Enforcement Agencies Should Better Leverage Information to Target Efforts Involving U.S. Universities

Over 2 million foreign students and scholars studied at U.S. universities in 2019, in many cases contributing to U.S. research. The U.S. government implements export controls to, among other things, mitigate the risk of foreign students' and scholars' obtaining controlled and sensitive information that could benefit foreign adversaries.

GAO was asked to review agencies' efforts to address risks associated with foreign students and scholars who may seek to evade export control regulations. This report examines the extent to which agencies are assessing universities' risk of unauthorized deemed exports to prioritize outreach.

GAO reviewed related laws and regulations; analyzed agency data; and interviewed agency officials in Washington, D.C., and 15 U.S. field offices. GAO based its selection of these offices on their proximity to research universities, their geographic dispersion, and other agencies' field office locations.

This is a public version of a sensitive report issued in March 2022 that included additional information on (1) challenges agencies face in efforts to enforce export control regulations, particularly for deemed exports at universities, and (2) the extent to which agencies coordinate their efforts and share information. Information that agencies deemed sensitive has been removed.

According to U.S. government agencies, foreign entities are targeting sensitive research conducted by U.S. universities and other institutions. Releases or other transfers of certain sensitive information to foreign persons in the United States are subject to U.S. export control regulations. Such releases or transfers, which are considered to be exports, are commonly referred to as deemed exports. A U.S. Assistant Secretary of State wrote in 2020 that greater attention needed to be paid to deemed exports. He noted that these transfers, including the “know how” of cutting-edge science and its applications, are what China's military–civil fusion strategy seeks in its attempts to mine and exploit U.S. academia's open knowledge system.

Agencies involved in enforcing export control regulations—the Departments of Commerce and Homeland Security (DHS) and the Federal Bureau of Investigation (FBI)—conduct outreach to universities to strengthen efforts to prevent sensitive technology transfers, including unauthorized deemed exports. According to officials, outreach increases awareness of threats to research security and builds stronger two-way relationships with university officials. The agencies identified this outreach as a key enforcement mechanism.

However, additional information about universities' risks could enhance the agencies' outreach efforts. For example, Commerce does not base its outreach on analysis of universities' risk levels and has not identified any risk factors to guide its outreach priorities. DHS has ranked roughly 150 U.S. universities for outreach, and FBI provides information to all of its field offices to guide their outreach priorities; however, both agencies base these efforts on only one risk factor. Identifying and analyzing any additional relevant risk factors could provide a more complete understanding of universities' risk levels and could further inform Commerce's, DHS's, and FBI's efforts to target limited resources for outreach to at-risk universities.

