Skating on Stilts

The Biden administration’s effort to counter ransomware may not be especially creative, but it is comprehensive. The administration is pushing all the standard buttons on the interagency dashboard, including creation of a high-level task force and a $10 million reward program (but not including hackback authority for victims, despite headlines suggesting otherwise). And all the noise seems to be having some effect, as the REvil ransomware gang's web sites have mysteriously shut down. Nick Weaver reminds us (in song, no less) that the government’s efforts to stop scourges like Trickbot have a distinct whiff of Whac-a-Mole, and the same may be true of REvil.

Our interview is with Josh Steinman, who served as the National Security Council’s Cybersecurity Senior Director for the entire Trump administration. He offers his perspective on the issues and the personalities that drove cybersecurity policy in those chaotic years. As a bonus, Josh and I dig into his public effort to find a suitable startup, an effort we have to cut short as I start getting too close to one of the more promising possibilities.

Maury Shenk covers the Biden administration’s belated but well-coordinated international response to China’s irresponsible Microsoft Exchange hack, including the surprising revelation that China may be back to hacking like it’s 1999 – relying on criminal hackers to serve the government’s ends.

In other China news, Maury Shenk and Pete Jeydel catalog the many ways in which the current Chinese regime is demonstrating its determination to bring China’s tech sector to heel. It’s punishing Didi in particular for launching a U.S. IPO despite go-slow signals from Beijing. It’s imposing cybersecurity reviews on other companies that IPO outside China.  And it seems to be pressing for competition concessions that the big tech companies would have successfully resisted a few years ago.

It was a big week for state-sponsored attacks on secure communications. Nick and I dig in the FBI and Australian federal police coup in selling ANOM phones to criminal gangs. Previewing a forthcoming article for Lawfare, I argue that the Australian police may have to answer tough questions about whether their legal authority for the phone’s architecture really avoided introducing a systemic weakness into the phone’s security.

Law enforcement agencies around the world could face even tougher questions if they’ve been relying on NSO or Candiru, Israeli firms that compromise mobile phones for governments. Both firms have been on the receiving end of harsh forensics analyses from Amnesty International and Citizen Lab. Nick thinks the highly specific and centralized target logs are particularly a problem for NSO’s claims that it doesn’t actually know the details of how its malware is deployed.

Pete Jeydel tells us that the administration is learning to walk and chew gum on cybersecurity at the same time. While coordinating pushes on Chinese and Russian hacks, it also managed to get big chunks of the government to turn in their federal cybersecurity homework on time. Pete talks us through one of those assignments, the NTIA’s paper setting minimum elements for a Software Bill of Materials.

It wouldn’t be the Cyberlaw Podcast without a brief rant on content moderation. The Surgeon General claimed this week that “Misinformation takes away our freedom to make informed decisions about our health.” He didn’t say that administration censorship would give us our freedom back, but that seems to be the administration’s confident view, as the President, no less, accused Facebook of “killing people” by not jumping more quickly to toe the CDC’s official line. (He later walked the accusation back.)

And if you thought the censorship would stop with social media, think again.  The White House is now complaining that telecom carriers also should be screening and suppressing text messages that are hostile to vaccinations.

Finally, just to show that the world has truly turned upside down, Maury reminds me that a German – German! – court has fined American social media for violating freedom of expression by too enthusiastically censoring a lockdown protest video.

Pete tells us what’s in the new Colorado privacy bill. Short version: it joins Virginia in some of hosing down California’s excesses.

And in short takes:

• Maury explains Vietnam's version of China’s fifty-cent army.

• Nick explains why Psiphon is a better tool for evading Cuban censorship that the sleaze-infested Tor system.

• Maury updates me on the European Parliament LIBE committee’s latest proposal for accepting the U.S. intelligence community’s transatlantic surrender on data flows.

• And Pete tells us that the SEC may finally be putting the screws to companies that have been lax about reporting breaches to their investors.

And More!

Download the 371st Episode (mp3)  

Reminder: this is the last regular episode before our August hiatus, although we will do at least one episode on cryptocurrency in coming weeks.

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to [email protected]. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

We begin the episode with the Biden administration’s options for responding to continued Russian ransomware outrages. Dmitri Alperovitch reprises his advice in the Washington Post that Putin will only respond to strength and U.S. pressure.  I agree but question whether the U.S. has the tools to enforce another set of red lines, given Putin’s enthusiasm and talent for crossing them. If jumping U.S. red lines were an Olympic sport, Russia would have retired the gold by now. Dmitri further reminds us that Russian cooperation against cybercrime remains a mirage. He also urges that we keep the focus on ransomware and not the more recent attempt to hack the Republican National Committee.

The Biden White House has been busy this week, or at least Tim Wu has. When Wu took a White House job as “Special Assistant to the President for Technology and Competition Policy,” some might have wondered why he did it. Now, Gus Hurwitz tells us, it looks as though Wu was given carte blanche to turn his recent think tank paper into an Executive Order.  It’s a kitchen sink full of proposals, Mark MacCarthy notes, most of them more focused on regulation than competition. That observation leads to a historical diversion into the way a Brandeisian competition policy aimed at breaking industry into smaller competitors ended by creating big regulatory agencies and bigger companies to match.

