A weekly podcast offering an opinionated roundup of the latest events in technology, security, privacy, and government and an in-depth interview of technology and policy newsmakers. Host Stewart Baker and regulars share their views - and not those of the firm.
Episode 364: Does Good Ransomware Policy Have To Be Boring?
We don’t get far into my interview with the authors of a widely publicized Ransomware Task Force report, before I object that most of its recommendations are “boring” procedural steps that don’t directly address the ransomware scourge. That prompts a vigorous dialogue with Philip Reiner, the Executive Director of the Institute for Security and Technology (IST), the report’s sponsoring organization, from Megan Stifel, of the Global Cyber Alliance, and Chris Painter, of The Global Forum on Cyber Expertise Foundation. And we in fact find several new and not at all boring recommendations among the nearly 50 put forward in the report.; In the news roundup, Dmitri Alperovitch has an answer to my question, “Is Putin getting a handle on U.S. social media?” Not just Putin, but every other large authoritarian government is finding ways to bring Google, Twitter, and Facebook to heel. In Russia’s case, the method is first a token fine, then a gradual throttling of service delivery that makes domestic competitors look better in comparison to the Silicon Valley brand.; Mark MacCarthy handicaps the Epic v. Apple lawsuit. The judge is clearly determined to give both sides reason to fear that the case won’t go well. And our best guess is that Epic might get some form of relief but not the kind of outcome they hoped for.; Dmitri and I marvel at the speed and consensus around regulatory approaches to the Colonial Pipeline ransomware event. It’s highly likely that the attack will spur legislation mandating reports of cyber incidents (and without any liability protection) as well as aggressive security regulation from the agency with jurisdiction – TSA. I offer a cynical Washington perspective on why TSA has acted so decisively.; Mark and I dig into the signing and immediate court filing against Florida’s social media regulation attacking common content moderation issues. Florida will face an uphill fight, but neither of us is persuaded by the tech press’s claim that the law will be “laughed out of court.” There is a serious case to be made for almost everything in the law, with the exception of the preposterous (and probably severable) exemption for owners of Florida theme parks.; Dmitri revs up the DeHyping Machine for reports that the Russians responded to Biden administration sanctions by delivering another cyberpunch in the form of hijacked USAID emails. It turns out that the attack was garden variety cyberespionage, that the compromise didn’t involve access to USAID networks, that it was launched before sanctions, and that it didn’t get very far.; Jordan Schneider explains the impact of S. government policy on the cellular-equipment industry, and the appeal of Open RAN as a way of end-running the current incumbents. U.S. industrial policy could be transformed by the shape-shifting Endless Frontier Act.; Jordan and Dmitri explain how. I ask whether we’re seeing a deep convergence on industrial policy on both sides of the Pacific, now that President XI has given a speech on tech policy that could have been delivered by half a dozen Republican or Democratic senators.; Finally, Dmitri reviews the bidding in cryptocurrency regulation both at the White House and in London.; In short hits, we cover:; The European Court of Human Rights decision squeezing but not quite killing GCHQ’s mass data interception programs and cooperation with the U.S. I offer a possible explanation for the court’s caution.; A court filing strongly suggesting that the Biden administration will not be abandoning a controversial Trump administration rule that requires visa applicants to register their social media handles with the U.S. government. I speculate on why.; A WhatsApp decision not to threaten its users to get them to accept the company’s new privacy terms. Instead, I suspect, WhatsApp will annoy them into submissio
Episode 363: Is Apple Storing its Dorian Gray Portrait Behind the Great Firewall?
