The Cyberlaw Podcast

In the news roundup, David Kris digs into rumors that Chinese malware attacks may have caused a blackout in India at a time when military conflict was flaring on the two nations’ Himalayan border. This leads us to Russia’s targeting of the U.S. grid and to uneasy speculation on how well our regulatory regime is adapted to preventing successful grid attacks.

The Biden administration is starting to get its legs under it on cybersecurity. In its first major initiative, Maury Shenk and Nick Weaver tell us, it has called for a set of studies on how to secure the supply chain in several critical products, from rare earths to semiconductors. As a reflection of the rare bipartisanship of the issue, the president’s order is weirdly similar to Sen. Tom Cotton’s plan to “beat China” economically.

Nick explains the most recent story on how China repurposed an NSA attack tool to use against U.S. targets. Bottom line: It’s embarrassing for sure, but it’s also business as usual for attack teams. This leads us to a surprisingly favorable review of the Cyber Threat Alliance’s recent paper on how to run a Vulnerability Equities Process.

Maury explains the new rules that Facebook, WhatsApp and Twitter will face in India. 

Among other things, the rules will require India-based “grievance officers” to handle complaints. I am unable to resist snarking that if ever there were a title that the wokeforce at these companies should aspire to, it’s Chief Grievance Officer.

Nick and I make short work of two purported scandals—ICE investigators using a private utility database to enforce immigration law and the IRS purchasing cellphone location data. I argue that the first is the work of ideologues who would loudly protest ICE access to the White Pages. And the second is a nonstory largely manufactured by Sen. Wyden. 

In a story that isn’t manufactured, David and I predict that the Supremes will agree to decide the scope of cellphone border searches.  More than that, we conclude, the Ninth Circuit will lose. The hard question is how broadly the Court decides to rule once it has kicked the Ninth Circuit rule to the curb.

Maury reports that Facebook and Google have pushed the Aussie government into a compromise on paying Aussie media fees for links. 

Facebook gets the credit for being willing to shoot the family members the government was holding hostage (although in Facebook’s case, the hostage was probably a second cousin once removed). 

Maury predicts that the negotiations will be tougher once the European Union starts rounding up its hostages.  

In quick hits, I claim credit for pointing out years ago that sooner or later the crybullies would come for “quantum supremacy.” And they have.

Maury and I note the rise of audits for AI bias. 

He’s mildly favorable; I am not. And I close by noting the surprisingly difficult choices illustrated by Pro Publica’s story on how the content moderation sausage was made at Facebook when the Turkish government demanded that a Kurdish group’s postings be taken down. 

And more!

Download the 351st Episode (mp3)  

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Direct download: TheCyberlawPodcast-351.mp3
Category:general -- posted at: 11:24am EDT

This episode features an interview with Jason Fagone, journalist and author of The Woman Who Smashed Codes: A True Story of Love, Spies, and the Unlikely Heroine Who Outwitted America's Enemies. I wax enthusiastic about Jason’s book, which features remarkable research, a plot like a historical novel, and deep insights into what I call the National Security Agency’s (NSA) “pre-history”—the years from 1917 through 1940 when the need for cryptanalysis was only dimly perceived by the US government. Elizebeth and William Friedman more or less invented American cryptanalysis in those years, but the full story was never known, even to NSAers. It was protected by a force even stronger than classification—J. Edgar Hoover’s indomitable determination to get good press for the FBI even when all the credit belonged elsewhere. And, at all its crucial stages, that prehistory is a love story that lasted, literally, right to the grave. Don’t miss this (long!) interview with Jason Fagone, or his book.

Meanwhile, in the news roundup, Dmitri Alperovitch covers the latest events in what we just can’t call the SolarWinds hack any more. There’s no doubt that Microsoft code is at the center of the hack, though not because of unintended features; the hackers showed great interest in Microsoft’s code. Dmitri predicts multiple executive orders from Anne Neuberger’s review, and he hopes it means more centralization of federal civilian security monitoring and policy under the Cybersecurity and Infrastructure Security Agency. Dmitri and I agree that the Congressional effort to turn the cybersecurity director position into a Senate-confirmed White House office is more trouble than it’s worth.

