It’s a story that has everything, except a reporter able to tell it. A hostile state attacking the US power grid is a longstanding and quite plausible national security concern.

The Trump administration was galvanized by the threat, even seizing Chinese power equipment at the port to do a detailed breakdown and then issuing an executive order and follow-up rulings designed to cut Chinese products from the supply chain.

Yet the Biden administration suspended this order for 90 days – the only Trump cybersecurity Order to be called into question so far.

Industry lobbying? Chinese maneuvering? Tech uncertainty? No one knows, but Brian Egan and I at least sketch the outlines of an irresistible story that will have to wait for a persistent journalist.

The SolarWinds story needs a new moniker, as the compromises spread beyond the scope of SolarWinds distributions to victims like Malwarebytes.

Increasingly, it looks as though Microsoft and its cloud are the common denominators, Sultan Meghji and I observe, but that’s one moniker the story will never acquire.

In other cyber TTP news, the Chinese are stealing airline passenger reservation data, Sultan notes.

Maybe they’re just trying to find out when Mike Pompeo next plans to come to China so they can meet him at the airport and enforce their latest sanctions – no Great Wall tours for you, Mr. Secretary!

This is our last week of Trumpian cyber news, so we wallow in it. The President issued a last-minute order calling for an assessment of the security risks of Chinese drones, Maury Shenk tells us.

And Brian unpacks the other last-minute order requiring US cloud providers to know which foreigners they are selling virtual machines to.

I claim victory in my short letter to Secretary Mnuchin, suggesting that, instead of jamming a cryptocurrency regulation through on his watch, he concentrates on convincing Secretary-designate Yellen to carry through. If he took my advice, it seems to have worked. Sultan reports that she is showing signs of wanting to “curtail” cryptocurrency.

In other news, Sultan boldly predicts the advent of interplanetary cryptocurrency in Elon Musk’s lifetime.

Brian and I unpack the latest Cyberspace Solarium Commission product, the Transition Book, and its pitch to the Biden administration.

I predict that the statutorily mandated cybersecurity director will have to be subordinated to the Deputy National Security Adviser for cybersecurity for the office to be accepted in the administration.

And in quick hits, Maury covers the surprisingly robust European enforcement of employee protections against video surveillance.

I explain Parler’s loss in trying to overturn the AWS ban that pushed it off the internet.

Sultan explains why the Biden Peloton is a cybersecurity risk, and I tip my hat to the President’s physical fitness.

I summarize the Mike Ellis story; he held the job of NSA’s general counsel for about a day before a political witch-hunt caught up with him, and may never serve another day.

And, finally, a little schadenfreude for the European Parliament, which is being investigated by the EU’s lead data regulator for poor cookie notices on a website it set up for MEPs to book coronavirus tests. The complainant? Max Schrems, who is on his way to becoming as unpopular with European politicos as he is in the US.

And more.

Download the 346th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

We interview Jane Bambauer on the failure of COVID-tracking phone apps. She and Brian Ray are the authors of “COVID-19 Apps Are Terrible—They Didn’t Have to Be,” a paper for Lawfare’s Digital Social Contract project. It turns out that, despite high hopes, the failure of these apps was overdetermined, mainly by twenty years of privacy scandalmongering and privacy laws. In essence, Google and Apple set far too strict rules for the apps in an effort to avoid privacy-based political attacks, and the governments that could have reined them in surrendered instead, in order to avoid privacy-based political attacks. So, we have no one to blame but ourselves, and our delusional enthusiasm for privacy.

In the news roundup, suddenly face recognition isn’t toxic at all, since it can be used to identify pro-Trump protesters. And, of course, we have always been at war with Oceania. Dave Aitel explains why face recognition might work even with a mask but still not be very good. And Jane Bambauer reprises her recent amicus argument that Illinois’s biometric privacy law is a violation of the First Amendment.

If you heard last week’s episode about Silicon Valley speech suppression, you might be interested in seeing the proposal I came up with then, now elaborated into a Washington Post Op-Ed. Meanwhile, Dave reports that Parler may be back from the dead but dependent on Russian infrastructure. Dave wants to know if that means Parler can be treated by the Biden team like TikTok was treated by the Trump administration.

