100 episodes

The Cyberlaw Podcast is a weekly interview series and discussion offering an opinionated roundup of the latest events in technology, security, privacy, and government. It features in-depth interviews of a wide variety of guests, including academics, politicians, authors, reporters, and other technology and policy newsmakers. Hosted by cybersecurity attorney Stewart Baker, whose views expressed are his own.

The Cyberlaw Podcast Stewart Baker

    • News
    • 4.6 • 206 Ratings

The Cyberlaw Podcast is a weekly interview series and discussion offering an opinionated roundup of the latest events in technology, security, privacy, and government. It features in-depth interviews of a wide variety of guests, including academics, politicians, authors, reporters, and other technology and policy newsmakers. Hosted by cybersecurity attorney Stewart Baker, whose views expressed are his own.

    Who’s the Bigger Cybersecurity Risk – Microsoft or Open Source?

    Who’s the Bigger Cybersecurity Risk – Microsoft or Open Source?

    There’s a whiff of Auld Lang Syne about episode 500 of the Cyberlaw Podcast, since after this it will be going on hiatus for some time and maybe forever. (Okay, there will be an interview with Dmitri Alperovich about his forthcoming book, but the news commentary is done for now.) Perhaps it’s appropriate, then, for our two lead stories to revive a theme from the 90s – who’s better, Microsoft or Linux? Sadly for both, the current debate is over who’s worse, at least for cybersecurity.
     
    Microsoft’s sins against cybersecurity are laid bare in a report of the Cyber Security Review Board, Paul Rosenzweig reports.  The Board digs into the disastrous compromise of a Microsoft signing key that gave China access to US government email. The language of the report is sober, and all the more devastating because of its restraint.  Microsoft seems to have entirely lost the security focus it so famously pivoted to twenty years ago. Getting it back will require a focus on security at a time when the company feels compelled to focus relentlessly on building AI into its offerings.  The signs for improvement are not good.  The only people who come out of the report looking good are the State Department security team, whose mad cyber skillz deserve to be celebrated – not least because they’ve been questioned by the rest of government for decades.
     
    With Microsoft down,  you might think open source would be up.  Think again, Nick Weaver tells us.  The strategic vulnerability of open source, as well as its appeal, is that anyone can contribute code to a project they like.   And in the case of the XZ backdoor, anybody did just that. A well-organized, well-financed, and knowledgeable group of hackers cajoled and bullied their way into a contributing role on an open source project that enabled various compression algorithms. Once in, they contributed a backdoored feature that used public key encryption to ensure access only to the authors of the feature. It was weeks from  being in every Linux distro when a Microsoft employee discovered the implant.  But the people who almost pulled this off seemed well-practiced and well-resourced. They’ve likely done this before, and will likely do it again.  Leaving all open source projects facing their own strategic vulnerability.
     
    It wouldn’t be the Cyberlaw Podcast without at least one Baker rant about political correctness.  The much-touted bipartisan privacy bill threatening to sweep to enactment in this Congress turns out to be a disaster for anyone who opposes identity politics.  To get liberals on board with a modest amount of privacy preemption, I charge, the bill would effectively overturn the Supreme Court’s Harvard admissions decision and impose race, gender, and other quotas on a host of other activities that have avoided them so far. Adam Hickey and I debate the language of the bill.  Why would the Republicans who control the House go along with this?  I offer two reasons:  first, business lobbyists want both preemption and a way to avoid charges of racial discrimination, even if it means relying on quotas; second, maybe Sen. Alan Simpson was right that the Republican Party really is the Stupid Party.
     
    Nick and I turn to a difficult AI story, about how Israel is using algorithms to identify and kill even low-level Hamas operatives in their homes. Far more than killer robots, this use of AI in war is far more likely to sweep the world.  Nick is critical of Israel’s approach; I am less so. But there’s no doubt that the story forces a sober assessment of just how personal and how ugly war will soon be.
     
