The Volokh Conspiracy
Mostly law professors | Sometimes contrarian | Often libertarian | Always independent
The Grim Lessons of the SolarWinds Breach
Episode 343 of the Cyberlaw Podcast
Episode 343 of the Cyberlaw Podcast is a long meditation on the ways in which technology is encouraging other nations to exercise soft power inside the United States. I interview Nina Jankowicz, author of How to Lose the Information War, on how Russian disinformation has affected Poland, Ukraine, and the rest of Eastern Europe – and the lessons, if any, those countries can offer a divided United States.
In the news, Bruce Schneier and I dig for more lessons in the rubble left behind by the SolarWinds hack. Nobody comes out looking good. Persistent engagement and defending forward only work if you're actually, you know, engaged and defending, and Russia's cyberspies managed (not surprisingly) to hide their campaign from NSA and Cyber Command. More and better defense is another answer (not that it worked during the last 40 years it's been tried). But whatever solution we pursue, Bruce makes clear, it's going to be expensive.
Taking a quick break from geopolitics, Michael Weiner gives us a rundown on the new charges and details (mostly redacted) in the Texas case against Google for monopolization and conspiring with competitor Facebook. The scariest thing about the case from Google's point of view, though, may be where it's been filed. Not Washington but the Eastern District of Texas, the most notoriously pro-plaintiff, anti-corporate jurisdiction in the country.
Returning to ways in which foreign governments are using our technology against us, David Kris tells the story of the Zoom executive who used pretextual violations of terms of service to take down speech the Chinese government didn't like, censoring American efforts to hold a Tiananmen memorial. The good news: he was charged criminally by the Justice Department. The bad news: I can't help suspecting that China learned this trick from the ideologues of Silicon Valley.
Aaand, right on cue, it turns out that China's been accused of using its 50-cent army to file complaints of racism and video game violence against Americans using the platform to criticize China's government, a tactic the target claims is getting YouTube to demonetize his videos.
Next, Bruce points us toward a deep and troubling series of Zach Dorfman articles about how effectively China is using technology to vault over US intelligence agencies in the global spying competition.
Finally, in quick succession:
- David Kris explains what's new and what's not in Israel's view of international law and cyberconflict.
- I note that President Trump's NDAA veto has been overridden, making the cyberczar and DHS's CISA the biggest winners in the cyber policy arena.
- Bruce and I give a lick and a promise to the FinCEN proposed rule regulating cryptocurrency. We're both inclined to think more reregulation is worth pursuing, but we agree it's too late for this administration to get anything on the books.
- David Kris notes that Twitter has been fined around $550 thousand over a data breach filing that was a few days late – a fine imposed by the Irish data protection office in a GDPR ruling that is a few years late.
- Apple has lost its bullying copyright battle against security start-up Corellium, but the real risk to Corellium may be in the as-yet unresolved claim for violation of the DMCA.
- And the outgoing leadership of DHS is issuing new warnings about the cyber risks of using Chinese technology, this time touching on backdoors in TCL smart TVs and the risk of compromise from Chinese data services.
Download the latest episode here.
You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!
The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.
These hacks are opportunities to introduce viruses and malware that will shut down the hacking nation.
Hacking and identity should carry the death penalty. We should have trials in absentia, the death penalty should be carried out by drones. There should be absolute immunity for collateral damage, such as the destruction of the hacker's family and entire neighborhood. If people want to feel safer, they should kill the hackers themselves, and ship the head to the US government for proof.
The lawyer cannot understand, the deceased have a low recidivism rate. To deter. The lawyer that controls the government is weak and stupid, obsessed by procedure to seek the rent. We can start our national defense by ridding ourselves of these obstructionists and collaborators with the enemy.
Instead, the lawyer is imposing ruinous fines and penalties on the crime victims. That is just crazy, if lucrative for the lawyer profession. This is the most toxic occupation, more toxic than organized. It must be crushed and stopped if our nation is to be saved.
