Skating on Stilts

Our interview this week is with Francis Fukuyama, a fellow and teacher at Stanford and a renowned scholar and public intellectual for at least three decades. He is the coauthor of the Report of the Working Group on Platform Scale, an insightful paper on the power of platforms to suppress and shape public debate. Fukuyama understands the temptation to address those issues through antitrust lens – as well as the reasons why antitrust will fail to counter the threat that platform power poses to our democracy. As a solution, the report proposes forcing the platforms to divest their curatorial authority over what Americans (and the world) reads, creating a host of middleware suppliers who will curate consumers' feeds in whatever way consumers prefer. We explore the many objections to this approach, from first amendment purists to those, mainly on the left, who really like the idea of suppressing their opponents on the right.  But it remains the one policy proposal that could attract bipartisan support from left and right and at the same time actually make a difference.

In the news roundup, Dmitri Alperovich, Nick Weaver, and I have a spirited debate over the wisdom of Google's decision to expose and shut down a western intelligence agency's use of zero day exploits against terrorist targets. I argue that if a vulnerabilities equities process balancing security and intelligence is something we expect from NSA, we should expect the same of Google.

Nate Jones and Dmitri explore the slightly odd policy take on SolarWinds that seems to be coming from NSA and Cyber Command – who are pushing the view that the Russians exploited NSA's domestic blind spot by using US infrastructure for their attack. That suggests that NSA wants to do more spying domestically, although no such proposal has surfaced. Nate, Dmitri, and I are united in thinking that a better solution is a change in US law, though Dmitri thinks a know your customer rule for cloud providers is the best answer, while I think I persuaded Nate that empowering faster and more automatic warrant procedures for the FBI is doable, a solution that we adopted to the burner phone intercept problem in the 90s.

The courts, meanwhile, seem to be looking for ways to bring back a Potter Stewart style of jurisprudence for new technology and the fourth amendment: "I can't define it, but I know it when it creeps me out." The first circuit's lengthy oral argument on how long video surveillance of public spaces can continue without violating the fourth amendment is a classic of the genre. 

Dmitri and Nick weigh in on Facebook's takedown of Chinese hackers who were using Facebook to target Uighurs abroad. Dmitri thinks we can learn policy lessons from the exposure (and likely sanctioning) of the private Chinese companies that carried out the operation.

Dmitri also explains why CISA's head is complaining about the refusal of private companies to tell DHS which US government agencies were compromised in SolarWinds. The companies claimed that their NDAs with, say, Treasury meant that they couldn't tell DHS that Treasury had been pwned. I say that's an all too familiar example of federal turf fights hurting federal cybersecurity.  

In our ongoing feature, This Week in U.S.-China Decoupling, we cover the "Disasta in Alaska," evaluate the latest bipartisan bill to build an international Western technology sphere to compete with China's, note the completely predictable ousting of Chinese telecom companies from the US market, and conclude that the financial sector's effort to defy the gravity of decoupling will be a hard act to maintain.

Always late to embrace a trend, I offer Episode 1 of the Cyberlaw Podcast as a Non-Fungible Token to the first listener who coughs up $150, and Nick explains why it would be cheap at a tenth the price, dashing my hopes of selling NFTs for the next 354 episodes and retiring.

Nick and I have kind words for whoever is doxxing Russian criminal gangs, and I suggest offering the doxxer a financial reward (not just a hat tip in a Brian Krebs column). We have fewer kind words have for the prospect that AI will soon be able to locate, track, and bankrupt problem gamblers.   

I issue a rare correction to an earlier episode, renouncing any suggestion that Israel traded its citizens' health data for first dibs on the Pfizer vaccine. It turns out that what it offered was "deidentified aggregate health data." With proper implementation, that data may actually stay aggregate and deidentified, Nick tells me.

And I offer a hat tip to Peter Machtiger, whose student note in an NYU law journal cites the Cyberlaw Podcast, twice!

And more!