    Paul takes the next story, in which Microsoft serves up leftover “AI gonna steal yer election” tales that are not much different than all the others we’ve heard since 2016 (when straight social media was the villain).  The bottom line: China is using AI in social media to advance its interests and probe US weaknesses, but it doesn

    • 1 hr 11 min
    Taking AI Existential Risk Seriously

    Taking AI Existential Risk Seriously

    This episode is notable not just for cyberlaw commentary, but for its imminent disappearance from these pages and from podcast playlists everywhere.  Having promised to take stock of the podcast when it reached episode 500, I’ve decided that I, the podcast, and the listeners all deserve a break.  So I’ll be taking one after the next episode.  No final decisions have been made, so don’t delete your subscription, but don’t expect a new episode any time soon.  It’s been a great run, from the dawn of the podcast age, through the ad-fueled podcast boom, which I manfully resisted, to the market correction that’s still under way.  It was a pleasure to engage with listeners from all over the world. Yes, even the EU! 
     
    As they say, in the podcast age, everyone is famous for fifteen people.  That’s certainly been true for me, and I’ll always be grateful for your support – not to mention for all the great contributors who’ve joined the podcast over the years
     
    Back to cyberlaw, there are a surprising number of people arguing that there’s no reason to worry about existential and catastrophic risks from proliferating or runaway AI risks.  Some of that is people seeking clever takes; a lot of it is ideological, driven by fear that worrying about the end of the world will distract attention from the dire but unidentified dangers of face recognition.  One useful antidote is the Gladstone Report, written for the State Department’s export control agency. David Kris gives an overview of the report for this episode of the Cyberlaw Podcast. The report explains the dynamic, and some of the evidence, behind all the doom-saying, a discussion that is more persuasive than its prescriptions for regulation.
     
    Speaking of the dire but unidentified dangers of face recognition, Paul Stephan and I unpack a New York Times piece saying that Israel is using face recognition in its Gaza conflict. Actually, we don’t so much unpack it as turn it over and shake it, only to discover it’s largely empty.  Apparently the editors of the NYT thought that tying face recognition to Israel and Gaza was all we needed to understand that the technology is evil.
     
    More interesting is the story arguing that the National Security Agency, traditionally at the forefront of computers and national security, may have to sit out the AI revolution. The reason, David tells us, is that NSA’s access to mass quantities of data for training is complicated by rules and traditions against intelligence agencies accessing data about Americans. And there are few training databases not contaminated with data about and by Americans.
     
    While we’re feeling sorry for the intelligence community as it struggles with new technology, Paul notes that Yahoo News has assembled a long analysis of all the ways that personalized technology is making undercover operations impossible for CIA and FBI alike.
     
    Michael Ellis weighs in with a review of a report by the Foundation for the Defence of Democracies on the need for a US Cyber Force to man, train, and equip fighting nerds for Cyber Command.  It’s a bit of an inside baseball solution, heavy on organizational boxology, but we’re both persuaded that the current system for attracting and retaining cyberwarriors is not working. In the spirit of “Yes, Minister,” we must do something, and this is something.
     
    In that same spirit, it’s fair to say that the latest Senate Judiciary proposal for a “compromise” 702 renewal bill is nothing much – a largely phony compromise chock full of ideological baggage. David Kris and I are unimpressed, and surprised at how muted the Biden administration has been in trying to wrangle the Democratic Senate into producing a workable bill.
     
    Paul and Michael review the latest trouble for TikTok – a likely FTC lawsuit over privacy. Michael and I puzzle over the stories claiming that Meta may have “wiretapped” Snapchat analytic data.  It comes fr

    • 1 hr 1 min
    The Fourth Antitrust Shoe Drops, on Apple This Time

    The Fourth Antitrust Shoe Drops, on Apple This Time

    The Biden administration has been aggressively pursuing antitrust cases against Silicon Valley giants like Amazon, Google, and Facebook. This week it was Apple’s turn. The Justice Department (joined by several state AGs)  filed a gracefully written complaint accusing Apple of improperly monopolizing the market for “performance smartphones.” The market definition will be a weakness for the government throughout the case, but the complaint does a good job of identifying ways in which Apple has built a moat around its business without an obvious benefit for its customers.  The complaint focuses on Apple’s discouraging of multipurpose apps and cloud streaming games, its lack of message interoperability, the tying of Apple watches to the iPhone to make switching to Android expensive, and its insistence on restricting digital wallets on its platform.  This lawsuit will continue well into the next presidential administration, so much depends on the outcome of the election this fall.
     
