We couldn’t avoid President Biden’s trip to Europe this week. He made news (but only a little progress) on cybersecurity at every stop. Nick Weaver and I dig into the President’s consultations with Vladimir Putin, which featured veiled threats and a modest agreement on some sort of continuing consultations on protecting critical infrastructure.

Jordan Schneider sums up the G7 and NATO statements aligning with U.S. criticisms of China.

And our newest contributor, Michael Ellis, critiques the EU-U.S. consultations on technology, which featured a complete lack of U.S. resolve on getting an outcome on transatlantic data flows that would preserve US intelligence capabilities.

Michael also recaps the latest fallout from the Colonial Pipeline ransomware shutdown – new regulatory initiatives from TSA and a lot of bipartisan regulatory proposals in Congress. I note the very unusual (or, maybe, all too usual) meaning given to “bipartisanship” on Capitol Hill.

Nick isn’t exactly mourning the multiple hits now being suffered by ransomware insurers, from unexpected losses to the ultimate in concentrated loss – gangs that hack the insurer first and then systematically extort all its ransomware insurance customers.

Jordan sums up China’s new data security law. He suggests that, despite the popular reporting on the law, which emphasizes the government control narrative, the motive for the law may be closer to the motive for data protection laws in the West – consumer suspicion over how private data is being used. I’m less convinced, but we have a nice discussion of how bureaucratic imperatives and competition work in the People’s Republic of China.

Michael and Nick dig into the White Paper on FISA applications published by the outgoing chairman of the Privacy and Civil Liberties Oversight Board. Notably, in my mind, the White Paper does not cast doubt on the Justice Department’s rebuttal to a Justice Inspector General’s report suggesting that the FISA process is riddled with error. The paper also calls urgently for renewal of the expired FISA section 215 authority and suggests several constructive changes to the FISA paperwork flow.

In quick hits, Michael brings us up to date on the FCC’s contribution to technology decoupling from China: a unanimous vote to exclude Chinese companies from the U.S. telecom infrastructure and a Fifth Circuit decision upholding its decision to exclude Chinese companies from subsidized purchases by U.S. telecom carriers.  And Jordan reminds us just how much progress China has made in exploring space.

And more!


Download the 367th Episode (mp3)

 

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.


Just as retail stores, bars, restaurants, and entertainment venues in New York City have been authorized to relax COVID restrictions, they will soon have to confront a new set of requirements—this time focused on their collection of customers’ biometric information. On July 9, 2021, New York City’s new law addressing the collection and use of biometric identifier information will go into effect. The NYC Biometric Law is part of a broader trend of state and local governments adopting laws to regulate business’ collection and use of biometric information.

The NYC Biometric Law requires “[a]ny commercial establishment that collects, retains, converts, stores or shares biometric identifier information of customers” to provide notice of such practices by “placing a clear and conspicuous sign near all of the commercial establishment’s customer entrances notifying customers in plain, simple language…that customers’ biometric identifier information is being collected, retained, converted, stored or shared, as applicable.” The sign must adhere to a “form and manner prescribed by the commissioner of consumer and worker protection by rule.”

In addition, the NYC Biometric Law prohibits “sell[ing], leas[ing], trad[ing], [or] shar[ing] in exchange for anything of value or otherwise profit[ing] from the transaction of biometric identifier information.”

“Commercial establishment” is defined as “a place of entertainment, a retail store, or a food and drink establishment.” The law does not apply to financial institutions.

“Biometric identifier information” is defined as “a physiological or biological characteristic that is used by or on behalf of a commercial establishment, singly or in combination, to identify, or assist in identifying, an individual, including, but not limited to: (i) a retina or iris scan, (ii) a fingerprint or voiceprint, (iii) a scan of hand or face geometry, or any other identifying characteristic.” Significantly, the law’s notice requirement does not apply “to [b]iometric identifier information collected through photographs or video recordings, if (i) the images or videos collected are not analyzed by software or applications that identify, or that assist with the identification of, individuals based on physiological or biological characteristics, and (ii) the images or video are not shared with, sold or leased to third-parties other than law enforcement agencies.”