Paul Rosenzweig kicks off the news roundup by laying out the New York Times’s brutal overview of the many compromises Tim Cook’s Apple has made with an increasingly oppressive Chinese government. There is no way to square Apple’s aggressive opposition to US national security measures with its quiet surrender to much more demanding Chinese measures. I suggest that the disparity could not be greater if Tim Cook were Dorian Gray and storing his portrait behind the Great Firewall. Paul, Jamil Jaffer, and I note the tension between Apple’s past claim that it could not legally share data with the Chinese government and its new claim that it solved the problem by turning its data over to a Chinese government-owned corporation.; Ransomware hasn’t stopped making news, Paul tells us, Irish hospitals with the latest to go down. Nate Jones assesses the likelihood (low) that governments will effectively ban the payment of ransomware demands. And Paul points out that, while cryptocurrency may be facilitating crime, at least it’s also warming the planet, as an entire American power plant is taken out of mothballs to power cryptocurrency mining operations.; Governments are increasingly cracking down on cryptocurrency, and Paul gives us one week of news in new regulation: China has reiterated its opposition to unregulated access to crypto.; The IRS is threatening action against unreported transactions in cryptocurrency.; And Hong Kong plans to restrict crypto exchanges to professional investors.; Another 60+ pages from the FISA court approving the executive branch’s section 702 procedures.; With Nate on the job, you don’t need to read it all, or rely on the ideologically motivated criticism of privacy groups. Nate tells us that in approving the 702 procedures the FISA court has much less leeway than a court usually does in reviewing federal agency action (with a hat tip to a good analysis by NSA alum George Croner).; Jamil bemoans the enthusiasm sweeping Europe for sticking it to US (but not Chinese) tech companies under a variety of competition law theories. Google has been fined just over €100 million by Italy’s antitrust watchdog for abuse of a dominant market position in Android auto apps. Germany is readying big guns for an attack on Amazon’s market.; I point out that American policyholders seem to share this enthusiasm, at least judging from the questions the presiding judge in Epic v. Apple posed this week to Tim Cook.; Nate and I explore Apple’s apparent decision to let Parler back into the app store. (And, given the enthusiasm for regulating such dual-facing markets on antitrust grounds, that decision would be wise.) But Apple is still demanding that Parler block speech that Parler doesn’t think it should be.; We wrap up with a few quick hits:; Looking for a cheap way to defeat ransomware? Brian Krebs has a “might not work but what do you have to lose?” idea: install a Russian keyboard layout on your computer (although with my luck, the ransomware will translate all my files into Russian).; Andy Greenberg has a good retrospective on the seeds. OG supply chain hack: the Chinese theft of RSA’s core security.; Dangling the other shoe: The UK’s head of MI5 isn’t mincing words. Ken McCallum is accusing Facebook of giving a ‘free pass’ to terrorists by preparing to introduce end-to-end crypto on its messaging app. Sooner or later, this is going to end in tears.; And we all agree that the Biden administration was lucky to persuade Matt Olsen to leave Uber to become head of DOJ’s National Security Division.; And more!
Episode 362: The Biden Cybersecurity Executive Order – CISA as CISO
Our interview is with, Brandon Wales, acting head of the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and Jen Daskal, Deputy General Counsel for Cyber and Technology Law at DHS. We dig deep into the latest Executive Order on cybersecurity. There’s a lot to say. The EO is focused largely on how the federal civilian government protects its networks, and it is just short of revolutionary in overriding longstanding turf fights, almost all of which are resolved in favor of CISA – to the point where it seems clear that CISA is on its way to being the civilian agencies’ CISO, or Chief Information Security Office. This is clearly CISA’s moment. It is getting new authorities from the President and new money from Congress. Whether it can meet all the expectations that these things bring is the question.; We also touch on parts of the EO that will touch the private sector, from the determined push for breach and other incident reporting in federal contracts to the formation of a Cyber Safety Review Board to investigate private sector incidents. I predict that the Board will need and will get subpoena power soon. Neither Brandon nor Jen takes the other side of that bet.; In the news, we get an update on the Colonial Pipeline ransomware attack from Nick Weaver and first-timer Betsy Cooper. Colonial has