The Cyberlaw Podcast

As Congress barrels toward an election that could see at least one house change hands, efforts to squeeze big bills into law are mounting. The one with the best chance (and better than I expected) would drop $52 billion in cash and a boatload of tax breaks on the semiconductor industry. Michael Ellis points out that this is industrial policy without apology, and a throwback to the 1980s, when the government organized SEMATECH, a name derived from “Semiconductor Manufacturing Technology” to shore up U.S. chipmaking. Thanks to a bipartisan consensus on the need to fight a Chinese challenge, and a trimming of provisions that tried to hitch a ride on the bill, there now looks to be a clear path to enactment for this bill. 

And if there were doubt about how serious the Chinese challenge in chips will be, an under-covered story revealed that China’s chipmaking champion, SMIC, has been making 7-nanometer chips for months without an announcement. That’s a process node that Intel and GlobalFoundries, the main U.S. producers, have yet to reach in commercial production.

The national security implications are plain. If commercial products from China are cheap enough to sweep the market, even security-minded agencies will be forced to buy them, as it turns out the FBI and Department of Homeland Security have both been doing with Chinese drones. Nick Weaver points to his Lawfare piece showing just how cheaply the United States (and Ukraine) could be making drones.

Responding to the growing political concern about Chinese products, TikTok’s owner, ByteDance, has increased its U.S. lobbying spending to more than $8 million a year, Christina Ayiotis tells us—about what Google spends on lobbying.

In the same vein, Nick and Michael question why the government hasn’t come up with the extra $3 billion to fund “rip and replace” for Chinese telecom gear. That effort will certainly get a boost from reports that Chinese telecom sales were offered on especially favorable terms to carriers who service America’s nuclear missile locations. I offer an answer: The Obama administration actually paid these same rural carriers to install Chinese equipment as part of the 2009 stimulus law. I cannot help thinking that the rural carriers ought to bear some of the cost of their imprudent investments and not ask U.S. taxpayers to pay them both for installing and ripping out the same gear.

In news not tied to China, Nick tells us about the House Energy and Commerce Committee’s serious progress on a compromise federal data privacy bill. It is still a doomed bill, given resistance from Dems and GOP in the Senate. I argue that that’s a good thing, given the effort to impose “disparate impact” quotas for race, color, religion, national origin, sex, and disability on every algorithm that processes even a little personal data. This is a transformative social engineering project that just one section (208) of the “privacy” bill will impose without any serious debate.

Christina grades Russian information warfare based on its latest exploit: hacking a Ukrainian radio broadcaster to spread fake news about Ukrainian President Volodymyr Zelenskyy’s health. As a hack, it gets a passing grade, but as a believable bit of information warfare, it is a bust.

Tina, Michael and I evaluate YouTube’s new policy on removing “misinformation” related to abortion, and the risk that this policy, like so many Silicon Valley speech suppression schemes, will start out sounding plausible and end in political correctness.

Nick and I celebrate the Department of Justice's increasing success in sometimes seizing cryptocurrency from hackers and ransomware gangs. It may just be Darwin at work, but it’s nice to see.

Nick offers the recommended long read of the week—Brian Krebs’s takedown of the VPN malware supplier, 911.

And in updates and quick hits: 

* An obscure Rhode Island tribute to the Industrial Trust Building that was known to a generation of children as the “Dusty Old Trust” building until a new generation christened it the “Superman Building.”

Direct download: TheCyberlawPodcast-418.mp3
Category:general -- posted at: 12:16pm EDT

Kicking off a packed episode, the Cyberlaw Podcast calls on Megan Stifel to cover the first Cyber Safety Review Board (CSRB) Report. The CSRB does exactly what those of us who supported the idea hoped it would do—provide an authoritative view of how the Log4J incident unfolded along with some practical advice for cybersecurity executives and government officials.

Jamil Jaffer tees up the second blockbuster report of the week, a Council on Foreign Relations study called “Confronting Reality in Cyberspace: Foreign Policy for a Fragmented Internet.” I think the study’s best contribution is its demolition of the industry-led claim that we must have a single global internet. That has not been true for a decade, and pursuing that vision means that the U.S. is not defending its own interests in cyberspace. I call out the report for the utterly wrong claim that the United States can resolve its transatlantic dispute with Europe by adopting a European-style privacy law. Europe’s beef with us on privacy regulation of private industry is over (we surrendered); now the fight is over Europe’s demand that we rewrite our intelligence and counterterrorism laws. Jamil Jaffer and I debate both propositions.

Megan discloses the top cybersecurity provisions added to the House defense authorization bill—notably the five-year term for the head of the Cybersecurity and Infrastructure Security Agency (CISA) and a cybersecurity regulatory regime for systemically critical industry. The Senate hasn’t weighed in yet, but both provisions now look more likely than not to become law.

Regulatory cybersecurity measures look like the flavor of the month. The Biden White House is developing a cybersecurity strategy that is expected to encourage more regulation. Jamil reports on the development but is clearly hoping that the prediction of more regulation does not come true.