Digital regulators need to collaborate to “build forward better” after COVID

Bold regulatory approaches are needed to guide ground-breaking technology uptake, foster collaboration, and drive digital transformation in the post-COVID world, according to participants at the latest Global Symposium for Regulators (GSR-21) organized by the International Telecommunication Union (ITU).
The meetings brought together regulators from around the world to tackle the persistent, growing, global digital divide. In part, this involved adopting new guidelines for inclusive information and communication technology (ICT) regulation to “build forward better” and drive post-COVID recovery.
“Following the global social and economic disruption brought about by the COVID-19 pandemic, regulators have a unique opportunity to rethink and reshape policy principles and regulatory best practices to build ubiquitous, open and resilient digital infrastructure,” said ITU Secretary-General Houlin Zhao.
Focus on holistic digital transformation
COVID-19 has prompted countries to seek more holistic, future-ready agendas for digital transformation. Accordingly, regulators discussed the need for collaborative leadership to ensure trust in the digital space; sufficient connectivity and regulatory enablers; financing to ensure affordable connectivity, meaningful access, and widespread use; safe digital inclusion; and partnerships for digital transformation.
“Effective regulation matters not just in times of crisis,” said Doreen Bogdan-Martin, Director of ITU's Telecommunication Development Bureau. “To build forward better in the post-COVID digital world, we need agile and ground-breaking approaches and tools for digital regulation to accelerate the sustainable and inclusive growth of ICTs. Connectivity, access and use are ultimately at the heart of the digital transformation. Along with fit-for-purpose regulatory approaches, these are the predominant enablers of competitiveness and key to the future prosperity of people, communities, countries and regions everywhere.”
New GSR-21 Best Practice Guidelines
Innovative tools and approaches are outlined in the newly released GSR-21 Best Practice Guidelines: Regulatory uplift for financing digital infrastructure, access and use.
Approaches to ICT regulation need to be globally consistent yet flexible, allowing each national framework to be tailored to meet local needs, regulators taking part in GSR-21 agreed.
Mercy Wanjau, Acting Director-General of the Communications Authority of Kenya and Chair of GSR-21, said: “The regulatory Best Practice Guidelines crafted and adopted by regulators and policy makers at GSR have been guiding all of us through challenges and new endeavours. I call upon regulators everywhere to leverage the GSR-21 Guidelines in adopting and implementing globally agreeable approaches that are relevant to their national circumstances and leverage collaboration across the board.”
The guidelines emphasise the need for a collaborative, whole-of-government approach to regulation, focusing particularly on the role of effective and agile financing, prototyping regulatory patterns and approaches, and transformational leadership, to drive faster and more inclusive connectivity and ensure safe digital inclusion for all in the wake of the pandemic.
Key recommendations include:
- Alternative mechanisms for funding and financing digital infrastructures across economic sectors. Regulators should encourage investment and help to create competitive markets for future-proof broadband and digital services. Investment is also needed in non-commercial areas to make digital services available and affordable for all, while ensuring that basic regulatory needs are met.
- Promotion of local innovation ecosystems that enable the development of emerging technologies and business models. Regulators must create a safe space for digital innovation and experimentation. New approaches to regulation should protect consumers while encouraging market growth and ensuring resilience in future networks and services.
- Spectrum innovation and efficient use. New approaches may be needed to enhance regulatory foresight, harness data to target interventions, and create space for regulators and industry to experiment together. Spectrum innovation is just one such example.
- Ambitious yet executable regulatory roadmaps. The proposed best practices from GSR-21, if widely adopted, could help countries leapfrog ahead in economic development, maximize the benefits of ICT uptake, and ensure that these immense opportunities reach everyone.
In addition to the GSR-21 Best Practice Guidelines, GSR-21 saw the release of several new publications and platforms: Financing Universal Access to Digital Technologies and Services, Econometric Modelling in the context of COVID-19, collaborative case studies, and ICT Regulatory Tracker 2020.

Cybersecurity for U.S. critical infrastructure a ‘national-security imperative’

Protecting U.S. critical infrastructure from the often-debilitating impacts of cyberattacks is a “national imperative” that will require cooperation between the government and private sector, according to Brian Scott, director of critical-infrastructure cybersecurity for the National Security Council (NSC).
Scott said a variety of sources—nation-states, state-sponsored actors and cybercriminals—are responsible for the cyberattacks, and many of the impacts have been significant, as recent events have reinforced. Indeed, more than 18,000 entities were deemed vulnerable during the SolarWinds attacks first announced in December, and a ransomware attack on Colonial Pipeline resulted in the shutdown of more than 11,000 gas stations in the southeast U.S., he said.
“Public and private entities are increasingly under constant, sophisticated, malicious and often-unseen probing and attacks from nation-state adversaries and criminals,” Scott said last week during the “Cyber Defenders” online event hosted by Nextgov. “Today more than ever, cybersecurity is a national-security imperative.
“Adversaries and malicious cyber actors see U.S. government and U.S. commercial networks as particularly rich targets and are aggressively working to compromise them.”
Beyond the SolarWinds and Colonial Pipeline incidents, Scott cited compromises to Microsoft Exchange Servers and Pulse Secure VPNs as examples of the challenges facing public and private U.S. entities in an increasingly treacherous cyber environment.
Meanwhile, ransomware attacks last year generated average demands of more than $100,000, with the top ransom demands exceeding $10 million, Scott said. And a 2019 study estimated that a data breach costs the company experiencing it an average of $13 million, as well as significant intellectual-property losses.
Full story: https://urgentcomm.com/2021/06/01/cybersecurity-for-u-s-critical-infrastructure-a-national-security-imperative-nsc-official-says/

