This episode features an interview with Jason Fagone, journalist and author of The Woman Who Smashed Codes: A True Story of Love, Spies, and the Unlikely Heroine Who Outwitted America's Enemies. I wax enthusiastic about Jason’s book, which features remarkable research, a plot like a historical novel, and deep insights into what I call the National Security Agency’s (NSA) “pre-history”—the years from 1917 through 1940 when the need for cryptanalysis was only dimly perceived by the US government. Elizebeth and William Friedman more or less invented American cryptanalysis in those years, but the full story was never known, even to NSAers. It was protected by a force even stronger even than classification—J. Edgar Hoover’s indomitable determination to get good press for the FBI even when all the credit belonged elsewhere. And, at all its crucial stages, that prehistory is a love story that lasted, literally, right to the grave. Don’t miss this (long!) interview with Jason Fagone, or his book.

Meanwhile, in the news roundup. Dmitri Alperovitch covers the latest events in what we just can’t call the SolarWinds hack any more. There’s no doubt that Microsoft code is at the center of the hack, though not because of unintended features; the hackers showed great interest in Microsoft’s code. Dmitri predicts multiple executive orders from Anne Neuberger’s review, and he hopes it means more centralization of federal civilian security monitoring and policy under the Cybersecurity and Infrastructure Security Agency. Dmitri and I agree that the Congressional effort to turn the cybersecurity director position into a Senate-confirmed White House office is more trouble than it’s worth.

The Maryland law imposing taxes on Google and Facebook ad revenue is ground-breaking, and for that reason, it will also be heavily litigated. First time caller, first time listener David Fruchtman explains the tax and the litigation it has already spawned.

Which came first, China’s dream of a rare-earth boycott or U.S. nightmares of a rare-earth boycott? We ask Jordan Schneider, who suggests that neither the dream nor the nightmare is likely to come true any time soon.

Is Australia going to war with Big Tech?  I take on Oz’s link fee and end up siding, improbably, with Mike Masnick and Facebook and against the fee. Meanwhile, the Australian infrastructure protection bill is drawing fire from Microsoft. Dmitri leans toward Microsoft’s view that the law should not give government authority to intervene when a private sector entity is unable or unwilling to respond to an attack.  I lean toward the government.

Jordan Schneider reviews the latest stories of tech companies getting a little too close for comfort to the Chinese surveillance state. The ByteDance censorship story is compelling but not new.  The Oracle story is compelling, new, and a clever piece of journalism by another alumna of the podcast, Mara Hvistendahl: Feeding the Beast: How Oracle Sells Repression in China 

Finally, in a series of quick bites, we cover:

• U.S. charges against three North Koreans who boosted national GDP appreciably with their hacks. 
• The ongoing Jones Day Doxtorsion. 
• France’s discovery that GRU hackers successfully targeted Centreon servers for years, and
• Sultan Meghji’s departure from The Cyberlaw Podcast for some damn thing or other.

And more!

Download the 350th Episode (mp3) 

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Our interview this week is with Nicole Perlroth, The New York Times reporter and author of This Is How They Tell Me the World Ends: The Cyberweapons Arms Race. It’s wide-ranging, occasionally confrontational and a great tour of the issues raised in the book about 0-day exploits, U.S. responsibility for the global cyber arms race and the colorful personalities whose hard choices helped shape the cybersecurity environment we all now live in.

In the news roundup, Nate Jones serves up a second helping of the SuperMicro story, a rerun of a much-maligned Bloomberg report from two years ago that SuperMicro gear had been elaborately compromised by China. This time, Nate reports, Bloomberg offers much more evidence, but probably not enough to completely satisfy the critics. Still, as we conclude, even giving the critics their due, this is a very bad story for SuperMicro—and for its customers. 

It seemed like a classic cybersecurity horror story, with hackers using access to the industrial control system to nearly poison Oldsmar, Florida’s water supply. But Nate and I both suspect that it will turn out to be a much more mundane horror story, one where the call is always coming from inside the house—and untraceable because all the employees use the same password and no firewall.

