November 15, 2021

U.S. Incident Reporting Mandate Moves to the NDAA – With a Notable Exception

The Cyber Incident Reporting Act of 2021 is a Senate bill that attempts to centralize critical infrastructure incident data in the Cybersecurity and Infrastructure Security Agency (CISA). It is facing pushback from the private sector. Will it go down, as some informed prognosticators say? When you can’t pass a law on its own merits, you can always stick it in the National Defense Authorization Act (NDAA), which legislators are loath to vote down. Text from the proposed legislation has now been introduced as an amendment to the fiscal year 2022 NDAA. There is one interesting change, however: the DNS industry has been excluded from the actors required to report:

“(C) Domain Name System.—The requirements under paragraphs (1), (2) and (3) shall not apply to an entity or the functions of an entity that the Director determines constitute critical infrastructure owned, operated, or governed by multi-stakeholder organizations that develop, implement, and enforce policies concerning the Domain Name System, such as the Internet Corporation for Assigned Names and Numbers or the Internet Assigned Numbers Authority.”

While the politically appointed CISA Director would make the final call, this can be interpreted as exempting registrars, registries, and perhaps root server operators from U.S. incident reporting. Their exclusion from reporting to a U.S. government agency makes sense. Governance by transnational multistakeholder organizations like ICANN is largely an attempt to transcend nation-state rivalries and jurisdictional fragmentation. A requirement that they report to one of the world’s governments could easily be seen as a threat by other governments, or could trigger dozens of duplicative mandates from other states. Root server operators were likewise carved out of the European Union’s draft NIS2 Directive after the DNS community raised a squawk about an attempt to pull root servers into EU jurisdiction. Whether government(s) can actually produce additional cybersecurity by collecting and reporting on incident data, an activity which already occurs extensively in the private sector, remains an unanswered question.

Euro Commission Cybersecurity Reg Angers Web Industry

Speaking of tensions between governments and transnational multistakeholder organizations, the Mozilla Foundation published a paper highly critical of a European Commission/ETSI proposal to intervene in the web trust ecosystem. Europe is trying to revise its 2014 regulation on “electronic identification and trust services for electronic transactions in the internal market,” known as the “eIDAS Regulation.” The EC’s revised Article 45 of the eIDAS regulation would force browsers to include government-designated “trust service providers” (TSPs) in their root stores. Speaking, in effect, for the browser vendors, Mozilla said: we will decide whom we trust, not you. Mozilla wrote, “The security architecture that the revised Article 45 seeks to mandate has been shown to be ineffective and counterproductive when it comes to online security, and so no web browser has been able to support it.” It called on the EU to “drop the provisions of Article 45.2 that would override our ability to independently develop and enforce our independent Root Store security policies.” The Internet Society also weighed in.

But some analysis has been critical of Mozilla’s position. The eIDAS Qualified Website Authentication Certificate (QWAC) has been painted as a standard focused on high-assurance identity, intended for online banking, e-government and other high-security operations. That form of authentication may not be compatible with the “tracked Web 2.0” practice of loading (or at least claiming to load) 5 MB of Google Analytics, Google AdSense, Google CDN, Facebook and Twitter resources into a page, since the browser then executes code from many parties beyond the one whose identity the certificate attests. “On such websites,” it was said, “the assumption of a ‘single [organizational] origin’ indeed cannot be assured, but it’s not some kind of intrinsic web architecture requirement. It’s a widespread web implementation practice that receives a fair dose of justified criticism for being privacy intrusive and web bloat.” If so, it sounds like the EC regulations need to narrow their scope to some sub-category of websites.

Google Loses First Antitrust Appeal in Europe

Google lost its appeal against the European Commission’s (EC) ruling that the company violated antitrust law by using its search engine to favor its own Google Shopping service over rival comparison-shopping services. The General Court, the EU’s second-highest court, upheld the EC’s 2017 decision to fine Google and its parent company Alphabet 2.42 billion euros. It’s not clear whether Google will appeal to the European Court of Justice (ECJ). Google was fined in two other antitrust cases, involving Android (2018) and AdSense (2019), and those decisions have also been appealed.

The application of competition policy and law to the major digital platforms remains an ongoing topic in Europe and the U.S., with some political economists arguing that fault-based antitrust approaches are inappropriate responses to the rise of large digital platforms.