Fighting ransomware by pushing every button on the dashboard

Episode 371 of the Cyberlaw Podcast

|

The Biden administration's effort to counter ransomware may not be especially creative, but it is comprehensive. The administration is pushing all the standard buttons on the interagency dashboard, including creation of a high-level task force and a $10 million reward program (but not including hackback authority for victims, despite headlines suggesting otherwise). And all the noise seems to be having some effect, as the REvil ransomware gang's web sites have mysteriously shut down. Nick Weaver reminds us (in song, no less) that the government's efforts to stop scourges like Trickbot have a distinct whiff of Whac-a-Mole, and the same may be true of REvil.

Our interview is with Josh Steinman, who served as the National Security Council's Cybersecurity Senior Director for the entire Trump administration. He offers his perspective on the issues and the personalities that drove cybersecurity policy in those chaotic years. As a bonus, Josh and I dig into his public effort to find a suitable startup, an effort we have to cut short as I start getting too close to one of the more promising possibilities.

Maury Shenk covers the Biden administration's belated but well-coordinated international response to China's irresponsible Microsoft Exchange hack, including the surprising revelation that China may be back to hacking like it's 1999 – relying on criminal hackers to serve the government's ends.

In other China news, Maury Shenk and Pete Jeydel catalog the many ways in which the current Chinese regime is demonstrating its determination to bring China's tech sector to heel. It's punishing Didi in particular for launching a U.S. IPO despite go-slow signals from Beijing. It's imposing cybersecurity reviews on other companies that IPO outside China.  And it seems to be pressing for competition concessions that the big tech companies would have successfully resisted a few years ago.

It was a big week for state-sponsored attacks on secure communications. Nick and I dig in the FBI and Australian federal police coup in selling ANOM phones to criminal gangs. Previewing a forthcoming article for Lawfare, I argue that the Australian police may have to answer tough questions about whether their legal authority for the phone's architecture really avoided introducing a systemic weakness into the phone's security.

Law enforcement agencies around the world could face even tougher questions if they've been relying on NSO or Candiru, Israeli firms that compromise mobile phones for governments. Both firms have been on the receiving end of harsh forensics analyses from Amnesty International and Citizen Lab. Nick thinks the highly specific and centralized target logs are particularly a problem for NSO's claims that it doesn't actually know the details of how its malware is deployed.

Pete Jeydel tells us that the administration is learning to walk and chew gum on cybersecurity at the same time. While coordinating pushes on Chinese and Russian hacks, it also managed to get big chunks of the government to turn in their federal cybersecurity homework on time. Pete talks us through one of those assignments, the NTIA's paper setting minimum elements for a Software Bill of Materials.

It wouldn't be the Cyberlaw Podcast without a brief rant on content moderation. The Surgeon General claimed this week that "Misinformation takes away our freedom to make informed decisions about our health." He didn't say that administration censorship would give us our freedom back, but that seems to be the administration's confident view, as the President, no less, accused Facebook of "killing people" by not jumping more quickly to toe the CDC's official line. (He later walked the accusation back.)

And if you thought the censorship would stop with social media, think again.  The White House is now complaining that telecom carriers also should be screening and suppressing text messages that are hostile to vaccinations.

Finally, just to show that the world has truly turned upside down, Maury reminds me that a German – German! – court has fined American social media for violating freedom of expression by too enthusiastically censoring a lockdown protest video.

Pete tells us what's in the new Colorado privacy bill. Short version: it joins Virginia in some of hosing down California's excesses.

And in short takes:

  • Maury explains Vietnam's version of China's fifty-cent army.
  • Maury updates me on the European Parliament LIBE committee's latest proposal for accepting the U.S. intelligence community's transatlantic surrender on data flows.
  • And Pete tells us that the SEC may finally be putting the screws to companies that have been lax about reporting breaches to their investors.

And More!

Download the 371st Episode (mp3)

Reminder: this is the last regular episode before our August hiatus, although we will do at least one episode on cryptocurrency in coming weeks.

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

NEXT: Government Persuasion vs. Government Coercion: The Employer Speech Analogy

Editor's Note: We invite comments and request that they be civil and on-topic. We do not moderate or assume any responsibility for comments, which are owned by the readers who post them. Comments do not represent the views of Reason.com or Reason Foundation. We reserve the right to delete any comment for any reason at any time. Report abuses.

  1. The fact that TOR is ‘sleaze infested’ suggests to me that it’s actually pretty censorship resistant. How do you avoid a sleaze infestation without some form of censorship?

  2. Another area of utter failure of the criminal law. Crime has not dropped, you lawyer morons. It has updated. The criminal law has not.

    Need a legally immune app. It finds the hacker. It sends a drone with facial recognition. It sends a rocket propelled grenade into his apartment. The more family and friends are killed the better. The subscription should cost $19.95 a year, as seen on TV. The deceased have a low recidivism rate, you morons.

  3. Is it simply impossible to do anything at all about crypto-currencies, whose main purposes seem to be enabling criminal activity and speculation?

    I mean, I know a lot of people are just in love with the concept, but the situation seems ludicrous to me.

    1. El Salvador recently made bit coin legal tender.

    2. Crypto-currency has a number of purposes, such as escaping from an inflationary cycle, or enabling you to transfer financial assets out of the country in a political emergency.

      But, yes, enabling illegal transactions is certainly one of them. If you’re a stone cold statist, that’s a killer argument against crypto-currencies. If you’re a libertarian, not so much.

  4. Josh Steinman?

    The ‘stolen election’ kook? The discredited-for-life Trumper? The alt-right clinger? The ‘Biden is a puppet’ loser? The virus-flouting yahoo? The ‘election fraud’ bozo? The ‘Trump is the rightful president’ crank?

    The real story: How did anyone pry Steinman’s tongue from Trump’s scrotum long enough to conduct an interview?

    Why does Reason continue to publish this authoritarian drivel?

  5. The sourcing on the “suppressing text messages” is awfully weak. The article linked is some random person saying “the White House is planning” and “The White House could”, and their source is some random person saying ” may be asked” and “If the White House asks”.

    Yes, the administration certainly *could* ask for these things. Is there any evidence at all that they *have* asked, or that they are even *thinking* about asking?

    1. I managed to find what I think is the source, and they’re only proposing, at this point, to push out messages.

      ‘Potentially a death sentence’: White House goes off on vaccine fearmongers

      But given the left’s views of social media censorship and their efforts to scale back 1st amendment protections, suppressing contrary text messages isn’t a totally off the wall extrapolation.

      1. That’s a better source, thanks. It isn’t that I think it’s impossible, or even unlikely… just that the source given was poor.

Please to post comments