"More and better defense is another answer (not that it worked during the last 40 years it's been tried)."
Yes, we lack the technology to defend well. But this lack is not surprising when we consider that the government spends far more on offensive security research than it does on defensive research. Defense should be removed from the NSA portfolio and given to an agency that prioritizes defense over offense. And funding for defensive research should be increased by an order of magnitude.
You cannot defend against state actors with great resources. You can only deter by making their electric outlets blow up in their faces. Shut down all their facilities. Send them for a trip to the 19th Century. To deter.
The other thing no lawyer will allow: steal the money in the accounts of the richest man in the world, Putin. Do the same for his entire family. Empty all his accounts, and steal the deeds to all his properties, then evict him.
The biggest enemy is internal, the lawyer profession, the most worthless and most toxic occupation in our nation. It must be crushed and stopped to save our nation.
How about a link to the podcast, or where I can get it? It seems to be missing.
My apologies. That got left out of this post. Here's the RSS feed, including a link to the latest episode: https://www.steptoe.com/feed-Cyberlaw.rss
Thank you!
The lesson of the SolarWinds breach, and the OPM breach before it, is really, "You can't secure your systems when the people you put in charge of securing it are already deeply compromised."
You can't keep the gate closed when the enemy is already inside the gate.
But can't that be countered with multi-layered security and no single-point-of-failure vulnerabilities?
For example, no one should have single authority to download/transmit entire databases or even to make unilateral updates, new software, etc.
No, the reason it can't is because the guys who'd direct that this be done are the guys who are compromised.
The gate guards aren't the problem. The castle architect has been bought off.
Look at the OPM breach. The door was left open, the barbarians were invited inside the gate.
"Some of the contractors that have helped OPM with managing internal data have had security issues of their own—including potentially giving foreign governments direct access to data long before the recent reported breaches. A consultant who did some work with a company contracted by OPM to manage personnel records for a number of agencies told Ars that he found the Unix systems administrator for the project "was in Argentina and his co-worker was physically located in the [People's Republic of China]. Both had direct access to every row of data in every database: they were root. Another team that worked with these databases had at its head two team members with PRC passports. I know that because I challenged them personally and revoked their privileges. From my perspective, OPM compromised this information more than three years ago and my take on the current breach is 'so what's new?'""
You can't fix security holes until you have people in charge who want them fixed.
OK, so better personnel vetting BUT in line with monitoring/alert systems (IANA IT person).
Eh, these are signs of poor security management, but were not instrumental to the actual OPM hack, which just used stolen credentials--no need to compromise anyone on the inside.
Although there are legitimate reasons to be concerned about foreign adversaries planting people within security organizations, that wasn't the approach used in either the SolarWinds or OPM hacks. So fixating on personnel would have you miss a lot of the other, very real problems that hackers are already exploiting.
You'd like to think it was just poor security management, but people within the OPM were complaining that hiring foreign programmers working remotely was an insane security risk, and the complaints were getting shut down by somebody higher up. At least that's how I heard it at the time.
Have you considered that they might consistently have terrible security management because people high up in the management want them to have terrible security management?
You can't implement good security if the people making the decisions are working for the foe already. That's my point. You want good security, you first need the place to be run by people who WANT good security. That's actually the hard part, once an agency has been compromised.
The people with foreign interests at OPM were hardly key decision-makers, so I don't think this is a very compelling argument.
More to the point, this line of thinking completely falls apart when you try to extend it to SolarWinds since you'd have to argue that in addition to the government agencies that were affected, SolarWinds itself and a host of private companies also were doing intentionally bad security in order to assist foreign interests. There's just no evidence for that at all.
Like I said, it's not that personnel vetting or motivations of key decision-makers should be ignored, but that's hardly a complete explanation for the problem here. As folks have suggested further up, the asymmetry between the offensive vs. defensive capabilities in the US (and general lack of motivation/accountability for performance on cyber security issues) is a much bigger fundamental problem than the fact that sometimes the government indirectly hires foreign nationals to help out with security work.