The Volokh Conspiracy

Mostly law professors | Sometimes contrarian | Often libertarian | Always independent

Does Good Ransomware Policy Have To Be Boring?

Episode 364 of the Cyberlaw Podcast


We don't get far into the interview of the authors of a widely publicized Ransomware Task Force report, before I object that most of its recommendations are boring procedural steps that don't directly address the ransomware scourge. That prompts a vigorous dialogue with Philip Reiner, Executive Director of the Institute for Security and Technology (IST), the report's sponsoring organization, with Megan Stifel, of the Global Cyber Alliance, and with Chris Painter, of The Global Forum on Cyber Expertise Foundation. And in the end we in fact find several new and not at all boring recommendations among the nearly 50 put forward in the report.

In the news roundup, Dmitri Alperovitch has an answer to my question, "Is Putin finally getting a handle on U.S. social media?" Not just Putin, he argues, but every other large authoritarian government is finding ways to bring Google, Twitter, and Facebook to heel. In Russia's case, the method is first a token fine, then a gradual throttling of service delivery that makes domestic competitors look better in comparison to the Silicon Valley brand. Silicon Valley may have invented the shadow ban, but Putin is perfecting it.

Mark MacCarthy handicaps the Epic v. Apple lawsuit. The judge is clearly determined to give both sides reason to fear that the case won't go well for them. Our best guess is that Epic might get some form of relief but not the outcome they hoped for.

Dmitri and I marvel at the speed and consensus in Washington around imposing new regulations after the Colonial Pipeline ransomware event. It's likely that the attack will spur mandatory reporting of cyber incidents (and without the pain-easing award of liability protection) as well as aggressive security regulation from the agency with jurisdiction – TSA.  I offer a cynical Washington perspective on why TSA has acted so decisively.

Mark and I dig into the signing and an immediate lawsuit against Florida's social media regulation attacking common content moderation issues. Florida will face an uphill fight, but neither of us is persuaded by the tech press's claim that the law will be "laughed out of court."  There is a serious case to be made for almost everything in the law, with the exception of the preposterous (and probably severable) exemption for owners of Florida theme parks.

Dmitri revs up the DeHyping Machine for reports that the Russians responded to Biden administration sanctions by delivering another cyberpunch in the form of hijacked USAID emails. It turns out that the attack was garden variety cyberespionage, that the compromise didn't involve access to USAID networks, that it was launched before the latest round of Russia sanctions, and that it wasn't very effective as cyberespionage.

Jordan Schneider explains the surprisingly successful impact of U.S. government policy on China's cellular-equipment industry, and the appeal of Open RAN as a way of end-running the current incumbents.

U.S. industrial policy could be transformed by the shape-shifting Endless Frontier Act. Jordan and Dmitri explain how. I ask whether we're seeing a deep convergence on industrial policy on both sides of the Pacific, now that President XI has given a speech on tech policy that could have been delivered by half a dozen Republican or Democratic senators.

Finally, Dmitri reviews the bidding on cryptocurrency regulation both at the White House White House and in London.

Finally, in short hits, we cover:

  • The European Court of Human Rights decision squeezing but not quite killing GCHQ's mass data interception programs and its cooperation with the U.S. I offer a possible explanation for the court's caution.
  • A Justice Department court filing strongly suggesting that the Biden administration will not be abandoning a Trump administration rule that requires visa applicants to register their social media handles with the U.S. government.  I speculate on why.
  • A WhatsApp decision not to threaten its users to get them to accept the company's new privacy terms. Instead, I argue, WhatsApp will annoy them into submission.
  • And, finally, a festival of EU competition law attacks on Silicon Valley, from Brussels to Germany and France.

And More!

Download the 364th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.