The Volokh Conspiracy

Mostly law professors | Sometimes contrarian | Often libertarian | Always independent

Does Good Ransomware Policy Have To Be Boring?

Episode 364 of the Cyberlaw Podcast


We don't get far into the interview with the authors of a widely publicized Ransomware Task Force report before I object that most of its recommendations are boring procedural steps that don't directly address the ransomware scourge. That prompts a vigorous dialogue with Philip Reiner, Executive Director of the Institute for Security and Technology (IST), the report's sponsoring organization, with Megan Stifel, of the Global Cyber Alliance, and with Chris Painter, of The Global Forum on Cyber Expertise Foundation. And in the end we in fact find several new and not at all boring recommendations among the nearly 50 put forward in the report.

In the news roundup, Dmitri Alperovitch has an answer to my question, "Is Putin finally getting a handle on U.S. social media?" Not just Putin, he argues, but every other large authoritarian government is finding ways to bring Google, Twitter, and Facebook to heel. In Russia's case, the method is first a token fine, then a gradual throttling of service delivery that makes domestic competitors look better in comparison to the Silicon Valley brand. Silicon Valley may have invented the shadow ban, but Putin is perfecting it.

Mark MacCarthy handicaps the Epic v. Apple lawsuit. The judge is clearly determined to give both sides reason to fear that the case won't go well for them. Our best guess is that Epic might get some form of relief but not the outcome they hoped for.

Dmitri and I marvel at the speed and consensus in Washington around imposing new regulations after the Colonial Pipeline ransomware event. It's likely that the attack will spur mandatory reporting of cyber incidents (and without the pain-easing award of liability protection) as well as aggressive security regulation from the agency with jurisdiction – TSA.  I offer a cynical Washington perspective on why TSA has acted so decisively.

Mark and I dig into the signing and an immediate lawsuit against Florida's social media regulation attacking common content moderation issues. Florida will face an uphill fight, but neither of us is persuaded by the tech press's claim that the law will be "laughed out of court."  There is a serious case to be made for almost everything in the law, with the exception of the preposterous (and probably severable) exemption for owners of Florida theme parks.

Dmitri revs up the DeHyping Machine for reports that the Russians responded to Biden administration sanctions by delivering another cyberpunch in the form of hijacked USAID emails. It turns out that the attack was garden variety cyberespionage, that the compromise didn't involve access to USAID networks, that it was launched before the latest round of Russia sanctions, and that it wasn't very effective as cyberespionage.

Jordan Schneider explains the surprisingly successful impact of U.S. government policy on China's cellular-equipment industry, and the appeal of Open RAN as a way of end-running the current incumbents.

U.S. industrial policy could be transformed by the shape-shifting Endless Frontier Act. Jordan and Dmitri explain how. I ask whether we're seeing a deep convergence on industrial policy on both sides of the Pacific, now that President Xi has given a speech on tech policy that could have been delivered by half a dozen Republican or Democratic senators.

Finally, Dmitri reviews the bidding on cryptocurrency regulation both at the White House and in London.

Finally, in short hits, we cover:

  • The European Court of Human Rights decision squeezing but not quite killing GCHQ's mass data interception programs and its cooperation with the U.S. I offer a possible explanation for the court's caution.
  • A Justice Department court filing strongly suggesting that the Biden administration will not be abandoning a Trump administration rule that requires visa applicants to register their social media handles with the U.S. government.  I speculate on why.
  • A WhatsApp decision not to threaten its users to get them to accept the company's new privacy terms. Instead, I argue, WhatsApp will annoy them into submission.
  • And, finally, a festival of EU competition law attacks on Silicon Valley, from Brussels to Germany and France.

And More!

Download the 364th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.


  1. How about a bounty for the scalp of all hackers? Kill one, claim $10000 payment. Get an extra $5000 for killing their families and friends.

    1. That's actually not a bad idea with a little bit more civility -- I'm thinking an expansion of the false claim act where you can get a good chunk of change for turning people in (etc).

      Dmitri and I marvel at the speed and consensus in Washington around imposing new regulations after the Colonial Pipeline ransomware event.

      My guess is that they are thinking of the Columbia Gas mess in Massachusetts a couple of years ago -- that was human error but malice could do the same thing.

      HOWEVER, I don't see how the TSA got authority over pipelines -- I always thought it was the NTSB (and the DOT) that had that jurisdiction.