The NYC Biometric Law contains a private right of action. Private plaintiffs may seek both monetary damages and injunctive relief. For violations of the notice requirement only, commercial establishments are provided with a 30-day cure period. For each violation of the notice requirement, businesses may be liable for damages of $500. Each negligent violation of the prohibition on selling, leasing, trading, or sharing biometric identifier information for anything of value or profit may result in damages of $500, while each intentional or reckless violation may lead to damages of $5,000. Plaintiffs may also recover reasonable attorney’s fees and costs.

Paul Rosenzweig lays out a report that is much more careful and well-written, and a policy catastrophe in the making. The main problem? It tries to turn one of the most divisive issues in American life into a problem to be solved by technology. Apparently because that has worked so well in areas like content suppression. In fact, I argue, the report will be seen by many, especially in the center and on the right, as an effort to impose proportional representation quotas by stealth in a host of places that have never been the objects of such policies before. Less controversial, but only a little, is the U.S. government’s attempt to make government data available for training more AI algorithms. Jane more or less persuades me that this effort too will end in tears or stasis.

In cheerier news, the good guys got a couple of surprising wins this week. While encryption and bitcoin have posed a lot of problems for law enforcement in recent years, the FBI has responded with imagination and elan, at least if we can judge by two stories from last week. First, Nick Weaver takes us through the laugh-out-loud facts behind a government-run encrypted phone for criminals, complete with influencers, invitation-only membership, and nosebleed pricing to cement the phone’s exclusive status. Jane Bambauer unpacks some of the surprisingly complicated legal questions raised by the FBI’s creativity.

Paul Rosenzweig lays out the much more obscure facts underlying the FBI’s recovery of much of the ransom paid by Colonial Pipeline. There’s no doubt that the government surprised everyone by coming up with the private key controlling the bitcoin account. We’d like to celebrate the ingenuity behind the accomplishment, but the FBI isn’t actually explaining how it pulled it off, probably because it hopes to do the same thing again and can’t if it blows the secret.

The Biden administration is again taking a shaky and impromptu Trump policy and giving it a sober interagency foundation.  This time it’s the TikTok and WeChat bans; these have been rescinded. But a new process has been put in place that could restore and even expand those bans in a matter of months. Paul and I disagree about whether the Biden administration will end up applying the Trump policy to TikTok or WeChat or to a much larger group of Chinese apps.

For comic relief, Nick regales us with Brian Krebs’s wacky story of the FSB’s weird and counterproductive attempt to secure communications to the FSB’s web site.

Jane and I review the latest paper by Bruce Schneier (and Henry Farrell) on how to address the impact of technology on American democracy. We are not persuaded by its suggestion that our partisan divide can best be healed by more understanding, civility, and aggressive prosecutions of Republicans.

Finally, everyone confesses to some confusion about the claim that the Trump Justice Department breached norms in its criminal discovery motions that turned up records relating to prominent Democratic congressmen and at least one Trump administration official.

Best bet: this flap will turn out to be less interesting the more we learn. But I renew my appeal, this time aimed at outraged Democrats, for more statutory guardrails and safeguards against partisan misuse of national security authorities. Because that’s what we’ll need if we want to keep those authorities on the books.

And more!


Download the 366th Episode (mp3)


The Biden administration is pissing away one of the United States’ most important counterterrorism intelligence programs. At least that’s my conclusion from this episode’s depressing review of the administration’s halting and delusion-filled approach to the transatlantic data crisis. The EU thinks time is on its side, and it’s ignoring Jamil Jaffer’s heartfelt plea to be a better ally in the face of Russian and Chinese pressure. Every day, Silicon Valley companies whose data stores in the US have been a goldmine for counterterrorism are feeling legal pressure to move that data to Europe. Those companies care little whether the US gets good intelligence from its section 702 requests, at least compared to the prospects of massive fines and liability in Europe. So, unless the administration creates a countervailing incentive, the other actors will simply present Washington with a fait accompli. The Biden administration, like the Trump administration before it, seems unable to grasp the need for action. When Trump was in charge, we could call him incompetent. When we wake up to what we’ve lost under Biden, that’s what we’ll call him, too.

For companies struggling with their role in this global drama, Charles Helleputte has moderately good news. The European Commission, contrary to the dogmatic approach of the data protection agencies, has opened a door for transfers using the new standard contractual clauses. If your data has not been requested by the U.S. under section 702 or similar intelligence programs and you can offer good reason to think they won’t be requested in the future, you could avoid the hammer of a data export ban.