Dave also brings us up to speed on the latest SolarWinds news. He also casts a skeptical eye on a recent New York Times article pointing fingers at JetBrains as a possible avenue of attack. The story was anonymously sourced and remains conspicuously unconfirmed by other reporting.

Not dead yet, the Trump administration has delivered regulations for administering the executive order allowing the exclusion of risky components from the national IT and communications infrastructure. Maury Shenk explains the basics.

Speaking of which, China is getting ready to strike back at such measures, borrowing the basic blocking statute rubric invented by the Europeans. Blocking statutes can be effective, but only by putting private companies in a vise between two inconsistent legal duties. Bad news for the companies, but more work for lawyers.

I ride one more hobbyhorse, critiquing Mozilla’s decision to protect “user privacy” while imposing new burdens and risks on enterprise security. The object of my ire is Firefox’s Encrypted Client Hello. Dave corrects my tech but more or less confirms that this is one more nail in the coffin for CISO control of corporate networks.

Matthew Heiman and I dig into the latest ransomware gang tactics – going after top executive emails to raise the pressure to pay. The answer? I argue for more fake emails.

In a few quick hits, Maury tells us about the CNIL’s decision that privacy law prevents France from using drones to enforce its coronavirus rules.

I note a new FDIC cybersecurity rule that isn’t (yay!) grounded in personal data protection.

Maury explains the recent EU advocate general’s opinion, which would probably make Schrems II even less negotiable than it is now. I argue that the European Court of Justice will adopt it, unless the Court can find some resolution that is even more anti-American than the advocate general’s proposal.

And, finally, Matthew tells us that the State Department has reorganized to deal with cyber issues – a reorganization that may not last longer than a few months.

And more.

Download the 345th Episode (mp3).


In this episode, I interview Zach Dorfman about his excellent reports in Foreign Policy about US-China intelligence competition in the last decade. Zach is a well-regarded national security journalist, a Senior Staff Writer at the Aspen Institute’s Cyber and Technology program, and a Senior Fellow at the Carnegie Council for Ethics in International Affairs. We dive deep into his tale of how the CIA achieved remarkable penetration of the Chinese government and then lost it, inspiring China to build a far more professional and formidable global intelligence network.

In the news roundup, we touch on the disgraceful demonstration-cum-riot at the Capitol this week and the equally disgraceful Silicon Valley rush to score points on the right in a way they never did with the BLM demonstrations-cum-riots last summer. Nate Jones has a different take, but we manage to successfully predict Parler’s shift from platform to (antitrust) plaintiff and to bond over my proposal to impose heavy taxes on social media with more than ten million users. Really, why spend three years in court trying to break ‘em up when you can get them to do it themselves and raise money to boot?

SolarWinds keeps blowing. Sultan Meghji and Zach give us the latest on the attribution to Russia, the fine difference between attack and espionage, and the likelihood of direct or indirect regulation.

Pete Jeydel and Sultan cover the latest round of penalties imposed by the rapidly dwindling Trump administration on Chinese companies.

Nate dehypes the UK High Court decision supposedly ruling on mass hacking. He previews some Biden appointments, and we talk about the surprising rise of career talent and why that might be happening. Nate also critiques DNI Grenell after accusations of politicization of intelligence. I’m kinder. But not when I condemn Distributed Denial of Secrets for joining forces with ransomware gangs to punish victims; it’s hard to believe that anyone could make Julian Assange and Wikileaks look responsible, but they do. Speaking of Julian, he’s won another Pyrrhic victory in court – likely extending his imprisonment with another temporizing win.

And more.

Download the 344th Episode (mp3)


Episode 343 of the Cyberlaw Podcast is a long meditation on the ways in which technology is encouraging other nations to exercise soft power inside the United States. I interview Nina Jankowicz, author of How to Lose the Information War on how Russian disinformation has affected Poland, Ukraine, and the rest of Eastern Europe – and the lessons, if any, those countries can offer a divided United States.

