The Cyberlaw Podcast

Our guests this week are Paul Scharre from the Center for a New American Security and Greg Allen from the Defense Department’s newly formed Joint Artificial Intelligence Center. Paul and Greg have a lot to say about AI policy, especially with an eye toward national security and strategic competition. Greg sheds some light on the Defense Department’s activity, and Paul helps us understand how the military and policymakers are grappling with this emerging technology. But at the end of the day, I want to know: Are we at risk of losing the AI race with China? Paul and Greg tell me not all hope’s lost—and how we can retain technological leadership.

In what initially seemed like a dog-bites-man story, Attorney General Barr revived the “warrant-proof” encryption debate. He brings some thoughtful arguments to the table, including references to proposals by GCHQ, Ray Ozzie and Matt Tait. Nick Weaver is skeptical toward GCHQ’s proposal. But what really flew under the radar this week was Facebook’s apparent plan to drastically undermine end-to-end encryption by introducing content moderation to its messaging services. I argue that Silicon Valley is so intent on censoring its users that it is willing to sacrifice confidentiality and security (at least for anyone to the right of George W. Bush). News Roundup newcomer Dave Aitel thinks I’m wrong, at least in my attribution of Facebook’s motivations.

Mieke Eoyang, another News Roundup newcomer, brings us up to date on all the happenings in election security. Bob Mueller’s testimony brought Russian election meddling to the fore. His mistake, I argue, was testifying first to the hopelessly ideological House Judiciary Committee. Speaking of Congress, Mieke notes that the Senate Intel Committee released a redacted report finding that every state was targeted by Russian hackers in the 2016 election—and argues that we’re still not prepared to handle their ongoing efforts.

Congress is attempting to create a federal election security mandate through several different election security bills, but they likely will continue to languish in the Senate, despite what Mieke sees as a bipartisan consensus. Not all hope is lost, though. Director of National Intelligence Dan Coats, now on his way out, has established a new office to oversee and coordinate election security intelligence. Nick adds an extra reason to double down on election security: How else will we be able to convince the loser that he is indeed the loser?

In other news, NSA is going back to the future by establishing a new Cybersecurity Directorate. Dave tries to shed some light on the NSA’s history of reorganizations and what this new effort means for the Agency. Dave and I think there’s hope that this move will help NSA better reach the private sector—and even give the Department of Homeland Security a run for its money.

I also offer Dave the opportunity to respond to critics who argued that his firm, Immunity Inc., was wrong to include a version of the BlueKeep exploit in its commercial pentesting software. The long and the short of it: If a vulnerability has been patched, then that patch gives an adversary everything they need to know to exploit that vulnerability. It only makes sense, then, to make sure your clients are able to protect themselves by testing exploits against that vulnerability.

Mieke brings us up to speed on the cybercrime blotter. Marcus Hutchins, one of Dave’s critics, pleaded guilty to distributing the Kronos malware but was sentenced to time served thanks in part to his work to stop the spread of the WannaCry ransomware. Mieke says that Hutchins’s case is a good example that not all black hat hackers are irredeemable. I note that it was good for him that he made his transition before he was arrested. Dave and Nick support the verdict while lamenting how badly hackers are treated by U.S. law. 

We round out the News Roundup with quick hits: Facebook had a very bad week, not least because of the multibillion dollar fine imposed by the FTC; the Department of Justice is going to launch a sweeping antitrust investigation into Big Tech; there was a wild hacking conspiracy in Brazil involving cell phones and carwashes; Equifax reached a settlement with the FTC regarding its epic data breach. Speaking of which, we make a special offer to loyal listeners who can learn whether they are eligible to claim a $125 check (or free credit monitoring, if you really prefer). Just go here, and be sure to tell them the Cyberlaw Podcast sent you. Oh, and an anti-robocall bill finally made it through both houses of Congress.


Download the 274th Episode (mp3). 

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-274.mp3
Category:general -- posted at: 10:11pm EST

Today, I interview Frank Blake, who as CEO brought Home Depot through a massive data breach. Frank is a former co-clerk of mine; a former deputy secretary of energy; and the current host of Crazy Good Turns, a podcast about people who have found remarkable, even crazy, ways to help others. In addition to his insights on what it takes to lead an organization, Frank offers his views on how technology can transform nonprofit charitable initiatives. Along the way, he displays his characteristic sense of humor, especially about himself.

In the News Roundup, I ask Matthew Heiman if Google could have had a worse week in Washington. First Peter Thiel raised the question of whether it’s treasonous for the company to work on AI with Chinese scientists, not the U.S. Defense Department, and then Richard Clarke, hardly a conservative, says he agrees with the criticism. Inevitably, President Trump weighed in with a Thiel-supporting tweet. Meanwhile, on the Hill, Google’s VP says the company has “terminated” Project Dragonfly, an effort to build a search engine that the Chinese government would approve. But that doesn’t prevent conservatives from lambasting the company for bias against conservatives and an unfair subsidy in the form of Section 230 of the Communications Decency Act. The only good news for Google is that, despite all the thunder, no lightning has yet struck. Or so we thought for about five minutes, at which time Gus Hurwitz noted that Google is likely to face multimillion-dollar fines in a Federal Trade Commission investigation of child Internet privacy violations, not to mention a rule-making designed to increase the probability of future fines.