      1. See the op ed:

        I would hack the accounts of the Russian oligarchs, and of Putin, and retrieve all ransoms. Do the same for all the other rogue nations, including China.

        In 2024, Trump should declare regime change in China is US policy.

        We have $1.1 trillion of debt to the Chinese Commie Party (which is just a bunch of mafia dons). Let the Uyghurs sue them in US Court and put a lien on that debt.

        1. The report in the post is filled with useless general advice. Lawyer garbage.

        2. Congress does have the power to issue letters of marque and reprisal....

  2. Does anybody else still remember “information wants to be free”?

    1. Too bad information doesn't get to make any of the relevant decisions...

  3. Since this is a legal blog: If a state actor (i.e. Russia, China, Iran, NK) uses ransomware against another state (USA), is that an act of war?

    1. I tend to think an act of war is much like an impeachable offense. It is pretty much what the legislature says it is in the particular circumstance.

      1. Right...but legally, is one nation deploying ransomware against another a recognized act of war? That matters.

    2. I'm not thinking state actor as much as how WW-I started.

      It's 2 1/2 miles between Russian-owned island of Big Diomede and Little Diomede Island, Alaska. If someone there shoots a Russian on Big Diomede, what can Russia do in response?

  4. Re: Endless Frontier Act

    You gotta love federal laws.

    The act proposes:
    Semiconductor production/incentives
    STEM development in rural areas (YAAY Tennessippi!)
    Space activities (space labs, rockets, International Space Station, etc.)

    And also these:

    Sec. 2511. Country of Origin Labeling for King Crab and Tanner Crab
    Would amend Section 281(7)(B) of the Agricultural Marketing Act of 1946 (7 U.S.C. 1638(7)(B)) to include whole cooked king crab and tanner crab and cooked king crab and tanner crab

    Sec. 2518. Shark Fin Sales Elimination.
    Would prohibit the possession, transport, sale, offer for sale, or purchase of shark fins or products containing shark fins; with certain exceptions, including dogfish.

    1. Yeah, looking through it, log rolling is absolutely still a thing.

      The thing is, the space stuff is desperately important. Space development is one of the few potential white swans out there that could rescue our economy from a terrifyingly deep crash, given how fast debt is mounting up. And it's an area where we're ahead at the moment, thanks to Musk.

      So it's desperately important the government not screw this one up.

  5. Most of the Florida law would be perfectly constitutional if enacted by Congress. The main issues are not First Amendment in nature, but federal preemption and regulating external commerce. Congress could make social media platforms utilities and assign them common carrier status (like telephone companies) if it wanted to. The question here is whether an individual state can do so after Congress has decided not to. I think the answer is no. But I agree it’s not such a laughing matter.

  6. A Supreme Court case in Florida’s favor - Boblo Island Excursion Co. v. Michigan.

    Boblo Island, in Canada, was a whites-only amusement park in the 1930s. Michigan applied its state criminal discrimination law to the companies taking passengers to Boblo Island. The companies argued that this was international commerce and state law was pre-empted.

    The decision in Michigan’s favor suggests that when the state enacts a discrimination law, federal pre-emption gets looked at a little more leniently in the state’s favor.

    I don’t think this case will win. Section 230 is an explicit conflicting federal policy, not just a general or implicit pre-emption. But I think Florida can argue that its law is a kind of discrimination law and Boblo Island leniency should apply. Cases like this suggest that Florida’s argument is not nearly as frivolous as the internet companies are suggesting.

  7. Someone obtains my credit card information and, without authority, orders various merchandise. This is noticed and stopped before the merchandise is delivered. But, why not let the merchandise be delivered and when it is picked up, seize it and investigate and hopefully convict the persons involved? But credit card companies virtually never bother to do this. Yes, it costs, but after a while, when the thieves see it is less profitable and more dangerous, the number of these attacks should slow down.

    In a kidnapping, the most precarious part of the enterprise for the perpetrator is the payoff. Why is this not the case with ransomware? I know that it is said that the payoffs can't be traced but, frankly, I would hope our peeps could figure out a way to trace even Bitcoin or any other cyber currency wherever it goes. If every email ever sent still exists somewhere in the ether, why can't these transactions, admittedly highly encrypted, be found?

    And simply using existing laws and beefed up procedures would be enough, not new legislation that would not change the dynamic at all.
