AI system operators and federal agencies must follow secure-by-design principles to ensure secure and resilient AI software development, the Cybersecurity and Infrastructure Security Agency (CISA) said Tuesday, outlining its plan to carry out President Joe Biden’s executive order on AI (see 2310300056). CISA released its Roadmap for AI, which includes agency and industry recommendations for responsible operation of AI systems. The roadmap lays out five lines of effort: using AI software to strengthen cyber defense; design assessment; government partnership on threat assessment; coordination with international partners; and AI workforce expansion.
The Biden administration should follow the tech industry’s lead and fund open source software efforts to help secure critical infrastructure and improve cybersecurity, Amazon, Google and Microsoft told the White House in comments posted through Thursday. The Office of the National Cyber Director requested public comment on the government’s “long-term focus and prioritization on open-source software security.” After the Log4Shell vulnerability, Google, Microsoft and Amazon funded Alpha-Omega, a grant program for open source software foundations. The program identifies the 10,000 most security-critical open source packages and funds work to fix them. Those efforts were “very promising,” but sustained funding is a “future challenge,” Amazon commented. The federal government should “fund and coordinate a similar exercise to support the most critical open source dependencies on a sector-by-sector basis,” said Google. Microsoft added that funding of $500,000 for each “critical” open source software project “can provide substantial security improvements, including third-party security reviews and remediation of identified issues.”
European digital identity wallets should be available to all Europeans by 2026, European Commission officials said at a Thursday virtual technical briefing. Following the European Parliament's and EU Council's provisional agreement on the regulation, people will have access to secure, privacy-enhancing identities as part of the EU digital agenda, officials said. Some lawmakers, however, warned the wallets would give governments a blank check to monitor citizens, a charge the EC denies. The wallets will be free for all EU citizens, use will be voluntary, and they will be accepted throughout the EU, officials said. They will be security- and privacy-oriented, allowing people to control and protect their identification, personal data and digital assets, and subject to the EU general data protection regulation. Individuals will be able to use the wallets for public and private services, store and present attestations such as driver's licenses, and sign and seal documents electronically. The applications will be governed by one set of standards and will be interoperable across borders and services. The regulation is expected to be adopted by early next year, with the wallets becoming available in Q3-Q4 2026. The EC is working with several countries with the goal of offering the wallet sooner, officials said. While governments today are free to track citizens as they wish, the regulation will bar the wallet from being used for such tracking, the EC stressed. Nevertheless, German European Parliament Member Patrick Breyer, of the Group of the Greens/European Free Alliance and the Pirate Party, emailed that the measure is a "blank cheque for surveillance of citizens online" that undermines browser security: "Entrusting our digital lives to the government instead of Facebook and Google is jumping out of the frying pan into the fire."
The Biden administration withdrew its support for World Trade Organization provisions on cross-border data flows and data localization to allow flexibility for domestic policy debate, an Office of U.S. Trade Representative spokesperson said in a statement Wednesday. USTR responded after nearly 50 organizations on Tuesday asked the White House to reverse its decision to withdraw support for WTO provisions on cross-border data flows, data localization and source code. Many countries are “examining” approaches to data and source code and the impact of trade rules, said USTR: “In order to provide enough policy space for those debates to unfold, the United States has removed its support for proposals that might prejudice or hinder those domestic policy considerations. The [Joint Initiative on E-Commerce] continues to be an important initiative and the United States intends to remain an active participant in those talks.” Groups including CTA, CTIA, the U.S. Chamber of Commerce, TechNet, BSA|The Software Alliance, the Computer & Communications Industry Association and the Entertainment Software Association said Tuesday they have “profound concern” about U.S. Trade Representative Katherine Tai withdrawing support for “disciplines that protect cross-border data flows; prohibit data localization mandates; preclude discrimination against American made digital products; and safeguard sensitive source code from forced disclosure mandates that enable malicious cyberactivity.” These “core disciplines” advance U.S. innovation and competitiveness, they said. This “sudden and perplexing decision of USTR to abandon its global leadership by pulling back from negotiating key digital rules at the WTO must be revisited,” CCIA Vice President-Digital Trade Jonathan McHale said in a statement.
Social media users should share stories about how platforms like Instagram, TikTok and Snapchat are “affecting the physical and mental health of young people,” Minnesota Attorney General Keith Ellison (D) said Monday. He invited state residents to share with his office stories about social media use and addiction among young users. This “will help us understand the harm these platforms are causing so we can better stop that bad behavior moving forward,” he said, citing his bipartisan investigatory work against companies like Meta and TikTok.
FCC Commissioner Brendan Carr joined House Republicans last week in urging the U.S. to take action against TikTok and its Chinese “brainwashing” of American youth. Rep. Mike Gallagher, R-Wis., in a Free Press opinion article Wednesday continued his call for Congress to ban the popular Chinese social media app (see 2303130042). He accused TikTok of brainwashing American youth and inspiring “morally bankrupt” views of the world. Gallagher cited a Harvard/Harris poll showing 51% of Americans ages 18-24 “believe Hamas was justified in its brutal terrorist attacks on innocent Israeli citizens on October 7.” Carr posted on X Thursday, saying Gallagher is “exactly right.” The U.S. “would never allow a foreign adversary to seize control of a vital means of broadcast communication without completing a national security review that neither TikTok nor the [Chinese Communist Party] could ever pass -- the outcome should be no different here,” said Carr. On Friday, Carr reposted comments from House Commerce Committee Chair Cathy McMorris Rodgers, R-Wash., who has called for a TikTok ban in the U.S. Gallagher is “right,” she posted Friday. “TikTok is a tool of the Chinese Communist Party to spy on and manipulate Americans. It's a serious threat to our national security. Congress must act to protect Americans from the CCP’s ‘digital fentanyl.’”
