"This Is How They Tell Me the World Ends"
Episode 349 of the Cyberlaw Podcast
Our interview this week is with Nicole Perlroth, the New York Times reporter and author of This Is How They Tell Me the World Ends: The Cyberweapons Arms Race. It's a wide-ranging, occasionally confrontational, interview and a great tour of the issues raised in the book about 0-day exploits, US responsibility for the global cyber arms race, and the colorful personalities whose hard choices helped shape the cybersecurity environment we all now live in.
In the news roundup, Nate Jones serves up a second helping of the SuperMicro story, a rerun of a much-maligned Bloomberg report from two years ago, claiming that SuperMicro gear had been elaborately compromised by China. This time, Nate reports, Bloomberg offers much more evidence, but probably not enough to completely satisfy the critics. Still, as we conclude, even giving the critics their due, this is a very bad story for SuperMicro – and for its customers.
It seemed like a classic cybersecurity horror story, with hackers using access to the industrial control system to nearly poison Oldsmar's water supply. But Nate and I both suspect that it will turn out to be a much more mundane horror tale, one where the call is always coming from inside the house – and untraceable because all the employees use the same password and no firewall.
Paying for news links is suddenly all the rage among Western governments. I'd link to the Australian stories about their new law, but I'm afraid they'd want me to pay them. Mark MacCarthy says that risk is overrated, but the prospects for such payment schemes are pretty good. Not just Australia, but also the EU are moving in this direction. And Microsoft has expressed its willingness to let Google pay such a fee in the U.S.
I suggest that this is all part of restoring an Establishment of "authoritative narrative shapers," for the internet age, noting that the critical question will be which publishers can attach themselves firmly to the flow of internet funding – a question already causing angst among French publishers.
Paul Rosenzweig summarizes the work done by a lot of smart people on the question of how to think about Chinese technology platforms operating in the United States. He also summarizes the current state of litigation over Chinese technology platforms operating in the United States. In a word, it's mostly on hold, waiting for the Biden administration to run a laborious interagency review.
Nate says the process has already begun for a related topic – how to secure the US tech supply chain, particularly manufacturing semiconductor.
Meanwhile, the First Circuit has taken on the question of border searches of mobile phones, ruling against a coalition of cyberleft organizations. There is now a circuit conflict that could bring the Supreme Court into the fray – soon if the cyberleft losers are imprudent enough to seek cert but not much longer than that if the Solicitor General picks a favorable case to lose in the Ninth Circuit.
In short hits, I wonder at just how bad open source security has gotten, noting a clever hack that pwned many companies by putting a compromised package in a public repository, thereby trumping the companies' private packages. Luckily, NIST is all over open source security. Or not. It turns out that NIST is actually offering a host of insecure open source products with known flaws. The purpose of the products? Better computer security, naturally.
The creative policing award of the week goes to the Beverly Hills cop who expresses his unhappiness with being filmed on the job by playing background snippets of songs that will get the video taken down by copyright bots if it is ever posted.In the "a bout time" category, a Canadian woman who defamed dozens of ordinary people in online vendettas has been arrested in Toronto. And EncroChat, the phone that promised criminals absolute security but delivered them into the hands of law enforcement, has spawned a complicated debate about whether stealing messages from memory is wiretapping or hacking.
Finally, either The Cyberlaw Podcast has hit a new high or the Harvard Law Review has hit a new low: Looking for a way to sum up the European Court of Justice's ruling in Schrems II, a student note in the Review quotes from the podcast, characterizing Schrems II as "solipsistic Europocrisy meets judicial imperialism." Couldn't have said it better myself!
You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!
The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.