Skating on Stilts

I know. The title could be talking about pretty much any national strategy written in the last 15 years. And that’s the point. In the interview, Dr. Amy Zegart and I discuss the national cyber strategy and what’s wrong with it, besides all the bloviating. We also explore the culture clash between DOD and Silicon Valley (especially Google), and whether the right response to the Mueller report would be to conduct a thorough investigation into how the Intelligence Community and Justice handled the collusion allegations at the start of the Trump Administration. As a bonus, Amy answers this burning question: “If a banana republic is a country where losing an election means getting criminally investigated, what do you call a country where winning an election means getting criminally investigated?”

In the news roundup, we talk about the New Zealand massacre and whether six months from now it will feel as though we overreacted to distribution of the video of the attack. Along the way, we  are amazed to discover that New Zealand actually still has a “Chief Censor.”

If you thought the Boeing 737MAX approval cast the FAA in a bad light, there’s some good news for that embattled agency: The FDA is even worse at dealing with software risks. Matthew Heiman and I talk about the agency’s unimpressive handling of a flaw that would let hackers control defibrillators implanted in patients.

Conservatives v. Silicon Valley. Apparently looking for Odd Couple of the Month coverage, Sen. Josh Hawley is sounding all Sen. Elizabeth Warren-y about Facebook and Silicon Valley. And Devin Nunes is renewing claims of social media bias against conservatives. Indeed, he’s putting his lawyers where his mouth is, suing Twitter and his fake Twitter Mom for defamation. It’s an uphill battle, but I would really love to read the internal Twitter emails about Nunes if his case gets to discovery.  That's his best chance to show actual malice.

Matthew tells us that the latest European fine of $1.7 billion means that Google has been hit with $7.6 billion in EU fines since 2017 – mostly for “in the eye of the beholder” abuses of a dominant position.

Jennifer Quinn-Barabanov makes a guest appearance to read the tea leaves in the SCOTUS remand of a cy pres case without decision. Bottom line: The Court is likely to cut back on cy pres settlements, which may be good policy, but which also means trouble for defendants as well as the plaintiffs’ bar.

Matthew and I talk about the most fun caper involving North Korea in the last fifty years (since most of the other capers seemed to end in people dying). This time, the good guys got away after physically pwning the entire North Korean embassy in Spain. Spanish papers claim it was the CIA, but that’s what Spanish papers would say, isn't it? This time, though, I’d like to think it’s true.

Maury Shenk explains why US chip makers don’t actually want massive new guaranteed orders as part of a China trade deal.

And Matthew tells us how Egypt is taking advantage of the cover provided by Australia and New Zealand to tighten control of websites and social media accounts that pose a “threat to national security.”

Download the 256th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to [email protected]. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

In our interview, Elsa Kania and Sam Bendett explain what China and Russia have learned from the American way of warfighting – and from Russia’s success in Syria. The short answer: everything. But instead of leaving us smug, I argue it ought to leave us worried about complacency followed by unpleasant military surprises. Elsa and Sam both try to predict where the surprises might come from. Yogi Berra makes an appearance.

In the News Roundup, David Kris explains the Fourth Circuit’s decision to turn a hostile spouse-swap dispute into an invitation to screw up the law of stored electronic communications for a generation.

And in other litigation, a Trump-appointed judge dismisses a lawsuit charging Silicon Valley with unlawfully censoring the right. Nate Jones and I agree that, while the decision is broadly consistent with law, it may spell trouble for Silicon Valley in the long run. That’s because it depends on an idiosyncratic DC Court of Appeals interpretation of the District’s public accommodation law. I speculate that Alabama or Texas or Mississippi could easily draft a law prohibiting discrimination on the basis of viewpoint in public accommodations like,say,  Internet platforms.

Nick Weaver and I note the UN report that North Korea has stolen $571 million, much of it in cryptocurrency. I ask whether the US Treasury could seize those ill-gotten bits. Maybe, says Nick, but it would really bollix up the world of cryptocurrency (not that he minds).

I explain that DHS will be rolling out facial scanning technology to a boatload of US airports – and why there’s no hidden privacy scandal in the initiative.

And this story kind of makes you wonder about their banks and their chocolate: Nick gloats as Switzerland’s proposed Internet voting system follows his predicted path from questionable undertaking to deep, smoking crater.

Elsa Kania and I offer praise for the Navy Secretary’s willingness to accept scathing criticism of the Navy’s cybersecurity.