In the news, Bruce Schneier and I dig for more lessons in the rubble left behind by the SolarWinds hack. Nobody comes out looking good. Persistent engagement and defending forward only work if you’re actually, you know, engaged and defending, and Russia’s cyberspies managed (not surprisingly) to hide their achievement from NSA and Cyber Command.

More and better defense is another answer (not that it’s worked for the last 40 years it’s been tried). But whatever solution we pursue, Bruce makes clear, it’s going to be expensive.

Taking a quick break from geopolitics, Michael Weiner gives us a rundown on the new charges and details (mostly redacted) in the Texas case against Google for monopolization and conspiring with competitor Facebook. The scariest thing about the case from Google’s point of view, though, may be where it’s been filed. Not Washington but Beaumont, Texas, the most notoriously pro-plaintiff, anti-corporate jurisdiction in the country.

Returning to ways in which foreign governments are using our technology against us, David Kris tells the story of the Zoom executive who used pretextual violations of terms of service to take down speech the Chinese government didn’t like, censoring American efforts to hold a Tiananmen memorial. The good news: he was indicted by the Justice Department. The bad news: I can’t help suspecting that China learned this trick from lefty ideologues in Silicon Valley.

Aaand, right on cue, it turns out that China’s been accused of using its 50-cent army to file complaints of racism and video game violence to get YouTube to demonetize Americans using the platform to criticize China’s government.

Then Bruce points us toward a deep and troubling series of Zach Dorfman articles about how effectively China is using technology to vault over US intelligence agencies in the global spying competition.

And in quick succession, David Kris explains what’s new and what’s not in Israel’s view of international law and cyberconflict.

I note that President Trump’s NDAA veto has been overridden, making the cyberczar and DHS’s CISA the biggest winners in the cyber policy arena.

Bruce and I give a lick and a promise to the FinCEN proposed rule regulating. We’re both inclined to think more regulation is worth pursuing, but we agree it’s too late for this administration to get anything on the books.

David Kris notes that Twitter has been fined around $550K over a data breach filing that was a few days late – by the Irish data protection office, in a GDPR ruling that is a few years late.

Apple has lost its bullying copyright battle against security start-up Corellium but the real risk to Corellium may be in the as-yet unresolved claim for violation of the DMCA.

And Trump’s DHS is leaving office with new warnings about the cyber risks of Chinese technology, this time touching on backdoors in TCL smart TVs and spillage from Chinese data services.

And More!


Download the 343rd Episode (mp3).


According to media reports, Russian government hackers have penetrated the systems of thousands of companies across a variety of industries, as well as numerous US government agencies. Moreover, what has been publicly reported may be only the tip of the iceberg in terms of both the scope of the attacks’ victims and the attackers’ methodologies. The most recent reporting also suggests that victim companies are not just those that would be of obvious interest to Russian intelligence services. Accordingly, all companies should assess whether they have been affected by this attack, what steps they need to take to remediate those effects, and what legal and contractual obligations they may have to notify government agencies, business partners, customers, and individuals. Continue reading: The Urgent Need to Assess and Respond to Russian Supply Chain Attacks