Download the 355th Episode (mp3)  

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to [email protected]. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Our news roundup for this episode is heavy on China and tech policy. And most of the news is bad for tech companies. Jordan Schneider tells us that China is telling certain of its agencies not to purchase Teslas or allow them on the premises, for fear that Elon Musk's famously intrusive record-keeping systems will give U.S. agencies insight into Chinese facilities and personnel. Pete Jeydel says the Biden administration is prepping to make the same determination about Chinese communications and information technology, sending subpoenas to a number of Chinese tech suppliers. Meanwhile, Apple's effort to protect its consumers from apps that collect personal data is coming under pressure from what Jordan sees as a remarkable alliance of normally warring Chinese tech companies, including Baidu, Tencent, and Bytedance. In addition to their commercial heft, all these companies likely have more juice in Beijing than Apple, so look for Tim Cook to climb down from his privacy high horse in China. (And in Russia, where Apple has already agreed to let the Russian government specify the apps that must come preinstalled on iPhones sold in Russia.) Still, you can expect that Apple will continue to bravely refuse to cooperate with the FBI on terrorism and serious crime because that might set a precedent for cooperating with governments like Russia's and China's.

But the episode gets its title from our discovery that President Xi's critique of social media platforms sounds exactly like Sen. Josh Hawley's. It is, in fact, the global bien pensant consensus, which has no dissenters to speak of now that the Chinese go to Davos. Jordan offers insights into why the Chinese government's concerns about Big Tech might have origins in something other than factional strife in Beijing.

David Kris and I dive into the final word from the intelligence community on foreign governments' interference  (via hacking or influence ops) in our 2020 election. The short answer is that the Russians and the Chinese didn't hack our election machinery; in fact they didn't even try. So, chest-beating over our 2020 cyber defenses may be a little like doing a victory lap after the other team forfeits. David and I manage to disagree about a few things, including the Hunter Biden laptop story, which I contend is now the principal example of a disinformation campaign in 2020, with the media and Big Tech combining to throttle the story on spurious suspicions of a Russian hand in its provenance; David disagrees.

Pete Jeydel and Ishan Sharma, our interview guest, weigh in on the latest cyber conflict paper  from the United Nations. We all agree that it could be worse, and that getting the General Assembly to accept it was an achievement at a time of lowered expectations for the UN.

The Cyber Space Solarium Commission is not going away, Pete and I agree, as witness the most recent report card issued to the Biden Administration by a Solarium staffer. In principle, that's a good thing; commissions need to stick around and fight for their recommendations. But I can't help complaining that some of the things the Commission is fighting for – Senate confirmation of a White House cyber director, and cutting DHS out of supply chain governance – are bad ideas.

We close with a recognition of the rafts of material supplied over the years to the podcast by the data protection authorities of Europe. They've mostly been an what Texans call "all hat and no cattle" – better talkers than doers. But now their lack of serious implementation skills is catching up with them, as the companies they have penalized begin to  pursue, and win, judicial appeals. That's a trend likely to continue, and a good thing too.

Our interview is with Ishan Sharma, from the Federation of American Scientists, and author of "A More Responsible Digital Surveillance Future Multi-stakeholder Perspectives and Cohesive State & Local, Federal, and International Actions."

If you like the episodes where I disagree profoundly with my guests, this one's for you. I don't think Ishan gets more than two minutes into the interview before the critiquing begins. Still, he holds his own, defending a vision of surveillance technology that serves democratic ends and is for that reason supported and even subsidized in a global competition with the less democratic alternatives from China. I suspect that he'll lose friends on both the left and the right as he tries to walk this line, but he's clearly put a lot of thought into finding an alternative to technopessimism, and he defends it ably.

And more!

Download the 354th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to [email protected]. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

This week we interview Eliot Higgins, founder and executive director of the online investigative collective Bellingcat and author of We Are Bellingcat.

Bellingcat has produced remarkable investigative scoops on everything from Saddam's use of chemical weapons to exposing the Russian FSB operatives who killed Sergei Skripal with Novichok, and, most impressive, calling a member of the FSB team that tried to kill Navalny and getting him to confess. Eliot talks about the origins of the effort (as a part-time break from his job at a lingerie company), the techniques that make Bellingcat so effective, and the hazards, physical and moral, that surround crowdsourced investigations.

In the news, Dave Aitel gives us the latest on the Chinese Exchange server attacks, and the reckless hack-everyone spree that was apparently triggered by Microsoft's patch of the vulnerability.

Jamil Jaffer introduces us to the vulnerability of the week – dependency confusion, and the startling speed with which it is being exploited.