In other news, Jamil and I cross swords on whether the Colonial pipeline hack should have ended TSA’s light-touch oversight of pipeline cybersecurity.

And Nate Jones and I dig deep into the state trend toward regulating police access to DNA ancestry databases. After some fireworks, we come close to agreement that some state law provision on database access is inevitable and workable, but that the Maryland law is so hostile to solving brutal crimes with DNA searches that it is hard to distinguish from a ban.

Jamil explains the Biden administration’s decision to provide a new foundation for the Trump ban on investment in Chinese military companies. Treasury will take the program away from DOD, which had handled its responsibilities with the delicacy of Edward Scissorhands.

Nate limbers up the DeHype Machine to put in perspective DOJ’s claim to be giving ransomware hacks the same priority as terrorism. Jamil takes on autonomous drones and pours cold water on the notion that DOD will be procuring some of its drones from China.

In a moment of weakness I fail to attack or even mock the UN GGE’s latest report on norms for cyberconflict.

And in a series of quick hits:

  • Jamil reviews Facebook’s latest antitrust problems in the EU and UK.
  • I bring back the “throuple” Congresswoman, whose failed pivot from abuser of power to victim of revenge porn has just cost her over $100,000.
  • In case you haven’t heard, Facebook might let Trump come back in January 2023, and his blog page has shut down for good.
  • The European Commission has proposed a trusted and secure Digital Identity for all Europeans but Charles thinks there’s less there than meets the eye.
  • And Nigeria has suspended Twitter after the platform shut down the President’s account for obliquely threatening military action against secessionists.
  • And more!


Download the 365th Episode (mp3)


President Bill Clinton earned lasting notoriety for his explanation of why his statement denying a relationship with Monica Lewinsky was truthful (“it depends on what the meaning of the word ‘is’ is”). It is doubtful Justice Amy Coney Barrett’s majority opinion for the Supreme Court last week in Van Buren v. U.S. will earn as much ridicule from late-night comedians, despite putting so much questionable weight on a two-letter word (in this case, the word “so”). But the opinion does finally resolve an issue that has split lower courts and vexed employers, website operators, security researchers, and others for many years: whether the Computer Fraud and Abuse Act (CFAA) can be used to prosecute, or sue civilly, someone who accesses a computer with authorization, but uses that access for an improper purpose. The Court answered that question with a resounding, “No.” But the Court left unresolved a number of other questions, including what sorts of limits on access have to be transgressed in order to give rise to a CFAA violation.

The CFAA prohibits, among other things, intentionally accessing a computer “without authorization” or “exceed[ing] authorized access” and obtaining information. In Van Buren, a police officer had used his patrol car computer to access a law enforcement database to look up a license plate number in exchange for money from a private person who wanted information about a woman he had met at a strip club. The arrangement turned out to be an FBI sting, and after the officer used his valid credentials to look up the license plate number in the database, he was arrested and charged with violating the CFAA. The government alleged that the officer had exceeded his authorized access to the database by accessing it for an improper purpose—i.e., for personal use, in violation of police department policy. The officer was convicted and sentenced to 18 months in prison.

On appeal to the Eleventh Circuit, the officer argued that “exceeds authorized access” in the CFAA reaches only people who are authorized to access a computer, but then access information to which their authorized access does not extend. Several circuits have interpreted this clause in just this way. However, the Eleventh Circuit, like some others, adopted a broader view, holding that the clause also applies to someone who has authorization to access a computer but then uses that access for an inappropriate reason.

This broad interpretation has drawn a great deal of criticism, including by those who argue that it results in the criminalization of a great deal of everyday behavior. Anyone who violates a website’s terms of use (such as by using a pseudonym, or supplying a fake date of birth), or violates her company’s computer use policy by sending personal emails or composing personal documents on a workplace computer, would be violating the CFAA.

