m., 253 Russell Building

The Subcommittee on Oversight, Investigations and Management of the House Homeland Security Committee will hold a hearing on the need to act on cybersecurity.
2 p.m., 311 Cannon Building

April 26

Hearing:
Two subcommittees of the House Homeland Security Committee will hold a hearing on the cybersecurity threats posed by Iran.
10 a.m., 311 Cannon Building

April 27

Hearing has been postponed.
Hearing:
The Subcommittee on Immigration Policy and Enforcement of the House Judiciary Committee will hold a hearing on electronic employment verification.
9:15 a.m., 2141 Rayburn Building

April 18

Markup:
The House Oversight and Government Reform Committee will review a bill to update the Federal Information Security Management Act.
10 a.m., 2154 Rayburn Building

The House Homeland Security Committee will review a bill on information sharing related to cybersecurity.
10 a.m., 311 Cannon Building

Hearing:
The Immigration Subcommittee of the House Judiciary Committee will hold a hearing on electronic employment eligibility systems and document fraud.
11:15 a.m., 2141 Rayburn Building

April 19

Hearing:
The Human Resources Subcommittee of the House Ways and Means Committee will hold a hearing on how technology can help better target benefits and reduce waste, fraud, and abuse.
10 a.m., 1100 Longworth Building

To that end, NTIA released a request for comment in early March (the deadline was extended to April 2), and USACM filed comments earlier today. Much like our comments on the governance of the National Strategy for Trusted Identities in Cyberspace (NSTIC), the request and our comments are focused on issues of process and focus.

In our comments we encourage the NTIA to focus not only on the technologies and applications identified in their request for comment, but also to consider the assessments of privacy risks associated with these technologies and applications. We also recommended that the process – both the meetings and the output of those meetings – be made available to the public in formats that are easily reusable. Much like with NSTIC, trust is going to be an important contributor to the success or failure of the consumer data privacy codes of conduct.

The final report retains the same general framework outlined in the December 2010 draft, and is broadly consistent with the effort to develop a Consumer Privacy Bill of Rights announced by the Obama Administration last month. In announcing the release of the report, the FTC indicated it would focus on the following areas in its online privacy work over the next several months.

Do-Not-Track – The Commission commends the progress made in this area: browser vendors have developed tools to allow consumers to limit data collection about them, the Digital Advertising Alliance has developed its own icon-based system and also committed to honor the browser tools, and the World Wide Web Consortium standards-setting body is developing standards. “The Commission will work with these groups to complete implementation of an easy-to-use, persistent, and effective Do Not Track system,” the report says.

Mobile – The FTC urges companies offering mobile services to work toward improved privacy protections, including disclosures. To that end, it will host a workshop on May 30, 2012 to address how mobile privacy disclosures can be short, effective, and accessible to consumers on small screens.

Data Brokers – The Commission calls on data brokers to make their operations more transparent by creating a centralized website to identify themselves, and to disclose how they collect and use consumer data. In addition, the website should detail the choices that data brokers provide consumers about their own information.

Large Platform Providers – The report cited heightened privacy concerns about the extent to which platforms, such as Internet Service Providers, operating systems, browsers and social media companies, seek to comprehensively track consumers’ online activities. The FTC will host a public workshop in the second half of 2012 to explore issues related to comprehensive tracking.

Promoting Enforceable Self-Regulatory Codes – The FTC will work with the Department of Commerce and industry stakeholders to develop industry-specific codes of conduct. To the extent that strong privacy codes are developed, when companies adhere to these codes, the FTC will take that into account in its law enforcement efforts. If companies do not honor the codes they sign up for, they could be subject to FTC enforcement actions.

Original Post:

March 27

Hearing:
The Technology and Innovation Subcommittee of the House Science, Space and Technology Committee will hold a hearing on the effect of federal policies on innovation.
10 a.m., 2318 Rayburn Building

March 28

Hearing:
The Communications and Technology Subcommittee of the House Energy and Commerce Committee will hold another hearing on cybersecurity and communications networks.
10 a.m., 2322 Rayburn Building

March 29

Hearing:
The Investigations and Oversight Committee of the House Science, Space and Technology Committee will hold a hearing on public access to federally funded research.
9:30 10 a.m., 2318 Rayburn Building

The Commerce, Manufacturing and Trade Subcommittee of the House Energy and Commerce Committee will hold a hearing on the interaction of online privacy and innovation.
10 a.m., 2123 Rayburn Building

Hearing:
The Subcommittee on Crime, Terrorism, and Homeland Security of the House Judiciary Committee will hold a hearing on the REAL ID Act’s standards for driver’s licenses and identification cards.
10 a.m., 2141 Rayburn Building

The Technology, Information Policy Intergovernmental Affairs and Procurement Reform Subcommittee of the House Oversight and Government Reform Committee will hold a hearing on technology and the Freedom of Information Action (FOIA).