I ask Nate Jones and the rest of the panel what all this means for government policy.  No one thinks that the Biden administration's published cyberstrategy tells us anything useful. More interesting are two deep dives on cyber strategy from people with a long history in the field. We see Jim Lewis's talk on the topic as a sign of his evolution in the direction of much harsher responses to Russian and Chinese intrusions. Dmitri Alperovich's approach also has a hard edge, although he points out that the utter irresponsibility of the Chinese pwn-em-all tactic  deserves an especially harsh response.  I ask why Cyber Command didn't respond by releasing a worm that would install poorly secured shells on every Exchange server in China.

In other news, I blame poor (or rushed) DOD lawyering for the district court ruling that DOD couldn't list Xiaomi as an entity aligned with the Chinese military. Jamil is more charitable both to DOD and the Judge who made the ruling, but he expects (or maybe just hopes) that the court of appeal will show DOD more deference.

Twitter, on the other hand, is praying that the Northern District of California suffers from full-blown Red State Derangement, as it asks the court there to enjoin the Texas Attorney General's investigation into possible anticompetitive coordination in the Great Deplatforming of January 2021. Nate gives us the basics on the lawsuit. I observe that, to bring such a Hail Mary of a case, Twitter must deeply fear what its own employees were saying about the deplatforming at the time. Neither Nate nor I give Twitter a high probability of success. And even if this case does succeed, red states are lining up a host of new laws and regulatory initiatives for Silicon Valley, most notably Gov. DeSantis's controversial effort to navigate section 230 and the first amendment.

Nate also provides a remarkably clear explanation of the sordid tale of European intelligence and law enforcement agencies trying to cut a special deal for themselves in the face of surveillance-hostile rulings from the EU's Court of Justice. The agencies are right to want to avoid those foolish decisions, but leaving the US on the hook will only inflame trans-Atlantic relations.

In quick hits, Jamil and Dave talk about Israel's Unit 8200, which offers a better cybersecurity VC alumni network than Stanford. Playing to type, I close with This Week in Sex Toy Security and immediately display my naivete: Wearables, who knew?  But the security lapses in what Dave calls the internet of junk at least offer us a new, more explicit interpretation of a man-in-the-middle attack.

And more!

Download the 353rd Episode (mp3) 

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to [email protected]. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

We're mostly back to our cybersecurity roots in this episode, for good reasons and bad. The worst of the bad reasons is a new set of zero-day vulnerabilities in Microsoft's Exchange servers. They've been patched, Bruce Schneier tells us, but that seems to have inspired the Chinese government hackers to switch their campaign from Stealth to Promiscuous Mode. Anyone who hasn't already installed the Microsoft patch is at risk of being compromised today for exploitation tomorrow.

Nick Weaver and Dmitri Alperovitch weigh in on the scope of the disaster and later contribute to our discussion of what to do about our ongoing cyberinsecurity. We're long on things that don't work. Bruce has pointed out that the market for software products, unfortunately, makes it entirely rational for industry to skimp on security while milking a product's waning sales. Voluntary information sharing has also failed, Dmitri notes. In fact, as OODA Loop showed in a devastating chart, information sharing is one of half a dozen standard recommendations made in the last dozen commission recommendations for cybersecurity. They either haven't been implemented or they don't work.

Dmitri is hardly an armchair quarterback on cybersecurity policy. He's putting his money where his mouth is, in the form of the Silverado Policy Accelerator, which we discuss during the interview segment of the episode. Silverado is focused on moving the cybersecurity policy debate forward in tangible, sometimes incremental, ways. It will be seeking new policy ideas in cybersecurity, international trade and industrial security, and ecological and economic security (what the group is calling Eco2Sec).  (The unifying theme is the challenge to the US posed by the rise of China and the inadequacy of our past response to that challenge.) But ideas are easy; implementation is hard. Dmitri expects Silverado to focus its time and resources both on identifying novel policy ideas and on ensuring those ideas are transformed into concrete outcomes.

Whether artificial intelligence would benefit from some strategic decoupling sparks a debate between me, Nick, Jane Bambauer, and Bruce, inspired by the final AI commission report. We shift from that to China's version of industrial policy, which seems to reflect Chinese politics in its enthusiasm not just for AI and chips but also for keeping old leaders alive longer.

