At a glance.
- The US Army looks at the People's Liberation Army's tactical information warfare doctrine.
- EU data regulations and trans-Atlantic data-sharing.
- FTC nominee and surveillance technology.
- NCCoE’s cyber guide for first responders is out.
The US Army’s view of Chinese tactical information ops doctrine.
Chapter Five of the US Army’s recently issued Army Techniques Publication (ATP) No. 7-100.3, “Chinese Tactics,” looks at People’s Liberation Army (PLA) “Tactical Information Operations.” The PLA sees information operations as cost-effective and “the new high ground of warfare,” something to be pursued “before, during, and after conflict” and universally integrated into operations. The CCP’s preferred line of attack is Marxist, manufacturing and exploiting divides between classes of people.
“In keeping with the teachings of Sun Tzu,” the document reads (and Leavenworth is positively in love with Sun Tzu), “the PLA considers information operations to be at least as important—if not more important—than maneuver or firepower. Deception, trickery, and concealment are to be employed extensively…to manipulate the enemy commander’s state of mind, the morale of enemy troops, and the enemy’s understanding of the battlefield.” Whereas the US develops mission-oriented ‘courses of action,’ the PLA works out ‘stratagems’ to manipulate adversaries’ mindsets.
The PLA prizes psychological warfare, a subset of information operations, as a separate domain of conflict alongside land, sea, and air, and “as the operational element of the fundamental reason for conflict: a contest of wills.” The CCP perceives an advantage in its “political unity of purpose” in this domain.
Enforcing EU data regulations, and US-EU data-exchange negotiations.
Two Wall Street Journal articles delve into the headway EU and US officials are achieving with regard to trans-Atlantic data flows, and lingering complications stemming from US surveillance authorities and intra-EU jurisdictional turf wars. EU regulators are beginning to think about potential mechanisms for more streamlined and unified data privacy oversight and enforcement following a series of disputes over cases involving Twitter and WhatsApp. “This is always going to be an issue when you have 27 regulators trying to operate as one in a place that is as diverse as Europe,” said UK legal expert Eduardo Ustaran.
FTC nominee and surveillance technology.
The Washington Post reports that President Biden will nominate Alvaro Bedoya, founder of Georgetown Law’s Center on Privacy and Technology, to the Federal Trade Commission. Bedoya is a longtime critic of surveillance software. Boris Segalis, co-chair of Goodwin's Data, Privacy and Cybersecurity practice, offered some comment on the significance of the nomination. He thinks regulatory clarity is important, but that the FTC should govern itself reasonably:
“There is no question that privacy – as a key issue for businesses that create and use data-driven products and services – requires rules of the road. One of the key needs that’s unmet today is certainty in how government regulates privacy. That’s more important today than the nuances of where that certainty would end up because lack of certainty creates unreasonable burdens for businesses and is really antithetical to the American legal system. So it’s great to have people who make privacy a priority because focus on privacy at the FTC will bring more certainty (though we hope for it to come from Congress). I don’t have an opinion on whether facial recognition technology is “good” or “bad” – it depends on the context and rules of the road. We can all agree that facial recognition and biometric identification have very positive use cases if the guardrails are in place. That’s not controversial for privacy or any other regulated space. The debate is where that should be. Here, I have comfort that the deliberative process is in place and Mr. Bedoya is part of that process. What we don’t want to see in the U.S. are rules like those promulgated in Europe under the GDPR, which rest on assumptions about privacy and consumer behavior that are not borne out in reality. Finally, anything that the FTC does in the privacy space is subject to judicial review. And given that the FTC regulates privacy under Section 5 – which doesn’t deal with privacy at all, but with unfairness and deceptiveness in dealing with consumers – the FTC ultimately has to tread lightly and pick cases that are egregiously unfair or deceptive to consumers, so the FTC’s hands are appropriately tied with the need to be reasonable.”
NIST's NCCoE releases authentication guidelines for first responders.
The National Institute of Standards and Technology (NIST) and the National Cybersecurity Center of Excellence (NCCoE) released Special Publication (SP) 1800-13A, “Mobile Application Single Sign-On: Improving Authentication for Public Safety First Responders.” As first responders transition to sharing sensitive data like health and law enforcement information via smart devices and broadband networks, speedy and secure authentication across organizational divides becomes paramount. SP 1800-13A explores commercial single sign-on, identity federation, and MFA solutions to the challenge.
Jeremiah Gibber, Chief Marketing Officer at RiskLens, sees it as a response to a special case of managing a distributed workforce: "We continue to see a rapid escalation in ransomware and VPN-associated risks, exploiting the challenges associated with workforces becoming more distributed. The risks are significant and sometimes complex to manage given the various types of threats and third-party services companies rely on to mitigate them.