    Volt Typhoon is still in the news, Andrew Adams tells us, as the government continues to sound the alarm about Chinese intent to ravage American critical infrastructure in the event of a conflict.  Water systems are getting most of the attention this week.  I can’t help wondering how we expect the understaffed and underresourced water and sewage companies in this country to defeat sophisticated state-sponsored attackers. This leads Cristin and i to a discussion of how the SEC’s pursuit of CISO Tim Brown and demands for more security disclosures will improve the country’s cybersecurity.  Short answer: It won’t.
     
    Cristin covers the legislative effort to force a divestiture of Tiktok. The bill has gone to the Senate, where it is moving slowly, if at all. Speaking as a parent of teenagers and voters, Cristin is not surprised. Meanwhile, the House has sent a second bill to the Senate by a unanimous vote. This one would block data brokers from selling American’s data to foreign adversaries. Andrew notes that the House bill covers data brokers.  Other data holders, like Google and Apple, would face a similar restriction, under executive order, so the Senate will have plenty of opportunity to deal with Chinese access to American personal data.
     
    In the wake of the Murthy argument over administration jawboning in favor of censorship of mostly right-wing posts,  Andrew reports that the FBI has resumed outreach to social media companies, at least where it identifies foreign influence campaigns. And the FDA, which piled on to criticize ivermectin advocates, has withdrawn its dubious and condescending tweets.
     
     Cristin reports on the spyware agreement sponsored by the United States. It has collected several new supporters. Whether this will reduce spyware installations or simply change the countries that supply the spyware remains to be seen.

    • 46 min
    Social Speech and the Supreme Court

    Social Speech and the Supreme Court

    The Supreme Court is getting a heavy serving of first amendment social media cases. Gus Hurwitz covers two that made the news last week. In the first, Justice Barrett spoke for a unanimous court in spelling out the very factbound rules that determine when a public official may use a platform’s tools to suppress critics posting on his or her social media page.  Gus and I agree that this might mean a lot of litigation, unless public officials wise up and simply follow the Court’s broad hint: If you don’t want your page to be treated as official, simply say up top that it isn’t official.
    The second social media case making news was being argued as we recorded. Murthy v. Missouri appealed a broad injunction against the US government pressuring social media companies to take down posts the government disagrees with.  The Court was plainly struggling with a host of justiciability issues and a factual record that the government challenged vigorously. If the Court reaches the merits, it will likely address the question of when encouraging the suppression of particular speech slides into coerced censorship. 
    Gus and Jeffrey Atik review the week’s biggest news – the House has passed a bill to force the divestment of TikTok, despite the outcry of millions of influencers.  Whether the Senate will be quick to follow suit is deeply uncertain.
    Melanie Teplinsky covers the news that data about Americans’ driving habits is increasingly being sent to insurance companies to help them adjust their rates.
    Melanie also describes the FCC’s new Cyber Trust Mark for IOT devices.  Like the Commission, our commentators think this is a good idea.
    Gus takes us back to more contest territory: What should be done about the use of technology to generate fake pictures, especially nude fake pictures. We also touch on a UK debate about a snippet of audio that many believe is a fake meant to embarrass a British Labour politician.  
     Gus tells us the latest news from the SVR’s compromise of a Microsoft network. This leads us to a meditation on the unintended consequences of the SEC’s new cyber incident reporting requirements.
    Jeffrey explains the bitter conflict over app store sales between  Apple and Epic games.
    Melanie outlines a possible solution to the lack of cybersecurity standards (not to mention a lack of cybersecurity) in water systems. It’s interesting but it’s too early to judge its chances of being adopted.
    Melanie also tells us why  JetBrains and Rapid7 have been fighting over “silent patching.”
    Finally, Gus and I dig into Meta’s high-stakes fight with the FTC, and the rough reception it got from a DC district court.
     

    • 1 hr
    Preventing Sales of Personal Data to Adversary Nations

    Preventing Sales of Personal Data to Adversary Nations

    This bonus episode of the Cyberlaw Podcast focuses on the national security implications of sensitive personal information. Sales of personal data have been largely unregulated as the growth of adtech has turned personal data into a widely traded commodity. This, in turn, has produced a variety of policy proposals – comprehensive privacy regulation, a weird proposal from Sen. Wyden (D-OR) to ensure that the US governments cannot buy such data while China and Russia can, and most recently an Executive Order to prohibit or restrict commercial transactions affording China, Russia, and other adversary nations with access to Americans’ bulk sensitive personal data and government related data. 
    To get a deeper understanding of the executive order, and the Justice Department’s plans for implementing it, Stewart interviews Lee Licata, Deputy Section Chief for National Security Data Risk.