And Nick and I close with an effort to draw lessons from the disastrous software and human factor interactions at the heart of the Boeing 737 MAX crashes.

Download the 255th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to [email protected]. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

You've begged for it in the comments, so here it is.  With Stewart Baker off the grid at the bottom of the Grand Canyon, literally, David Kris, Maury Shenk, and Brian Egan take merciless advantage to extol the virtues of data privacy and the European Union.

Maury interviews James Griffiths, a journalist based in Hong Kong and the author of the new book, The Great Firewall of China: How to Build and Control an Alternative Version of the Internet.

In the news, David and Brian discuss last week’s revelation that the NSA is considering whether it will continue to seek renewal of the of the Section 215 “call detail record” program authority when it expires in December. We plug last week’s Lawfare podcast in which the national security advisor to House Minority Leader McCarthy made news when he reported that the NSA hasn’t been using this program for several months. David waxes poetic on the little-known and little-used “lone wolf” authority, which is also up for renewal this year.

We explore the long lineup of politicians and government officials who are coming up with new proposals to “get tough” on large technology companies. Leading the charge is Senator Warren, who promises to roll out a plan to break up “platform utilities” – basically, large Internet companies that run their own marketplaces – if she is elected president. Not to be outdone, the current chair of the Federal Trade Commission has urged that Congress provide new authorities for the FTC to impose civil enforcement penalties on tech (and presumably other) companies that violate their data privacy commitments. And last – but never least – the French finance minister announced that he will propose a 3% tax on the revenue of the 30 largest Internet businesses in France, most of which are US companies.

David discusses how one technology company is using a more familiar tool – litigation – to fight back against Chinese companies for creating and then selling fake Facebook and Instagram accounts.

In the “motherhood and apple pie” category, Maury explains French President Macron’s call for the creation of a “European Agency for the Protection of Democracies” to protect elections against cyberattacks. And Brian covers a recently re-introduced bill, the Cyber Deterrence and Response Act, which would impose sanctions on “all entities and persons responsible or complicit in malicious cyber activities aimed against the United States.”

If you are in London this week, you can see James Griffiths during his book tour. On March 13, he will be at the Frontline Club, and on March 14, he will be at Chatham House. You can also see him later this month at the Hong Kong Foreign Correspondents Club.

Download the 254th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to [email protected]. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

The second half of my interview with Cyber Insecurity News has been posted, here.  It deals with a lot of stuff from my career, including DHS, European privacy negotiations, Snowden, and cybersecurity.  (The first half is here.)  Here's an excerpt that captures some of my thinking on cybersecurity:

CIN: Is the government providing enough intelligence information—threats they’re aware of—to companies? I know that’s sometimes a complaint that companies have.

SB: Yeah, I do hear that. And I take that with a grain of salt. One thing I’ve learned from watching the intelligence community for 25 years is that intelligence in the abstract is almost never useful. For the intelligence to get good, you have to have a customer who understands the intelligence and how it’s being collected, and can tell the intelligence officers exactly what he wants and what’s wrong with the intelligence that has been collected. You don’t get good intelligence if you just try to go out and steal the best secrets you can. Because you usually don’t know what secrets really matter. You need a very sophisticated consumer who can say, “OK, I see what you’ve brought me. There are some interesting things here. But it isn’t exactly what I need. Go look for X.” The spies on their own would never think to look for X. They’re just not as deep into the technology or the situation as the consumer. So for an exchange of intelligence to be really useful, you have to make the companies your customer. I don’t think that’s likely to happen. Part of the private sector’s unhappiness with what they’re being given is their assumption that since what they got wasn’t that useful, they must not have gotten the good stuff. That’s not how intelligence works, in my experience. There isn’t “good stuff” just hiding out there. The good stuff—you have to dig it out as a customer. That isn’t likely ever to be something that the intelligence community does for individual companies.

 

CIN: What can companies be doing better?

SB: I think companies need to ask themselves—and they’re starting to do this—not so much what’s on my checklist of technologies to deploy, but who wants my stuff? And what tactics and tools are they using this week to get it? Those are things that are knowable. Those are things that you can get from intelligence. You can get it from the private sector forensics people as well. So knowing that there’s a North Korean or Chinese campaign to get information on, let’s say, windpower means that, if you’re a windpower company, you suddenly have a whole new set of adversaries, and you’re going to have to spend a whole hell of a lot more money on cybersecurity or lose your technology.  You constantly have to do a cost-benefit analysis there. But the key is knowing who’s breaking into your system, and why: Are they motivated by money, are they motivated by the desire to steal your technology? Are they criminals or governments? All of those are things that should be part of your cybersecurity planning.