The Maryland law imposing taxes on Google and Facebook ad revenue is ground-breaking, and for that reason, it will also be heavily litigated. First time caller, first time listener David Fruchtman explains the tax and the litigation it has already spawned.

Which came first, China’s dream of a rare-earth boycott or U.S. nightmares of a rare-earth boycott? We ask Jordan Schneider, who suggests that neither the dream nor the nightmare is likely to come true any time soon.

Is Australia going to war with Big Tech?  I take on Oz’s link fee and end up siding, improbably, with Mike Masnick and Facebook and against the fee. Meanwhile, the Australian infrastructure protection bill is drawing fire from Microsoft. Dmitri leans toward Microsoft’s view that the law should not give government authority to intervene when a private sector entity is unable or unwilling to respond to an attack.  I lean toward the government.

Jordan Schneider reviews the latest stories of tech companies getting a little too close for comfort to the Chinese surveillance state. The ByteDance censorship story is compelling but not new.  The Oracle story is compelling, new, and a clever piece of journalism by another alumna of the podcast, Mara Hvistendahl: Feeding the Beast: How Oracle Sells Repression in China 

Finally, in a series of quick bites, we cover:

And more!

Download the 350th Episode (mp3) 


Direct download: TheCyberlawPodcast-350.mp3
Category:general -- posted at: 8:31am EDT

Our interview this week is with Nicole Perlroth, The New York Times reporter and author of This Is How They Tell Me the World Ends: The Cyberweapons Arms Race. It’s wide-ranging, occasionally confrontational and a great tour of the issues raised in the book about 0-day exploits, U.S. responsibility for the global cyber arms race and the colorful personalities whose hard choices helped shape the cybersecurity environment we all now live in.

In the news roundup, Nate Jones serves up a second helping of the SuperMicro story, a rerun of a much-maligned Bloomberg report from two years ago that SuperMicro gear had been elaborately compromised by China. This time, Nate reports, Bloomberg offers much more evidence, but probably not enough to completely satisfy the critics. Still, as we conclude, even giving the critics their due, this is a very bad story for SuperMicro—and for its customers. 

It seemed like a classic cybersecurity horror story, with hackers using access to the industrial control system to nearly poison Oldsmar, Florida’s water supply. But Nate and I both suspect that it will turn out to be a much more mundane horror story, one where the call is always coming from inside the house—and untraceable because all the employees use the same password and there is no firewall.

Paying for news links is suddenly all the rage among Western governments. I’d link to the Australian stories about their new law, but I’m afraid they’d want me to pay them. Mark MacCarthy says that risk is overrated, but the prospect for such payment schemes is pretty good. Not just Australia, but also the European Union is moving in this direction.

And Microsoft has expressed its willingness to let Google pay such a fee in the U.S. I suggest that this is all part of restoring an establishment of “authoritative narrative shapers,” in an internet age, noting that the critical question will be which publishers can attach themselves to the flow of internet funding—a question already causing angst among French publishers.

Paul Rosenzweig summarizes the work done by a lot of smart people on the question of how to think about Chinese technology platforms operating in the United States. He also summarizes the current state of litigation over Chinese technology platforms operating in the United States. In a word, it’s mostly on hold, waiting for the Biden administration to run a laborious interagency review.

Nate says the process has already begun for a related topic—how to secure the U.S. tech supply chain, particularly manufacturing semiconductors.

Meanwhile, the U.S. Court of Appeals for the First Circuit has taken on the question of border searches of mobile phones, ruling against a coalition of cyberleft organizations. There is now a circuit conflict that could bring the Supreme Court into the fray—soon if the cyberleft losers are imprudent enough to seek cert but not much longer than that if the Solicitor General picks a favorable case to lose in the U.S. Court of Appeals for the Ninth Circuit.

In short hits, I wonder at just how bad open source security has gotten, noting a clever hack that pwned many companies by providing a public (and compromised) package in a public repository, thereby trumping the companies’ private packages.

Luckily, NIST is all over open source security. Or not. It turns out that NIST is actually offering a host of insecure open source products with known flaws. The purpose of the products? Better computer security, naturally.

The creative policing award of the week goes to the Beverly Hills cop who expresses his unhappiness with being filmed on the job by playing background snippets of songs that will get the video taken down by copyright bots if it is ever posted. 

