Skating on Stilts

As Congress barrels toward an election that could see at least one house change hands, efforts to squeeze a few big bills into law are mounting.  The one with the best chance (better than I expected) would drop $52 billion in cash and a boatload of tax breaks on the semiconductor

Dusty Old Trust Building, Providence, RI

industry. Michael Ellis points out that this is industrial policy without apology, and a throwback to the 1980s, when the government organized Sematech to shore up US chipmaking. Thanks to a bipartisan consensus on the need to fight a Chinese challenge, and elimination of controversial provisions that tried to hitch a ride on the bill, there now looks to be a clear path to enactment for this bill.

And if there were doubt about how serious the Chinese challenge in chips will be, we highlight an undercovered story revealing that China’s chipmaking champion, SMIC, has been making 7-nanometer chips for months without making a public announcement.  That’s a diameter that Intel and GlobalFoundries, the main US producers, have yet to reach in commercial production.

The national security implications are plain. If commercial products from China are cheap enough to sweep the market, even security-minded agencies will be forced to buy them, as it turns out the FBI and DHS have both been doing with Chinese drones. Nick recommends that policymakers read his Lawfare piece showing just how cheaply the US (and Ukraine) could be making drones.

Responding to the growing political concern about national security and Chinese products, TikTok’s owner ByteDance, has  increased its U.S. lobbying budget to more than $8 million a year, Christina Ayiotis tells us; that's an amount, I point out, that just about matches what Google spends on lobbying.

In the same vein, Nick Weaver and Michael question why the government hasn’t come up with the extra $3 billion to fund “rip and replace” for Chinese telecom gear. That effort will certainly get a boost from reports that Chinese telecom gear was offered on especially favorable terms to carriers who service America’s nuclear missile locations. I note that the Obama administration actually paid these same rural carriers to install Chinese equipment in the teens, as part of the 2009 stimulus law. I can’t help wondering why US taxpayers should pay those carriers both to install and to remove the same gear.

In news not tied to China, Nick tells us about the House’s serious progress on a compromise federal data privacy bill. It’s probably still doomed, given resistance from Dems (and maybe the GOP) in the Senate. I argue that that’s a good thing, given the bill's egregious effort to impose “disparate impact” quotas for race, color, religion, national origin, sex, and disability on the outcomes of every algorithm that processes even a little personal data. This is a transformative social engineering project, imposed by a single section (207) of  the bill without any serious debate.

Tina grades Russian information warfare based on its latest exploit:  hacking a Ukrainian radio broadcaster to spread fake news about Zelensky’s health,  As a hack, it gets a passing grade, but as a believable bit of information warfare, it’s a bust.

Tina, Michael and I evaluate YouTube’s new policy on removing “misinformation” related to abortion, and the risk that this policy, like so many Silicon Valley speech suppression schemes, will start out sounding plausible and end up enforcing political correctness. 

Nick and I celebrate DOJ’s increasing though still episodic success in seizing cryptocurrency from hackers and ransomware gangs. It may just be Darwin at work, but it’s nice to see.

Nick offers the recommended long read of the week --  Brian Krebs’s takedown of the VPN malware supplier, 911.

And in updates and quick hits:

1. That Twitter worker arrested for spying on behalf of Saudi Arabia is going to trial.
2. GCHQ’s cryptoskeptics have returned to ask how we can square end-to-end encryption with child safety. I think the answer is “Not well.”
3. GDPR's consequences are still emerging: Turns out, it means that schoolkids in Denmark won’t be able to use Chromebooks or Google Workspace.
4. And Nick takes a moment to dunk on the Three Arrows founders, whose cryptocurrency company went under in the bust and who are now giving interviews from an undisclosed location.

Listen to Episode 418 here.

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed.  Send your questions, comments, and suggestions for topics or interviewees to [email protected]. 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

* This week's title is an obscure Rhode Island tribute to the Industrial Trust Building, known to a generation of children as the ‘Dusty Old Trust” building until a new generation christened it the “Superman Building.” 