“Judea Pearl’s work has transformed artificial intelligence (AI) by creating a representational and computational foundation for the processing of information under uncertainty. Pearl’s work went beyond both the logic-based theoretical orientation of AI and its rule-based technology for expert systems.

…

“Equally significant is Pearl’s work on causal reasoning, where he developed a graph-based calculus of interventions that makes it possible to derive causal knowledge from the combined effects of actions and observations. This work has been transformative within AI and computer science, and has had major impact on allied disciplines of economics, philosophy, psychology, sociology, and statistics.”

The A.M. Turing Award is ACM’s most prestigious technical award. Each year the winner is invited to present a lecture at the ACM Awards Banquet, and thanks to the support of the Intel Corporation and Google, the winner receives a $250,000 prize.

2012 marks the centenary of Alan Turing’s birth, which ACM will celebrate in June. In addition to his contributions to code-breaking for the British during World War II, Turing is an important figure in modern computing, making advances in computer architecture, algorithms, formalization of computing, and artificial intelligence.

This “refresh” of the Draft Information and Communications Technology (ICT) Standards and Guidelines will jointly update the accessibility requirements under Section 508 of the Rehabilitation Act and Section 255 of the Telecommunications Act. The current standards were last updated in 2000 and went into effect in 2001.

The Section 508/255 Refresh seeks, in part, to ensure and improve accessibility in light of innovative and emergent developments within the computer and technology industries, such as webcasts, mobile applications and devices, interactive kiosks, laptop computers, onscreen keyboards, and wireless assistive devices. The Refresh also seeks to foster increased compliance through increased ease of use and understanding of the standards by federal agencies, their contractors, and equipment manufacturers.

“Innovative developments within the computer and technology industries will continue to revolutionize how the public, including people with disabilities, access federal government information and interact with government services,” said Harry Hochheiser, Chair of the USACM Accessibility Committee. “We strongly support the Access Board’s decision to adopt the leading international standard for web accessibility. We anticipate the result will be a broader range of cost-effective software and equipment options, automated testing and evaluation tools, and built-in accessibility features that will help federal agencies provide greater accessibility to government information and services.”

USACM Accessibility Committee member Jonathan Lazar is pleased with one significant change from past versions: “There is now an increased focus on satisfying functional performance requirements, even when technical design requirements are met. A technical requirement, when met, may theoretically provide access to information, but it does not guarantee that users will actually be able to effectively use that information resource. Performance-based requirements, which focus on outcomes rather than specific methods or technologies, provide greater flexibility to respond to the rapid changes in technologies.”

Highlights from the USACM/SIGCHI public comment include:

• Harmonization with International Standards
  We support the Access Board’s decision to incorporate by reference international standards, where appropriate, rather than creating duplicate or additional standards specific to the federal government. As many commercial companies already make products compliant to international standards for the private sector, a harmonized framework of accessibility requirements across public and private efforts will foster industry efficiencies, costs reductions, and increased built-in accessibility features in ICT services, products, and equipment. To allow for updates and evolutions of referenced international standards, we encourage the Access Board to include “or later” after references to a specific version of an international standard.

• Functional Performance Is Essential
  Requirements that focus on functional performance criteria rather than specific technical provisions will better promote the values of accessible participation, technical flexibility, and innovation. We concur with the proposed requirement that functional criteria must always be met, even when the technical requirements are met. Technologies must be not only accessible but also usable by people with disabilities.

• Technical Assistance to Federal Agencies
  The Access Board, as a trusted resource with technical expertise, should be ready to assist federal agencies by providing information about implementations, tools, and audit resources that will help covered entities achieve compliance. Ongoing assistance could include updates on best practices, case studies, examples of successful implementations, developer and authoring toolkits, testing and evaluation tools, training opportunities, and relevant online resources.

The Access Board will consider the public comments received and then issue a proposed Final Rule, followed by another round of public comment before it issues the Final Rule.