 

CIN: You just said the magic word: “money.” When I talk to CISOs at companies, if we talk long enough and they feel comfortable enough, they will almost always say something about budgets, and how the management of companies so often underestimates how much is needed. And they routinely underfund cybersecurity budgets. What do you think?

SB: I agree. But I would also like to speak up for management and the board. Their most common complaint is: “My CISO comes in and says, ‘Bogeyman, bogeyman, bogeyman! Give me more money!’ He tells me that the North Koreans could do these things to me. Should I be worried about that or not? I feel as though I’m chasing goal posts that will always recede.” So there is a culture clash there. That’s one of the reasons that I like a model that asks, “Who wants my stuff, and what are they doing to get it?” Once you have that answer, you can also ask the question, “What would it cost to make sure they don’t get it? What do I have to do to defeat every one of the tools and tactics they currently are using?” Then, when I know how much that will cost, I can compare the cost of letting them win to the cost of making sure they don’t.  So I think you can reduce this to a cost-benefit analysis, if you’re disciplined about identifying who’s likely to attack companies like yours, and if you have up-to-date intelligence on how they’re getting into the systems they attack.

 

CIN: If you were the country’s cybersecurity czar, what would be the first things you would do?

SB: I would say, “If you are in a business that the lives of a large number of Americans depend upon—pipelines, refineries, electrical power grids, water, sewage systems—you’re going to have to meet certain cybersecurity standards. We’re going to continue to use regulatory agencies that you are familiar with, if you are regulated already at the federal level, but we’re going to find a way to make you meet these standards. And when we’re done getting you to meet those standards, the people that you do business with are going to have to meet those standards. We can’t afford to have weak links in our security process.” I hate to say that, because I see all the downsides to regulation. It slows everything down. It raises the cost of everything. It locks in a lack of competition. But there’s no obvious alternative, other than saying, “If you’re hacked, we’re going to expropriate your company, because you don’t deserve to be in business.” That would motivate people—sort of like the death penalty for companies. I don’t think we really want to do that. So, better to come up with a constantly shifting set of best practices, and impose them on people who currently don’t care enough to adopt them. They’re not evil people; they just don’t have enough skin in the game to worry about security.

 

CIN: What advice would you like to dispense before we conclude this conversation? Anything special you have to say to general counsel?

SB: Yes. It’s from a theme that we’ve been talking about—the need to think about who your adversary is. And it’s one of the hidden advantages in having your general counsel involved in cybersecurity. Engineers are used to protecting against inanimate nature. They’re really comfortable asking whether gravity is going to bring a bridge down. They’re much less comfortable asking, “What if the Russians wanted to bring it down, and they had all the explosives they needed?” They don’t do adversarial thinking as a routine part of their job description. And neither do the risk managers, who are most comfortable asking questions like, “Is this a risk we can self-insure, or do we have to get insurance for it?” In contrast, if you’re a good general counsel, you wake up every day and you say, “I know there are people—maybe competitors, maybe the plaintiffs bar, maybe governments—people out there who want to do my company harm using legal tools. I need to know who they are. I need to know what tools they will use to attack, and I need an early warning as they develop new ones. When the plaintiffs bar develops new lawsuits, I want to watch that. I hope that they try them out on somebody else first. But if they don’t, my job is to figure out what we will do in response.” In other words, the way of thinking about cybersecurity that I’m advocating is a way of thinking about corporate interests that lawyers are already familiar with. It should give general counsel a little bit of confidence that they have a perspective to bring to cybersecurity that isn’t just, “What will the regulators think if we don’t do this?” They can insist on more deeply adversary-based cybersecurity planning.

 

CIN: Based on your experience as an outside lawyer who advises general counsel, do you think that many GCs have a sense that cybersecurity is a really important part of their jobs, and have a seat at the table at their companies to help tackle it?   

