The Cyberlaw Podcast

It’s a story that has everything, except a reporter able to tell it. A hostile state attacking the U.S. power grid is a longstanding and quite plausible national security concern.

The Trump administration was galvanized by the threat, even seizing Chinese power equipment at the port to do a detailed breakdown and then issuing an executive order and follow-up rulings designed to cut Chinese products from the supply chain.

Yet the Biden administration suspended this order for 90 days—the only Trump cybersecurity order to be called into question so far.

Industry lobbying? Chinese maneuvering? Tech uncertainty? No one knows, but Brian Egan and I at least sketch the outlines of an irresistible story that will have to wait for a persistent journalist.

The SolarWinds story needs a new moniker, as the compromises spread beyond the scope of SolarWinds distributions to victims like Malwarebytes.

Increasingly, it looks as though Microsoft and its cloud are the common denominators, Sultan Meghji and I observe, but that’s one moniker the story will never acquire.

In other cyber news, the Chinese are stealing airline passenger reservation data, Sultan notes.

Maybe they’re just trying to find out when Mike Pompeo next plans to come to China so they can meet him at the airport and enforce their latest sanctions—no Great Wall tours for you, Mr. Secretary!

This is our last week of Trumpian cyber news, so we wallow in it. The President issued a last-minute order calling for an assessment of the security risks of Chinese drones, Maury Shenk tells us.

And Brian unpacks the other last-minute order requiring U.S. cloud providers to know which foreigners they are selling virtual machines to.

I claim victory in my short letter to former Secretary of the Treasury Steven Mnuchin, suggesting that, instead of jamming a cryptocurrency regulation through on his watch, he concentrate on convincing the newly confirmed Secretary Janet Yellen to carry through. If he took my advice, it seems to have worked. Sultan reports that she is showing signs of wanting to "curtail" cryptocurrency.

In other news, Sultan boldly predicts the advent of interplanetary cryptocurrency in Elon Musk’s lifetime.

Brian and I unpack the latest Cyberspace Solarium Commission product—Transition Book—which is persuasive for the Biden administration.

I predict that the statutorily mandated cybersecurity director will have to be subordinated to the deputy national security adviser for cybersecurity for the office to be accepted in the administration.

And in quick hits, Maury covers the surprisingly robust European enforcement of employee protections against video surveillance. I explain Parler’s loss in trying to overturn the Amazon Web Services ban that pushed it off the internet. Sultan explains why the Biden Peloton is a cybersecurity risk, and I tip my hat to the president’s physical fitness.

I summarize the Michael Ellis story; he held the job of NSA's general counsel for about a day before a political witch-hunt caught up with him, and may never serve another day.

And, finally, a little schadenfreude for the European Parliament, which is being investigated by the EU’s lead data regulator for poor cookie notices on a website it set up for Members of the European Parliament to book coronavirus tests. The complainant? Max Schrems, who is on his way to becoming as unpopular with European politicos as he is in the U.S.

And more!


Download the 346th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Direct download: TheCyberlawPodcast-346.mp3
Category:general -- posted at: 11:34am EDT

We interview Jane Bambauer on the failure of COVID-tracking phone apps. She and Brian Ray are the authors of “COVID-19 Apps Are Terrible—They Didn't Have to Be,” a paper for Lawfare’s Digital Social Contract project. It turns out that, despite high hopes, the failure of these apps was overdetermined, mainly by twenty years of privacy scandalmongering and privacy laws. In essence, Google and Apple set far too strict rules for the apps in an effort to avoid privacy-based political attacks, and the governments that could have reined them in surrendered instead, in order to avoid privacy-based political attacks. So, we have no one to blame but ourselves, and our delusional enthusiasm for privacy.

In the news roundup, suddenly face recognition isn’t toxic at all, since it can be used to identify pro-Trump protestors. And, of course, we have always been at war with Oceania. Dave Aitel explains why face recognition might work even with a mask but still not be very good. And Jane Bambauer reprises her recent amicus argument that Illinois’s biometric privacy law is a violation of the First Amendment.

If you heard last week’s episode about Silicon Valley speech suppression, you might be interested in seeing the proposal I came up with then, now elaborated in a Washington Post op-ed. Meanwhile, Dave reports that Parler may be back from the dead but dependent on Russian infrastructure. Dave wants to know if that means Parler can be treated by the Biden team like TikTok was treated by the Trump administration.

Dave also brings us up to speed on the latest SolarWinds news. He also casts a skeptical eye on a recent New York Times article pointing fingers at JetBrains as a possible avenue of attack. The story was anonymously sourced and remains conspicuously unconfirmed by other reporting.

Not dead yet, the Trump administration has delivered regulations for administering the executive order allowing the exclusion of risky components from the national IT and communications infrastructure. Maury Shenk explains the basics.

Speaking of which, China is getting ready to strike back at such measures, borrowing the basic blocking statute rubric invented by the Europeans. Blocking statutes can be effective, but only by putting private companies in a vise between two inconsistent legal duties. Bad news for the companies, but more work for lawyers.

I ride one more hobbyhorse, critiquing Mozilla’s decision to protect “user privacy” while imposing new burdens and risks on enterprise security. The object of my ire is Firefox’s Encrypted Client Hello. Dave corrects my tech but more or less confirms that this is one more nail in the coffin for the chief information security officer’s control of corporate networks.

Matthew Heiman and I dig into the latest ransomware gang tactics—going after top executive emails to raise the pressure to pay. The answer? I argue for more fake emails.

In a few quick hits, Maury tells us about the CNIL’s decision that privacy law prevents France from using drones to enforce its coronavirus rules.

