The Cyberlaw Podcast

Whatever else the pundits are saying about the use of cyberattacks in the Ukraine war, Dave Aitel notes, they all believe it confirms their past predictions about cyberwar. Not much has been surprising about the cyber weapons the parties have deployed, Scott Shapiro agrees. The Ukrainians have been doxxing Russia’s soldiers in Bucha and its spies around the world. The Russians have been attacking Ukraine’s grid. What’s surprising is that the grid attacks have not seriously degraded civilian life, and how hard the Russians have had to work to have any effect at all. Cyberwar isn’t a bust, exactly, but it is looking a little overhyped. In fact, Scott suggests, it’s looking more like a confession of weakness than of strength: “My military attack isn’t up to the job, so I’ll throw in some fancy cyberweapons to impress The Boss.”

Would it have more impact here? We can’t know until the Russians (or someone else) gives it a try. But we should certainly have a plan for responding, and Dmitri Alperovitch and Sam Charap have offered theirs: Shut down Russia’s internet for a few hours just to show we can. It’s better than no plan, but we’re not ready to say it’s the right plan, given the limited impact and the high cost in terms of exploits exposed.

Much more surprising, and therefore interesting, is the way Ukrainian mobile phone networks have become an essential part of Ukrainian defense. As discussed in a very good blog post, Ukraine has made it easy for civilians to keep using their phones without paying no matter where they travel in the country and no matter which network they find there. At the same time, Russian soldiers are finding the network to be a dangerous honeypot. Dave and I think there are lessons there for emergency administration of phone networks in other countries.

Gus Hurwitz draws the short straw and sums up the second installment of the Elon Musk v. Twitter story. We agree that Twitter’s poison pill probably kills Musk’s chances of a successful takeover. So what else is there to talk about? In keeping with the confirmation bias story, I take a short victory lap for having predicted that Musk would try to become the Rupert Murdoch of the social oligarchs. And Gus helps us enjoy the festschrift of hypocrisy from the Usual Sources, all declaring that the preservation of democracy depends on internet censorship, administered by their friends.

Scott takes us deep on pipeline security, citing a colleague’s article for Lawfare on the topic. He thinks responsibility for pipeline security should be moved from the Transportation Security Administration (TSA) to the Federal Energy Regulatory Commission (FERC), because, well, TSA. The Biden administration is similarly inclined, but I’m not enthusiastic; TSA may not have shown much regulatory gumption until recently, but neither has FERC, and TSA can borrow all the cyber expertise it needs from its sister agency, CISA. An option that’s also open to FERC, Scott points out.

You can’t talk pipeline cyber security without talking industrial control security, so Scott and Gus unpack a recently discovered ICS malware package that is a kind of Metasploit for attacking operational tech systems. It’s got a boatload of features, but Gus is skeptical that it’s the best tool for causing major havoc in electric grids or pipelines. Also, remarkable: it seems to have been disclosed before the nation state that developed it could actually use it against an adversary. Now that’s Defending Forward!

As a palate cleanser, we ask Gus to take us through the latest in EU cloud protectionism. It sounds like a measure that will hurt U.S. intelligence but do nothing for Europe’s effort to build its own cloud industry. I recount the broader story, from subpoena litigation to the CLOUD Act to this latest counter-CLOUD attack. The whole thing feels to me like Microsoft playing both sides against the middle. 

Finally, Dave takes us on a tour of the many proposals being launched around the world to regulate the use of Artificial Intelligence (AI) systems. I note that Congressional Dems have their knives out for face recognition vendor id.me. And I return briefly to the problem of biased content moderation. I look at research showing that Republican Twitter accounts were four times more likely to be suspended than Democrats after the 2020 election. But I find myself at least tentatively persuaded by further research showing that the Republican accounts were four times as likely to tweet links to sites that a balanced cross section of voters considers unreliable. Where is confirmation bias when you need it?


Download the 403rd Episode (mp3) 


You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Direct download: TheCyberlawPodcast-403.mp3
Category:general -- posted at: 10:16am EDT

The theme of this episode of the Cyberlaw Podcast is, “Be careful what you wish for.” Techlash regulation is burgeoning around the world. Mark MacCarthy takes us through a week’s worth of regulatory enthusiasm. Canada is planning to force Google and Facebook to pay Canadian news media for links. It sounds simple, but arriving at the right price—and the right recipients—will require a hefty dose of discretionary government intervention. Meanwhile, South Korea’s effort to regulate Google’s Android app store policies, which also sounds simple, is quickly devolving into such detail that the government might as well call it price regulation—because that’s what it is. And, Mark notes, even China, which seemed to be moderating its hostility to tech platforms, has just announced algorithm compliance audits for Tencent and ByteDance.

Nobody is weeping for Big Tech, but anybody who thinks this kind of thing will hurt Big Tech has never studied the history of AT&T—or Rupert Murdoch. Incumbent tech companies have the resources to protect themselves from regulatory harm—and to make sure their competitors will be crushed by the burdens they bear. The one missing chapter in the mutual accommodation of Big Tech and Big Government, I argue, is a Rupert Murdoch figure—someone who will use his platform unabashedly to curry favor not from the left but from the right. It’s an unfilled niche, but a moderately conservative Big Tech company is likely to find all the close regulatory calls being made in its favor if (or, more likely, when) the GOP takes power. If you think that’s not possible, you missed the last week of tech news. Elon Musk, whose entire business empire is built on government spending, is already toying with occupying a Silicon Valley version of the Rupert Murdoch niche. His acquisition of nearly 10 percent of Twitter is an opening gambit that is likely to make him the man that conservatives hail as the antidote to Silicon Valley’s political monoculture. Axios’s complaint that the internet is becoming politically splintered is wildly off the mark today, but it may yet come true.