SB: Yes and yes. First, you’d be crazy as a CEO not to give your general counsel a seat at the table, because liability is a significant part of the calculation here. In practically every tabletop exercise we run, people start turning to the general counsel almost routinely. It’s odd how often questions that easily could be answered by somebody else—there’s no necessary connection to the law—end up getting lateraled to the general counsel for one reason or another. I’m a little less confident that general counsel always bring to the task a breadth of strategic thinking that maximizes their value to the company. They will always say, “I can tell you what our regulatory obligations are. I can tell you what our privacy statement says. I can tell you what the liability decisions of the court might be, or what the FTC would say about this.” Those are all things that general counsel should be doing. I feel a little bit like a proselytizer when I say, “No, that isn’t enough; what you need to bring to this, in addition to all that, is the sense that your company is engaged in an eternal battle with institutional opponents, and that your job is to make sure your company is as fully armed for that battle as possible.”

Our interview is with two men who overcame careers as lawyers and journalists to become successful serial entrepreneurs -- and who are now trying to solve the “fake news” problem. Gordon Crovitz and Steve Brill co-founded NewsGuard to rate news sites on nine journalistic criteria. Using, of all things, real people instead of algorithms. By the end of the interview, I’ve confessed myself a reluctant convert to the effort. This despite NewsGuard’s treatment of Instapundit, which Gordon Crovitz and I both read regularly but which has not received a green check.

In the news, Klon Kitchen talks about the latest on cyberconflict with Russia: CYBERCOM’s takedown of the Russian troll farm during 2018 midterms. The Russians are certainly feeling abused. They are using US attacks to justify pursuing their “autonomous Internet,” and they’ve sentenced two Kaspersky Lab experts to long jail terms for treason, likely because of their law enforcement cooperation with the United States.

Gus Hurwitz, Klon, and Nick Weaver muse on the latest evidence that information intermediaries still haven’t found a way to deal with wayward members of their ecosystems. Amazon marketplace sellers will now have the ability to remove what they deem counterfeit listings. Amazon has let the FTC discipline fake paid Amazon reviews. And Facebook is being criticized for the costs of using human beings to enforce Facebook’s content rules. (The failure of Silicon Valley to get a handle on this problem is, of course, the key to NewsGuard’s business model.)

Finally, just to give me an excuse to link to this Dr. Strangelove clip, Gus tells us that not even our prosthetic arms are safe from IoT hacking.

Download the 253rd Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to [email protected]. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

I recently wrote a piece for Lawfare on illegal immigration and the "compromise" appropriations bill that avoided another government shutdown.  Here's the introduction: 

While Congress and cable news chatter emergency powers and President Trump’s wall, there’s a far more important immigration fight under way on the southwest border. At a time when judicial deference to the executive on immigration law has nearly vanished, the country is one court ruling away from a disastrous immigration outcome. It was summarized this way by one Honduran caravan member, who traveled to the border because: “she had heard … that bringing her daughter would guarantee them admission into the United States.”

She got it right—with one caveat. To avoid this outcome, the Trump administration is now telling applicants to wait for their asylum hearings in Mexico instead of the United States. That “remain in Mexico” policy, however, is fiercely contested and could be set aside by the courts tomorrow. If it is, anyone who crosses the border with a son or daughter will be more or less guaranteed admission, plus a work permit for some years, plus a realistic shot at staying in the country illegally for a lifetime.

I worked at the Department of Homeland Security (DHS) under President George W. Bush, and I played a large role in shaping and trying to pass comprehensive immigration reform legislation. I’m not a knee-jerk immigration restrictionist. But you don’t have to be a restrictionist to think that it is bad policy to offer years of legal U.S. residence to anyone who can pass a background check and walk across the southwest border with a child in tow. There are probably a billion people around the globe who’d take that offer tomorrow. Worse, the policy effectively invites busloads of children and parents to cross without notice in some remote spots, swamping Border Patrol stations that were never built for child care. From a national security point of view, these mass border crossings are a major vulnerability; they can be exploited by smugglers who use them as cover to sneak in drugs and dangerous individuals elsewhere along the border while Border Patrol agents are busy handing out diapers and juice boxes.

So a lot depends on the Trump administration’s effort to cut this Gordian knot of laws and court rulings with a “remain in Mexico” policy. A group of non-governmental organizations have already challenged the new approach in court, and they stand more than a decent chance of prevailing. Avoiding an adverse ruling will require creative lawyering and and aggressive international diplomacy on the government’s part. In that effort, the administration may have gotten some unintended help from the drafters of the “compromise” appropriations bill that avoided another government shutdown. That, at least, is the thesis of this article.

Here's the rest: https://www.lawfareblog.com/how-appropriations-bill-can-strengthen-remain-mexico