Speaking of which, European lightning struck Amazon this week in the form of new competition law scrutiny. Gus offers skepticism about the EU’s theory, over my counter-skepticism.

Nick Weaver is astonished at the way Julian Assange managed to turn the Ecuadorian embassy into a fist-fighting, feces-smearing, election-meddling command post.

Nick also predicts that Kazakhstan will lose its war with Silicon Valley browser makers over a man-in-the-middle certificate the Kazakh government is forcing on its citizens in order to monitor their Internet browsing. 

And in short hits, Gus questions whether $650 million is a harsh settlement of Equifax’s data breach liability; Nick closes the books on NSA hoarder Hal Martin’s 9-year prison sentence; and Nick explains the latest doxing of an intelligence agency—this time a contractor for the Russian FSB.


Download the 273rd Episode (mp3).

Direct download: TheCyberlawPodcast-273.mp3
Category:general -- posted at: 1:02pm EST

What is the federal government doing to get compromised hardware and software out of its supply chain? That’s what we ask Harvey Rishikof, coauthor of “Deliver Uncompromised,” and Joyce Corell, who heads the Supply Chain and Cyber Directorate at the National Counterintelligence and Security Center. There’s no doubt the problem is being admired to a fare-thee-well, and some evidence it’s also being addressed. Listen and decide!

In the News Roundup, Nate Jones and I disagree about the Second Circuit ruling that President Trump can’t block his critics on Twitter. We don’t disagree about that ruling, but I’m a lot more skeptical than Nate that it will be applied to that other famous Washington tweeter, Rep. Alexandria Ocasio-Cortez.

GDPR still sucks, but now it bites, too. Matthew Heiman explains just how bad the bite was for Marriott and British Airways.

Gus Hurwitz reprises how much—or little—we know about the FTC and Facebook. We won’t know much, he says, until we answer the question, “Where’s the complaint?”

Talk about hard supply chain issues. Congress banned Chinese surveillance cameras from the federal supply chain, but that turns out to be a lot different from, you know, actually getting rid of them.

For a change of pace, Gus and I rag on the U.S. Patent and Trademark Office (USPTO) for its petition that the Supreme Court overturn a Fourth Circuit ruling that adding “.com” to a generic term makes it trademarkable. You tell ‘em, USPTO! It’s not like adding “.com” to a word has the same creativity and distinctiveness as adding “i” in front of “phone” or “pod.”

Nate and I spar over whether Section 301 can be used to retaliate against France for its 3% digital tax.

Matthew tells us that the Trump administration isn’t sharing details on classified cyberattack rules with Congress, and after a modicum of mockery, we actually find ourselves agreeing with Congress’s demand to be briefed on the rules.

Finally, in quick hits, I flag the hypocrisy of those who claim to love the idea of privacy until it gets in the way of boycotting people they disagree with and the surprising ways that GDPR has enabled personal data breaches on an industrial scale.

Download the 272nd Episode (mp3).

Direct download: TheCyberlawPodcast-272.mp3
Category:general -- posted at: 5:39pm EST

This week I interview Glenn Reynolds, of Instapundit and the University of Tennessee at Knoxville law school, about his new book, “The Social Media Upheaval.” In a crisp 64 pages, Glenn analogizes social media to a primeval city, where new proximity produces periodic outbreaks of diseases that more isolated people never experienced; traces social media’s toxicity to the desperate pursuit of engagement; and proposes remedies both for individual users and for society whole. All that plus thoughtful advice on dietary supplements and deadlifts!

In the news roundup, Matthew Heiman dissects a recent Third Circuit ruling that Amazon can be held strictly liable for products it markets for third parties. Unlike Matthew, I am largely persuaded by the court’s ruling on products liability—but Matthew and I both have doubts about its use of Section 230 of the Communications Decency Act to protect Amazon from failure to warn liability.

Maury Shenk and Nick Weaver review the progress of the War on Facial Recognition. Opponents have rolled out the ultimate weapon in modern left ideology—ICE is using it! But facial recognition is still winning, mostly because its opponents are peddling undifferentiated fear of a technology that’s already being used for many very different purposes, from anonymously tracking shoppers moving through a store (where the store doesn’t need to know the shoppers’ identities) to boarding planes (where the airline damn well better know the passengers’ identities, and the tech only has a couple of hundred faces to match).

Matthew and Nick consider China’s seizing and installing spyware on travelers’ devices. Turns out, China’s practice isn’t all that different from most government efforts to extract data from phones, except that the Chinese leave the code on Android devices so that security researchers can reverse engineer China’s deepest fears. And what do they fear most? Japanese heavy metal, apparently. Almost makes you feel a bit of empathy for Beijing…

Maury also highlights Big Tech’s concerns about the UK’s particularly aggressive proposal for an online “duty of care.”

