Skating on Stilts

It's a story that has everything, except a reporter ready to tell it. A hostile state attacking the US power grid is a longstanding and quite plausible national security concern. The Trump administration was galvanized by the threat, even seizing Chinese power equipment when it arrived in the US to do a detailed breakdown of the gear and then issuing an executive order and follow-up rulings designed to cut Chinese products out of the US grid supply chain.

Yet now the Biden administration has suspended this order for 90 days – the only Trump cybersecurity order to be called into question so far. Industry lobbying? Chinese maneuvering? Tech uncertainty?  No one knows, but Brian Egan and I sketch the outlines of an irresistible story that will surely reward a persistent journalist.

The SolarWinds story, meanwhile, needs a new moniker, as the compromises spread beyond SolarWinds distributions, reaching victims like Malwarebytes. Increasingly, it looks as though Microsoft and its cloud are the common denominators, Sultan Meghji and I observe, but that's one moniker the story will never acquire.

In other cyber TTP news, the Chinese are stealing airline passenger reservation data, Sultan notes. Maybe they're just trying to find out when Mike Pompeo next plans to come to China so they can meet him at the airport and enforce their latest sanctions – no Great Wall tours for you, Mr. Secretary!

This is our last week of Trumpian cyber news, so we wallow in it. President Trump also issued a last-minute order calling for an assessment of the security risks of Chinese drones, Maury Shenk tells us. And Brian unpacks the other last-minute Trump administration order requiring U.S. U.S. cloud providers to know which foreigners they are selling virtual machines to.

I claim victory in my short letter to Secretary Mnuchin, suggesting that, instead of jamming a cryptocurrency regulation through on his watch, he concentrate on convincing Secretary-designate Yellen to carry the project through.  If he took my advice, it seems to have worked. Sultan reports that she is showing signs of wanting to "curtail" cryptocurrency. In other news, Sultan boldly predicts the advent of interplanetary cryptocurrency in Elon Musk's lifetime.

Brian and I unpack the latest Cyberspace Solarium Commission product -- its persuasive Transition Book for the Biden administration. I predict that the statutorily mandated cybersecurity director it recommends will have to be subordinated to the Deputy National Security Adviser for cybersecurity if the office is to be accepted in the White House.

And in quick hits: Maury covers the surprisingly robust European enforcement of employee protections against video surveillance. I explain Parler's loss in trying to overturn the AWS ban that pushed it off the internet. Sultan explains why the Biden Peloton is a cybersecurity risk, and I tip my hat to the President's physical fitness. I summarize the Mike Ellis story; he held the job NSA's general counsel for about a day before a political witch-hunt caught up with him, and he may never serve another day.  

And, finally, a little schadenfreude for the European Parliament, which is being investigated by the EU's lead data regulator for poor cookie notices on a website it set up for MEPs to book coronavirus tests. The complainant? Max Schrems, who is now well on his way to becoming as unpopular with European politicos as he is in the U.S.

And more!

Download the 346th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to [email protected]. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

In this episode, I interview Jane Bambauer on the failure of COVID-tracking phone apps. She and Brian Ray are the authors of "COVID-19 Apps Are Terrible—They Didn't Have to Be," a paper for Lawfare's Digital Social Contract project. It turns out that, despite high hopes, the failure of these apps was overdetermined, mainly by twenty years of privacy scandalmongering and regulation. In essence, Google and Apple set far too strict rules for the apps in an effort to avoid privacy-based political attacks, and the governments that could have reined them in surrendered instead, also in order to avoid privacy-based political attacks. So, we have no one to blame but ourselves, and our delusional valuation of privacy over life itself. Sometimes, privacy really does kill.

In the news roundup, we discover that face recognition suddenly isn't toxic at all, since it can be used to identify pro-Trump protestors.  Dave Aitel explains why face recognition might work even with a mask but still not be very good.  And Jane Bambauer reprises her recent amicus argument that Illinois's biometric privacy law is a violation of the first amendment.

