How long before grid attacks become the new normal?

Episode 351 of the Cyberlaw Podcast

|

In the news roundup, David Kris digs into rumors that Chinese malware attacks may have caused a blackout in India at a time when military conflict was flaring on the two nation's Himalayan border. This leads us to Russia's targeting of the U.S. grid and to uneasy speculation on how well our regulatory regime is adapted to preventing successful grid attacks.

The Biden administration is starting to get its legs under it on cybersecurity. In its first major initiative, Maury Shenk and Nick Weaver tell us, it has called for a set of studies on how to secure the supply chain in several critical products, from rare earths to semiconductors. As a reflection of the rare bipartisanship of the issue, the President's order is weirdly similar to Sen. Tom Cotton's call to "beat China" economically.

Nick explains the most recent story on how China repurposed an NSA attack tool to use against U.S. targets. Bottom line: It's embarrassing for sure, but it's also business as usual for attack teams. This leads us to a surprisingly favorable review of the Cyber Threat Alliance's recent paper on how to run a Vulnerability Equities Process.

Maury explains the new rules that Facebook, WhatsApp and Twitter will face in India.

Among other things, the rules will require India-based "grievance officers" to handle complaints. I am unable to resist suggesting that, if ever there were a title that the wokeforce at these companies should aspire to, it's Chief Grievance Officer.

Nick and I make short work of two purported scandals—ICE investigators using a private utility database to enforce immigration law and the IRS purchasing cellphone location data. I argue that the first story is the work of ideologues who would loudly protest ICE access to the White Pages. And the second is a nonstory largely manufactured by Sen. Wyden.

In a story that isn't manufactured, David and I predict that the Supremes will agree to decide the scope of cellphone border searches.  More than that, we conclude, the Ninth Circuit will lose. The hard question is how broadly the Court decides to rule once it has kicked the Ninth Circuit rule to the curb.

Maury reports that Facebook and Google have pushed the Aussie government into a compromise on paying Aussie media fees for links. Facebook gets the credit for being willing to shoot the family members the government was holding hostage (although in Facebook's case, the hostage was probably a second cousin once removed). Maury predicts that the negotiations will be tougher once the European Union starts rounding up its hostages.

In quick hits, I claim credit for pointing out years ago that sooner or later the crybullies would come for  "quantum supremacy." And they have. Maury and I note the rise of audits for AI bias. He's mildly favorable; I am not. And I close by noting the surprisingly difficult choices illustrated by Pro Publica's story on how the content moderation sausage was made at Facebook when the Turkish government demanded that a Kurdish group's postings be taken down.

And more!

Download the 351st Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

NEXT: Classes #11: “Offensive” Speech I & Estates III

Editor's Note: We invite comments and request that they be civil and on-topic. We do not moderate or assume any responsibility for comments, which are owned by the readers who post them. Comments do not represent the views of Reason.com or Reason Foundation. We reserve the right to delete any comment for any reason at any time. Report abuses.

  1. More than a decade before Hunter Biden was conning corrupt Ukrainians out of money W Bush’s brother was getting millions of dollars “working” for a Chinese semiconductor company…while knowing nothing about semiconductors.

    1. That’s the primary reason there wasn’t more outrage about it in Washington: It isn’t an uncommon form of corruption, unfortunately.

      1. I agree, but semiconductors?? There is corruption and then there is “helping” a Chinese company develop semiconductors while knowing nothing about semiconductors.

        1. Both parties’ establishment leaders have been selling the country out to China since Nixon.

          1. GHW Bush was right beside Nixon when he went to China. I take a different view that the Bush family truly believes expanding the global middle class is not only good for the globe but good for America. So I think they are like English elites that thought the British Empire was good for the globe. I think W Bush was a bottom 5 president but I don’t think he is evil…just incompetent and ambitious. Do you really think W wanted to saddle Texans with an extra $28 billion in electricity costs because he hated Texans?? Do you think he wanted to build an obsolete ballpark because he hated the residents of DFW?? No, W wanted to get “wins” because he was ambitious but unfortunately he had outsized ambitions and too little wisdom and just enough luck to cover up his incompetence…but the people that voted for him got caught up in whatever he was selling because in 2000 I was explaining to anyone that would listen that his ballpark looked good, but was very uncomfortable in the summer when baseball is played. As an aside now people are realizing retractable roofs are sort of dumb because in a place like Miami they open it a handful of times a season.

            1. Blaming W for anything the Cheney administration did seems unfair.

        2. “I agree, but semiconductors?? There is corruption and then there is “helping” a Chinese company develop semiconductors while knowing nothing about semiconductors.”

          I’m not seeing the distinction here. Once politicians’ family members are getting lucrative jobs they’re not qualified for, (And which frequently don’t even require any work.) why does it matter exactly what field they’re not qualified in? How are semiconductors relevantly different from energy?

          I do see a little distinction between Biden’s case and the usual corruption, in that usually politicians accept that their kids getting ahead is bribe enough, but Biden, “the big guy”, needed to get a personal cut of the money. But that’s not a really big difference, he’s just using Hunter to launder the bribes.