See also: Statement by Harry Hochheiser and Jonathan Lazar on the USACM/SIGCHI Comments

Hearing:
The Science and Space Subcommittee of the Senate Commerce, Science and Transportation Committee will hold a hearing on research and development investments.
2:30 p.m., 253 Russell Building

March 7

Hearing:
The Communications and Technology Subcommittee of the House Energy and Commerce Committee will hold a hearing on communications networks and cybersecurity.
10 a.m., 2123 Rayburn Building

March 9

Meeting:
The President’s Council of Advisers on Science and Technology (PCAST) will meet.
10 a.m., Carnegie Endowment for International Peace, 1779 Massachusetts Avenue, NW

While this effort is a good start, as USACM noted in its comments, “developing directly usable guidance for researchers requires both broader and deeper
consideration of these issues” than can be found in the Menlo Report. We recommend that the DHS:

The work DHS is doing is important, but is not on its own. As reflected in our comments from last September, the Department of Health and Human Services is working out revisions on its own human subjects research regulations, and DHS would benefit from exploring that effort and using it to inform its own work.

We think the Menlo Report is necessary, research in computing and information technology needs to live up to its responsibilities concerning the human subjects affected by that research. USACM is willing and able to assist in furthering the work needed to do so.

Digesting the New Senate Cybersecurity Legislation

by Chris Bronk

Senators Joe Lieberman, Susan Collins, Jay Rockefeller, and Diane Feinstein introduced another cybersecurity bill in the U.S. Senate on February 14. “The Cybersecurity Act of 2012,” or S.2105, is yet another attempt by the Senate to bring to a vote a major piece of bipartisan legislation on information and communications security. There have been several efforts to produce new law on this front, but debate has often mired on serious sticking points. The “Internet kill switch,” where the President would have the authority to close off the Internet, standing as perhaps the most rhetorically threatening of them. There is no kill switch in S.2105.

Within S.2105, a broad set of issues was considered of interest to the federal government, the IT industry, and the operators of critical infrastructure. The bill lays out some pragmatic planks for determining responsibilities beyond the federal government, further bulking up national cyber security capabilities, and offering a roadmap for regulation of cyber security responsibility.

Significantly, S.2105 emphasizes the Secretary of the Department of Homeland Security (DHS) as the lead official on cybersecurity matters, with the usual exceptions for agencies in the Department of Defense and Intelligence Community. DHS has gradually grown a capability in cybersecurity, and S.2105 would expand it, combining the functions of DHS’s National Cyber National Cyber Security Division, the Office of Emergency Communications, and the National Communications System into a single National Center for Cybersecurity and Communications. Presumably, this new center would operate in a manner similar to the Office of the Director of National Intelligence’s inter-agency function-specific centers, such as the National Counter Terrorism Center.

Beyond the national center, S.2105 addresses another issue of great importance, the vulnerability of critical infrastructure – in both the public and private sectors – to cyber attack. The legislation lays out a process for designating critical infrastructure, assessing risks to it and “promulgat[ing] regulations to enhance the security of covered critical infrastructure against cyber risks.” This component will no doubt attract scrutiny as it assigns responsibilities and assesses liability – and the limitations thereof – with regard to the cybersecurity of critical infrastructure. (S.2105 also lays out standards on criticality, having to do with loss of life, service interruption, and severe economic damage among others).

Other elements of the bill consider the expanded staffing needs and the peculiarities of clearing non-government employees to handle sensitive or classified information. It also considers cybersecurity information sharing issues, reform of the Federal Information Security Management Act (FISMA), and education and R&D initiatives.

This bill may be able to clear previous obstacles and deliver to the President and the Department of Homeland Security the necessary authorities to move beyond piecemeal efforts in cyber security remedy and coordination. The Senate Homeland Security and Governmental Affairs Committee has already held a hearing on the bill, so there is interest in getting this legislation to a Senate vote sooner rather than later.

Hearing:
The Investigations and Oversight Subcommittee of the House Science, Space and Technology Committee will hold a hearing on cybersecurity at the National Aeronautics and Space Administration.
2 p.m., 2318 Rayburn Building

Hearing:
The Senate Homeland Security and Government Affairs Committee will hold a hearing on the Cybersecurity and Internet Freedom Act of 2012.
2:30 p.m., 342 Dirksen Building

February 17

Hearing:
The House Science, Space and Technology Committee will hold a hearing on science research and development funding for fiscal year 2013.
9:30 a.m., 2318 Rayburn Building

The House legislation aims to do just that, adding language to the existing law concerning cloud computing and cyber-physical systems, revising language concerning strategic planning for the program and its National Coordination Office and further encourages the National Science Foundation to use its programs to increase education in cybersecurity issues and to increase participation in the field by underrepresented groups.