Kicking off a packed episode, the Cyberlaw Podcast calls on Megan Stifel to cover the first Cyber Safety Review Board (CSRB) Report. The CSRB does exactly what those of us who supported the idea hoped it would do – provide an authoritative view of how the Log4J incident unfolded along with some practical advice for cybersecurity executives and government officials.

Jamil Jaffer tees up the second blockbuster report of the week, a Council on Foreign Relations study called "Confronting Reality in Cyberspace Foreign Policy for a Fragmented Internet." I think the study's best contribution is its demolition of the industry-led claim that we must have a single global internet. That has not been a realistic prospect for a decade, and pursuing that vision has kept the U.S. from fully defending its own interests in cyberspace, so CFR's realism is welcome. Less welcome is its utterly wrong claim that the U.S. can resolve its transatlantic dispute with Europe by adopting a European-style privacy law. Europe has no real remaining beef with us on privacy regulation of industry (we surrendered); now the fight is over Europe's demand that we rewrite our intelligence and counterterrorism laws, a demand that new privacy legislation won't satisfy. Jamil Jaffer and I debate both propositions.

Megan discloses the top cybersecurity provisions added to the House defense authorization bill – notably the five year term for the head of Cybersecurity and Infrastructure Security Agency (CISA) and a cybersecurity regulatory regime for systemically critical industry. The Senate hasn't weighed in yet, but both provisions now look more likely than not to become law.

Regulatory cybersecurity measures are the flavor of the month in Washington. The latest evidence: The Biden White House is developing a cybersecurity strategy that is expected to encourage more regulation. Jamil reports on the development but is clearly hoping that my prediction of more regulation does not come true.

Speaking of cybersecurity regulation, Megan kicks off a discussion of Department of Homeland Security's CISA weighing in to encourage new regulation from the Federal Communication Commission (FCC) to incentivize a shoring up of the Border Gateway Protocol's security. Jamil thinks the FCC would do better looking for incentives than punishments.

Tatyana Bolton and I try to unpack a recent smart contract hack and the confused debate about whether "Code is Law" in web3. Answer: it is not, and never was, but that does not turn the hacking of a smart contract into a violation of the Computer Fraud and Abuse Act.

Megan covers North Korea's tactic for earning dollars while trying to infiltrate U.S. crypto firms – getting remote work employment at the firms as coders. I wonder why LinkedIn is not doing more to stop scammers like this, given the company's rich trove of data about job applicants using the site.

Not to be outdone, other ransomware gangs are now adding to the threat of doxing their victims by making it easier to search their stolen data. Jamil and I debate the best way to counter the tactic.

Tatyana reports on Sen. Mark Warner's (D-Va) effort to strongarm the intelligence community into supporting Sen. Amy Klobuchar's (D-MN) antitrust law aimed at the biggest tech platforms – despite its inadequate protections for national security.

Jamil discounts as old news the Uber leak. I agree; we didn't learn much from the orgy of coverage that we didn't already know about Uber's highhanded approach in the teens to taxi monopolies and government.

Jamil and I endorse the efforts of a Utah startup devoted to following China's IP theft using China's surprisingly open information. Why Utah, you ask? We've got the answer.

In quick hits and updates:

• Josh Schulte has finally been convicted for one of the most damaging intelligence leaks in history.
• Google gets grudging respect from me for its political jiu-jitsu. Faced with smoking gun evidence of its political bias after the company spam-blocked GOP but not Dem fundraising messages, Google turned the tables. It managed to kick off public  outrage by saying it wanted to fix its bias problem by forcing political spam on all its users. Now the GOP will have the burden of explaining that it's not trying to send us more spam; it just wants Gmail to stop favoring Democrats in running Gmail spam filters.
• And, finally, we all get to enjoy the story of the bored Chinese housewife who created an interlocking universe of fake Russian history on China's Wikipedia. She's promised to stop, but I suspect she's really just been hired to work for the world's most active producer of fake history – China's Ministry of State Security.

