Header graphic for print

Steptoe Cyberblog

Episode 276: Alex Stamos on Electoral Interference in Taiwan

Posted in China, International

 

In this bonus episode of the Cyberlaw Podcast, Alex Stamos of Stanford’s Freeman Spogli Institute talks about the Institute’s recent paper on the risk of Chinese social media interference with Taiwan’s upcoming presidential election. It’s a wide-ranging discussion of everything from a century of Chinese history to the reasons why WeChat lost a social media competition in Taiwan to a Japanese company.  Along the way, Alex notes that efforts to identify foreign government election interference have been seriously degraded by (what else?) privacy law, mixed with fear of commercial consequences when China is the attacker. If companies make data about foreign government and “inauthentic” users public, the risk of liability under GDPR as well as Chinese retaliation is real, and the benefits go more to the nation as a whole rather than to the companies taking the risk.

During the interview, Alex references a paper co-authored by his colleague, Jennifer Pan, regarding the “50c party.” You can find that paper here. He also mentions his recent op-ed in Lawfare, which you can find here.


 

Download the 276th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Episode 275: Trump Derangement and the Trading with the Enemy Act

Posted in China, International

 

And we’re back with an episode that tries to pick out some of the events of August that will mean the most for technology law and policy this year. Dave Aitel opens, telling us that Cyber Command gave the world a hint of what “defending forward” looks like with an operation that is claimed to have knocked the Iranian Revolutionary Guard’s tanker attacks for a long-lasting loop.

David Kris lifts the curtain on China’s approach to information warfare, driven by the Hong Kong protests and its regional hegemonic ambitions.

Speaking of China, it looks as though that government’s determination to bring the Uighur population to heel led it to create a website devoted to compromising iPhones, in the process disclosing a few zero-days and compromising anybody who viewed the site. Dave Aitel teases out some of the less obvious lessons. He criticizes Apple for not giving security-minded users the tools they need to protect themselves. But he resists my suggestion that the FBI, which first flagged the site for Google’s Project Zero, went to Google because Apple wasn’t responsive to the Bureau’s concerns. (Alternative explanation: If you embarrass the FBI in court, don’t be surprised if they embarrass you a few years later.)

The lesson of the fight over Chinese disinformation about Hong Kong on Twitter and Facebook and the awkwardness of Apple’s situation when faced with Chinese hacking is that the US-China trade war is a lot more than a trade war. It’s a grinding, continental decoupling drift that the trade war is driving but which the Trump Administration probably couldn’t stop now if the president wanted to. We puzzle over exactly what the president does want. Then I shift to mocking CNN for Trump derangement and inaccuracy (yes, it’s an easy target, but give me a break, I’ve been away for a month): Claims that the president couldn’t “hereby order” US companies to speed their decoupling from China are just wrong as a matter of law. In fact, the relevant law, still in effect with modest changes, used to be called the Trading with the Enemy Act. And it’s been used to “hereby order” the decoupling of the US economy from countries like Nazi Germany, among others. Whether such an order in the case of China would be “lawful but stupid” is another question.

August saw more flareups over alleged Silicon Valley censorship of conservative speech. Facebook has hired former Sen. Kyl to investigate claims of anticonservative bias in its content moderation, and the White House is reportedly drafting an executive order to tackle Silicon Valley bias. I ask whether either the FTC or FCC will take up their regulatory cudgels on this issue and suggest that Bill Barr’s Justice Department might have enough tools to enforce strictures against political bias in platform censorship.

We close with the most mocked piece of tech-world litigation in recent weeks – Crown Sterling’s lawsuit against BlackHat for not enforcing its code of conduct while the company was delivering a widely disparaged sponsored talk about its new crypto system. Dave Aitel, who runs a cybersecurity conference of his own, lays out the difficulties of writing and enforcing a conference code of conduct. I play Devil’s Advocate on behalf of Crown Sterling, and by the end, Dave finds himself surprised to feel just a bit of Sympathy for the Devil.


 

Download the 275th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

New York Adopts New Data Breach Law, Including Data Security Requirements

Posted in Data Breach, Privacy Regulation

Last month, New York Gov. Andrew Cuomo signed into law the Stop Hacks and Improve Electronic Data Security Act (Shield Act). The Shield Act expands the type of personal information covered by New York’s data breach notification law, amends the definition of a “breach of security of the system” and the notification requirement itself, enhances the state attorney general’s enforcement authority of the data breach notification law, and introduces data security requirements for the first time. The Shield Act was passed by the New York Legislature in June. The Act goes into effect on October 23, 2019, with the exception of the Act’s data security requirements, which go into effect on March 21, 2020. Continue Reading

Episode 274: Will Silicon Valley have to choose between end-to-end crypto and shutting down speech it hates?