The Supreme Court cited such arguments as one reason the broad interpretation of “exceeds authorized access” is “implausib[le].” But the Court’s principal reason for adopting a narrow reading of the phrase turned on the word “so.” The CFAA defines “exceeds authorized access” as “access[ing] a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” The Court devoted several pages of linguistic analysis to explaining why the word “so” must be read as restricting the entire definition to persons who are authorized to access a computer, but are not entitled to use that access to obtain or alter certain information, and why the clause cannot be read as applying to people who are authorized to obtain or alter that information but then do so for a prohibited purpose. One might charitably say that this is all a very lawyerly reading of the phrase (as was said about Mr. Clinton’s exegesis of the meaning of “is”). But whatever the case, it is now the law.

Fortunately, the Court ended its opinion with a clearer enunciation of its interpretation of “exceeds authorized access”: “In sum, an individual ‘exceeds authorized access’ when he accesses a computer with authorization but then obtains information located in particular areas of the computer—such as files, folders, or databases—that are off limits to him.” This makes clear that one cannot violate the CFAA—and therefore be subjected to criminal prosecution or a civil suit—merely by using his authorized access to obtain information for an improper purpose. This may make it more difficult for employers to use the CFAA to go after rogue employees who steal company information for a competing firm, or for website operators to sue competitors who abuse their authorized access to a site’s content by scraping it or otherwise mining it for commercial advantage.

Nevertheless, the Court’s opinion leaves some significant questions unresolved, and therefore still leaves room for effectively using the CFAA in such situations. Notably, the Court explicitly leaves open the question of how a computer owner may limit access to particular information in order to be able to sue for violations of those limits. Some will likely misread the opinion as requiring technological barriers to access. But it may be enough to impose carefully worded limits via contractual or policy terms, as long as they are focused on prohibiting access to the information, not on prohibiting certain uses. It may also be enough to impose limits on access by certain means, while allowing access by other means. Thus, for example, a competitor might have authorization to access a website’s content as a regular user, but if the website’s terms prohibit scraping the same content via automated bots, then such scraping may still give rise to a CFAA violation.

So—while Van Buren will be widely read as limiting the ability of computer owners to use the CFAA as a legal weapon, the reality—for now, at least—is that companies can still use that statute to protect their information, as long as they give careful thought to the ways they limit access to it.

We don’t get far into my interview with the authors of a widely publicized Ransomware Task Force report before I object that most of its recommendations are “boring” procedural steps that don’t directly address the ransomware scourge. That prompts a vigorous dialogue with Philip Reiner, the Executive Director of the Institute for Security and Technology (IST), the report’s sponsoring organization, Megan Stifel of the Global Cyber Alliance, and Chris Painter of The Global Forum on Cyber Expertise Foundation. And we in fact find several new and not at all boring recommendations among the nearly 50 put forward in the report.

In the news roundup, Dmitri Alperovitch has an answer to my question, “Is Putin getting a handle on U.S. social media?” Not just Putin, but every other large authoritarian government is finding ways to bring Google, Twitter, and Facebook to heel. In Russia’s case, the method is first a token fine, then a gradual throttling of service delivery that makes domestic competitors look better in comparison to the Silicon Valley brand.

Mark MacCarthy handicaps the Epic v. Apple lawsuit. The judge is clearly determined to give both sides reason to fear that the case won’t go well. And our best guess is that Epic might get some form of relief but not the kind of outcome they hoped for.

Dmitri and I marvel at the speed and consensus around regulatory approaches to the Colonial Pipeline ransomware event. It’s highly likely that the attack will spur legislation mandating reports of cyber incidents (and without any liability protection) as well as aggressive security regulation from the agency with jurisdiction – TSA. I offer a cynical Washington perspective on why TSA has acted so decisively.

Mark and I dig into the signing and immediate court filing against Florida’s social media regulation attacking common content moderation issues. Florida will face an uphill fight, but neither of us is persuaded by the tech press’s claim that the law will be “laughed out of court.” There is a serious case to be made for almost everything in the law, with the exception of the preposterous (and probably severable) exemption for owners of Florida theme parks.

Dmitri revs up the DeHyping Machine for reports that the Russians responded to Biden administration sanctions by delivering another cyberpunch in the form of hijacked USAID emails.  It turns out that the attack was garden variety cyberespionage, that the compromise didn’t involve access to USAID networks, that it was launched before sanctions, and that it didn’t get very far.