Paying for news links is suddenly all the rage among Western governments. I’d link to the Australian stories about their new law, but I’m afraid they’d want me to pay them. Mark MacCarthy says that risk is overrated, but the prospect for such payment schemes is pretty good. Not just Australia, but also the European Union is moving in this direction.

And Microsoft has expressed its willingness to let Google pay such a fee in the U.S. I suggest that this is all part of restoring an establishment of “authoritative narrative shapers,” in an internet age, noting that the critical question will be which publishers can attach themselves to the flow of internet funding—a question already causing angst among French publishers.

Paul Rosenzweig summarizes the work done by a lot of smart people on the question of how to think about Chinese technology platforms operating in the United States. He also summarizes the current state of litigation over Chinese technology platforms operating in the United States. In a word, it’s mostly on hold, waiting for the Biden administration to run a laborious interagency review.

Nate says the process has already begun for a related topic—how to secure the U.S. tech supply chain, particularly manufacturing semiconductors.

Meanwhile, the U.S. Court of Appeals for the First Circuit has taken on the question of border searches of mobile phones, ruling against a coalition of cyberleft organizations. There is now a circuit conflict that could bring the Supreme Court into the fray—soon if the cyberleft losers are imprudent enough to seek cert but not much longer than that if the Solicitor General picks a favorable case to lose in the U.S. Court of Appeals for the Ninth Circuit.

In short hits, I wonder at just how bad open source security has gotten, noting a clever hack that pawned many companies by providing a public (and compromised) package in a public repository, thereby trumping the companies’ private packages.

Luckily, NIST is all over open source security. Or not. It turns out that NIST is actually offering a host of insecure open source  products with known flaws. The purpose of the products? Better computer security, naturally. 

The creative policing award of the week goes to the Beverly Hills cop who expresses his unhappiness with being filmed on the job by playing background snippets of songs that will get the video taken down by copyright bots if it is ever posted. 

In the “about time” category, a Canadian woman who defamed dozens of ordinary people in online vendettas has been arrested in Toronto.  

And EncroChat, the phone that promised criminals absolute security but delivered them into the hands of law enforcement has spawned a complicated debate about whether stealing messages from memory was wiretapping or hacking. 

Finally, either The Cyberlaw Podcast has hit a new height or the Harvard Law Review has hit a new low: Looking for a way to sum up the European Court of Justice’s ruling in Schrems II , a student note in the review quotes from the podcast, characterizing Schrems II as “solipsistic Europocrisy meets judicial imperialism.” Couldn’t have said it better myself!

And more!

Download the 349th Episode (mp3) 

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

This episode features a deep dive into the National Security Agency’s (NSA) self-regulatory approach to overseas signals intelligence, or SIGINT. Frequent contributor David Kris takes us into the details of the SIGINT Annex that governs NSA’s collections outside the U.S. It turns out to be a surprising amount of fun as we stop to examine the SIGINT turf wars of the 1940s, the intelligence scandals of the 1970s, and how they shaped NSA’s corporate culture.

In the news roundup, Bruce Schneier and I review the privacy commissioner’s determination that Clearview artificial intelligence (AI) violated Canadian privacy law by scraping Canadians’ photos from social media.

Bruce thinks Clearview had it coming; I’m skeptical, since it appears that pretty much everyone has been scraping public face data for their machine learning collections for years.

David Kris explains why a sleepy investment review committee with practically no staff is now being compared to a SWAT team. The short answer is “CFIUS.”

More and more, Gus Hurwitz and I note, Big Tech CEOs are being treated like comic book supervillains in Washington.  But have they met their match? Sen. Amy Klobuchar is clearly campaigning to be, if not attorney general, then their nemesis. Like Doc Ock, she’s throwing punch after punch at Big Tech, not just in antitrust legislation but Section 230 reform as well.

We’re not done with SolarWinds yet, and Bruce Schneier thinks that’s fair. He critiques the company for milking profits from its software niche without reinvesting in security.