  • Our interview is with Alex Stamos, who lays out a complex debate over child sexual abuse that’s now roiling Brussels. The application of European privacy standards and AI hostility to internet communications providers has called into question the one tool that has reduced online child sex predation. Scanning for sex abuse images works well, and even scanning for signs of “grooming” is surprisingly effective. But they depend on automated monitoring of communications content, something that has come as a surprise to European lawmakers hoping to impose more regulation on American tech platforms. Left unchanged, the new European rules could make it easier to abuse American kids. Alex explains the rushed effort to head off that disaster – and tells us what Ashton Kutcher has to do with it (a lot, it turns out).
  • Meanwhile, in the news roundup, Michael Weiner breaks down the FTC’s (and the states’) long-awaited antitrust lawsuit against Facebook. Maybe the government will come up with something as the case moves forward, but its monopolization claims don’t strike me as overwhelming. And, Mark MacCarthy points out, the likelihood that the lawsuit will do something good on the privacy front is vanishingly small.
  • Russia’s SVR, heir of the KGB, is making headlines with a remarkably sophisticated and well-hidden cyberespionage attack on a lot of institutions that we hoped were better at defense than they turned out to be. Nick Weaver lays out the depressing story, and Alex offers a former CISO’s perspective, arguing for a federal breach notification law that goes well beyond personal data and includes disciplined after-action reports that aren’t locked up in post-litigation gag orders. Jamil Jaffer tells us that won’t happen in Congress any time soon.
  • Jamil also comments on the prospects for the National Defense Authorization Act, chock full of cyber provisions and struggling forward under a veto threat. If you’re not watching the European Parliament tie itself in knots trying to avoid helping child predators, tune in to watch American legislators tie themselves into knots trying to pass an important defense bill without drawing the ire of the President.
  • The FCC, in an Ajit Pai farewell, has been hammering Chinese telecoms companies. In one week, Jamil reports, the FCC launched proceedings to kick China Telecom out of the US infrastructure, reaffirmed its exclusion of Huawei from the same infrastructure, and adopted a “rip and replace” mandate for US providers who still have Chinese gear in their networks.
  • Nick and I clash over the latest move by Apple and Google to show their contempt for US counterterrorism efforts – the banning of a location data company whose real crime was selling the data to (gasp!) the Pentagon.
  • Mark explains the proposals for elaborate new regulation of digital intermediaries now working their way through – where else? – Brussels. I offer some cautious interest in regulation of “gatekeeper” platforms, if only to prevent Brussels and the gatekeepers from combining to slam the Overton window on conservatives’ fingers.
  • Mark also reports on the Trump administration’s principles for US government use of artificial intelligence, squelching as premature my celebration at the absence of “fairness” and “bias” cant.
  • Those who listen to the roundup for the porn news won’t be disappointed, as Mark and I dig into the details of Pornhub’s brush with cancellation at the hands of Visa and Mastercard – and how the site might overcome the attack.
  • In short hits, Nick and I disagree about Timnit Gebru, the “ethicist” who was let go at Google after threatening to quit and who now is crying racism. I report on the enactment of a modest but useful IoT Cybersecurity law and on the doxxing of the Chinese Communist Party membership rolls as well as the adoption of the most law-enforcement-hostile technology yet to come out of Big Tech – Amazon’s Sidewalk.
  • And More!

Download the 342nd Episode (mp3).


Did you ever wonder where all that tech money came from all of a sudden? Turns out, a lot of it comes from online programmatic ads, an industry that gets little attention even from the companies, such as Google, that it made wealthy. That lack of attention is pretty ironic, because lack of attention is what’s going to kill the industry, according to Tim Hwang, former Google policy maven and current research fellow at the Center for Security and Emerging Technology (CSET).

In our interview, Tim Hwang explains the remarkably complex industry and the dynamics that are gradually leaching the value out of its value proposition. Tim thinks we’re in an attention bubble, and the popping will be messy. I’m persuaded the bubble is here, but not that its end will be disastrous outside of Silicon Valley.

Sultan Meghji and I celebrate what seems like excellent news about a practical AI achievement in predicting protein folding. It’s a big deal, and an ideal problem for AI, with one exception. The parts of the problem that AI hasn’t solved would be a lot easier for humans to work on if AI could tell us how it solved the parts it did figure out. Explainability, it turns out, is the key to collaborative AI-human work.

We welcome first-time participant and long-time listener Jordan Schneider to the panel. Jordan is the host of the unmissable ChinaTalk podcast. Given his expertise, we naturally ask him about … Australia. Actually, it’s a natural, because Australia is now the testing ground for many of China’s efforts to exercise power over independent countries using cyber power along with trade. Among the highlights: Chinese tweets highlighting a report about Australian war crimes followed by ham-handed tweet-boosting bot campaigns. And in a move that ought to be featured in future justifications of the Trump administration’s ban on WeChat, the platform refused to carry the Australian prime minister’s criticism of the war-crimes tweet. Ted Cruz, call your office!

And this will have to be Sen. Cruz’s fight, because it looks more and more as though the Trump administration has thrown in the towel. Its claim to be negotiating a TikTok sale after ordering divestment is getting thinner; now the divestment deadline has completely disappeared, as the government simply says that negotiations continue. Nick Weaver is on track to win his bet with me that CFIUS won’t make good on its order before the mess is shoveled onto Joe Biden’s plate.