Jane and I check in on the debate over social media speech suppression, including the latest developments in the Facebook Oversight Board and the unusual bedfellows that the issue has inspired. I mock Google for YouTube's noblesse oblige promise that it will stop suppressing President Trump's speech when it no longer sees a threat of violence on the Right. And then I mock it again for its silly refusal to return search results for "BlueAnon"—the Right's label for the Left's wackiest conspiracy theories. (If you think there aren't any, just google "blue anon" … oh, wait, you can't.)

In quick hits, Bruce and Dmitri explore a recent Atlantic Council report on hacked access as a service and what to do about it. Bruce thinks the problem (most often associated with the Israeli firm NSO) is real and the report's recommendations plausible. Dmitri argues that trying to stamp out a trade in zero days is solving the wrong part of the problem, since reverse engineering of software patches, not zero days, is the source of most successful attacks.  Speaking of NSO, Nick reminds us of the rumors that they have been under criminal investigation and that the investigation has been revived recently.

Jane notes that Virginia has become the second state with a consumer data protection law, and one that resembles California's CCPA.

Jane also notes the Israeli Supreme Court decision ending (sort of) Shin Bet's use cellphone data for coronavirus contact tracing. Ironically, it turns out to have been more effective than most implementations of the Gapple privacy-crippled app.

Bruce and Dmitri celebrate the hacking of three Russian cybercrime forums for the rich array of identity clues the doxxing is likely to offer researchers like Bellingcat (whose founder will be our interview guest on Episode 353 of the Cyberlaw Podcast).

And more!

Download the 352nd Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to [email protected]. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

In the news roundup, David Kris digs into rumors that Chinese malware attacks may have caused a blackout in India at a time when military conflict was flaring on the two nation's Himalayan border. This leads us to Russia's targeting of the U.S. grid and to uneasy speculation on how well our regulatory regime is adapted to preventing successful grid attacks.

The Biden administration is starting to get its legs under it on cybersecurity. In its first major initiative, Maury Shenk and Nick Weaver tell us, it has called for a set of studies on how to secure the supply chain in several critical products, from rare earths to semiconductors. As a reflection of the rare bipartisanship of the issue, the President's order is weirdly similar to Sen. Tom Cotton's call to "beat China" economically.  

Nick explains the most recent story on how China repurposed an NSA attack tool to use against U.S. targets. Bottom line: It's embarrassing for sure, but it's also business as usual for attack teams. This leads us to a surprisingly favorable review of the Cyber Threat Alliance's recent paper on how to run a Vulnerability Equities Process.

Maury explains the new rules that Facebook, WhatsApp and Twitter will face in India.

Among other things, the rules will require India-based "grievance officers" to handle complaints. I am unable to resist suggesting that, if ever there were a title that the wokeforce at these companies should aspire to, it's Chief Grievance Officer.

Nick and I make short work of two purported scandals -- ICE investigators using a private utility database to enforce immigration law and the IRS purchasing cellphone location data. I argue that the first story is the work of ideologues who would loudly protest ICE access to the White Pages. And the second is a nonstory largely manufactured by Sen. Wyden.  

In a story that isn't manufactured, David and I predict that the Supremes will agree to decide the scope of cellphone border searches.  More than that, we conclude, the Ninth Circuit will lose. The hard question is how broadly the Court decides to rule once it has kicked the Ninth Circuit rule to the curb.

Maury reports that Facebook and Google have pushed the Aussie government into a compromise on paying Aussie media fees for links. Facebook gets the credit for being willing to shoot the family members the government was holding hostage (although in Facebook's case, the hostage was probably a second cousin once removed). Maury predicts that the negotiations will be tougher once the European Union starts rounding up its hostages.  

In quick hits, I claim credit for pointing out years ago that sooner or later the crybullies would come for  "quantum supremacy." And they have. Maury and I note the rise of audits for AI bias. He's mildly favorable; I am not. And I close by noting the surprisingly difficult choices illustrated by Pro Publica's story on how the content moderation sausage was made at Facebook when the Turkish government demanded that a Kurdish group's postings be taken down.

And more!

Download the 351st Episode (mp3)  

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to [email protected]. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.