Regulating for resilience: Reigniting ICT markets and economies post-COVID-19

As the COVID-19 pandemic continues its relentless spread, governments, regulators, academics, and the global information and communication technology (ICT) community keep rethinking policy and regulatory frameworks to mitigate the effects of the crisis and chart a way out of it.
The 7th Economic Experts Roundtable convened by ITU provided a platform to generate ideas and solutions to render ICT markets an even more important contributor to social and economic resilience in the face of COVID-19.
The current crisis has brought new challenges to the ICT sector. Regulatory frameworks need to be adjusted to stimulate investment while maintaining a moderate level of competition. Markets and consumer benefits are now examined by decision-makers through the lens of financial adversity and uncertain outlooks.
Amid disruption, policy-makers and regulators need evidence-based guidance that provides a solid ground for their reforms.
A new study released at the Roundtable provides fresh insights backed by authoritative data on the evolution of ICT regulation since 2007, the ICT Regulatory Tracker, and a global dataset on ICT markets economics.
The study shows that ICT regulation has had a measurable impact on the growth of global ICT markets over the past decade.
The analysis uses econometric modelling to pinpoint the impact of the regulatory and institutional frameworks on the performance of the ICT sector and its contribution to national economies.
It provides policy-makers and regulators with evidence to advance regulatory reform and address the challenges and gaps in current regulatory frameworks for digital services and applications.
Upgrading regulatory frameworks: What matters?
The new analysis points to regulatory features that can have a multiplier effect on ICT markets and consumer benefits.
• ICT regulation is positively linked with increases in telecommunication investment. An improvement of 10 per cent in the maturity of national ICT regulatory frameworks is associated with an increase of fixed and mobile investment of over 7 per cent. For this to happen, a country needs a separate, autonomous ICT regulator with a broad mandate, promoting competition and adopting best regulatory practices in ICT licencing, service quality monitoring, and spectrum sharing.
• Tax cuts are associated with a significant boost in capital investment, as they increase available financial resources for network deployment. Reducing profit tax by half leads to an increase of fixed and mobile investment of nearly 14 per cent.
• Streamlining government administrative processes is linked to a significant increase in capital investment, highlighting the importance of minimizing time to obtain network deployment permits, handling municipal network construction requirements, and reducing red tape costs. Slashing administrative processing times by half is linked to an increase in fixed and mobile investment of 17 per cent.
A regulatory power boost for mobile
For the mobile sector, open and collaborative regulatory policies appear to have a strong positive impact on investment. In turn, more investment triggers coverage gains and lower consumer prices, boosts ICT adoption and generates growth in national economies around two years after policy adoption.
• A digital agenda is crucial to accelerating innovation and boosting investment. The introduction of a national broadband plan with a strong implementation framework and leadership increases mobile investment and network coverage by some 15 per cent.
• Converged licensing frameworks maximize the financial returns of investments as they provide a flexible policy approach adapted to technological advances. Such frameworks are associated with a 10 per cent increase in mobile investment and network coverage.
• Allowing voluntary spectrum sharing agreements, thereby helping operators to maximize the opportunities to make investments profitable, creates strong incentives for network deployment. Such collaborative regulatory regimes see an 18 per cent increase in mobile investment and network coverage, and price reduction by close to 10 per cent compared to countries where this is not allowed.
• Openness to foreign operators increases access to capital for network development and modernization and enables technology and know-how transfer. An open mobile market can stimulate capital investment with increases of 14 per cent along with network coverage.
Policy-makers are encouraged to use this report as an evidence base underpinned by a deeper understanding of the linkages between regulatory and institutional contexts and ICT market outcomes, and of which policies can lead markets, consumers, and economies out of the current crisis.
[Source: ITU]

CISA releases the insider threat mitigation guide

The Cybersecurity & Infrastructure Security Agency (CISA) has released its Insider Threat Mitigation Guide for organizations. Insiders are individuals entrusted with access to or knowledge of an organization who represent potential risks, including current or former employees or any other person who has been granted access, understanding, or privilege.
Organizations of all types and sizes are vulnerable to insider threats. The CISA Insider Threat Mitigation Guide is designed to assist individuals, organizations, and communities in improving or establishing an insider threat mitigation program. It offers a proven framework that can be tailored to any organization regardless of size. It provides an orientation to the concept of insider threat, the many expressions those threats can take, and offers an integrated approach necessary to mitigate the risk. The Guide shares best practices and key points from across the infrastructure communities.
"This Insider Threat Mitigation Guide is an evolution in the series of resources CISA makes available on insider threats. This Guide draws from the expertise of some of the most reputable experts in the field to provide comprehensive information to help federal, state, local, tribal, and territorial governments; non-governmental organizations; and the private sector establish or enhance an insider threat prevention and mitigation program."
"Moreover, this Guide accomplishes this objective in a scalable manner that considers the level of maturity and size of the organization. It also contains valuable measures for building and using effective threat management teams. Through a case study approach, this Guide details an actionable framework for an effective insider threat mitigation program: Defining the Threat, Detecting and Identifying the Threat, Assessing the Threat, and Managing the Threat," said Steve Harris, Acting Assistant Director for Infrastructure Security, Cybersecurity and Infrastructure Security Agency.
The full Guide can be downloaded at CISA.org