A lot of cybersecurity ideas that don't work, and a few that might

Episode 352 of the Cyberlaw Podcast


We're mostly back to our cybersecurity roots in this episode, for good reasons and bad. The worst of the bad reasons is a new set of zero-day vulnerabilities in Microsoft's Exchange servers. They've been patched, Bruce Schneier tells us, but that seems to have inspired the Chinese government hackers to switch their campaign from Stealth to Promiscuous Mode. Anyone who hasn't already installed the Microsoft patch is at risk of being compromised today for exploitation tomorrow.

Nick Weaver and Dmitri Alperovitch weigh in on the scope of the disaster and later contribute to our discussion of what to do about our ongoing cyberinsecurity. We're long on things that don't work. Bruce has pointed out that the market for software products, unfortunately, makes it entirely rational for industry to skimp on security while milking a product's waning sales. Voluntary information sharing has also failed, Dmitri notes. In fact, as OODA Loop showed in a devastating chart, information sharing is one of half a dozen standard recommendations made in the last dozen commission recommendations for cybersecurity. They either haven't been implemented or they don't work.

Dmitri is hardly an armchair quarterback on cybersecurity policy. He's putting his money where his mouth is, in the form of the Silverado Policy Accelerator, which we discuss during the interview segment of the episode. Silverado is focused on moving the cybersecurity policy debate forward in tangible, sometimes incremental, ways. It will be seeking new policy ideas in cybersecurity, international trade and industrial security, and ecological and economic security (what the group is calling Eco2Sec). (The unifying theme is the challenge to the US posed by the rise of China and the inadequacy of our past response to that challenge.) But ideas are easy; implementation is hard. Dmitri expects Silverado to focus its time and resources both on identifying novel policy ideas and on ensuring those ideas are transformed into concrete outcomes.

Whether artificial intelligence would benefit from some strategic decoupling sparks a debate between me, Nick, Jane Bambauer, and Bruce, inspired by the final AI commission report. We shift from that to China's version of industrial policy, which seems to reflect Chinese politics in its enthusiasm not just for AI and chips but also for keeping old leaders alive longer.

Jane and I check in on the debate over social media speech suppression, including the latest developments in the Facebook Oversight Board and the unusual bedfellows that the issue has inspired. I mock Google for YouTube's noblesse oblige promise that it will stop suppressing President Trump's speech when it no longer sees a threat of violence on the Right. And then I mock it again for its silly refusal to return search results for "BlueAnon"—the Right's label for the Left's wackiest conspiracy theories. (If you think there aren't any, just google "blue anon" … oh, wait, you can't.)

In quick hits, Bruce and Dmitri explore a recent Atlantic Council report on hacked access as a service and what to do about it. Bruce thinks the problem (most often associated with the Israeli firm NSO) is real and the report's recommendations plausible. Dmitri argues that trying to stamp out a trade in zero days is solving the wrong part of the problem, since reverse engineering of software patches, not zero days, is the source of most successful attacks. Speaking of NSO, Nick reminds us of the rumors that they have been under criminal investigation and that the investigation has been revived recently.

Jane notes that Virginia has become the second state with a consumer data protection law, and one that resembles California's CCPA.

Jane also notes the Israeli Supreme Court decision ending (sort of) Shin Bet's use of cellphone data for coronavirus contact tracing. Ironically, it turns out to have been more effective than most implementations of the Gapple privacy-crippled app.

Bruce and Dmitri celebrate the hacking of three Russian cybercrime forums for the rich array of identity clues the doxxing is likely to offer researchers like Bellingcat (whose founder will be our interview guest on Episode 353 of the Cyberlaw Podcast).

And more!

Download the 352nd Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.


  1. Encryption works.

    1. Very few people can implement robust encryption systems on their own.

  2. First step, crush the pro-criminal lawyer profession protecting the hackers. The lawyers are traitors and our mortal enemy.

    Second, an app. Finds the source of a hack. Dispatches a drone to the location of the hacker, and hauls a rocket into the location to kill the hacker, his family and friends, and to destroy the location sheltering the hacker. Landlords on notice.

    To deter.

    1. Even a kid in Life Skills class, learning to eat with a spoon, knows this. The deceased have a low recidivism rate. Not the lawyer profession, the most toxic occupation in our nation, 10 times more toxic than organized crime.

      1. Except for obstruction by the traitor lawyer profession, there is nothing to stop this remedy. We have $1.1 trillion in debt to China, to help us maintain our luxury lifestyle, held as a hostage. It is a recording in a server somewhere, probably in the US. The slightest verbal criticism of such violent retaliation by any Chinese Communist Party official, we erase it.

        1. Stop me if you’ve been told this before, but you are an abject idiot.

          1. James, are you a lawyer? Say something in lawyer. It took weeks to verify Artie was a lawyer.

            1. See above statement regarding your abject idiocy. I am an IT administrator, formerly a CISSP.

    2. Gee, I sure hope your app doesn’t get hacked, and start dropping rockets on your head. Of course, all that it takes to ensure this is that you are smarter and more clever than any hacker on Earth. What odds?

      1. Drone would do facial recognition, and exclude deep fakes.

        1. And make you a cup of tea.

          1. Why not, since it works magically?

      2. James. Thank you for being the only one to reply.

        The app would provide the evidence, the chain of evidence to itself. It would judge probable cause, and convict the hacker to a standard of 100% certainty. Beyond a reasonable doubt is 80% certainty. And indeed, 20% of convictions are false, even in an expensive death penalty case. That is because they are managed by the lawyer dumbass in utter failure.

        The app would be investigator, prosecutor, defense advocate, judge, and executive penalty dispenser. It would address billions of crimes a year, instead of 2 million prosecutions today. There are billions of internet crimes. There are 15 million common law crimes. The majority are not addressed by the lawyer profession in utter failure.

        The legislature would write and own the app. It would be held accountable when it wrongly damaged a plaintiff. That case would be decided by another accurate, successful app.

        Guess what happens to the lawyer profession. It is gone from the criminal law.

        1. So you want to make a honeypot that drones people?

            1. Whatever you said, the owner, the legislature would be liable for any damage by its mistakes. It would be forced to upgrade the app frequently. It would address all crime, not a tiny fraction as happens with the lawyer profession in utter failure. The most fundamental role of government is in utter failure, protection of the public.

              1. Got to admit, it’s a slam-bang brilliant set-up for a YA dystopia.

                1. Poor fellow, getting whipsawed between you telling him how brilliant he is while I point out that he is an idiot. This almost produces sympathy.

        2. “The legislature would write and own the app. It would be held accountable when it wrongly damaged a plaintiff. That case would be decided by another accurate, successful app.”

          Speaking as an IT security professional, I am amazed at your optimism in the magic power of computers and horrified at your dedication to the creation of Skynet.

  4. I do believe technologies can cope with cybersecurity 100%! What to say about artificial intelligence – it's benefiting so many industries, from healthcare to cybersecurity.