Download the 417th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to [email protected]. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

In this episode, Dave Aitel introduces us to a deliciously shocking story about lawyers as victims -- and maybe co-conspirators -- in the hacking of law firms to win legal disputes.  The trick, it turns out, is figuring out how to benefit from hacked documents without actually dirtying one's hands with the hacking. And here too, a Shakespearean Henry (II this time) has the answer: hire a private investigator and ask "Will no one rid me of this meddlesome litigant?" Before you know it, there's a doxing site full of useful evidence on the internet.

But first Dave digs into an intriguing but flawed story of how and why the White House ended up bigfooting a possible acquisition of NSO by L3Harris. Dave spots what looks like a simple fact error, and we are both convinced that the New York Times got only half the story. I suspect the White House was surprised by the leak, popped off about how bad an idea the deal was, and then was surprised to discover that its intelligence community had signaled support.

That leads us to the reason why NSO has continuing value – its ability to break Apple's phone security. Apple is now trying a new way to reinforce security: its new, more secure and less convenient lockdown mode. Dave gives it high marks, and he challenges Google to match Apple's move.

Next, we dive into the US effort to keep Dutch firm ASML from selling chip-making machines to China. Dmitri Alperovich makes a special appearance to urge more effective use of export controls; he cautions, however, that the US must impose the same burdens on its own firms as on its allies'.

Jane Bambauer introduces the latest government proposal to take a bite out of crime by taking a bite out of end-to-end (e2e) encryption. The U.K. has introduced an amendment to its pending online safety bill that would require regulated user-to-user services to identify and swiftly take down terrorism and child sex abuse material. Identifying such material isn't easy in an e2e environment, Jane notes, so this bill could force adoption of the now-abandoned Apple proposal to do local scanning on your phone. I'm usually a cheap date for crypto-skeptical laws, but I can't help noticing that this proposal will stir up 90% as much opposition as requiring companies to intercept communications when they get a court order while  addressing only 10% of the crimes that occur on e2e networks.

Jane and I take turns pouring cold water on journalists, NGOs, and even Congress for their feverish effort to turn the Supreme Court's abortion ruling into a privacy issue. Dumbest of all, in my view, is the claim that location services will be used to gather evidence and prosecute women who visit out of state abortion clinics. As I point out, such prosecutions couldn't even muster five votes on this Court.

Dave spots another doubtful story about Russian government misuse of a red team hacking tool. He thinks it's actually a case of a red team hacking tool being used by … a red team.

Jane notes that Department of Homeland Security's (DHS) Cybersecurity and Infrastructure Security Agency (CISA) has announced a surprisingly anodyne (and arguably unnecessary) post-quantum cryptography initiative.  I'm a little less hard on DHS, but only a little.

Finally, in updates and quick hits:

• I point out that the U.S. - EU transatlantic data deal is looking a lot like vaporware. That's a worry now that Ireland is on the verge of ordering Facebook to stop moving data across the Atlantic.
• Jane and I take a whack at predicting Elon Musk's Twitter bid. I argue that Musk may escape with less than $1 billion in penalties but for years he will be to mergers what Google is to new digital products.
• And, finally, some modest good news on Silicon Valley's campaign to suppress politically incorrect speech.  Last year, Twitter suspended former NYT reporter Alex Berenson for saying several true but inconvenient things about the covid vaccine (it doesn't stop infection or transmission, and it has side effects, all of which raise real doubts about the wisdom of mandating vaccinations for everyone). Berenson sued, and Twitter has now settled, unsuspending his account. The lawsuit had narrowed down the point where Twitter probably felt it could settle without creating a precedent, but any chink in Big Social's self-righteous armor is worth celebrating.