In the “about time” category, a Canadian woman who defamed dozens of ordinary people in online vendettas has been arrested in Toronto.  

And EncroChat, the phone that promised criminals absolute security but delivered them into the hands of law enforcement, has spawned a complicated debate about whether stealing messages from memory was wiretapping or hacking.

Finally, either The Cyberlaw Podcast has hit a new height or the Harvard Law Review has hit a new low: Looking for a way to sum up the European Court of Justice’s ruling in Schrems II, a student note in the review quotes from the podcast, characterizing Schrems II as “solipsistic Europocrisy meets judicial imperialism.” Couldn’t have said it better myself!

And more!

Download the 349th Episode (mp3) 


Direct download: TheCyberlawPodcast-349.mp3
Category:general -- posted at: 9:30am EDT

This episode features a deep dive into the National Security Agency’s (NSA) self-regulatory approach to overseas signals intelligence, or SIGINT. Frequent contributor David Kris takes us into the details of the SIGINT Annex that governs NSA’s collections outside the U.S. It turns out to be a surprising amount of fun as we stop to examine the SIGINT turf wars of the 1940s, the intelligence scandals of the 1970s, and how they shaped NSA’s corporate culture.

In the news roundup, Bruce Schneier and I review the privacy commissioner’s determination that Clearview AI violated Canadian privacy law by scraping Canadians’ photos from social media.

Bruce thinks Clearview had it coming; I’m skeptical, since it appears that pretty much everyone has been scraping public face data for their machine learning collections for years.

David Kris explains why a sleepy investment review committee with practically no staff is now being compared to a SWAT team. The short answer is “CFIUS.”

More and more, Gus Hurwitz and I note, Big Tech CEOs are being treated like comic book supervillains in Washington.  But have they met their match? Sen. Amy Klobuchar is clearly campaigning to be, if not attorney general, then their nemesis. Like Doc Ock, she’s throwing punch after punch at Big Tech, not just in antitrust legislation but Section 230 reform as well.

We’re not done with SolarWinds yet, and Bruce Schneier thinks that’s fair. He critiques the company for milking profits from its software niche without reinvesting in security.

Gus revives the theme of Big Tech at bay, noting that Australia may start charging Google when it links to Australian news stories and that the new administration seems quite willing to join the rest of the world in imposing more taxes on tech profits.

David covers the flap between India and Twitter, which is refusing to follow an Indian order to suppress several Twitter accounts. That’s probably, I suggest, because there is insufficient proof that the accounts in question belong to Republicans.

IBM seems to be bailing on blockchain, and Bruce thinks it’s about time.  In some ways, IBM is the most interesting of tech companies, since it has less of a moat around its business than most and must live by its wits, which are formidable. Bruce offers quantum computing as an example of IBM doing the right things well.

Bruce and Gus help me with a preview of an upcoming interview of Nicole Perlroth as we cover an op-ed pulled from her new book. Bruce also offers a quick assessment of the draft report of the National Security Commission on Artificial Intelligence. The short version: There isn’t enough there there.

Finally, Gus reminds us that a prophet who predicts the attention economy but then refuses to play by its rules is almost guaranteed to end up as an attention Cassandra, as Michael Goldhaber has.  

And more!

Download the 348th Episode (mp3) 


Direct download: TheCyberlawPodcast-348.mp3
Category:general -- posted at: 12:14pm EDT

The U.S. has never really had a “cyberczar.” Arguably, though, the U.K. has. The head of the National Cyber Security Center (NCSC) combines the security roles of the National Security Agency and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency. To find out how cybersecurity issues look from that perspective, we interview Ciaran Martin, the first director of the NCSC.

In the news roundup, Paul Rosenzweig sums up recent successes in taking down the NetWalker and Emotet hacking networks: It’s a win, and that’s good, but we will need more than this to change the overall security status of the country.

Jordan Schneider explains the remarkable trove of leaked Chinese police records and the extraordinary surveillance now being imposed on the Uighur minority in China.