I note a new Federal Deposit Insurance Corporation cybersecurity rule that isn’t (yay!) grounded in personal data protection.

Maury explains the recent EU advocate general’s opinion, which would probably make Schrems II even less negotiable than it is now if it’s adopted by the European Court of Justice, which I argue it will be unless the court can find some resolution that is even more anti-American than the advocate general’s proposal.

And, finally, Matthew tells us that the State Department has reorganized to deal with cyber issues—a reorganization that may not last longer than a few months.

And more!

Download the 345th Episode (mp3)



Direct download: TheCyberlawPodcast-345.mp3
Category:general -- posted at: 3:10pm EDT

In this episode, I interview Zach Dorfman about his excellent reports in Foreign Policy about U.S.-Chinese intelligence competition in the last decade. Zach is a well-regarded national security journalist, a senior staff writer at the Aspen Institute’s Cyber and Technology program and a senior fellow at the Carnegie Council for Ethics in International Affairs. We dive deep into his tale of how the CIA achieved remarkable penetration of the Chinese government and then lost it, inspiring China to build a far more professional and formidable global intelligence network.

In the news roundup, we touch on the disgraceful riot at the Capitol this week, and I criticize Silicon Valley’s rush to score points against the right in a way it never did with the BLM demonstrations last summer. Nate Jones disagrees with my take, but we manage to successfully predict Parler’s shift from platform to (antitrust) plaintiff and to bond over my proposal to impose heavy taxes on social media with more than ten million users. Really, why spend three years in court trying to break ’em up when you can get them to do it themselves and raise money to boot?

SolarWinds keep blowing. Sultan Meghji and Zach Dorfman give us the latest on the attribution to Russia, the fine difference between attack and espionage, and the likelihood of direct or indirect regulation.

Pete Jeydel and Sultan cover the latest round of penalties imposed by the rapidly dwindling Trump administration on Chinese companies.

Nate dehypes the UK High Court decision supposedly ruling mass hacking illegal. He previews some Biden appointments, and we talk about the surprising rise of career talent and why that might be happening. Nate also critiques former Director of National Intelligence Ric Grenell after accusations of politicization of intelligence. I’m kinder. But not when I condemn Distributed Denial of Services for joining forces with ransomware gangs to punish victims; it’s hard to believe that anyone could make Julian Assange and Wikileaks look responsible, but they do. Speaking of Julian, he’s won another Pyrrhic victory in court – likely extending his imprisonment with another temporizing win.

And more!

Download the 344th Episode (mp3)



Direct download: TheCyberlawPodcast-344.mp3
Category:general -- posted at: 4:10pm EDT

Episode 343 of the Cyberlaw Podcast is a long meditation on the ways in which technology is encouraging other nations to exercise soft power inside the United States. I interview Nina Jankowicz, author of How to Lose the Information War, on how Russian disinformation has affected Poland, Ukraine and the rest of Eastern Europe—and the lessons, if any, those countries can offer a divided United States.

In the news, Bruce Schneier and I dig for more lessons in the rubble left behind by the SolarWinds hack. Nobody comes out looking good. Persistent engagement and defending forward only works if you’re actually, you know, engaged and defending, and Russia’s cyberspies managed (not surprisingly) to have hidden their achievement from the National Security Agency (NSA) and Cyber Command.

More and better defense is another answer (not that it’s worked for the last 40 years it’s been tried). But whatever solution we pursue, Bruce makes clear, it’s going to be expensive.

Taking a quick break from geopolitics, Michael Weiner gives us a rundown on the new charges and details (mostly redacted) in the Texas case against Google for monopolization and conspiring with competitor Facebook. The scariest thing about the case from Google’s point of view, though, may be where it’s been filed. Not Washington but Beaumont, Texas, the most notoriously pro-plaintiff, anti-corporate jurisdiction in the country.

Returning to ways in which foreign governments are using our technology against us, David Kris tells the story of the Zoom executive who used pretextual violations of terms of service to take down speech the Chinese government didn’t like, censoring American efforts to hold a Tiananmen memorial. The good news: He was indicted by the Justice Department. The bad news: I can’t help suspecting that China learned this trick from lefty ideologues in Silicon Valley.

Aaand, right on cue, it turns out that China’s been accused of using its 50-cent army to file complaints of racism and video game violence to get YouTube to demonetize Americans using the platform to criticize China’s government.

Then Bruce points us toward a deep and troubling series of Zach Dorfman articles about how effectively China is using technology to vault over US intelligence agencies in the global spying competition.

And in quick succession, David Kris explains what’s new and what’s not in Israel’s view of international law and cyberconflict.

I note that President Trump’s NDAA veto has been overridden, making the cyberczar and DHS’s CISA the biggest winners in the cyber policy arena.

Bruce and I give a lick and a promise to the FinCen proposed rule regulating cryptocurrency. We’re both inclined to think more reregulation is worth pursuing, but we agree it’s too late for this administration to get anything on the books.

David Kris notes that Twitter has been fined around $550,000 over a data breach filing that was a few days late – by the Irish data protection office, in a GDPR ruling that is a few years late.

Apple has lost its bullying copyright battle against security start-up Corellium but the real risk to Corellium may be in the as-yet unresolved claim for violation of the DMCA.

And Trump’s DHS is leaving office with new warnings about the cyber risks of Chinese technology, this time touching on backdoors in TCL smart TVs and spillage from Chinese data services.

And more.

Download Episode 343 (mp3)



Direct download: TheCyberlawPodcast-343.mp3
Category:general -- posted at: 12:12pm EDT