Download the 416th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to [email protected]. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

For decades, U.S. cyber exploits were notoriously lawyer-ridden, to the point where it became a key element in attributing US cybertools. But it looks like those days are gone. Today, Israel has matched and surpassed U.S. cyberwarriors on this essential measure. Nate Jones reports on an attack claimed by a vague "hacktivist" group but widely attributed to Israel. The hackers shut down several Iranian mills in a flood of sparks and molten steel. But the most interesting thing about the attack was the video pre-roll, which went out of its way to note that the mills were under international sanction and that the attackers had sent workers warnings to avoid casualties. Some of that was prudence; when you're escalating in cyberspace, it's a good idea to emphasize the limits you're observing. But a lot of it was lawyers advertising the attack's compliance with the law of armed conflict. Coming after an earlier campaign that cut off gasoline supplies but also warned emergency medical and fire services to gas up in advance, it sure looks as though some of the best cyber attacks now come with a phalanx of lawyers.

China, meanwhile, is putting resources into exporting its Fifty Cent Army to the United States. Sultan Meghji and Maury Shenk cover a Chinese social media campaign to turn American rare earths processing into an environmental controversy. In this case, I argue, China is taking a leaf from the Russian playbook; the Russians worked hard to make fracking controversial in the US because it was holding down the price of Russian oil. I urge someone to figure out just how many of those fake American accounts are also on TikTok, and how TikTok's algorithm is treating them.

Speaking of Chinese propaganda, Maury tells us that a well-known Chinese cybersecurity firm is accusing the U.S. of planting Trojans in hundreds of important Chinese information systems, a charge that might be interesting if the report actually provided some details.

Feeling the spur of competition from Israel's cyber lawyers, NSA's counsel has opened a new front. They've persuaded the US Justice Department to fight a merger on the grounds that it will reduce competition in bidding on a single NSA program. Nate and I get stuck on the market definition problems in the case, but Sultan thinks it's an investment opportunity.

This Week in Stupid Artificial Intelligence (AI) Research: We never lack for stories in this category, but this week the two contenders are well matched.  Sultan tells us about a story that proves you can always find sex and race discrimination in AI if your study is designed badly enough. And Maury finds a group of researchers who went one better, designing a moderately effective crime prediction algorithm and then arguing that the police were racist if they put more police into high-crime neighborhoods and racist if they didn't send more police to neighborhoods with rising crime. Since the  point of most AI bias research is apparently to get your story into the press by finding that AI is racist, being able to find racism no matter how the study  turns out is a winning strategy.

Speaking of unimpressive journalism, Sultan flags a Wall Street Journal story that lazily dumps on AI research for not doing everything we want, while pretty much ignoring things it has done well.

Sultan also leads us through the wreckage of one cryptocurrency domino after another, but he thinks it's likely to put a firmer, and more regulated, foundation under the businesses that survive. Nate reprises the EU contribution to the issue – more regulation, natch – but in a surprise twist for the Cyberlaw Podcast, the Brussels proposal gets pretty high marks.

Updating a few stories from past weeks,

• Google is really getting hurt by the study showing its default spam filter favored Democratic fundraising messages over Republican messages by about 7 to 1. The GOP has always believed (correctly) that its views are being handicapped by Silicon Valley, but this time the evidence is hard to refute. Indeed, Google isn't really refuting it, just promising to do better in future, while Republicans are claiming that Gmail's bias cost them $2 billion in donations and proposing tough new transparency laws.
• The Justice Department is upping the stakes for Uber's former chief information security officer (CISO), charging Joe Sullivan with wire fraud for treating what looks like a data breach ransom as a bug bounty. The Department of Justice says this defrauded Uber drivers and customers. Sullivan is the first, but probably not the last, CISO who'll face this charge, as government stops touting "public-private partnership" as the reason for companies to report breaches and instead embraces fear of prosecution.
• And the Transportation Security Administration (TSA), after taking criticism for the harshness of its secret cybersecurity standards for pipelines, has now offered secret amendments to the standards. Is that a good thing? Who knows?

Download the 415th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to [email protected]. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.