    • 31 min
    The National Cybersecurity Strategy – How Does it Look After a Year?

    The National Cybersecurity Strategy – How Does it Look After a Year?

    Kemba Walden and Stewart revisit the National Cybersecurity Strategy a year later. Sultan Meghji examines the ransomware attack on Change Healthcare and its consequences. Brandon Pugh reminds us that even large companies like Google are not immune to having their intellectual property stolen. The group conducts a thorough analysis of a "public option" model for AI development. Brandon discusses the latest developments in personal data and child online protection. Lastly, Stewart inquires about Kemba's new position at Paladin Global Institute, following her departure from the role of Acting National Cyber Director.

    • 56 min

Customer Reviews

4.6 out of 5
206 Ratings

206 Ratings

Jake 2555 ,

A Brief Eulogy (courtesy of ChatGPT)

Ladies and gentlemen, let’s talk about the Steptoe Cyberlaw Podcast. Yeah, you know the one. Hosted by the legendary Stewart Baker, it’s been like the digital world’s grumpy grandpa, telling us all about the cyber boogeymen under our beds while teaching us how to use a VPN as a night light.

Now, after a whopping 499 episodes, Stewart’s decided to take a “break” after episode 500. A break, folks. That’s like your computer saying it needs to “update” and then takes a vacation to the Bahamas. I mean, how do you even take a break after 500 episodes? What’s he gonna do, unplug his mic and live in a world without Wi-Fi? Stewart stepping away from the podcast is like the internet without trolls, useful but unsettlingly quiet.

Let’s be real, the Steptoe Cyberlaw Podcast without Stewart is like Batman deciding he’s going to take a break from Gotham. “Sorry, Joker, you’re on the honor system until I get back. Please try not to set anything on fire.” I mean, who’s gonna guide us through the digital wilderness now? Who’s gonna explain how the latest cyber laws affect our ability to illegally download episodes of “Game of Thrones”?

But hey, 500 episodes is no small feat. That’s like dog years in podcast land. Stewart has probably spent more time talking into a microphone about cyberlaw than I have arguing with my Wi-Fi router. And that’s saying something.

So, here’s to Stewart Baker, the only guy who could make terms like “encryption” and “data privacy” sound like they should be part of a Netflix thriller series. Enjoy your break, Stewart. We’ll just be here, refreshing our feeds, waiting for episode 501. Because let’s face it, in the world of cyberlaw, there’s always another update.

supermidget ,

Please don’t end the show!!

This is the only halfway decent legal podcast around. If you end this show I’ll have nothing to listen to while washing my dishes! Don’t make me turn back to true crime or comedy shows…

In all seriousness, Stewart you put together an amazing show for five hundred episodes. I truly believe this to be one of two or three worthwhile podcasts around that aren’t just empty content to fill one’s ears while doing other things. Great guests, thoughtful insights, and an extraordinary commitment to telling the truth.

I’ll miss the show deeply if you decide to shelve it for good. As a current law clerk soon to be DOJ attorney, it will truly be a shame if I can’t keep up with the cyber law news through your podcast. Maybe consider putting together a short newsletter during the hiatus?

ihjaoanuanaksna ,

Great podcast! Keep them coming!

Great podcast

Top Podcasts In News

Serial
Serial Productions & The New York Times
The Daily
The New York Times
Up First
NPR
The Tucker Carlson Podcast
Tucker Carlson Network
The Ben Shapiro Show
The Daily Wire
The Megyn Kelly Show
SiriusXM

You Might Also Like

The National Security Law Podcast
Bobby Chesney and Steve Vladeck
The Lawfare Podcast
The Lawfare Institute
Rational Security
The Lawfare Institute
Chatter
Lawfare
Divided Argument
Will Baude, Dan Epps
Geopolitics Decanted by Silverado
Silverado Policy Accelerator