Jordan Schneider explains the impact of U.S. government policy on the cellular-equipment industry, and the appeal of Open RAN as a way of end-running the current incumbents. U.S. industrial policy could be transformed by the shape-shifting Endless Frontier Act, and Jordan and Dmitri explain how. I ask whether we’re seeing a deep convergence on industrial policy on both sides of the Pacific, now that President Xi has given a speech on tech policy that could have been delivered by half a dozen Republican or Democratic senators.

Finally, Dmitri reviews the bidding in cryptocurrency regulation both at the White House and in London.

In short hits, we cover:

  • The European Court of Human Rights decision squeezing but not quite killing GCHQ’s mass data interception programs and cooperation with the U.S. I offer a possible explanation for the court’s caution.
  • A court filing strongly suggesting that the Biden administration will not be abandoning a controversial Trump administration rule that requires visa applicants to register their social media handles with the U.S. government.  I speculate on why.
  • A WhatsApp decision not to threaten its users to get them to accept the company’s new privacy terms. Instead, I suspect, WhatsApp will annoy them into submission.
  • And, finally, a festival of EU competition law attacks on Silicon Valley, from Brussels to Germany and France.

And more!


Download the 364th Episode (mp3)


Paul Rosenzweig kicks off the news roundup by laying out the New York Times’s brutal overview of the many compromises Tim Cook’s Apple has made with an increasingly oppressive Chinese government. There is no way to square Apple’s aggressive opposition to US national security measures with its quiet surrender to much more demanding Chinese measures. I suggest that the disparity could not be greater if Tim Cook were Dorian Gray and storing his portrait behind the Great Firewall. Paul, Jamil Jaffer, and I note the tension between Apple’s past claim that it could not legally share data with the Chinese government and its new claim that it solved the problem by turning its data over to a Chinese government-owned corporation.

Ransomware hasn’t stopped making news, Paul tells us, with Irish hospitals the latest to go down. Nate Jones assesses the likelihood (low) that governments will effectively ban the payment of ransomware demands. And Paul points out that, while cryptocurrency may be facilitating crime, at least it’s also warming the planet, as an entire American power plant is taken out of mothballs to power cryptocurrency mining operations.

Governments are increasingly cracking down on cryptocurrency, and Paul gives us one week of news in new regulation:

  • China has reiterated its opposition to unregulated access to crypto.
  • The IRS is threatening action against unreported transactions in cryptocurrency.
  • And Hong Kong plans to restrict crypto exchanges to professional investors.

The FISA court has issued another 60+ pages approving the executive branch’s section 702 procedures. With Nate on the job, you don’t need to read it all, or rely on the ideologically motivated criticism of privacy groups. Nate tells us that in approving the 702 procedures the FISA court has much less leeway than a court usually does in reviewing federal agency action (with a hat tip to a good analysis by NSA alum George Croner).

Jamil bemoans the enthusiasm sweeping Europe for sticking it to US (but not Chinese) tech companies under a variety of competition law theories.

Google has been fined just over €100 million by Italy’s antitrust watchdog for abuse of a dominant market position in Android auto apps.

Germany is readying big guns for an attack on Amazon’s market.

I point out that American policymakers seem to share this enthusiasm, at least judging from the questions the presiding judge in Epic v. Apple posed this week to Tim Cook.

Nate and I explore Apple’s apparent decision to let Parler back into the app store. (And, given the enthusiasm for regulating such dual-facing markets on antitrust grounds, that decision would be wise.) But Apple is still demanding that Parler block speech that Parler doesn’t think it should be blocking.

We wrap up with a few quick hits:

  • Looking for a cheap way to defeat ransomware?  Brian Krebs has a “might not work but what do you have to lose?” idea: install a Russian keyboard layout on your computer (although with my luck, the ransomware will translate all my files into Russian).
  • Andy Greenberg has a good retrospective on the OG supply chain hack: the Chinese theft of RSA’s core security seeds.
  • Dangling the other shoe: The UK’s head of MI5 isn’t mincing words. Ken McCallum is accusing Facebook of giving a ‘free pass’ to terrorists by preparing to introduce end-to-end crypto on its messaging app. Sooner or later, this is going to end in tears. And we all agree that the Biden administration was lucky to persuade Matt Olsen to leave Uber to become head of DOJ’s National Security Division.