Enthusiasts for end-to-end encryption should be worried, Mark MacCarthy and I conclude. First, the EU—once a firm advocate of unbreakable encryption—is now touting “security through encryption and security despite encryption.” You can only get the second with some sort of lawful access, an idea that has now achieved respectability inside Brussels government circles, despite lobbying by e2e messaging firms based in Europe. On top of that, there’s a growing fifth column of encryption skeptics inside the firms, whose sentiments can be summarized as, “I’m all for cop-proof encryption as long as it isn’t used by lawbreakers who voted for Trump.” 

Paul brings us up to speed on the Office 365—I mean the SolarWinds—attack. Turns out lots of companies were compromised without any connection to SolarWinds. The episode shows that information sharing about exploits still has a ways to go. And if you’re a lawyer who’s been paying ten cents a page for downloads from the federal courts’ electronic filing system, whatever you’ve been paying for, it isn’t security. The attackers got in there, and as a result, we’ll be making sensitive filings on paper. First voting, then suing—more and more of our lives are heading offline.

Does China want your DNA, and why? I have a truly scary suggestion, and Jordan tries to talk me down.

The Facebook Oversight Board has issued its first decisions. Paul and Mark touch on the highlights. I predict that the board will overrule Trump’s deplatforming, to surprisingly little dissent. 

Jordan and I dig into two overviews of U.S. tech and military competition. It starts to feel a little incestuous when it turns out we all know the authors—and that Jordan has invited them all to be on his excellent podcast, ChinaTalk.

In short hits, I predict that Beijing will fight CFIUS to the last dollar of TikTok revenue. And could easily win. I question YouTube’s demonetization of the Epoch Times, but Jordan has less sympathy for the paper. I’m less flexible about Google’s hard-to-justify decision to block the ads of a group that (like most Americans) opposes Democratic proposals to pack the Supreme Court. And if you’re wondering how dumb stuff like this happens, the L.A. Times gives an object lesson. Faced with a campaign to recall California Governor Gavin Newsom, the Times dug into the online organizations supporting recall. Remarkably, it found that the groups included a lot of the same kinds of folks who came to Washington in January to protest President Biden’s victory. Shortly after that drive-by festival of guilt by association, Facebook banned ads supporting the recall movement.

And more!

Download the 347th Episode (mp3)


Direct download: TheCyberlawPodcast-347_.mp3
Category:general -- posted at: 8:01pm EDT

It’s a story that has everything, except a reporter able to tell it. A hostile state attacking the U.S. power grid is a longstanding and quite plausible national security concern.

The Trump administration was galvanized by the threat, even seizing Chinese power equipment at the port to do a detailed breakdown and then issuing an executive order and follow-up rulings designed to cut Chinese products from the supply chain.

Yet the Biden administration suspended this order for 90 days—the only Trump cybersecurity order to be called into question so far.

Industry lobbying? Chinese maneuvering? Tech uncertainty?  No one knows, but Brian Egan and I at least sketch the outlines of an irresistible story that will have to wait for a persistent journalist.

The SolarWinds story needs a new moniker, as the compromises spread beyond the scope of SolarWinds distributions to victims like Malwarebytes.

Increasingly, it looks as though Microsoft and its cloud are the common denominators, Sultan Meghji and I observe, but that’s one moniker the story will never acquire.

In other cyber news, the Chinese are stealing airline passenger reservation data, Sultan notes.

Maybe they’re just trying to find out when Mike Pompeo next plans to come to China so they can meet him at the airport and enforce their latest sanctions—no Great Wall tours for you, Mr. Secretary!

This is our last week of Trumpian cyber news, so we wallow in it. The President issued a last-minute order calling for an assessment of the security risks of Chinese drones, Maury Shenk tells us.

And Brian unpacks the other last-minute order requiring U.S. cloud providers to know which foreigners they are selling virtual machines to.

I claim victory in my short letter to former Secretary of the Treasury Steven Mnuchin, suggesting that, instead of jamming a cryptocurrency regulation through on his watch, he concentrate on convincing the newly confirmed Secretary Janet Yellen to carry through. If he took my advice, it seems to have worked. Sultan reports that she is showing signs of wanting to "curtail" cryptocurrency.

In other news, Sultan boldly predicts the advent of interplanetary cryptocurrency in Elon Musk’s lifetime.

Brian and I unpack the latest Cyberspace Solarium Commission product—Transition Book—which is persuasive for the Biden administration.