Posted in AI, China, International, Russia

 

Our guests this week are Paul Scharre from the Center for a New American Security and Greg Allen from the Defense Department’s newly formed Joint Artificial Intelligence Center. Paul and Greg have a lot to say about AI policy, especially with an eye toward national security and strategic competition. Greg sheds some light on DOD’s activity, and Paul helps us understand how the military and policymakers are grappling with this emerging technology. But at the end of the day, I want to know: Are we at risk of losing the AI race with China? Paul and Greg tell me not all hope’s lost – and how we can retain technological leadership.

Continue Reading

Episode 273: What it’s like to live through a big data breach

Posted in China, Data Breach, European Union, International

 

Today, I interview Frank Blake, who as CEO brought Home Depot through a massive data breach. Frank’s a former co-clerk of mine, a former Deputy Secretary of Energy, and the current host of Crazy Good Turns, a podcast about people who have found remarkable, even crazy, ways to help others. In addition to his insights on what it takes to lead an organization, Frank offers his views on how technology can transform nonprofit charitable initiatives. Along the way, he displays his characteristic sense of humor, especially about himself.

In the News Roundup, I ask Matthew Heiman if Google could have had a worse week in Washington? First Peter Thiel raised the question of whether it’s treasonous for the company to work on AI with Chinese scientists, not the US Defense Department, then Richard Clarke, hardly a conservative, says he agrees with the criticism. And, inevitably, President Trump weighs in with a Thiel-supporting tweet. Meanwhile, on the Hill, Google’s VP says the company has “terminated” Project Dragonfly, an effort to build a search engine that the Chinese government would approve. But that doesn’t prevent conservatives from lambasting the company for bias against conservatives and an unfair subsidy in the form of Section 230 of the Communications Decency Act. The only good news for Google is that despite all the thunder, no lightning has yet struck. Or so we thought for about five minutes, at which time Gus Hurwitz noted that Google is likely to face multimillion-dollar fines in an FTC investigation of child Internet privacy violations, not to mention a rule-making designed to increase the probability of future fines.

Speaking of which, European lightning struck Amazon this week in the form of new competition law scrutiny. Gus offers skepticism about the EU’s theory, over my counter-skepticism.

Julian Assange has completed his transformation from free-speech crusader to feces-speech crusader. Nick Weaver is astonished at the way Julian Assange managed to turn the Ecuadorian embassy into a fist-fighting, feces-smearing, election-meddling command post.

Nick also predicts that Kazakhstan will lose its war with Silicon Valley browser makers over a man-in-the-middle certificate the Kazakh government is forcing on its citizens in order to monitor their Internet browsing.

And in short hits, Gus questions whether $650 million is a harsh settlement of Equifax’s data breach liability; Nick closes the books on NSA hoarder Hal Martin’s 9-year prison sentence; and Nick explains the latest doxing of an intelligence agency – this time a contractor for the Russian FSB.


 

Download the 273rd Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Episode 272: Illuminating supply chain security

Posted in China, European Union, International, Security Programs & Policies

 

What is the federal government doing to get compromised hardware and software out of its supply chain? That’s what we ask Harvey Rishikof, coauthor of “Deliver Uncompromised,” and Joyce Corell, who heads the Supply Chain and Cyber Directorate at the National Counterintelligence and Security Center. There’s no doubt the problem is being admired to a fare-thee-well, and some evidence it’s also being addressed. Listen and decide!

Continue Reading

Episode 271: Is social media a disease, and how do we treat it?

Posted in AI, China, International

 

This week I interview Glenn Reynolds, of Instapundit and the UT Knoxville law school, about his new book, The Social Media Upheaval. In a crisp 64 pages, Glenn analogizes social media to a primeval city, where new proximity produces periodic outbreaks of diseases that more isolated people never experienced; traces social media’s toxicity to the desperate pursuit of engagement; and proposes remedies both for individual users and for society whole.  All that plus thoughtful advice on dietary supplements and deadlifts!

In the news roundup, Matthew Heiman dissects a recent Third Circuit ruling that Amazon can be held strictly liable for products it markets for third parties. Unlike Matthew, I am largely persuaded by the court’s ruling on products liability – but Matthew and I both have doubts about its use of section 230 of the Communications Decency Act to protect Amazon from failure to warn liability.