The bill, H.R. 3834, now moves to the full House for a vote.

Markup:
The House Science, Space and Technology Committee will review pending legislation, including a bill to amend the High Performance Computing Act of 1991.
10 a.m., 2318 Rayburn Building

February 8

Hearing:
The Communications and Technology Subcommittee of the House Energy and Commerce Committee will hold a hearing on the cybersecurity of communications networks.
9:30 a.m., 2322 Rayburn Building

Markup:
The Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies of the House Homeland Security Committee will mark up legislation on cybersecurity and information sharing.
10 a.m., 311 Cannon Building

With a membership whose professional output relies on sound, enforceable intellectual property rights, USACM supports reasonable efforts to address criminal violations of intellectual property rights, but the technological mandates required in both SOPA and PIPA cause grave concern. In letters submitted this week to the Senate and House Judiciary Committees, USACM outlines our analyses the technological impact of both PIPA and SOPA, concluding that the bills’ approach to disrupting rogue sites by removing them from indexing and search sites will prove problematic and ineffective.

Furthermore, the portions of the legislation dealing with DNS (Domain Name System), would undermine years of sound technical work by the international community as well as inhibit substantial progress made by many parties, including the federal government, to address security flaws in the existing DNS system. Any actions that interfere with or weaken any aspect of DNSSEC (DNS Security Extensions), a foundation for Internet security, should be viewed with grave concern. That is why USACM is encouraged by recent statements from the sponsors of SOPA and PIPA, Rep. Lamar Smith and Senator Patrick Leahy, that the provisions on DNS blocking will be reconsidered, if not removed from the bills.

The proposed legislation, including the manager’s amendment in SOPA, will impose significant negative consequences on the proper functioning of DNS, and especially with the ongoing implementation of DNSSEC. The bill’s approach would ultimately prove ineffective in addressing the legislation’s goals, which are already easily bypassed, would impose cost burdens on innocent third parties, and would interfere with progress in reducing on-line fraud and espionage.

After thorough analysis, USACM echoes the White House’s sentiments that any proposed laws “must not tamper with the technical architecture of the Internet through manipulation of DNS.” When addressing online piracy, legislation should seek to avoid technological mandates. Computing technology evolves quickly, and innovations often render technologies moot before legislation has time to be fully implemented. Mandated technological approaches, such as those outlined in SOPA and PIPA, are likely to be rendered obsolete in short order and may in fact chill or prevent research and innovation in the U.S., while having little impact on U.S. competitors and domestic firms outside the U.S. Given the current economy and the vital role being played by information technology firms, such potential outcomes should be carefully considered.

Hearing:
The Subcommittee on Communications and Technology of the House Energy and Commerce Committee will hold a hearing on ICANN’s top-level domain program.
9 a.m., 2123 Rayburn Building

Hearing:
The Cybersecurity, Infrastructure Protection and Security Technologies Subcommittee of the House Homeland Security Committee will hold a hearing on a draft legislative proposal on cybersecurity.
10 a.m., 311 Cannon Building

News: Society
Remaking American Medicine by Neil Savage
A review of recent reports on health information technology from the President’s Council of Advisers on Science and Technology.

Viewpoint: Law and Technology
Remix Nation by Rebecca Tushnet
A discussion of how the anti-circumvention provisions of the Digital Millennium Copyright Act influence the practice of fair use.

Emerging Markets
Corporate Social Responsibility and Global IT Outsourcing by Ron Babin, Steve Briggs, and Brian Nicholson
The article summarizes the increasing participation in corporate social responsibility projects by companies involved in global information technology outsourcing.

Contributed Articles
Protecting Users of the Cyber Commons by Stephen Lukasik
A discussion of the need for both top-down and bottom-up schemes for improving cybersecurity.

The letter notes how information technology and computing have contributed to U.S. economic prosperity over the last few decades. Besides providing a critical boost to the nation’s economy, computing and information technology also help the country maintain and improve its security and safety. This investment should be made in both education and research.

Recognizing the challenges facing the Committee, the letter argues for not injuring investments in innovation (including computing) in the cuts that it recommends to the full Congress. The final vote must take place in Congress by December 23, so time is running short.