And more!


Download the 363rd Episode (mp3) 


Our interview is with Brandon Wales, acting head of the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA), and Jen Daskal, Deputy General Counsel for Cyber and Technology Law at DHS. We dig deep into the latest Executive Order on cybersecurity. There’s a lot to say. The EO is focused largely on how the federal civilian government protects its networks, and it is just short of revolutionary in overriding longstanding turf fights, almost all of which are resolved in favor of CISA – to the point where it seems clear that CISA is on its way to being the civilian agencies’ CISO, or Chief Information Security Officer. This is clearly CISA’s moment. It is getting new authorities from the President and new money from Congress. Whether it can meet all the expectations that these things bring is the question.

We also touch on parts of the EO that will touch the private sector, from the determined push for breach and other incident reporting in federal contracts to the formation of a Cyber Safety Review Board to investigate private sector incidents.  I predict that the Board will need and will get subpoena power soon. Neither Brandon nor Jen takes the other side of that bet.

In the news, we get an update on the Colonial Pipeline ransomware attack from Nick Weaver and first-timer Betsy Cooper. Colonial has paid $5 million in ransom, gotten a bad decryption tool, and restarted operations anyway. Since it’s likely to end up as the second test case for the Cyber Safety Review Board, Colonial may regret having waited five days to start sharing information with CISA.

Maury Shenk explains the 200-page Irish High Court decision allowing the Irish data protection regulator to begin an inquiry that could cut off its data exports to the United States. Facebook would love to forestall that day until EU-US talks on a new data export deal is done, but the Biden administration isn’t exactly making it a priority to bail out either Facebook or the US intelligence community, which has as much at stake in data flows as the companies.

One of the puzzles of recent weeks has been persistent but vague stories that DHS wants more authority to gather information from public postings on social media. Nick, Betsy, and I try to make sense of the story, and we’re not helped by the fact that much of the media and politicians have switched from condemning such intelligence operations to demanding them, and vice versa, since the Trump administration ended.

Nick can’t resist a story that leaves both bitcoin and Tor looking bad, so of course we cover the boom in Tor exit nodes configured to steal the cryptocurrency of Tor

Betsy covers the unanimous view of chip making and consuming companies that the federal government should subsidize chip making in the US. Industrial policy is making a comeback, we note, but Betsy reminds us there’s a reason it went away. *cough*Solyndra*cough*

Betsy seizes on the latest WhatsApp tactic to lament the willingness of data-driven tech companies to annoy us into submission.

Nick and I cross swords over Apple’s firing of Antonio García Martínez, author of Chaos Monkeys, in my view one of the funniest and most insightful Silicon Valley books of the last decade. Part of its appeal is Garcia Martinez’s relentless burning of every bridge in his past business and personal life. How, you keep asking, can he recover from telling all those truths about Morgan Stanley, Facebook, Y Combinator, and AdTech? Turns out, he can’t. But it wasn’t any of those supposedly potent institutions that nailed him. Instead, it was his claim that the women of Silicon Valley are mostly “soft and weak, cosseted and naïve” and possessed of a “self-regarding entitlement feminism.”

Apple employees demanded that they be protected from Garcia Martinez, and he was summarily fired. Way to go, Apple employees! Nothing rebuts a stereotype of female softness and entitlement like demanding to be protected from someone who doesn’t share your feminism. (Nick thinks Garcia Martinez is a walking sexual harassment judgment. He didn’t like the book either.) The more interesting question is whether hiring Garcia Martinez shows just how determined Apple is to replace Facebook as Google’s main competition in the “leverage customer data to sell ads” business.

In quick hits, I revisit the claim that a Saudi prince hacked Jeff Bezos’s phone and turned his unexpurgated selfies over to the National Enquirer in order to suppress Washington Post publicity over the killing of Jamal Khashoggi. That was all BS, it turns out, apparently designed to turn Bezos from an ordinary tawdry adulterer into a press freedom crusader.

And Nick draws our attention to Counterfit, a promising Microsoft tool for testing AI algorithms to find security flaws.

And more!


Download the 362nd Episode (mp3).