paid $5 million in ransom, gotten a bad decryption tool, and restarted operations anyway. Since it’s likely to end up as the second test case for the Cyber Security Review Board, Colonial may regret having waited five days to start sharing information with CISA.; Maury Shenk explains the 200-page Irish High Court decision allowing the Irish data protection regulator to begin an inquiry that could cut off its data exports to the United States. Facebook would love to forestall that day until EU-US talks on a new data export deal is done, but the Biden administration isn’t exactly making it a priority to bail out either Facebook or the US intelligence community, which has as much at stake in data flows as the companies.; One of the puzzles of recent weeks has been persistent but vague stories DHS wants more authority that to gather information from public postings on social media. Nick, Betsy, and I try to make sense of the story, and we’re not helped by the fact that much of the media and politicians have switched from condemning such intelligence operations to demanding them, and vice versa, since the Trump administration ended.; Nick can’t resist a story that leaves both bitcoin and Tor looking bad, so of course we cover the boom in Tor exit nodes configured to steal the cryptocurrency of Tor Betsy covers the unanimous view of chip making and consuming companies that the federal government should subsidize chip making in the US. Industrial policy is making a comeback, we note, but Betsy reminds us there’s a reason it went away. *cough*Solyndra*cough*; Betsy seizes on the latest WhatsApp tactic to lament the willingness of data-driven tech companies to annoy us into submission.; Nick and I cross swords over Apple’s firing of Antonio García Martínez, author of Chaos Monkeys, in my view one of the funniest and most insightful Silicon Valley books of the last decade. Part of its appeal is Garcia Martinez’s relentless burning of every bridge in his past business and personal life. How, you keep asking, can he recover from telling all those truths about Morgan Stanley, Facebook, Y Combinator, and AdTech? Turns out, he can’t. But it wasn’t any of those supposedly potent institutions that nailed him. Instead, it was his claim that the women of Silicon Valley are mostly "soft and weak, cosseted and naïve” and possessed of a “self-regarding entitlement feminism.”; Apple employees demanded that they be protected from Garcia Martinez, and he was summarily fired
Episode 361: Computers Will Soon Be Hacking Us. If They Aren’t Already.
Bruce Schneier joins us to talk about AI hacking in all its forms. He's particularly interested in ways AI will hack humans, essentially preying on the rough rules of thumb programmed into our wetware – that big-eyed, big-headed little beings are cute and need to have their demands met or that intimate confidences should be reciprocated. AI may not even know what it's doing, since machines are famous for doing what works unless there's a rule against it. Bruce is particularly interested in law-hacking – finding and exploiting unintended consequences buried in the rules in the U.S. Code. If any part of that code will lend itself to AI hacking, Bruce thinks, it's the tax code (insert your favorite tax lawyer joke here). It's a bracing view of a possible near-term future.; In the news, Nick Weaver and I dig into the Colonial Pipeline ransomware attack and what it could mean for more aggressive cybersecurity action in Washington than the Biden administration was contemplating just last week as it was pulling together an executive order that focused heavily on regulating government contractors.; Nate Jones and Nick examine the stalking flap that is casting a cloud over Apple's introduction of AirTags.; Michael Weiner takes us through a quick tour of all the pending U.S. government antitrust lawsuits and investigations against Big Tech. What's striking to me is how much difference there is in the stakes (and perhaps the prospects for success) depending on the company in the dock. Facebook faces a serious challenge but has a lot of defenses. Amazon and Apple are being attacked on profitable but essentially peripheral business lines. And Google is staring at existential lawsuits aimed squarely at its core business.; Nate and I mull over the Russian proposal for a UN cybercrime proposal. The good news is that stopping progress in the UN is usually even easier than stopping legislation in Washington.; Nate and I also puzzle over ambiguous leaks about what DHS wants to do with private firms as it tries to monitor extremist chatter online. My guess: This is mostly about wanting the benefit of anonymity or a fake persona while monitoring public speech.; And then Michael takes us into the battle between Apple and Fortnite over access to the app store without paying the 30% cut demanded by Apple. Michael thinks we've mostly seen the equivalent of trash talk at the