If you heard the part of episode 344 last week about Silicon Valley speech suppression, you might be interested in seeing a further elaboration of proposal I came up with then, now  a Washington Post Op-Ed. Meanwhile, Dave reports that Parler may be back from the dead but dependent on Russian infrastructure. Dave wants to know if that means Parler can be treated by the Biden team like TikTok was treated by the Trump administration.

Dave also brings us up to speed on the latest SolarWinds news. He also casts a skeptical eye on a recent New York Times article pointing fingers at JetBrains as a possible avenue of attack. The story was anonymously sourced and remains conspicuously unconfirmed by other reporting.

Not dead yet, the Trump administration has delivered regulations for the exclusion of risky components from the national IT and communications infrastructure. Maury Shenk explains the basics.

Speaking of which, China is getting ready to strike back at such measures, borrowing the basic blocking statute rubric invented  by the Europeans. Blocking statutes can be effective, but only by putting private companies in a vise between two inconsistent legal duties. Bad news for the companies, more work for lawyers.

I ride one more hobbyhorse, critiquing Mozilla's decision to protect "user privacy" while imposing new burdens and risks on enterprise security. The object of my ire is Firefox's Encrypted Client Hello. Dave corrects my tech but more or less confirms that this is one more nail in the coffin for CISO control of corporate networks.

Matthew Heiman and I dig into the latest ransomware gang tactics -- going after top executive emails to raise the pressure to pay. The answer? I argue for more fake emails

In our concluding quick hits, Maury tells us about the CNIL's decision that privacy law prevents France from using drones to enforce its coronavirus rules. I note a new FDIC cybersecurity rule that isn't (yay!) grounded in personal data protection. Maury explains the recently EU advocate general's opinion, which would probably make Schrems II even less negotiable than it is now.  If it's adopted by the European Court of Justice, which I argue it will be unless the Court can find some resolution that is even more anti-American than the advocate general's proposal. And, finally, Matthew tells us that the State Department has reorganized to deal with cyber issues – a reorganization that may not last longer than a few months.

Download the 345th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to [email protected]. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

The Washington Post has published my op-ed on social media speech suppression and what to do about it.  I consider and deprecate the use of section 230 and the antitrust laws, which leads me to using the tax code to induce gatekeeper platforms to break themselves up:

What if the federal government imposed a 40 percent tax on the gross revenue of gatekeeper social media companies that have more than, say, 30 million active users in the United States? Instead of fighting antitrust authorities in the trenches for years, companies faced with such a harsh tax rate would rush to break themselves up. (And if they didn’t, well, the treasury could certainly use the revenue after the bailouts of 2008-09 and 2020-21.) Efforts to avoid the tax would surely spur a proliferation of mainstream social media companies, each serving a broad audience. Some might adopt an editorial stance that leans to the left and others to the right, just as broadcast and other news media already do. But their ability to enforce ideological conformity or pursue a unified business interest would be shattered.

https://www.washingtonpost.com/opinions/2021/01/19/rein-in-big-tech-taxes/ 

In this episode, I interview Zach Dorfman about his excellent reports in Foreign Policy about US-China intelligence competition in the last decade. Zach is a well-regarded national security journalist, a Senior Staff Writer at the Aspen Institute's Cyber and Technology program, and a Senior Fellow at the Carnegie Council for Ethics in International Affairs. We dive deep into his tale of how the CIA achieved remarkable penetration of the Chinese government and then lost it, inspiring China to mirror-image the Agency's techniques and build a far more professional and formidable global intelligence network.

In the news roundup, we touch on the disgraceful demonstration-cum-riot at the Capitol this week and the equally disgraceful Silicon Valley rush to score points on the right in a way they never did with the BLM demonstrations-cum-riots last summer. Nate Jones has a different take, but we manage to successfully predict Parler's shift from platform to (antitrust) plaintiff and to bond over my proposal to impose heavy taxes on social media platforms with more than ten million users. Really, why spend three years in court trying to break 'em up when you can get them to do it themselves and raise money to boot?