Speaking of cybersecurity regulation, Megan kicks off a discussion of the Department of Homeland Security’s CISA weighing in to encourage new regulation from the Federal Communications Commission (FCC) to incentivize a shoring up of the Border Gateway Protocol’s security. Jamil thinks the FCC will do better looking for incentives than punishments.

Tatyana Bolton and I try to unpack a recent smart contract hack and the confused debate about whether “Code is Law” in web3. Answer: it is not, and never was, but that does not turn the hacking of a smart contract into a violation of the Computer Fraud and Abuse Act.

Megan covers North Korea’s tactic for earning dollars while trying to infiltrate U.S. crypto firms—getting remote work employment at the firms as coders. I wonder why LinkedIn is not doing more to stop scammers like this, given the company’s much richer trove of data about job applicants using the site.

Not to be outdone, ransomware gangs are now adding to the threat of doxing their victims by making it easier to search their stolen data. Jamil and I debate the best way to counter the tactic.

Tatyana reports on Sen. Mark Warner’s effort to strongarm the intelligence community into supporting Sen. Amy Klobuchar’s antitrust law aimed at the biggest tech platforms—despite its inadequate protections for national security.

Jamil discounts as old news the Uber leak. We didn’t learn much from the coverage that we didn’t already know about Uber’s highhanded approach in the teens to taxi monopolies and government.

Jamil and I endorse the efforts of a Utah startup devoted to following China’s IP theft using China’s surprisingly open information. Why Utah, you ask? We’ve got the answer.

In quick hits and updates: 

And, finally, we all get to enjoy the story of the bored Chinese housewife who created a complete universe of fake Russian history on China’s Wikipedia. She’s promised to stop, but I suspect she’s just been hired to work for the world’s most active producer of fake history—China’s Ministry of State Security.

Direct download: TheCyberlawPodcast-417.mp3
Category:general -- posted at: 11:20am EDT

Dave Aitel introduces a deliciously shocking story about lawyers as victims and—maybe—co-conspirators in the hacking of adversaries’ counsel to win legal disputes. The trick, it turns out, is figuring out how to benefit from hacked documents without actually dirtying one’s hands with the hacking. And here too, a Shakespearean Henry (II this time) has the answer: hire a private investigator and ask “Will no one rid me of this meddlesome litigant?” Before you know it, there’s a doxing site full of useful evidence on the internet.

But first Dave digs into an intriguing but flawed story of how and why the White House ended up bigfooting a possible acquisition of NSO by L3Harris. Dave spots what looks like a simple error, and we are both convinced that the New York Times got only half the story. I suspect the White House was surprised by the leak, popped off about how bad an idea the deal was, and then was surprised to discover that the intelligence community had signaled interest. 

That leads us to the reason why NSO has continuing value – its ability to break Apple’s phone security. Apple is now trying to reinforce its security with the new, more secure and less convenient lockdown mode. Dave gives it high marks and challenges Google to match Apple’s move.

Next, we dive into the U.S. effort to keep Dutch firm ASML from selling chip-making machines to China. Dmitri Alperovitch makes a special appearance to urge more effective use of export controls; he and Dave both caution, however, that the U.S. must impose the same burdens on its own firms as on its allies’.

Jane Bambauer introduces the latest government proposal to take a bite out of crime by taking a bite out of end-to-end encryption (“e2e”). The U.K. has introduced an amendment to its pending online safety bill that would require regulated user-to-user services to identify and swiftly take down terrorism and child sex abuse material. The identifying isn’t easy in an e2e environment, Jane notes, so this bill could force adoption of the now-abandoned Apple proposal to do local scanning on your phone. I’m usually a cheap date for crypto-skeptical laws, but I can’t help noticing that this proposal will stir up 90 percent as much opposition as requiring companies to be able to intercept communications when they get a court order while it probably addresses only 10 percent of the crimes that occur on e2e networks.

Jane and I take turns pouring cold water on journalists, NGOs, and even Congress for their feverish effort to turn the Supreme Court’s abortion ruling into a reason to talk about privacy. Dumbest of all, in my view, is the claim that location services will be used to gather evidence and prosecute women who visit out of state abortion clinics. As I point out, such prosecutions won’t even muster five votes on this Court.

Dave spots another doubtful story about Russian government misuse of a red team hacking tool. He thinks it’s a case of a red team hacking tool being used by … a red team. 

Jane notes that the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has announced a surprisingly anodyne (and arguably unnecessary) post-quantum cryptography initiative. I’m a little less hard on DHS, but only a little.

Finally, in updates and quick hits:

And, finally, some modest good news on Silicon Valley’s campaign to suppress politically “incorrect” speech. Twitter suspended former NYT reporter Alex Berenson for saying several true but inconvenient things about the coronavirus vaccine (it doesn’t stop infection or transmission, and it has side effects, all of which raises real doubts about the wisdom of mandating vaccinations). Berenson sued and Twitter has now settled, unsuspending his account. The lawsuit had narrowed down to the point where Twitter probably felt it could settle without creating a precedent, but any chink in Big Social’s armor is worth celebrating.

Direct download: TheCyberlawPodcast-416.mp3
Category:general -- posted at: 10:52am EDT

Direct download: TheCyberlawPodcast-415.mp3
Category:general -- posted at: 12:10pm EDT