I predict that the statutorily mandated cybersecurity director will have to be subordinated to the deputy national security adviser for cybersecurity for the office to be accepted in the administration.

And in quick hits, Maury covers the surprisingly robust European enforcement of employee protections against video surveillance. I explain Parler’s loss in trying to overturn the Amazon Web Services ban that pushed it off the internet. Sultan explains why the Biden Peloton is a cybersecurity risk, and I tip my hat to the president’s physical fitness.  

I summarize the Michael Ellis story; he held the job of NSA's general counsel for about a day before a political witch-hunt caught up with him, and may never serve another day.  

And, finally, a little schadenfreude for the European Parliament, which is being investigated by the EU’s lead data regulator for poor cookie notices on a website it set up for Members of the European Parliament to book coronavirus tests. The complainant? Max Schrems, who is on his way to becoming as unpopular with European politicos as he is in the U.S.

And more!

Download the 346th Episode (mp3)


Direct download: TheCyberlawPodcast-346.mp3
Category:general -- posted at: 11:34am EDT

We interview Jane Bambauer on the failure of COVID-tracking phone apps. She and Brian Ray are the authors of “COVID-19 Apps Are Terrible—They Didn't Have to Be,” a paper for Lawfare’s Digital Social Contract project. It turns out that, despite high hopes, the failure of these apps was overdetermined, mainly by twenty years of privacy scandalmongering and privacy laws. In essence, Google and Apple set far too strict rules for the apps in an effort to avoid privacy-based political attacks, and the governments that could have reined them in surrendered instead, in order to avoid privacy-based political attacks. So, we have no one to blame but ourselves, and our delusional enthusiasm for privacy.

In the news roundup, suddenly face recognition isn’t toxic at all, since it can be used to identify pro-Trump protestors. And, of course, we have always been at war with Oceania. Dave Aitel explains why face recognition might work even with a mask but still not be very good.  And Jane Bambauer reprises her recent amicus argument that Illinois’s biometric privacy law is a violation of the First Amendment.

If you heard last week’s episode about Silicon Valley speech suppression, you might be interested in seeing the proposal I came up with then, now elaborated in a Washington Post op-ed. Meanwhile, Dave reports that Parler may be back from the dead but dependent on Russian infrastructure. Dave wants to know if that means Parler can be treated by the Biden team like TikTok was treated by the Trump administration.

Dave also brings us up to speed on the latest SolarWinds news. He also casts a skeptical eye on a recent New York Times article pointing fingers at JetBrains as a possible avenue of attack. The story was anonymously sourced and remains conspicuously unconfirmed by other reporting.

Not dead yet, the Trump administration has delivered regulations for administering the executive order allowing the exclusion of risky components from the national IT and communications infrastructure. Maury Shenk explains the basics. 

Speaking of which, China is getting ready to strike back at such measures, borrowing the basic blocking statute rubric invented by the Europeans. Blocking statutes can be effective, but only by putting private companies in a vise between two inconsistent legal duties. Bad news for the companies, but more work for lawyers.

I ride one more hobbyhorse, critiquing Mozilla’s decision to protect “user privacy” while imposing new burdens and risks on enterprise security. The object of my ire is Firefox’s Encrypted Client Hello. Dave corrects my tech but more or less confirms that this is one more nail in the coffin for chief information security officers’ control of corporate networks.

Matthew Heiman and I dig into the latest ransomware gang tactics—going after top executive emails to raise the pressure to pay. The answer? I argue for more fake emails.

In a few quick hits, Maury tells us about the CNIL’s decision that privacy law prevents France from using drones to enforce its coronavirus rules.

I note a new Federal Deposit Insurance Corporation cybersecurity rule that isn’t (yay!) grounded in personal data protection.

Maury explains the recent EU advocate general’s opinion, which would probably make Schrems II even less negotiable than it is now, if it’s adopted by the European Court of Justice, which I argue it will be unless the court can find some resolution that is even more anti-American than the advocate general’s proposal.

And, finally, Matthew tells us that the State Department has reorganized to deal with cyber issues—a reorganization that may not last longer than a few months.

And more!

