NDAA 2021 – NOT JUST ABOUT BOMBS & PLANES ANYMORE
On New Year’s Day, and as if daring 2021 to a fight, both houses of Congress overturned President Trump’s veto of H.R.6395, A.K.A. NDAA FY21, ensuring that the $741 billion bill will become law. Ignoring the irrelevant political implications, the NDAA FY21 contains various promises to study this v. that, but it may also create ripples in the cybersecurity world across various industries.
Media outlets only seem to report the failure of NDAA FY21 to repeal §230 immunity under the Telecommunications Act for social media platforms. 47 U.S.C. §230, specifically subsection (c), prohibits interactive computer platforms (an outdated definition) from being “treated as the publisher or speaker of any information provided by another information content provider” or being subject to civil liability for restricting access or allowing another to restrict access to such content. In other words, these protected entities under §230 cannot be held liable for censorship or defamation in the same manner as journalists.
Apart from its omissions, there are some interesting details buried within the 1480 pages of NDAA FY21, which summarily point toward the following: 1) Greater federal regulation of artificial intelligence (boo for now); 2) Larger, expanded DoD investment in telehealth services and expanded availability of telemedicine within the Department of Veterans Affairs; 3) Revival of the Department of Treasury’s FinCEN information sharing program, with signals of future compulsory regulations; and 4) A disclosure that neither SIPRNet nor NIPRNet was properly encrypted! See below:
NDAA FY21 introduces the National Artificial Intelligence Initiative Act of 2020, which defines “artificial intelligence” and devotes resources to applying and utilizing AI within the Department of Education, the Department of Energy, the Department of Commerce, etc. However, NDAA FY21 signals the coming increase in federal regulation of AI in stating that it will focus on the “accountability and legal rights, including matters relating to oversight of artificial intelligence systems using regulatory and nonregulatory approaches, the responsibility for any violations of existing laws by an artificial intelligence system, and ways to balance advancing innovation while protecting individual rights” over the next 12 months. Currently, AI is largely unregulated throughout the United States.
The Department of Defense (DoD) is looking to lean more on telehealth and telemedicine services. The Comptroller General will be looking to deliver mental health treatment to servicemembers through telemedicine during the pandemic. DoD will also be looking to use telehealth for a wider variety of programs “such as remote diagnostic testing and evaluation tools that contribute to the medical readiness of military medical providers.” The NDAA FY21 contains a special appropriation of $4,000,000 for a bilateral cooperative program with Israel that awards grants for telehealth development. And the Department of Veterans Affairs is amending 38 U.S.C. §1730C to allow “postgraduate health care employee[s]” or “health professions trainee[s]” who are under the supervision of a health care professional to administer telehealth services. Each of these changes signals a significant interest in the U.S. Govt. expanding its use of and investment in telehealth.
After threatening to fine victims of ransomware for paying demands earlier this year, the Department of Treasury looks to issue regulations to encourage information sharing by and between financial institutions subject to the Gramm-Leach-Bliley Act and their regulators to combat money laundering and the inadvertent funding of terrorism. Moreover, the NDAA FY21 seeks to revive the FinCEN exchange program, which is another permissive information sharing program, between the private sector and the Department of Treasury in which the U.S. Government promises that the “[i]nformation received by a financial institution … shall not be used for any purpose other than identifying and reporting on activities that may involve the financing of terrorism, money laundering, proliferation financing, or other financial crimes.” Any information received from the FinCEN exchange will be kept encrypted. Without reading too much in between the lines of NDAA FY21, there appears to be groundwork for future compulsory information sharing regulations. Remember, there is significant leverage wielded by the SEC and FTC over financial institutions.
And finally, SECDEF must submit a report to Congress within 180 days on the cost, mission impact, and an implementation timeline of ensuring full disk encryption across Non-classified Internet Protocol Router Network (NIPRNet) and Secret Internet Protocol Router Network (SIPRNet) endpoint computer systems. (Honestly, it is frustrating this was not previously implemented.)
Curious to see what the future RFIs and RFPs on telehealth will contain.