Nick Weaver brings us back to earth with a review of the FBI’s successful (for now) takedown of the Cyclops Blink botnet—a Russian cyber weapon that was disabled before it could be fired. Nick reminds us that the operation was only made possible by a change in search and seizure procedures that the Electronic Frontier Foundation (EFF) and friends condemned as outrageous just a decade ago. Last week, he reports, Western law enforcement also broke the Hydra dark market. In more good news, Nick takes us through the ways in which bitcoin’s traceability has enabled authorities to bust child sex rings around the globe.

Nick also brings us This Week in Bad News for Surveillance Software: FinFisher is bankrupt; Israeli surveillance software smuggled onto EU ministers’ phones is being investigated; and Google has banned apps that use particularly intrusive data collection tools, outed by Nick’s colleagues at the International Computer Science Institute.

Finally, Europe is building a vast network to do face recognition across the continent. I celebrate the likely defeat of ideologues who’ve been trying to toxify face recognition for years. And I note that one of my last campaigns at the Department of Homeland Security (DHS) was a series of international agreements that lock European law enforcement into sharing of such data with the United States. Defending those agreements, of course, should be a high priority for the State Department’s on-again off-again new cyber bureau.

Download the 402nd Episode (mp3) 

Direct download: TheCyberlawPodcast-402.mp3
Category:general -- posted at: 2:11pm EDT

Spurred by a Cyberspace Solarium op-ed, Nate Jones gives an overview of cybersecurity worries in the maritime sector, where there is plenty to worry about. I critique the U.S. government’s December 2020 National Maritime Cybersecurity Strategy, a 36-page tome that, when the intro and summary and appendices and blank pages are subtracted, offers only eight pages of substance. Luckily, the Atlantic Council has filled the void with its own report on the topic.

Of course, the maritime sector isn’t the only one we should be concerned about. Sultan Meghji points to the deeply troubling state of industrial control security, as illustrated by a “10 out of 10” vulnerability recently identified in a Rockwell Automation ICS system.

Still, sometimes software rot serves a good purpose. Maury Shenk tells us about decay in Russia’s SORM—a site-blocking system that may be buckling under the weight of the Ukraine invasion. Talking about SORM allows me to trash a nothingburger story perpetrated by three New York Times reporters who ought to know better. Adam Satariano, Paul Mozur and Aaron Krolik should be ashamed of themselves for writing a long story suggesting that Nokia did something wrong by selling Russia telecom gear that enables wiretaps. Since the same wiretap features are required by Western governments as a matter of law, Nokia could hardly do anything else. SORM and its abuses were all carried out by Russian companies. I suspect that, after wading through a boatload of leaked documents, these three (three!) reporters just couldn’t admit there was no there, there. 

Nate and I note the emergence of a new set of secondary sanctions targets as the Treasury Department begins sanctioning companies that it concludes are part of a sanctions evasion network. We also puzzle over the surprising pushback on proposals to impose sanctions on Kaspersky. If the Wall Street Journal is correct, and the reason is fear of cyberattacks if the Russian firm is sanctioned, isn’t that a reason to sanction them out of Western networks?

Sultan and Maury remind us that regulating cryptocurrency is wildly popular with some, including Sen. Elizabeth Warren and the EU Parliament. Sultan remains skeptical that sweeping regulation is in the cards. He is much more bullish on Apple’s ability to upend the entire fintech field by plunging into financial services with enthusiasm. I point out that it’s almost impossible for a financial services company to maintain a standoffish relationship with the government, so Apple may have to change the tune it’s been playing in the U.S. for the last decade.

Maury and I explore fears that the DMA will break WhatsApp encryption, while Nate and I plumb some of the complexities of a story Brian Krebs broke about hackers exploiting the system by which online services provide subscriber information to law enforcement in an emergency. 

Speaking of Krebs, we dig into Ubiquiti’s defamation suit against him. The gist of the complaint is that Krebs relied on a “whistleblower” who turned out to be the perp, and that Krebs didn’t quickly correct his scoop when that became apparent. My sympathies are with Krebs on this one, at least until Ubiquiti fills in a serious gap in its complaint—the lack of any allegation that the company told Krebs that he’d been misled and asked for a retraction. Without that, it’s hard to say that Krebs was negligent (let alone malicious) in reporting allegations by an apparently well-informed insider. 

Maury brings us up to speed on the (still half-formed) U.K. online harms bill and explains why the U.K. government was willing to let the subsidiary of a Chinese company buy the U.K.’s biggest chip foundry. Sultan finds several insights in an excellent CNN story about the Great Conti Leak.

And, finally, I express my personal qualms about the indictment (for disclosing classified information) of Mark Unkenholz, a highly competent man whom I know from my time in government. To my mind the prosecutors are going to have to establish that Unkenholz was doing something different from the kind of disclosures that are an essential part of working with tech companies that have no security clearances but plenty of tools needed by the intelligence community. This is going to be a story to watch.

Download the 401st Episode (mp3)

Direct download: TheCyberlawPodcast-401.mp3
Category:general -- posted at: 10:48am EDT
