GOVERNMENT IT REPORT

Congress Backs Billions for Tech R&D Though Enactment Uncertain

The U.S. technology industry is guardedly supporting a massive legislative package designed to address a range of issues affecting the sector, including a federal commitment to add billions of dollars to government technology research and development programs.

The legislation, dubbed the U.S. Innovation and Competition Act (USICA), was approved June 8 by a rare bipartisan vote of 68-32 in the U.S. Senate.

A major factor driving the legislation is the contention that the U.S. has fallen behind China in a national effort to support technology development, including information technology and the digital economy. Sen. Todd Young, R-Ind., characterized the legislation as “a landmark bill to out-compete China in key emerging technology areas critical to our national security.”

Specific areas of focus in the bill include artificial intelligence, machine learning and other software advances; high performance computing, semiconductors, and advanced computer hardware; quantum computing and information systems; biotechnology, medical technology, genomics, and synthetic biology; cybersecurity, and energy innovation including battery technology.

Multiple Amendments

The package started out as the Endless Frontier Act, co-sponsored by Sen. Chuck Schumer, D-N.Y., and Sen. Young, among others. That bill was ambitious enough as first introduced in April. The bill focused on boosting funding for the National Science Foundation (NSF) including creation of a new NSF “Directorate for Technology.”

However, the bill attracted additional provisions during the legislative process, including some of which were really complete stand-alone bills that were rolled into the final package, resulting in a 2,300-page proposal.

The legislation even includes the CHIPS for America program to provide $52 billion in federal support for domestic semiconductor development and production.

For companies involved in IT and the digital economy, an important part of the USICA bill deals with significantly boosting federal investments in technology through the National Science Foundation. Both the proposed funding levels and the government’s approach to managing those investments are critical issues requiring close attention for the IT sector.

Under the Senate USICA bill, NSF’s annual budget would nearly double to an average of $16 billion per year over five years from 2022 to 2026. The current fiscal 2021 budget is $8.5 billion. This huge boost in investment is largely related to funding a new NSF Directorate for Technology and Innovation at an average of nearly $6 billion annually from 2022 to 2026.

Private Sector Partnerships

Private sector IT and digital economy entities will be major beneficiaries of the new NSF directorate. The purpose of the directorate is to “strengthen U.S. leadership in critical technologies,” and to “accelerate technology commercialization.”

The legislation further provides that the proposed directorate should “direct basic and applied research, advanced technology development, and commercialization support in the key technology focus areas” listed in the bill. Through the directorate NSF is expected to form partnerships with other federal agencies as well as with “academia, the private sector, and nonprofit entities.”

The move to establishing closer ties between NSF and the private sector has raised concerns about the foundation’s traditional role of engaging in “pure” or basic research unfettered by commercial considerations.

Robert Atkinson, president of the Information Technology and Innovation Foundation (ITIF), said that soon after the NSF directorate was proposed there was “pushback.” The scientific community, he noted, “resisted the idea that government would be asking them to do work related to a critical national mission, and to hold them accountable for ensuring that their work helped accomplish that mission.”

While ITIF supports the provisions in USICA which create the new NSF technology directorate, Atkinson told the E-Commerce Times that “an even more effective approach would be to establish such a directorate as a free-standing agency.”

A separate umbrella entity tuned in to the full range of federal technology activities would avoid any conflicts with the traditional missions of NSF and other agencies, while creating a national effort to support both government and commercial private sector technology development, he contends.

Atkinson favors the creation of a National Advanced Industry and Technology Agency, at the same size as NSF, to “analyze U.S. industry strengths, weaknesses, opportunities, and threats, and to respond with well-resourced solutions ranging from support for domestic research and development to production partnerships and investment in advanced research facilities.”

More than 50 other countries have established such agencies, he noted.

“It is clear that NSF and the science community are uneasy” with taking on applied science with commercial connections versus NSF’s traditional mission, Atkinson said, adding that NSF would “vastly prefer” just getting much larger appropriations.

“But that would do little to help U.S. technology-based competitiveness,” he said. Establishing a separate agency would let NSF continue its mission while enabling applied and industry focused research to be funded elsewhere, he observed.

Advocates, Opponents Take Positions

Whether the USICA package represents a comprehensive approach to developing a national technology capability through government intervention — or a confusing legislative hodgepodge — is likely to be in the eye of the beholder. Differences related to NSF’s future mission aren’t the only potential stumbling blocks affecting eventual enactment of the USICA legislation.

For example, the Computer and Communications Industry Association (CCIA) approved the major USICA goal of supporting increased federal investments for technology research and development, but found other parts of the bill “worrisome.”

One section of the bill deals with “Country of Origin Labeling” (COOL) requirements associated with the internet marketing of internationally sourced products. While COOL especially impacts the U.S. retail marketing sector, digital economy entities have concerns as well.

Arthur Sidney, vice president of CCIA, noted that the country of origin provisions in the bill present implementation challenges “given the volume of transactions and no consistent, uniform, and administrable definition” related to COO coverage. “Country of Origin in the international trade context is difficult to administer by customs and authorities, let alone a digital service,” he told the E-Commerce Times.

Sidney also expressed concern about the section of USICA aimed at curbing the use of censorship as a trade barrier tool. Language that would refer such activities to legal authorities for action was “scaled back” in the Senate bill, he contended. It was replaced by provisions which simply called for an annual report to Congress with a list of countries that use censorship as a barrier to digital trade and a description of the agency’s efforts to address digital trade disruptions, he said.

While the U.S. Chamber of Commerce expressed general support for the bill in a June 9 statement, Neil Bradley, executive vice president and chief policy officer, said the Chamber had “ongoing concerns” about the bill. In a letter to the Senate in May, the Chamber advocated elimination of the Country of Origin section and expressed reservations about provisions that impact e-commerce such as “Cyber Shield, copyright, and information in the public domain.”

The Senate bill must now be considered by the House of Representatives where similar legislation was approved Monday. However, the House bill only focused on the research scope of NSF and the U.S. Department of Energy. The House bill also includes a new NSF technology solutions directorate but funded at a much lower level than the Senate version.

The ultimate outcome for USICA could take several paths. Since amendments to the Senate bill were added with relative ease, they could be scuttled just as easily, allowing the core NSF and national technology investment elements to be the focus for legislators. Or the collective controversies associated with the different versions of the legislation could stymie adoption.

Regarding chances for enactment of USICA, CCIA’s Sidney noted “We aren’t sanguine, but we are hopeful that this will see the light of day. While it’s not perfect, and we have some concerns, we are hopeful that it can help businesses, and serve as one of the building blocks to protect U.S. innovation and technology.”

John K. Higgins has been an ECT News Network reporter since 2009. His main areas of focus are U.S. government technology issues such as IT contracting, cybersecurity, privacy, cloud technology, big data and e-commerce regulation. As a freelance journalist and career business writer, he has written for numerous publications, including The Corps Report and Business Week.


Lax Cyber Skills, Dev Blind Spots Behind Organizations’ AppSec Breakdowns

Government organizations and educational institutions, in particular, are increasingly in hackers’ crosshairs as severe web vulnerabilities spiral upward.

Remote code execution (RCE), cross-site scripting (XSS), and SQL injection (SQLi) are all top software offenders. All three increase or hover around the same alarming numbers year over year.

RCE, often the ultimate goal of a malicious attacker, was the main reason IT teams were left scrambling in the wake of the Log4Shell exploit. This class of vulnerability has seen a steady increase since 2018.

Enterprise security firm Invicti released its Spring 2022 AppSec Indicator report last month that revealed web vulnerabilities from over 939 of its customers worldwide. The findings come from an analysis of the largest dataset from the Invicti AppSec platform — with more than 23 billion customer application scans and 282,000 direct-impact vulnerabilities discovered.

Invicti’s research shows one-third of both educational institutions and government organizations experienced at least one occurrence of SQLi last year. Data from 23.6 billion security checks underscores a pressing need for a comprehensive application security approach, with government and education organizations still at risk of SQL injection this year.

The data shows that numerous commonplace and well-understood vulnerabilities continue to proliferate in web applications. It also shows the ongoing presence of these vulnerabilities present a serious risk to organizations in every industry.

Even well-known vulnerabilities are still prevalent in web applications, according to Invicti president and COO Mark Ralls. Organizations must gain command of their security posture to ensure that security is part of the DNA of an organization’s culture, processes, and tooling so that innovation and security work together.

“We saw that most severe web vulnerabilities continue to flourish, either holding steady or increasing in frequency over the past four years,” Ralls told TechNewsWorld.

Key Takeaways

The rampant escalation of incidents of SQL injection found among government and education organizations was the most surprising aspect of the research, noted Ralls.

Especially bothersome is SQLi, which increased five percent in frequency over the past four years. This type of web vulnerability allows malicious actors to modify or replace the queries an application sends to its database. That is particularly concerning for public sector organizations, which often store highly sensitive personal data and information.
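The sentence above describes the mechanism of SQL injection in one line; the following added example (written for this page, not code from Invicti or the article) shows it concretely. It builds a constructed in-memory SQLite table of the kind of sensitive records a public sector application might hold, queries it once with string concatenation and once with a bound parameter, and demonstrates that the same crafted input rewrites the first query but is treated as an ordinary value by the second. The table, column and row contents are all assumptions made up for the illustration.

```python
# Added example: SQL injection via string concatenation versus a
# parameterized query. Uses Python's bundled sqlite3 module and an
# in-memory database, so it runs offline with no setup.
import sqlite3


def build_db() -> sqlite3.Connection:
    """Create a constructed sample table (hypothetical data, not real records)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE citizens (id INTEGER, name TEXT, ssn TEXT)")
    conn.executemany(
        "INSERT INTO citizens VALUES (?, ?, ?)",
        [
            (1, "alice", "000-00-0001"),  # constructed sample row
            (2, "bob", "000-00-0002"),    # constructed sample row
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable: user input is spliced into the SQL text itself.

    Whatever the caller supplies becomes part of the statement, so input
    containing quotes and SQL keywords changes what the query means.
    """
    sql = "SELECT name, ssn FROM citizens WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Hardened: the input is bound to a placeholder.

    The database driver sends the SQL text and the value separately; the
    value can never be interpreted as SQL, so the query's shape is fixed.
    """
    sql = "SELECT name, ssn FROM citizens WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def compare(name: str) -> dict:
    """Run both lookups on fresh databases and report how many rows each returned."""
    return {
        "vulnerable_rows": len(lookup_vulnerable(build_db(), name)),
        "parameterized_rows": len(lookup_parameterized(build_db(), name)),
    }


if __name__ == "__main__":
    # A benign lookup behaves the same either way.
    print("benign:", compare("alice"))
    # A constructed input carrying a tautology turns the concatenated query
    # into "... WHERE name = '' OR '1'='1'" and dumps every row; the bound
    # version simply finds no citizen with that literal name.
    print("crafted:", compare("' OR '1'='1"))
```

In a code review or a scanner finding, the defect to look for is the first function's shape: SQL text assembled from request data. The fix is not input filtering but the second function's shape, a fixed statement with placeholders, which is what every mainstream database driver provides.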

RCEs are the crown jewel for any cyberattacker and the vector behind last year’s Log4Shell event. It, too, increased by five percent since 2018. XSS saw a six percent spike in frequency.

“These trends were echoed throughout the report findings, revealing a worrying state of affairs for cybersecurity,” said Ralls.

Skills Gap, Talent Shortage Involved

Another big surprise for researchers is an increase in the number of vulnerabilities reported from organizations that scan their assets. Numerous reasons could be the cause. But a lack of software developers trained in cybersecurity is one leading culprit.

“Developers, in particular, may need more education on avoiding these errors in the first place. We have seen that vulnerabilities are not being discovered even in the earliest stages of development when scanning,” explained Ralls.

When developers do not address vulnerabilities, they end up putting their organizations at risk. Automation and integration tools in place can help developers address these vulnerabilities more quickly and reduce the potential costs to the organization, he added.

Don’t Blame Web Apps Alone

Web apps per se are not becoming less secure. It is more a matter of developers being tired, overworked, and often not having enough experience.

Frequently, organizations hire developers who lack the necessary cybersecurity background and training. With the continuing push toward digital transformation, businesses and organizations are digitizing and developing apps for more aspects of their operations, according to Ralls.

“Plus, the number of new web applications that enter the market each day means that every extra app is a potential vulnerability,” he said. For example, if a company has ten applications, it is less likely to have one SQLi than if a company has 1,000 applications.

Applying the Cure

Business teams — whether developing or using software — require both the right paradigm and the right technologies. That involves prioritizing secure design models covering all the bases and baking security into the pre-code processes behind application architecture.

“Break down silos between teams,” Ralls advised. “Especially between security and development — and ensure organization-wide norms and standards are in place and upheld universally.”

Regarding investment in AppSec tools to stem the rising tide of faulty software, Ralls recommended utilizing robust tools that:

  • automate as much as possible;
  • integrate seamlessly into existing workflows;
  • provide analytics and reporting to show proof of success and where more work is needed.

Do not overlook the importance of accuracy. “Tools with low false-positive rates and clear, actionable guidance for developers are necessary. Otherwise, you waste time, your team will not embrace the tech, and your security posture will be no better off,” he concluded.

Blind Spots Partly at Play

Significant breaches and dangerous vulnerabilities continue to expose organizations’ blind spots, Ralls added. For proof, look at the whirlwind impacts of Log4Shell.

Businesses worldwide scrambled to check if they were susceptible to RCE attacks in the widely-used Log4j library. Some of these risks are going up in frequency when they should be going away for good. It comes down to a disconnect between the reality of risk and the strategic mandate for innovation.

“It is not always easy to get everyone on board with security, especially when it seems like security is holding individuals back in project completion or will be too costly to set up,” said Ralls.

The growing number of effective cybersecurity strategies and scanning technologies can make persistent threats less frequent and make it easier to close the gap between security and innovation.

Jack M. Germain has been an ECT News Network reporter since 2003. His main areas of focus are enterprise IT, Linux and open-source technologies. He is an esteemed reviewer of Linux distros and other open-source software. In addition, Jack extensively covers business technology and privacy issues, as well as developments in e-commerce and consumer electronics.


Marketers: Beware Florida’s Mini-TCPA

If you do electronic marketing of any kind, you’ve been a captive audience to the ever-changing requirements of the federal Telephone Consumer Protection Act, known familiarly as the “TCPA.” But now, the state of Florida has amended its Telemarketing Act, creating what is being called the “Mini-TCPA.” Florida’s new law changes electronic and telemarketing in significant ways — even if you’re not in Florida.

Years of litigation over the federal TCPA have taught most companies to understand the different forms of consent, how to distinguish sales calls from informational calls, what kinds of calls could legally gather information from consumers without straying into highly restricted “sales calls,” and what in the world constitutes an automated telephone dialing system (ATDS).

Now, just as we thought the law was settled — or at least settling — the new Florida state law overturns the apple cart. Many of our prior understandings are out the window. Telemarketing practices will have to change substantially, and the costs of violating the Florida law will be substantial.

Law Applies Even if You Don’t Do Business in Florida

The new statute covers any call made to any device with a Florida area code no matter where the receiving phone is located, and calls made to a person who happens to be in Florida at the time they receive a covered call.

In either case, the calling company will be considered to be “doing business in Florida” and therefore subject to the Mini-TCPA. That’s true even if the calling company has no way to know that these seemingly non-Floridian numbers in fact have some relationship to Florida.

In either scenario, there is a “rebuttable presumption” that the calls are covered by the Florida statute. “Rebuttable presumption” means as a practical matter that government regulators or class action plaintiffs can make you spend lots of money in attorney’s fees trying to prove that the calls weren’t covered.

For economic reasons, many businesses will end up making the business decision to settle these cases rather than litigating the law’s application to them.

Role of the ‘Private Right of Action’

The big danger presented by this statute is the claims that may be made by private parties, not government enforcement actions. That’s because the new Mini-TCPA contains a “private right of action.” Any consumer can sue you claiming you violated the statute. Those suits can be class actions, real or threatened.

Although the statute appears to limit recoverable damages to a maximum of only $500 per violation, that figure is a red herring for a couple of reasons. Plaintiffs tend to claim that each individual call to their phone is a separate violation. One consumer’s calls can quickly become multiple violations and therefore multiples of $500.

In addition, under some circumstances, the law trebles damages. The Mini-TCPA provides for triple the damages and attorney’s fees if the violation was intentional. Since marketing and informational calls are both generally the result of a pre-planned marketing campaign, every call is going to be asserted to be intentional.

Moreover, general Florida consumer law allows recovery of attorney’s fees and, potentially, statutory additional punitive damages.

The ATDS Rabbit Trail

All the noise generated by litigation around the federal TCPA about automated telephone dialing systems may have given businesses the impression that if you avoid using particular kinds of ATDS, you can be sure of avoiding liability. But here again, Florida’s new law changes the game.

Instead of diving into the controversy over what constitutes a covered ATDS machine, Florida simplifies the issue — and expands the danger zone. The new statute focuses its attention simply on “automated systems.” The definition of “automated system” under the Mini-TCPA is much broader than the federal TCPA’s.

As defined by the Mini-TCPA, it encompasses any system that does any one of three things: it either selects the persons to be called, or it dials calls, or it plays recorded messages. It’s hard to imagine a telephonic machine (including the one in your pocket) that isn’t potentially covered by this definition.

Mini-TCPA Goes Beyond Classic Telemarketing

Many businesses’ response to warnings about the applicability of the TCPA to their operations was “we don’t do telemarketing.” That’s because a distinction between telemarketing calls and informational calls has been enshrined in telemarketing regulation since the enactment of the TCPA law. Telemarketing calls were the bad ones; informational calls were the good ones. Later generations of FCC regulations, rules, and orders focus on this difference.

Again, Florida’s Mini-TCPA breaks new ground. While the new Florida statute regulates “telephonic sales calls” made for the traditional TCPA and telemarketing purposes, it appears that the new statute goes further. It now seems to include calls marketing products and services that were in the grey area of TCPA coverage. For example, extensions of credit.

“Non-commercial” calls are going to be exempt from coverage by the Mini-TCPA, but only if the caller has some level of licensure or certification, e.g., IRS Section 501(c) status and Florida state registration.

However, some authorities say that the statute also covers calls made for the ultimate purpose of obtaining information for later use in sales. If this is the case, any calls used to harvest consumers’ personal information for later use in sales will require the called party’s prior express written consent under this statute.

Much of this sits squarely in a grey area. Litigation and additional legislation will certainly affect what the law will actually say. The true application to your individual marketing strategy is going to be hard to predict. Seeking legal counsel is going to be crucial to making wise decisions in this area.

Establishing Consent

If the TCPA taught us any clear lesson, it was that to make (almost) any call “legal” all you needed to do was get the called party’s consent.

What constitutes the appropriate level of consent under TCPA depends on various factors: kinds of calls, call technologies, kind of phone called, who was making the call, etc. For that reason, determining what level of consent is required for any given call under TCPA can require a complicated and troublesome analysis.

The new Florida law simplifies all of this: it mandates that the only acceptable consent for all covered calls is prior express written consent. It then carefully defines what prior express written consent must look like, with several required qualifying elements:

The consent must be in writing, bear the signature of the called party, “clearly authorize” a call using an automated system, include the authorization to call a particular number specified by the calling party, and inform the called party of certain enumerated rights.

In addition, the call must provide to consumers identifying information about the calling party. The new statute also requires that the calling party must maintain records of calls made and the consent obtained.

Sleeper Provisions

The Mini-TCPA, like the federal TCPA, is long and convoluted. There’s too much in the law to cover all the provisions in this short article. So here are some other provisions that may be worth a look:

  • Limitations on call frequency and timing;
  • the way information mining calls will be treated;
  • the liability of a company for the violations of its third-party contractors;
  • the requirements for callers to transmit identifying information; and
  • potential criminal penalties for certain activity.

There is good news, nonetheless: the Mini-TCPA law provides a long list of types of calls which are exempt from coverage by the new statute. However, the exemptions are many and complicated. Many provisions provide an exemption from liability under the statute, then take the exemption away with exceptions to the exemptions.

Competent legal counsel is a must before deciding that a company’s telemarketing is exempt from the statute.

A Final Thought

It’s easy to think that the real threat of this statute is actual litigation. It’s not. It’s the Hobson’s choice presented when your company receives a claim from either government or a private party.

When you receive a claim under the statute, if you weigh the costs of fighting it or settling it, you will quickly come to an ugly realization. Every claim can cost you upwards of $1500, plus attorney’s fees for the claimant, on top of paying your own attorney, plus trebled damages, and other possible damages.

It will almost always turn out that the potential out-of-pocket cost to fight even a bogus claim is going to be much larger than the settlement demands from a plaintiff. Given the possible downsides of litigation, good counsel may well urge you to settle any claim as quickly and as cheaply as possible. If you consider the economics when determining how to respond to a claim, this makes sense.

All of that puts a higher premium on prevention. Talk to your lawyer about how this statute might apply to you, what your exposure is, and how you might bullet-proof your marketing strategy.

The only sure way to win at these claims is to prevent them from being filed.

This article is provided for informational purposes and does not constitute legal advice. The purpose is merely to make the reader aware of some issues that must be addressed by legal counsel. This article cannot substitute for the advice of competent legal counsel addressing the reader’s specific situation.

Brad Elbein is a partner in the Atlanta office of Culhane Meadows, PLLC and is co-chair of the Government, Regulatory and Compliance Practice Group. Brad guides clients through matters involving telemarketing, electronic marketing, advertising, consumer laws (FTC Act, FDCPA, FRCA, TILA, and more), and defense of consumer law claims by government and by consumers.
