The Volokh Conspiracy

Mostly law professors | Sometimes contrarian | Often libertarian | Always independent

The Biden Cybersecurity Executive Order – CISA as CISO

Episode 362 of the Cyberlaw Podcast


Our interview is with Brandon Wales, acting head of the Department of Homeland Security's (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and Jen Daskal, Deputy General Counsel for Cyber and Technology Law at DHS. We dig deep into the new Executive Order on cybersecurity.  The EO is focused largely on how the federal civilian government protects its networks, and it is just short of revolutionary in overcoming longstanding turf fights, almost all of which are resolved in favor of CISA – to the point where it seems clear that CISA is on its way to being the federal civilian agencies' CISO, or Chief Information Security Office.

This is clearly CISA's moment. It is getting new authorities from the President and new money from Congress. Whether it can meet all the expectations that these things bring is the question.

We also touch on parts of the EO that will affect the private sector, from its determined push for breach and other incident reporting in federal contracts to the formation of a Cyber Safety Review Board to investigate private sector incidents. I predict that the Board will need (and will get) subpoena power soon. Neither Brandon nor Jen takes the other side of that bet.

In the news, we get an update on the Colonial Pipeline ransomware attack from Nick Weaver and first-time news panelist Betsy Cooper. Colonial has paid $5 million in ransom for a bad decryption tool and restarted operations anyway. Since it's likely to end up as the second test case for the Cyber Security Review Board, though, Colonial's biggest regret may be waiting five days to start sharing information with CISA.

Maury Shenk explains the 200-page Irish High Court decision allowing the Irish data protection regulator to begin an inquiry that could cut off Facebook's data exports to the United States. Facebook would love to forestall that day until EU-US talks on a new data export deal are done, but the Biden administration isn't exactly making it a priority to bail out either Facebook or the US intelligence community, which has as much at stake in transatlantic data flows as the companies.

One of the puzzles of recent weeks has been a persistent but vague story that DHS wants more authority to gather information from public postings on social media. Nick, Betsy, and I try to make sense of the story, and we're not helped by the fact that much of the media and politicians have switched from condemning such intelligence operations to demanding them, and vice versa, in the weeks since the Trump administration ended.

Nick can't resist a story that leaves both bitcoin and Tor looking bad, so of course we cover the boom in Tor exit nodes configured to steal the cryptocurrency of Tor users.

Betsy covers the unanimous view of chip making and chip consuming companies that the federal government should subsidize chip making in the US. Industrial policy is making a comeback, we note, but Betsy reminds us there's a reason it went away: *cough*Solyndra*cough*

Betsy seizes on the latest WhatsApp tactic to lament the willingness of data-driven tech companies to annoy us into submission.

Nick and I cross swords over Apple's firing of Antonio García Martínez, author of Chaos Monkeys, in my view one of the funniest and most insightful Silicon Valley books of the last decade. Part of its appeal is Garcia Martinez's relentless burning of every bridge in his past business and personal life.  How, you keep asking, can he recover from telling all those truths about Morgan Stanley, Facebook, Y Combinator, and the adtech business? Turns out, he can't. But it wasn't any of those supposedly potent institutions that nailed him. Instead, it was his claim that the women of Silicon Valley are mostly "soft and weak, cosseted and naïve" and possessed of a "self-regarding entitlement feminism."

That's all it took. Apple employees demanded that they be protected from anyone with those views, and he was summarily fired.  Way to go, Apple employees!  Nothing rebuts a stereotype of female soft weakness and entitlement like demanding to be protected from someone who doesn't share your feminist entitlement. (Nick, in contrast, thinks Garcia Martinez is a walking sexual harassment judgment. He didn't like the book either.) I actually think the more interesting question is whether hiring Garcia Martinez shows just how determined Apple is to replace Facebook as Google's main competition in the business of collecting customer data to sell ads.

In quick hits, I revisit the Bezos camp's claim that a Saudi prince hacked Jeff Bezos's phone and turned his unexpurgated selfies over to the National Enquirer in order to suppress Washington Post publicity over the killing of Jamal Khashoggi. That was all BS, it turns out, apparently designed to turn Bezos from an ordinary tawdry adulterer into a press freedom crusader.

And Nick draws our attention to Counterfit, a promising Microsoft tool for testing AI algorithms to find security flaws.

And More!

Download the 362nd Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.