Whoever was in charge of beating up WeChat and TikTok may have left government early, but the team that’s sticking pins in other Chinese companies is still hard at work. Jordan and Brian talk about the addition of SMIC to the amorphous Defense blacklist. And Congress has passed a law (awaiting Presidential signature) that will make life hard for Chinese firms listed on US exchanges.

China, meanwhile, isn’t taking this lying down, Jordan reports. It is mirror-imaging all the Western laws that it sees as targeting China, including bans on exports of Chinese products and technology. It is racing (on what Jordan thinks is a twenty-year pace) to create its own chip design capabilities. And with some success. Sultan, newly dubbed the podcast’s DeHyper, takes some of the hype out of China’s claims to quantum supremacy. Though even dehyped, China’s achievement should be making those who rely on RSA-style crypto just a bit nervous (that’s all of us, by the way).

Michael Weiner previews the still veiled state antitrust lawsuit against Facebook and promises to come back with details as soon as it’s filed.

In quick hits, I explain why we haven’t covered the Iranian claim that their scientist was rubbed out by an Israeli killer robot machine gun: I don’t actually believe them. Brian explains that another law aimed at China and its use of Xinjiang forced labor is attracting lobbyists but likely to pass. Apple, Nike, and Coca-Cola have all taken hits for lobbying on the bill; none of them say they oppose the bill, but it turns out there’s a reason for that. Lobbyists have largely picked the bones clean.

President Trump is leaving office in typical fashion – gesturing in the right direction but uninterested in actually getting there. In a “Too Much Too Late” negotiating move, the President has threatened to veto the defense authorization act if it doesn’t include a repeal of section 230 of the Communications Decency Act. If he’s yearning to wield the veto, Dems and GOP alike seem willing to give him the chance. They may even override, or wait until January 20 to pass it again.

Finally, I commend to interested listeners the oral argument in the Supreme Court’s Van Buren case, about the Computer Fraud and Abuse Act. The Solicitor General’s footwork in making up quasitextual limitations on the more sweeping readings of the Act is admirable, and it may well be enough to keep van Buren in jail, where he probably belongs for some crime, if not this one.

And more.

Download the 341st Episode (mp3).


Our interview in this episode is with Michael Daniel, formerly the top cybersecurity adviser in the Obama NSC and currently the CEO of the Cyber Threat Alliance.  Michael lays out CTA’s mission. Along the way he also offers advice to the Biden cyber team – drawing in part on the wisdom of Henry Kissinger.

In the news roundup, Michael joins Jamil Jaffer and Nate Jones to mull the significance of Bruce Reed’s appointment to coordinate technology issues in the Biden White House.  Reed’s tough take on Silicon Valley companies and section 230 may form the basis of a small-ball deal with Republicans on things like child sex abuse material, but none of us think a broader reconciliation on content moderating obligations is in the offing.

When it comes to regulating the tech sector, Brussels is a fount of proposals. The latest, unpacked by Jamil and Maury Shenk, is intended to build on the dubious success of GDPR in jumpstarting the EU’s technology industry.

Maury and I puzzle over exactly how a Russian divorcee won a court order allowing access to her estranged son’s Gmail account. Our guess: the court stretched a point to conclude that the son had consented.

Another day, another China-punishing measure from the Trump administration: Jamil explains the administration’s vision of a bloc of countries that will unite in resistance to China’s punitive trade retaliation against inconvenient Western countries, most notably Australia, now getting hit hard by China.

Meanwhile, Maury reports that the administration has identified nearly 90 Chinese companies that are too closely tied to the Chinese military for purposes of export control licenses. The only good news for US exporters is that the list eliminates some ambiguity about the status of some companies.

Maury also gives an overview of what most of us think is an oxymoron: Privacy in China. In fact, there is growing attention to protecting privacy at least from commercial companies. And harsh enforcement, as always, makes observers wonder “who did that company piss off?” before they wonder “what did that company do wrong?”