weigh-in so far, and the real fight will begin with the economists' testimony this week. Nick indulges a little trash talk of his own about the claim that Apple’s app review process provides a serious benefit to users, citing among other things the litigation-driven disclosure that Apple never send emails to users of the 125 million buggered apps it found a few years back.; Nick and I try to make sense of stories that federal prosecutors in 2020 sought phone records for three Washington Post journalists as part of an investigation into the publication of classified information that occurred in 2017.; I try to offer something new about the Facebook Oversight Board's decision on the suspension of President Trump’s account. To my mind, a telling and discrediting portion of the opinion reveals that some of the board members thought that international human rights law required more limits on Trump's speech – and they chose to base that on the silly notion that calling the coronavirus a Chinese virus is racist. Anyone who has read Nicholas Wade's careful article knows that there's lots of evidence the virus leaked from the Wuhan virology lab. If any virus in the last hundred years deserves to be named for its point of origin, then, this is it. Nick disagrees.; Nate previews an ambitious task force plan on tackling ransomware. We'll be having the authors on the podcast soon to dig deeper into its nearly 50 recommendations.; Signal is emerging a Corporate Troll of the Year, i
Episode 360: The Robot Apocalypse and You
Our interview is with Kevin Roose, author of Futureproof: 9 Rules for Humans in the Age of Automation debunks most of the comforting stories we use to anaesthetize ourselves to the danger that artificial intelligence and digitization poses to our jobs. Luckily, he also offers some practical and very personal ideas for how to avoid being caught in the oncoming robot apocalypse.; In the news roundup, Dmitri Alperovitch and I take a few moments to honor Dan Kaminsky, an extraordinary internet security and even more extraordinarily decent man. He died too young, at 42, as Nicole Perlroth demonstrates in one of her career-best articles.; Maury Shenk and Mark MacCarthy lay out the EU's plan to charge Apple with anti-competitive behaviour in running its app store.; Under regulation-friendly EU competition law, the more austere U.S. version, it sure looks as though Apple is going to have trouble escaping unscathed.; Mark and I duke it out over Gov. DeSantis's Florida bill on content moderation reform.; We agree that it will be challenged as a violation of the First Amendment and as preempted by federal section 230. Mark thinks it will fail that test. I don’t, especially if the challenge ends up in the Supreme Court, where Justice Thomas at least has already put out the "Welcome" mat.; Dmitri and I puzzle over the statement by top White House cyber official Anne Neuberger that the U.S. reprisals against Russia are so far not enough to deter further cyberattacks. We decide it's a "Kinsley gaffe" – where a top official inadvertently utters an inconvenient truth.; This Week in Information Operations: Maury explains that China may be hyping America’s racial tensions not as a tactic to divide us but simply because it’s an irresistible comeback to U.S. criticisms or Chinese treatment of ethnic minorities. And Dmitri explains why we shouldn’t be surprised at Russia's integrated use of hacking and propaganda. The real question is why the US has been so bad at the same work.; In shorter stories: Mark covers the slooow rollout of an EU law forcing one-hour takedowns of terrorist content; Dmitri tells us about the evolution of ransomware into, full-service doxtortion as sensitive files of the C. Police Department are leaked online; Dmitri also notes the inevitability of more mobile phone adtech tracking scandals, such as the compromise of US military operations; Maury and I discuss the extent to which China's internet giants find themselves competing, not for consumers, but for government favor, as China uses antitrust law to cement its control of the tech sector; Finally, Dmitri and I unpack the latest delay in DOD's effort to achieve cybersecurity maturity through regulatory-style compliance, an effort Dmitri believes is doomed; And more!; As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!; The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.
Episode 359: The Cybersecurity Benefits of Desk Drawers
The Casablanca casino joke is so played. Please no more.
Informative and Entertaining
A show for people who are interested in the law and policy of computer security, privacy, and related topics. The discussions on this podcast are usually interesting and, as best I can tell, well informed. Baker often has highly qualified guests such as Bruce Schnier or Mark McCarthy.
I can’t wait for the next episode.
The Cyberlaw Podcast is witty, always informative, and cutting edge.