Download the 345th Episode (mp3)


Direct download: TheCyberlawPodcast-345.mp3
Category:general -- posted at: 3:10pm EDT

In this episode, I interview Zach Dorfman about his excellent reports in Foreign Policy about U.S.-Chinese intelligence competition in the last decade. Zach is a well-regarded national security journalist, a senior staff writer at the Aspen Institute’s Cyber and Technology program and a senior fellow at the Carnegie Council for Ethics in International Affairs. We dive deep into his tale of how the CIA achieved remarkable penetration of the Chinese government and then lost it, inspiring China to build a far more professional and formidable global intelligence network.

In the news roundup, we touch on the disgraceful riot at the Capitol this week, and I criticize Silicon Valley’s rush to score points against the right in a way it never did with the BLM demonstrations last summer. Nate Jones disagrees with my take, but we manage to successfully predict Parler’s shift from platform to (antitrust) plaintiff and to bond over my proposal to impose heavy taxes on social media with more than ten million users. Really, why spend three years in court trying to break ’em up when you can get them to do it themselves and raise money to boot?

SolarWinds keep blowing. Sultan Meghji and Zach Dorfman give us the latest on the attribution to Russia, the fine difference between attack and espionage and the likelihood of direct or indirect regulation.

Pete Jeydel and Sultan cover the latest round of penalties imposed by the rapidly dwindling Trump administration on Chinese companies.

Nate dehypes the UK High Court decision supposedly ruling mass hacking illegal. He previews some Biden appointments, and we talk about the surprising rise of career talent and why that might be happening. Nate also critiques former Director of National Intelligence Ric Grenell after accusations of politicization of intelligence. I’m kinder. But not when I condemn Distributed Denial of Services for joining forces with ransomware gangs to punish victims; it’s hard to believe that anyone could make Julian Assange and Wikileaks look responsible, but they do. Speaking of Julian, he’s won another Pyrrhic victory in court – likely extending his imprisonment with another temporizing win.

And more!

Download the 344th Episode (mp3)


Direct download: TheCyberlawPodcast-344.mp3
Category:general -- posted at: 4:10pm EDT

Episode 343 of the Cyberlaw Podcast is a long meditation on the ways in which technology is encouraging other nations to exercise soft power inside the United States. I interview Nina Jankowicz, author of How to Lose the Information War on how Russian disinformation has affected Poland, Ukraine and the rest of Eastern Europe—and the lessons, if any, those countries can offer a divided United States. 

In the news, Bruce Schneier and I dig for more lessons in the rubble left behind by the SolarWinds hack. Nobody comes out looking good. Persistent engagement and defending forward only work if you’re actually, you know, engaged and defending, and Russia’s cyberspies managed (not surprisingly) to hide their achievement from the National Security Agency (NSA) and Cyber Command.

More and better defense is another answer (not that it’s worked for the last 40 years it’s been tried). But whatever solution we pursue, Bruce makes clear, it’s going to be expensive. 

Taking a quick break from geopolitics, Michael Weiner gives us a rundown on the new charges and details (mostly redacted) in the Texas case against Google for monopolization and conspiring with competitor Facebook. The scariest thing about the case from Google’s point of view, though, may be where it’s been filed. Not Washington but Beaumont, Texas, the most notoriously pro-plaintiff, anti-corporate jurisdiction in the country.

Returning to ways in which foreign governments are using our technology against us, David Kris tells the story of the Zoom executive who used pretextual violations of terms of service to take down speech the Chinese government didn’t like, censoring American efforts to hold a Tiananmen memorial. The good news: He was indicted by the Justice Department. The bad news: I can’t help suspecting that China learned this trick from lefty ideologues in Silicon Valley. 

Aaand, right on cue, it turns out that China’s been accused of using its 50-cent army to file complaints of racism and video game violence to get YouTube to demonetize Americans using the platform to criticize China’s government. 

Then Bruce points us toward a deep and troubling series of Zach Dorfman articles about how effectively China is using technology to vault over US intelligence agencies in the global spying competition. 

And in quick succession, David Kris explains what’s new and what’s not in Israel’s view of international law and cyberconflict. 

I note that President Trump’s NDAA veto has been overridden, making the cyber czar and DHS’s CISA the biggest winners in the cyber policy arena.