Maury also reports on the effort to revive Privacy Shield – and on just how little the negotiators have to work with.

Jamil comments on the ever-rising cost of cybersecurity, and possible implications for bank consolidation.

Nate reviews the privacy and security doubts about Amazon’s Sidewalk feature, which turns Alexa devices into neighborhood WiFi networks.

Maury and I note that the deadline for a TikTok sale is still a week away and maybe always will be.

Jamil wonders why ZTE asked the FCC to reconsider its exclusion of the company from the US telecoms infrastructure. The FCC order denying the request was not exactly a marketing triumph.

Jamil and I have fun asking how much snooping will go on in a proposed new fiber-optic network linking Saudi Arabia and Israel.

Nate is not surprised that France is pushing its tax for the (US) tech sector, but we debate whether the timing will turn out to be good for France or bad. I claim that White House ADHD is France’s best friend.

Maury and I try to figure out whether there’s a public policy case in favor of the Rivada plan to take over a bunch of DoD spectrum and rent out whatever is excess to DoD needs. Maybe there is, but we can’t find it.

And more.

Download the 340th Episode (mp3)


This is my favorite story of the episode. David Kris covers a report from the Privacy and Civil Liberties Oversight Board on the enormous value that European governments get in fighting terrorism from the same American surveillance programs that European institutions have been fighting for twenty years to shut down.  It’s a delightful takedown of European virtue-signaling, and I hope the Biden Administration gives the PCLOB a new name and mission in honor of the report.

But we begin the news roundup with a review of the US-China tech relationship and how it might change under a Biden administration. The Justice Department has issued itself a glowing report card for its contribution to decoupling – the opening of a new China-related counterintelligence case every 10 hours. I wonder how long this can go on before China starts arresting American businessmen – and kicks off another round of decoupling.

Speaking of decoupling, the latest legislation aimed at prison labor in China may be getting uncomfortably close to hitting Apple, which is quietly lobbying to water down a bill that most of us expect to pass soon by overwhelming majorities. Megan Stifel and I conclude that the provision that probably scares Apple most is an obligation to make representations about whether the company’s products include parts made with prison labor. That is increasingly difficult to figure out as China has limited audits for such purposes, putting Apple in an increasingly tight spot. Sympathy for Tim Cook is in short supply.

Speaking of legacy burnishing, the Trump White House has issued its own set of guidelines for federal agencies using artificial intelligence. Nick Weaver thinks it’s actually not bad – light touch on most topics – which may be the nicest thing he’s said about a product of this White House in four years. Sticking with AI, Nick comments on the prospect for putting humans in the loop of AI decision making.  He thinks that’s a recipe for lousy AI, and that campaigns to get a “Human in the Loop” for lethal systems have already lost the technology fight. At best, we can hope to have our poky old brains “on the loop” in future AI conflicts.

More good news: an IoT security bill that Megan and I both like (Megan more than I) has passed Congress and been sent to the President for signature. It only sets standards for IoT that the federal government buys, but that’s a good first step.

As a former NSAer, I explain “GCHQ envy” to David, and he provides the latest reason why it must be rampant at the Fort this year, as the agency introduces a new offensive cyber unit to take on organized crime and hostile states.

David also takes on the question whether there’s a legal problem with the U.S. military buying location data from apps companies.  Short answer: Nope.

Megan explains a now-patched Facebook Messenger bug that would have allowed hackers to listen in on users. Nick tells us why the FBI needed to hire robots to retrieve sensitive files. Megan gives us some staggering statistics about the prevalence of ransomware. Hint: if you thought COVID-19 was a pandemic, you ain’t seen nothin’ yet. I give a quick summary of the TikTok and WeChat ban litigation, where the government is unlimbering a host of new technical arguments.

I give a shoutout to Sean Joyce, whose principles led him to walk away from what is probably going to be serious money when Airbnb goes public. The company’s leadership let him argue against giving data about individual users to the Chinese government before the users actually move in.  But the debate ended when one of the execs opined, “We’re not here to promote American values.” That may not be a good look for Airbnb, but it is for Joyce, who left the company within weeks over the principle.