Maury Shenk and Nick Weaver review the progress of the War on Facial Recognition. Opponents have rolled out the ultimate weapon in modern left ideology – OMG, ICE is using it!  But facial recognition is still winning, mostly because its opponents are peddling undifferentiated fear of a technology that’s already being used for many very different purposes, from anonymously tracking shoppers moving through a store (where the store doesn’t need to know the shoppers’ identities) to boarding planes (where the airline damn well better know the passengers’ identities, and the tech only has a couple of hundred faces to match).

Matthew and Nick consider China’s seizing and installing spyware on travelers’ devices. Turns out, China’s practice isn’t all that different from most government efforts to extract data from phones, except that the Chinese leave the code on Android devices so that security researchers can reverse engineer China’s deepest fears. And what do they fear most?  Japanese heavy metal, apparently.  Almost makes you feel a bit of empathy for Beijing…

Maury also highlights Big Tech’s concerns about the UK’s particularly aggressive proposal for an online “duty of care.

Nick and I follow the problem of fake cancer cures being advertised on Facebook and YouTube down the usual ratholes – who should be responsible in the first place, and why does Silicon Valley think that algorithms will ever be able to discipline such content?

This Week in the US China trade war: No one seems to know exactly what President Trump’s concessions at the G-20 meeting amount to, but more and more US tech companies have decided that moving 30% of their tech sourcing out of China is a good idea no matter how the trade war ends. This war isn’t good for US companies, but it’s really not good for China’s. Which, come to think of it, is what President Trump has said right from the start.

Finally, if you’re looking for tough government action against contractors with bad cybersecurity, CBP is your agency.  It has cut ties with Perceptics, the firm that was breached by Boris the Bullet-Dodger, and seems to be readying a debarment proceeding that will cut the firm off from future contracts. Matthew and I speculate that there may be something more behind this harsh remedy – perhaps a lack of prompt contractor candor about the breach. Whatever the context, though, this proceeding is likely to set a precedent that haunts other contractors long into future.

Download the 271st Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunesGoogle Play, SpotifyPocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember, if your guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

 

 

Episode 270: China’s cyber offense comes of age

Posted in CFIUS, Cloud Computing, International, Security Programs & Policies

 

The theme this week is China’s growing confidence in using cyberweapons in new and sophisticated ways, as the US struggles to find an answer to China’s growing ambition to dominate technology. Our interview guest, Chris Bing of Reuters, talks about his deep dive story on Chinese penetration of managed service providers like HP Enterprise – penetration that allowed them access to hundreds of other companies that rely on managed service providers for most of their IT. Most chilling for the customers are strong suggestions that the providers often didn’t provide notice of the intrusions to their customers – or that the providers’ contracts may have prevented their customers from launching quick and thorough investigations when their own security systems detected anomalous behavior originating with the providers. Chris also tells the story of an apparent “Five Eyes” intrusion into Yandex, the big Russian search engine.

Continue Reading

Episode 269: A McLaughlin Group for cybersecurity

Posted in Cybersecurity and Cyberwar, International, Security Programs & Policies

 

Our interview guests are Dick Clarke and Rob Knake, who have just finished their second joint book on cybersecurity, The Fifth Domain. We talk about what they got right and wrong in their original book. There are surprising flashes of optimism from Clarke and Knake about the state of cybersecurity, and the book itself is an up-to-date survey of the policy environment. Best of all, they have the courage to propose actual policy solutions to problems that many others just admire. I disagree with about half of their proposals, so much light and some heat are shed in the interview, which I end by bringing back the McLaughlin Group tradition of rapid-fire questions and an opinionated “You’re wrong” whenever the moderator disagrees. C’mon, you know the arguments are really why you listen, so enjoy this one!

Continue Reading

More States Move to Restrict Companies’ Use or Sale of Personal Information

Posted in Privacy Regulation

In the aftermath of the passage of the California Consumer Privacy Act (CCPA) in 2018, numerous other states have begun to consider similar legislation. While most of those states are in the early stages of the legislative process, Nevada and Maine recently enacted laws strictly regulating what online companies can do with their customers’ personal information.

The Nevada legislation applies broadly to commercial online services that operate in the state, but its restrictions affect only the sale of customer information; it was signed into law on May 29, and will go into effect on October 1, 2019. The Maine legislation is more narrowly targeted at broadband Internet access providers, but its restrictions apply not just to the sale of customer information but also its use or access; it was signed into law on June 6 and will go into effect on July 1, 2020. The Nevada legislation will more directly affect retailers that operate in Maine and have websites or provide other online services. The Maine law may not affect most retailers directly, since it’s limited to broadband Internet access service providers.

Click here to read more.