SolarWinds keep blowing. Sultan Meghji and Zach Dorfman give us the latest on the attribution to Russia, the fine difference between attack and espionage, and the likelihood of new direct or indirect cybersecurity regulation.

Pete Jeydel and Sultan cover the latest round of penalties imposed by the rapidly dwindling Trump administration on Chinese companies.

Nate dehypes the UK High Court decision supposedly ruling mass hacking illegal. He previews some Biden appointments, and we talk about the surprising rise of career talent in the new administration and why that might be happening. Nate also critiques DNI Grenell after accusations of politicization of intelligence. I'm kinder. But not when I condemn Distributed Denial of Services for joining forces with ransomware gangs to punish victims;  it's hard to believe that anyone could make Julian Assange and Wikileaks look responsible, but DDOS does. Speaking of Julian, he's won another Pyrrhic victory in court – likely extending his imprisonment with another temporizing win.

Download the 344th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to [email protected]. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Episode 343 of the Cyberlaw Podcast is a long meditation on the ways in which technology is encouraging other nations to exercise soft power inside the United States. I interview Nina Jankowicz,, author of How to Lose the Information War on how Russian disinformation has affected Poland, Ukraine, and the rest of Eastern Europe – and the lessons, if any, those countries can offer a divided United States.

In the news, Bruce Schneier and I dig for more lessons in the rubble left behind by the SolarWinds hack. Nobody comes out looking good. Persistent engagement and defending forward only work if you’re actually, you know, engaged and defending, and Russia’s cyberspies managed (not surprisingly) to hide their campaign from NSA and Cyber Command. More and better defense is another answer (not that it worked during the last 40 years it’s been tried). But whatever solution we pursue, Bruce makes clear, it’s going to be expensive.

Taking a quick break from geopolitics, Michael Weiner gives us a rundown on the new charges and details (mostly redacted) in the Texas case against Google for monopolization and conspiring with competitor Facebook. The scariest thing about the case from Google’s point of view, though, may be where it’s been filed. Not Washington but the Eastern District of Texas, the most notoriously pro-plaintiff, anti-corporate jurisdiction in the country.

Returning to ways in which foreign governments are using our technology against us, David Kris tells the story of the Zoom executive who used pretextual violations of terms of service to take down speech the Chinese government didn’t like, censoring American efforts to hold a Tiananmen memorial. The good news: he was charged criminally by the Justice Department. The bad news: I can’t help suspecting that China learned this trick from the ideologues of Silicon Valley.

Aaand, right on cue, it turns out that China’s been accused of using its 50-cent army to file complaints of racism and video game violence against Americans using the platform to criticize China’s government, a tactic the target claims is getting YouTube to demonetize his videos.

Next, Bruce points us toward a deep and troubling series of Zach Dorfman articles about how effectively China is using technology to vault over US intelligence agencies in the global spying competition.

Finally, in quick succession:

• David Kris explains what’s new and what’s not in Israel’s view of international law and cyberconflict.
• I note that President Trump’s NDAA veto has been overridden, making the cyberczar and DHS’s CISA the biggest winners in the cyber policy arena.
• Bruce and I give a lick and a promise to the FinCen proposed rule regulating cryptocurrency. We’re both inclined to think more reregulation is worth pursuing, but we agree it’s too late for this administration to get anything on the books.
• David Kris notes that Twitter has been fined around $550 thousand over a data breach filing that was a few days late – a fine imposed by the Irish data protection office in a GDPR ruling that is a few years late.
• Apple has lost its bullying copyright battle against security start-up Corellium but the real risk to Corellium may be in the as-yet unresolved claim for violation of the DMCA.
• And the outgoing leadership of DHS is issuing new warnings about the cyber risks of using Chinese technology, this time touching on backdoors in TCL smart TVs and the risk of compromise from Chinese data services

Download the latest episode here.

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to [email protected]. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.