And, finally, it turns out that the FCC is in its last weeks of Trump legacy burnishing; facing a deadline in January 2020, it had to choose between starting to write regulations about the scope of section 230 and dealing with foreign products in the 5G infrastructure.  It chose 5G.

And more.

Download the 339th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Another week, another Trump administration initiative to hasten the decoupling from China. As with MIRV warheads, the theory seems to be that the next administration can’t shoot them all down.  Brian Egan lays out this week’s initiative, which lifts from obscurity a DoD list of Chinese military companies and excludes them from U.S. capital markets.

Our interview is with Frank Cilluffo and Mark Montgomery. Mark is Senior Fellow at the Foundation for Defense of Democracies and Senior Advisor to the congressionally mandated Cyberspace Solarium Commission. Previously, he served as Policy Director for the Senate Armed Services Committee under Senator John S. McCain—and before that served for 32 years in the U.S. Navy as a nuclear-trained surface warfare officer, retiring as a Rear Admiral in 2017. Frank is Director of Auburn University’s McCrary Institute for Cyber and Critical Infrastructure Security. He served on the Cyberspace Solarium Commission and chaired the Homeland Security Advisory Council’s subcommittee on economic security. We talk about the unexpected rise of the industrial supply chain as a national security issue. Both Frank and Mark were moving forces in two separate reports highlighting the issue, as was I. So, if we seem suspiciously agreed on important issues, it’s because we are. Still, as an introduction to one of the surprise hot issues of the year, it’s not to be missed.

After our interview of a Justice Department official on how to read Schrems II narrowly, it was only a matter of time. Charles Helleputte reviews the EDPB’s effort to give more authoritative and less comfortable advice to U.S. companies that want to keep relying on the standard contractual clauses. Still, the Justice Department take on the topic manages to squeak through without a direct hit from the privacy bureaucrats. Even so, the EDPB (and the EDPS even more) makes clear that anyone following the DOJ’s lead is in for an uphill fight. For those who want more of Charles’s thinking on the topic, see this short piece.

Zoom has been allowed to settle an FTC proceeding for deceptive conduct (claiming that its crypto was end to end when it wasn’t, and more). Mark MacCarthy gives us details.  I rant about the FTC’s failure to ask any serious national security questions about a company that deserves some.

Brian brings us up to speed on TikTok.  Only one of the Trump administration penalties remains unenjoined. My $50 bet with Nick Weaver that CFIUS will overcome judicial skepticism that IEEPA could not is hanging by a thread. Casey Stengel makes a brief appearance to explain how TikTok might win.

Brian also reminds us that export control policymaking is even slower and less functional on the other side of the Atlantic, as Europe tries, mostly ineffectively, to adopt stricter limits on exports of surveillance tech.

Mark and I admire the new Aussie critical-infrastructure cybersecurity initiative, mostly for its clarity if not for its political appeal.

Charles explains and I decry the enthusiasm of European courts for telling Americans what they can say and read online. Apparently, we aren’t allowed to post on Facebook that political censorship is what members of a fascist party tend to advocate; but don’t worry about our liability; we can’t pronounce the plaintiff’s name. Faschy McFarschface, though, that I can pronounce.

So, in retrospect, how did we do in policing all the new cyberish threats to the 2020 election? Brian gives the government credit for preventing foreign interference. I question the whole narrative of foreign interference (other than the hack and dump operation against the DNC) in 2016 and 2020, noting how conveniently it serves Democratic messaging (Hillary only lost because of the Russians! Ignore Trump’s corruption allegations because it’s more Russian interference!). Mark and I wonder what Silicon Valley thinks it’s accomplishing with its extended bans on political advertising after the election. They’re going to find out it’s almost always election season somewhere (see, e.g., Georgia). DHS’s CISA produced a detailed rumor control site that may have corrected one too many of the President’s tweets. Chris Krebs, familiar to Cyberlaw Podcast listeners, may be on the chopping block. That would be a shame for DHS and CISA; for Chris it’s probably a badge of honor. Frank Cilluffo and Mark Montgomery weigh in with praise for Chris as well.

And more.

Download the 338th Episode (mp3)