Bruce and I give a lick and a promise to the FinCen proposed rule regulating cryptocurrency. We’re both inclined to think more reregulation is worth pursuing, but we agree it’s too late for this administration to get anything on the books.

David Kris notes that Twitter has been fined around $550,000 by the Irish data protection office over a data breach notification that was a few days late – in a GDPR ruling that is a few years late. 

Apple has lost its bullying copyright battle against security start-up Corellium but the real risk to Corellium may be in the as-yet unresolved claim for violation of the DMCA.

And Trump’s DHS is leaving office with new warnings about the cyber risks of Chinese technology, this time touching on backdoors in TCL smart TVs and spillage from Chinese data services. 

And more.

Download Episode 343 (mp3)


Direct download: TheCyberlawPodcast-343.mp3
Category:general -- posted at: 12:12pm EDT

Our interview is with Alex Stamos, who lays out a complex debate over child sexual abuse that’s now roiling Brussels. Applying European privacy standards, and European hostility to artificial intelligence (AI), to internet communications providers has called into question the one tool that has reduced online child sex predation. Scanning for sex abuse images works well, and even scanning for signs of “grooming” is surprisingly effective. But both depend on automated monitoring of communications content, something that has come as a surprise to European lawmakers hoping to impose more regulation on American tech platforms. Left unchanged, the new European rules could make it easier to abuse children. Alex explains the rushed effort to head off that disaster—and tells us what Ashton Kutcher has to do with it (a lot, it turns out).

Meanwhile, in the news roundup, Michael Weiner breaks down the Federal Trade Commission's (FTC) (and the states’) long-awaited antitrust lawsuit against Facebook. Maybe the government will come up with something as the case moves forward, but its monopolization claims don’t strike me as overwhelming.  And, Mark MacCarthy points out, the likelihood that the lawsuit will do something good on the privacy front is vanishingly small. 

Russia’s SVR, heir of the KGB, is making headlines with a remarkably sophisticated and well-hidden cyberespionage attack on a lot of institutions that we hoped were better at defense than they turned out to be. Nick Weaver lays out the depressing story, and Alex offers a former CISO’s perspective, arguing for a federal breach notification law that goes well beyond personal data and includes disciplined after-action reports that aren’t locked up in post-litigation gag orders. Jamil Jaffer tells us that won’t happen in Congress any time soon.

Jamil also comments on the prospects for the National Defense Authorization Act (NDAA), chock full of cyber provisions and struggling forward under a veto threat. If you’re not watching the European Parliament tie itself in knots trying to avoid helping child predators, tune in to watch American legislators tie themselves into knots trying to pass an important defense bill without drawing the ire of the President.

The Federal Communications Commission (FCC), in an Ajit Pai farewell, has been hammering Chinese telecoms companies. In one week, Jamil reports, the FCC launched proceedings to kick China Telecom out of the U.S. infrastructure, reaffirmed its exclusion of Huawei from the same infrastructure and adopted a “rip and replace” mandate for U.S. providers who still have Chinese gear in their networks.

Nick and I clash over the latest move by Apple and Google to show their contempt for US counterterrorism efforts—the banning of a location data company whose real crime was selling the data to (gasp!) the Pentagon.

Mark explains the proposals for elaborate new regulation of digital intermediaries now working their way through—where else? Brussels. I offer some cautious interest in regulation of “gatekeeper” platforms, if only to prevent Brussels and the gatekeepers from combining to slam the Overton window on conservatives’ fingers. 

Mark also reports on the Trump administration's principles for U.S. government use of AI, squelching as premature my celebration at the absence of “fairness” and “bias” cant.

Those who listen to the roundup for the porn news won’t be disappointed, as Mark and I dig into the details of Pornhub’s brush with cancellation at the hands of Visa and Mastercard—and how the site might overcome the attack.

In short hits, Nick and I disagree about Timnit Gebru, the “ethicist” who was let go at Google after threatening to quit. I report on the enactment of a modest but useful internet-of-things cybersecurity law and on the doxxing of the Chinese Communist Party membership rolls as well as the adoption of the most law-enforcement-hostile technology yet to come out of Big Tech—Amazon’s Sidewalk. 

And More!


Direct download: TheCyberlawPodcast-342.mp3
Category:general -- posted at: 9:06am EDT