The U.S. shouldn’t implement new cyber regulations until the Office of the National Cyber Director has completed its formal process for harmonizing regulations across the government, industry groups told the White House in comments posted last week. The ONCD requested comments to “understand existing challenges with regulatory overlap” and harmonize regulations across agencies. USTelecom urged the administration to halt the issuance of new cyber regulations until the review is completed, except for regulations already subject to statutory deadlines. “This temporary pause prevents the introduction of additional, potentially conflicting regulations,” said USTelecom. CTIA suggested the ONCD coordinate with agencies and hold off on any new regulations until the harmonization work is “mature.” Promulgating new requirements may hinder ONCD’s “efforts to harmonize the already vast cybersecurity regulatory landscape,” said CTIA. BSA | The Software Alliance noted the Biden administration’s national cyber strategy “prioritizes regulatory harmonization,” but agencies continue to add more cyber regulations. “To be clear, this is not a call to end the regulation of cybersecurity but to pause new regulations as the US Government gains a wholistic understanding of the regulatory landscape,” said BSA. NCTA suggested the administration can look to NIST’s cybersecurity framework “to achieve design, implementation, operational, and compliance-related efficiencies.”
Forcing domestic AI companies to share datasets could handicap U.S. companies and encourage AI development abroad, TechNet said in comments to the Copyright Office this week. The Copyright Office is studying policy issues related to AI technology to determine whether legislative or regulatory action is needed. The CO requested comments on the use of copyrighted works in AI training models and on “appropriate levels of transparency and disclosure with respect to the use of copyrighted works.” Comments are due Nov. 29. “Forcing AI companies to disclose the contents of these datasets would, in effect, force the publication of valuable and otherwise confidential commercial secrets,” said TechNet. This would help foreign competitors that aren’t subject to the same requirements, said TechNet. The Copyright Alliance, which represents individual creators, called for “appropriate transparency and record keeping” in its own comments. The Alliance said publicly available databases are essential for artists to determine whether their licensed work has been used by AI systems and to obtain compensation. “Adequate and appropriate transparency and record-keeping benefit[] both copyright owners and AI developers in resolving questions regarding infringement, fair use, and compliance with licensing terms,” the alliance said.
FTC commissioners and the chair should publicly share written documentation of their reasoning when they decline to follow agency ethics officials' recommendations on recusals, industry groups told the agency in comments posted Friday (see 2309250029). The U.S. Chamber of Commerce filed an FTC petition in September raising concerns about Chair Lina Khan’s decision not to recuse herself from proceedings on Meta’s buy of Within Unlimited, despite an FTC ethics official’s recommendation that she do so. The petition seeks new rules requiring commissioners to request and receive written legal guidance from agency ethics officials and to share in writing any decisions not to follow that guidance. CTA and the Software & Information Industry Association backed the petition in filings. CTA commented: “This approach will benefit all stakeholders -- interested parties, the public, and the FTC itself -- by providing transparency, predictability, and accountability in recusal procedures, which have important stakes for the parties involved.” The current rules are “murky,” and at a “minimum the agency should have recusal standards that offer some criteria to guide Commissioners and avoid conflicts of interest,” said SIIA.
Evidence of a need for network usage fees is insufficient, the U.K. Office of Communications (Ofcom) said Thursday in a net neutrality review statement. "A charging regime would be a significant step," and it's not clear that approach would support net neutrality objectives. ISPs can't impose fees on over-the-top services under the current net neutrality regime because there's no legal or regulatory obligation on content providers to negotiate with them, Ofcom noted. While charging OTTs could theoretically have benefits because it might give them stronger incentives to make efficient decisions, the extent to which they control the timing of traffic and the choice of delivery approach, and therefore network providers' costs, can be limited. In addition, many content providers, including some of the biggest ones, are already making decisions and investments that tend to improve the efficiency of traffic delivery, the statement said. There's also "material uncertainty" about how a charging system could affect retail broadband prices and content subscription charges, as well as uncertainties about the scale of future network investment. Ultimately, Ofcom noted, any decision to allow content-carrying fees is up to Parliament and the government. The review, which began in 2021, found that the U.K. approach to net neutrality supports consumer choice and allows content providers to deliver content and services to consumers: "However, there are some areas where more clarity will enable ISPs to innovate and manage their networks more efficiently, which will improve consumer outcomes." Under the new guidance, ISPs can offer premium-quality retail offers, such as for low latency, as long as they're transparent with consumers about what they can expect from the services. ISPs can develop new specialized services for delivering specific content and applications, such as real-time communications and virtual reality.
The guidance updates how network providers can use traffic management for their networks to maintain a good quality of service. It allows most zero-rating offers (where the data used by a particular website or app isn't counted toward a customer's overall data allowance). The updated rules should give ISPs enough flexibility that a charging regime isn't needed, Ofcom added.