Gus revives the theme of Big Tech at bay, noting that Australia may start charging Google when it links to Australian news stories and that the new administration seems quite willing to join the rest of the world in imposing more taxes on tech profits.

David covers the flap between India and Twitter, which is refusing to follow an Indian order to suppress several Twitter accounts. That’s probably, I suggest, because there is insufficient proof that the accounts in question belong to Republicans.

IBM seems to be bailing on blockchain, and Bruce thinks it’s about time.  In some ways, IBM is the most interesting of tech companies, since it has less of a moat around its business than most and must live by its wits, which are formidable. Bruce offers quantum computing as an example of IBM doing the right things well.

Bruce and Gus help me with a preview of an upcoming interview of Nicole Perlroth as we cover an op-ed pulled from her new book. Bruce also offers a quick assessment of the draft report of the National Security Commission on Artificial Intelligence. The short version: There isn’t enough there there.

Finally, Gus reminds us that a prophet who predicts the attention economy but then refuses to play by its rules is almost guaranteed to end up as an attention Cassandra, as Michael Goldhaber has.  

And more!

Download the 348th Episode (mp3) 

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

The U.S. has never really had a “cyberczar.” Arguably, though, the U.K. has. The head of the National Cyber Security Center (NCSC) combines the security roles of the National Security Agency and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency. To find out how cybersecurity issues look from that perspective, we interview Ciaran Martin, the first director of the NCSC.

In the news roundup, Paul Rosenzweig sums up recent successes in taking down the NetWalker  and Emotet hacking networks: It’s a win, and that’s good, but we will need more than this to change the overall security status of the country.

Jordan Schneider explains the remarkable trove of leaked Chinese police records and the extraordinary surveillance now being imposed on the Uighur minority in China.

Enthusiasts for end-to-end encryption should be worried, Mark MacCarthy and I conclude. First, the EU—once a firm advocate of unbreakable encryption—is now touting “security through encryption and security despite encryption.” You can only get the second with some sort of lawful access, an idea that has now achieved respectability inside Brussels government circles, despite lobbying by e2e messaging firms based in Europe. On top of that, there’s a growing fifth column of encryption skeptics inside the firms, whose sentiments can be summarized as, “I’m all for cop-proof encryption as long as it isn’t used by lawbreakers who voted for Trump.” 

Paul brings us up to speed on the Office 36—I mean the SolarWinds—attack. Turns out lots of companies were compromised without any connection to SolarWinds. The episode shows that information sharing about exploits still has a ways to go. And if you’re a lawyer who’s been paying ten cents a page for downloads from the federal courts’ electronic filing system, whatever you’ve been paying for, it isn’t security. The attackers got in there, and as a result, we’ll be making sensitive filings on paper.  First voting, then suing—more and more of our lives are heading off line.

Does China want your DNA, and why? I have a truly scary suggestion, and Jordan tries to talk me down.

The Facebook Oversight Board has issued its first decisions. Paul and Mark touch on the highlights. I predict that the board will overrule Trump’s deplatforming, to surprisingly little dissent. 

Jordan and I dig into two overviews of U.S. tech and military competition. It starts to feel a little incestuous when it turns out we all know the authors—and that Jordan has invited them all to be on his excellent podcast, ChinaTalk.

In short hits, I predict that Beijing will fight CFIUS to the last dollar of TikTok revenue. And could easily win. I question YouTube’s demonetization of the Epoch Times, but Jordan has less sympathy for the paper. I’m less flexible about Google’s hard-to-justify decision to block the ads of a group that (like most Americans) opposes Democratic proposals to pack the Supreme Court. And if you’re wondering how dumb stuff like this happens, the L.A.Times gives an object lesson. Faced with a campaign to recall California Governor Gavin Newsom, the Times dug into the online organizations supporting recall. Remarkably, it found that the groups included a lot of the same kinds of folks who came to Washington in January to protest President Biden’s victory. Shortly after that drive-by festival of guilt by association, Facebook banned ads supporting the recall movement.

And more!

Download the 347th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.