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

On May 12, 2021, President Biden signed a landmark Executive Order to improve and modernize the federal government’s cybersecurity infrastructure. The Executive Order comes in the wake of numerous cyber incidents targeting the United States, including the so-called SolarWinds, Microsoft Exchange, and Colonial Pipeline incidents. The Executive Order will directly affect government contractors, including companies that sell software to the government or provide IT services. More broadly, but less directly, the Executive Order is likely to influence the informal, and eventually formal, development of cybersecurity standards for software and hardware makers and providers of online services generally, even when the government is not a customer.

President Biden’s Executive Order takes the following steps:

  • Removing barriers to sharing threat information
    • The Executive Order helps facilitate the sharing of cyber threat and incident information between IT service providers and federal government agencies by (1) removing contractual barriers to such exchanges and (2) requiring the reporting of information about cyber incidents to federal agencies.
  • Strengthening federal government cybersecurity
    • The Executive Order requires the federal government to adopt cybersecurity best practices including “advance[ing] toward Zero Trust Architecture; accelerat[ing] movement to secure cloud services…central[izing] and streamlin[ing] access to cybersecurity data to drive analytics for identifying and managing cybersecurity threats; and invest[ing] in both technology and personnel to match these modernization goals.” As part of these efforts, federal agencies are ordered to “adopt multi-factor authentication and encryption for data at rest and in transit, to the maximum extent consistent with Federal records laws and other applicable laws.”
  • Enhancing software supply chain security
    • The Executive Order mandates the establishment of minimum-security standards for software sold to the federal government. In particular, the standards must address:
      • “Secure software development environments;
      • “Generating and, when requested by a purchaser, providing artifacts [e.g. data] that demonstrate conformance to the processes” implemented to ensure secure software development environments;
      • “Employing automated tools, or comparable processes, to maintain trusted source code supply chains, thereby ensuring the integrity of the code”;
      • “Employing automated tools, or comparable processes, that check for known and potential vulnerabilities and remediate them, which shall operate regularly, or at a minimum prior to product, version, or update release”;
      • “Providing, when requested by a purchaser, artifacts of the execution of the tools and processes described [in the prior two bullets] and making publicly available summary information on completion of these actions, to include a summary description of the risks assessed and mitigated”;
      • “Maintaining accurate and up-to-date data, provenance (i.e., origin) of software code or components, and controls on internal and third-party software components, tools, and services present in software development processes, and performing audits and enforcement of these controls on a recurring basis”;
      • “Providing a purchaser a Software Bill of Materials (SBOM) for each product directly or by publishing it on a public website”;
      • “Participating in a vulnerability disclosure program that includes a reporting and disclosure process”;
      • “Attesting to conformity with secure software development practices”;
      • “Ensuring and attesting, to the extent practicable, to the integrity and provenance of open source software used within any portion of a product.”
    • The Executive Order also directs development of a pilot program to create a labeling system which would allow the government (and the public) to determine whether software was developed securely.
  • Establishing a Cybersecurity Safety Review Board
    • The Board, which is to be led by individuals from the government and the private sector, will convene following major cybersecurity incidents to review and assess such incidents, mitigation, and response efforts. This idea has been likened to the National Transportation Safety Board (NTSB) for transportation incidents.
  • Standardizing the federal government’s playbook for responding to cybersecurity vulnerabilities and incidents
    • The Executive Order promotes the implementation of “standardized response processes [to] ensure a more coordinated and centralized cataloging of incidents and tracking of agencies’ progress toward successful responses.” Various federal agencies are required to coordinate to “develop a standard set of operational procedures (playbook) to be used in planning and conducting a cybersecurity vulnerability and incident response activity respecting [Federal Civilian Executive Branch] Information Systems.”
  • Improving detection of cybersecurity vulnerabilities and incidents on federal government networks
    • The Executive Order requires the federal government to “employ all appropriate resources and authorities to maximize the early detection of cybersecurity vulnerabilities and incidents on its networks.” Such measures must “include increasing the Federal Government’s visibility into and detection of cybersecurity vulnerabilities and threats to agency networks in order to bolster the Federal Government’s cybersecurity efforts.”
  • Enhancing the federal government’s investigative and remediation capabilities
    • The Executive Order requires the formulation of “policies for agencies to establish requirements for logging, log retention, and log management.”
  • Introducing National Security System Requirements
    • The Executive Order mandates the application of the requirements set forth in the Order to National Security Systems (i.e., non-civilian systems).