Nick and I follow the problem of fake cancer cures being advertised on Facebook and YouTube down the usual ratholes—who should be responsible in the first place, and why does Silicon Valley think that algorithms will ever be able to discipline such content?

This Week in the U.S.-China trade war: No one seems to know exactly what President Trump’s concessions at the G-20 meeting amount to, but more and more U.S. tech companies have decided that moving 30% of their tech sourcing out of China is a good idea no matter how the trade war ends. This war isn’t good for U.S. companies, but it’s really not good for China’s. Which, come to think of it, is what President Trump has said right from the start.

Finally, if you’re looking for tough government action against contractors with bad cybersecurity, Customs and Border Patrol is your agency. It has cut ties with Perceptics, the firm that was breached by Boris the Bullet-Dodger, and seems to be readying a debarment proceeding that will cut the firm off from future contracts. Matthew and I speculate that there may be something more behind this harsh remedy—perhaps a lack of prompt contractor candor about the breach. Whatever the context, this proceeding is likely to set a precedent that haunts other contractors long into the future.

Download the 271st Episode (mp3).

Direct download: TheCyberlawPodcast-271.mp3
Category:general -- posted at: 8:40am EST

The theme this week is China’s growing confidence in using cyberweapons in new and sophisticated ways, as the U.S. struggles to find an answer to China’s growing ambition to dominate technology. Our interview guest, Chris Bing of Reuters, talks about his deep dive story on Chinese penetration of managed service providers like HP Enterprise—penetration that allowed them access to hundreds of other companies that rely on managed service providers for most of their IT. Most chilling for the customers are strong suggestions that the providers often didn’t provide notice of the intrusions to their customers—or that the providers’ contracts may have prevented their customers from launching quick and thorough investigations when their own security systems detected anomalous behavior originating with the providers. Chris also tells the story of an apparent Five Eyes intrusion into Yandex, the big Russian search engine.

Returning to China, in our News Roundup Nate Jones covers the latest in the U.S.-China trade war before diving into a Wall Street Journal article (by Kate O’Keeffe) that I call the Rosetta Stone for the last two years of cyber policymaking. Looking for the unifying theme in the lobbying fight over FIRRMA, the president’s executive orders on cyber and sanctions on companies like Sugon? Look no further than AMD, its aggressive accommodation of China’s ambitions in chip manufacture, and the Pentagon’s desperate effort to thwart the company’s plans. Nate and I also consider a possible new U.S. requirement that domestic 5G equipment be made outside China.

What is China planning to do with all that cyber power? Jordan Cannon lays out one little-followed story in which China seems to have taken an election-tilting page straight out of Vladimir Putin’s textbook. And Nate covers a newly patient Chinese hacking cadre willing to compromise a dozen telecomm companies for years just to collect metadata on as few as twenty telecomm customers.

Speaking of metadata, David Kris explains why Congress is more exercised over National Security Agency’s (NSA) access to American phone metadata than China’s. Congress took the view that NSA should not collect the metadata of innocent Americans, even if it only searched the data when it had a legal basis for doing so. Instead, Congress constructed a new Section 215 program that depended on each telecomm company to do searches of data that remained in their hands. Unsurprisingly, the companies have done that badly, sending the wrong data to NSA on more than one occasion. Naturally, Congress now blames NSA for “overcollecting.” 

Are you a conservative comforting yourself with the idea that Silicon Valley censorship is just a creature of platform monopoly that can be cured by more competition? Better stop reading the newspaper, as of last week. Two more conservative-hostile moves by Silicon Valley show that competition isn’t likely to end virtue signaling in the Valley. After Google banned Project Veritas’s video exposé of YouTube for, uh, privacy—that’s it, privacy—violations, its distant No. 2 competitor Vimeo responded to the competitive opportunity by also banning the video for, uh, defamation or something. And when Twitter competitor Parler offered a home to conservatives, Apple reportedly threatened (at least briefly) not to distribute the app unless it kicked some unspecified bad actors off the service.

Meanwhile, two Silicon Valley platforms that really do need at least a few conservatives were singing that famous C&W song, “I hate you. I need you. I hate that I need you.” And just to show their contempt for people they’re afraid to shut down completely, Reddit “quarantined” their wildly popular subreddit r/the_donald over posts the moderators said they’d never seen or had reported to them. And Twitter announced that it planned to salve its SJW conscience while still profiting from Trump’s tweets by attaching disapproving labels to them. Nate tries to hose me down, but it’s too late. 

Finally, in breaking news from 1993, David reports that the Trump Administration is considering an encryption crackdown but can’t choose between a toothless statement of principles and a feckless proposal of legislation that will not pass. I offer the suggestion that the statement of principles will be enough to undercut Silicon Valley’s campaign to stop encryption controls in countries like Australia, the UK and Germany. That’s where controls will eventually come from, David and I agree. I’m looking forward to all those folks who told us that GDPR was just the voice of civilization calling across the Atlantic saying the same about European encryption mandates.

Download the 270th Episode (mp3). 

Direct download: TheCyberlawPodcast-270.mp3
Category:general -- posted at: 10:23pm EST