We had to cover Donald Trump’s class actions against Twitter, Facebook, and Google, but if the time we devoted to writing about the lawsuits was proportionate to their prospects for success, we’d have already stopped.  

Mark gives more time to a House Republican leadership plan to break up Big Tech and stop censorship. But the plan (or, to be fair, the sketch) is hardly a dramatic rebuke to Silicon Valley – and despite that fact it isn’t likely to get far. Divisions in both parties’ caucuses now seem likely to doom any legislative move against Big Tech in this Congress.

The most interesting tech and policy story of the week is the Didi IPO in the U.S., and the harsh reaction to it in Beijing. Dmitri tells us that the government has banned new distributions of Didi’s ride-sharing app and opened a variety of punitive regulatory investigations into the company. This has dropped Didi’s stock price, punishing the U.S. investors who likely pressed Didi to launch the IPO despite negative signals from Beijing.

Meanwhile, more trouble looms for the ride-sharing giant, as Senate conservatives object to Didi benefiting from U.S. investment and China makes clear that Didi will not be allowed to provide the data needed to comply  with U.S. stock exchange rules.

Mark and Gus explain why 37 U.S. states are taking Google to court over its Play Store rules -- and why, paradoxically, Google’s light hand in the Play store could expose it more to antitrust liability than Apple’s famously iron-fisted rule.

Dmitri notes the hand-wringing over the rise of autonomous drone weapons but dismisses the notion that there’s something uniquely new or bad about the weapons (we’ve had autonomous, or at least automatic, submarine weapons, he reminds us, since the invention of naval mines in the fourteenth century).

In quick hits;

• Gus and Dmitri offer dueling perspectives on the Pentagon’s proposal to cancel and subdivide the big DOD cloud contract.
• Gus tells us about the other Fortnite lawsuit against Apple over its app store; this one is in Australia and was recently revived.
• As I suspected, Tucker Carlson has pretty much drained the drama from the tale of having his communications intercepted by NSA. Turns out he’s been seeking an interview with Putin. And no one should be surprised that the NSA might want to listen to Putin.
• The Indian government is telling its courts that Twitter has lost its 230-style liability protection in that country. As a result, it looks as though Twitter is rushing to comply with Indian law requirements that it has blown off so far. Still, the best part of the story is Twitter’s appointment of a “grievance officer.” Really, what could be more Silicon Valley Woke? I predict it’s only a matter of months before the Valley fills with Chief Grievance Officers and the Biden administration appoints one for the United States.
• And, finally, I give the EU Parliament credit for doing the right thing in passing legislation that lets companies look for child abuse on their platforms. Readers may remember that the problem was an EU privacy rule that threatened to prevent social media from monitoring their platforms for abuse, not just in Europe but around the world. To make sure we knew that it is still the same feckless EU Parliament as before, the law was grudgingly adopted only after giving child abusers a six-month holiday from scrutiny and was scheduled to expire in three years, by which time the Parliament seems to think it can stop worrying about the sexual abuse of children and get back to imposing privacy requirements on the United States that none of its Member States observe.

And More!

Download the 370th Episode (mp3)  

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to [email protected]. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

We begin the episode with a review of the massive Kaseya ransomware attack. Dave Aitel digs into the technical aspects while Paul Rosenzweig and Matthew Heiman explore the policy and political  implications. But either way, the news is bad.

The news was also bad for Gov. DeSantis's Florida 'deplatforming' law, which a Clinton appointee dispatched in a cursory opinion last week. I've been in a small minority who thinks the law, far from being a joke, is likely to survive (at least in part) if it reaches the Supreme Court. Paul challenges me to put my money where my mouth is. Details to be worked out, but if a portion of the law survives in the top court, Paul will be sending a thousand bucks to Trumpista nonprofit. If not, I'll likely be sending my money to the ACLU. 

Surprisingly, our commentators mostly agree that both NSA and Tucker Carlson could be telling the truth about the claim that NSA has at least a few of Carlson's communications. Sadly, this will disappoint partisans for both, since each thinks that the other must be lying. In the process, NSA gets unaccustomed praise for its … wait for it … agile and savvy response. That's got to be a first.

Paul and I conclude that Maine, having passed in haste the strongest state facial recognition ban yet, will likely find itself repenting at leisure.  

Matthew decodes Margrethe Vestager's warning to Apple against using privacy, security to limit competition.

And I mock Apple for claiming to protect privacy while making employees wear body cams to preserve the element of surprise at the next Apple product unveiling. Not to mention the 2-billion-person asterisk hanging off Apple's commitment to human rights.

Dave praises NSA for its stewardship of a popular open source reverse engineering tool, Ghidra.

And everyone has a view about cops using YouTube's crappy AI takedown engine to keep people from posting videos of their conversations with cops.  

And More!

Download the 369th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to [email protected]. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.