          1. Well, let’s talk about the bigger picture here. This is what happens when unbridled capitalism and the ability to make lots of money are seen as the only worthy goals for a society. Krushchev famously said that the western capitalists would sell the socialist countries the rope with which to hang them, and he was right.

            I’m more of a capitalist than I am a socialist, but at the same time, there’s a whole lot of capitalism that really isn’t healthy for society. Maybe some regulation of capitalism’s worst impulses isn’t such a bad thing.

      2. But it was Clinton who gave the ChiComs rocket tech in exchange 1996 campaign cash. 25 years later, this is why they are a threat to us.

        1. Nope, we hemorrhaged manufacturing jobs to China when W Bush was president and China was funneling millions of dollars to his brother.

          NOTHING TO SEE HERE, PLEASE MOVE ALONG!

        2. “But it was Clinton who gave the ChiComs rocket tech in exchange 1996 campaign cash.”

          But it was Reagan who gave the Iranians F-15 parts in exchange for cash to use fighting the Sandanistas when Congress wouldn’t fund that particular cesspit.

      3. Exactly. They were all like, whoa, easy now, we all want to get rich selling out our country.

  2. Security guys always depict a long list of eminent threats that are just around the corner. So you should all listen and believe in all the threats and pay security guys a lot.

    1. Security guys are paid to see things you aren’t smart enough to worry about. Complaining that they see things you don’t see just looks extra stupid.
      “Ransomware? Why should we worry about THAT?”

  3. “How long before grid attacks become the new normal?”

    Who knows, probably tomorrow! Unless we somehow give the government more powers to spy on us.

    “Russia’s targeting of the U.S. grid”

    Was that this story?

    Russia Hysteria Infects WashPost Again: False Story About Hacking U.S. Electric Grid
    The “anything goes” media mentality when it comes to Russia strikes again.

    THE WASHINGTON POST on Friday reported a genuinely alarming event: Russian hackers have penetrated the U.S. power system through an electrical grid in Vermont. The Post headline conveyed the seriousness of the threat . . The first sentence of the article directly linked this cyberattack to alleged Russian hacking of the email accounts of the DNC and John Podesta — what is now routinely referred to as “Russian hacking of our election” — by referencing the code name revealed on Wednesday by the Obama administration when it announced sanctions on Russian officials . . The media reactions, as Alex Pfeiffer documents, were exactly what one would expect: hysterical, alarmist proclamations of Putin’s menacing evil. ..

    WHAT’S THE PROBLEM here? It did not happen.

    There was no “penetration of the U.S. electricity grid.” The truth was undramatic and banal. Burlington Electric, after receiving a Homeland Security notice sent to all U.S. utility companies about the malware code found in the DNC system, searched all its computers and found the code in a single laptop that was not connected to the electric grid.

    Apparently, the Post did not even bother to contact the company before running its wildly sensationalistic claims, so Burlington Electric had to issue its own statement to the Burlington Free Press, which debunked the Post’s central claim (emphasis in original): “We detected the malware in a single Burlington Electric Department laptop NOT connected to our organization’s grid systems.”

    So the key scary claim of the Post story — that Russian hackers had penetrated the U.S. electric grid — was false. All the alarmist tough-guy statements issued by political officials who believed the Post’s claim were based on fiction.

    Even worse, there is zero evidence that Russian hackers were even responsible for the implanting of this malware on this single laptop.

    https://theintercept.com/2016/12/31/russia-hysteria-infects-washpost-again-false-story-about-hacking-u-s-electric-grid/

    1. “‘How long before grid attacks become the new normal?’

      Who knows, probably tomorrow! Unless we somehow give the government more powers to spy on us. ”

      The true answer is “until somebody wises up and decides that the software and hardware need hardening so they aren’t nice easy targets.”
      This is similar to the lesson learned in Iraq… as long as you keep sending out unarmored vehicles, your motorcades will keep being hit with cheap IED attacks that can only work against unarmored vehicles.

  4. Audits for AI “bias”; The “bias” in question isn’t actual bias, it’s the algorithms’ failure to be politically correct. Failure to conform to racial or sex quotas, for instance.

    Since the ‘bias’ is actually the AI working as intended, this is going to be hard to ‘fix’ without breaking the algorithms.

    1. The “bias” is the failure of the AI to be correct.

      If your AI algorithms produce results that are not correct, the algorithms are not correct, QED.

  5. Mr. Baker, in this:
    “As a reflection of the rare bipartisanship of the issue, the President’s order is weirdly similar to Sen. Tom Cotton’s call to “beat China” economically” the link you give for “the President’s order” is a link to Cotton’s report.

    1. You’re right. That is “weirdly similar.”

  6. The Texas cold snap outages were probably a perfect time to practice grid attacks in the US. Systems under stress and failing already – who would notice driving a few key systems to failure? If I can think of it, you know they have already.

    1. There’s a pandemic on. Let’s get that handled before we start any new projects.

Please to post comments