The Executive Order constitutes a major step forward in strengthening cyber defenses against the sorts of attacks that have bedeviled government agencies and private companies for decades now. Government contractors will need to comply with the new requirements that will result from the Executive Order. But even more broadly, the Executive Order and the rules that flow from it will have an impact on all companies by creating new expectations for threat and incident reporting and new standards (whether informal or formal) for cybersecurity.

Bruce Schneier joins us to talk about AI hacking in all its forms. He’s particularly interested in ways AI will hack humans, essentially preying on the rough rules of thumb programmed into our wetware – that big-eyed, big-headed little beings are cute and need to have their demands met or that intimate confidences should be reciprocated. AI may not even know what it’s doing, since machines are famous for doing what works unless there’s a rule against it. Bruce is particularly interested in law-hacking – finding and exploiting unintended consequences buried in the rules in the U.S. Code. If any part of that code will lend itself to AI hacking, Bruce thinks, it’s the tax code (insert your favorite tax lawyer joke here). It’s a bracing view of a possible near-term future.

In the news, Nick Weaver and I dig into the Colonial Pipeline ransomware attack and what it could mean for more aggressive cybersecurity action in Washington than the Biden administration was contemplating just last week as it was pulling together an executive order that focused heavily on regulating government contractors.

Nate Jones and Nick examine the stalking flap that is casting a cloud over Apple’s introduction of AirTags.

Michael Weiner takes us through a quick tour of all the pending U.S. government antitrust lawsuits and investigations against Big Tech. What’s striking to me is how much difference there is in the stakes (and perhaps the prospects for success) depending on the company in the dock. Facebook faces a serious challenge but has a lot of defenses. Amazon and Apple are being attacked on profitable but essentially peripheral business lines. And Google is staring at existential lawsuits aimed squarely at its core business.

Nate and I mull over the Russian cybercrime proposal at the UN. The good news is that stopping progress in the UN is usually even easier than stopping legislation in Washington.

Nate and I also puzzle over ambiguous leaks about what DHS wants to do with private firms as it tries to monitor extremist chatter online. My guess: This is mostly about wanting the benefit of anonymity or a fake persona while monitoring public speech.

And then Michael takes us into the battle between Apple and Fortnite over access to the app store without paying the 30% cut demanded by Apple. Michael thinks we’ve mostly seen the equivalent of trash talk at the weigh-in so far, and the real fight will begin with the economists’ testimony this week.

Nick indulges a little trash talk of his own about the claim that Apple’s app review process provides a serious benefit to users, citing among other things the litigation-driven disclosure that Apple never sent emails to users of the 125 million buggered apps it found a few years back.

Nick and I try to make sense of stories that federal prosecutors in 2020 sought phone records for three Washington Post journalists as part of an investigation into the publication of classified information that occurred in 2017.

I try to offer something new about the Facebook Oversight Board’s decision on the suspension of President Trump’s account. To my mind, a telling and discrediting portion of the opinion reveals that some of the board members thought that international human rights law required more limits on Trump’s speech – and they chose to base that on the silly notion that calling the coronavirus a Chinese virus is racist. Anyone who has read Nicholas Wade’s careful article knows that there’s lots of evidence the virus leaked from the Wuhan virology lab. If any virus in the last hundred years deserves to be named for its point of origin, then, this is it. Nick disagrees.

Nate previews an ambitious task force plan on tackling ransomware. We’ll be having the authors on the podcast soon to dig deeper into its nearly 50 recommendations.

Signal is emerging as Corporate Troll of the Year, if not the decade. Nick explains how, fresh from trolling Cellebrite, Signal took on Facebook by creating a bevy of personalized Instagram ads that take personalization to the Next Level.

Years after the fact, the New York Attorney General has caught up with the three firms that generated fake comments opposing the FCC’s net neutrality rollback. They’ll be paying fines. But I can’t help wondering why anyone thinks it’s useful to think about proposed rules by counting the number of postcards and emails that shout “yes” or “no” but offer no analysis.


Download the 361st Episode (mp3).