The Volokh Conspiracy

Mostly law professors | Sometimes contrarian | Often libertarian | Always independent

Fighting ransomware by pushing every button on the dashboard

Episode 371 of the Cyberlaw Podcast


The Biden administration's effort to counter ransomware may not be especially creative, but it is comprehensive. The administration is pushing all the standard buttons on the interagency dashboard, including creation of a high-level task force and a $10 million reward program (but not including hackback authority for victims, despite headlines suggesting otherwise). And all the noise seems to be having some effect, as the REvil ransomware gang's web sites have mysteriously shut down. Nick Weaver reminds us (in song, no less) that the government's efforts to stop scourges like Trickbot have a distinct whiff of Whac-a-Mole, and the same may be true of REvil.

Our interview is with Josh Steinman, who served as the National Security Council's Cybersecurity Senior Director for the entire Trump administration. He offers his perspective on the issues and the personalities that drove cybersecurity policy in those chaotic years. As a bonus, Josh and I dig into his public effort to find a suitable startup, an effort we have to cut short as I start getting too close to one of the more promising possibilities.

Maury Shenk covers the Biden administration's belated but well-coordinated international response to China's irresponsible Microsoft Exchange hack, including the surprising revelation that China may be back to hacking like it's 1999 – relying on criminal hackers to serve the government's ends.

In other China news, Maury Shenk and Pete Jeydel catalog the many ways in which the current Chinese regime is demonstrating its determination to bring China's tech sector to heel. It's punishing Didi in particular for launching a U.S. IPO despite go-slow signals from Beijing. It's imposing cybersecurity reviews on other companies that IPO outside China.  And it seems to be pressing for competition concessions that the big tech companies would have successfully resisted a few years ago.

It was a big week for state-sponsored attacks on secure communications. Nick and I dig in the FBI and Australian federal police coup in selling ANOM phones to criminal gangs. Previewing a forthcoming article for Lawfare, I argue that the Australian police may have to answer tough questions about whether their legal authority for the phone's architecture really avoided introducing a systemic weakness into the phone's security.

Law enforcement agencies around the world could face even tougher questions if they've been relying on NSO or Candiru, Israeli firms that compromise mobile phones for governments. Both firms have been on the receiving end of harsh forensics analyses from Amnesty International and Citizen Lab. Nick thinks the highly specific and centralized target logs are particularly a problem for NSO's claims that it doesn't actually know the details of how its malware is deployed.

Pete Jeydel tells us that the administration is learning to walk and chew gum on cybersecurity at the same time. While coordinating pushes on Chinese and Russian hacks, it also managed to get big chunks of the government to turn in their federal cybersecurity homework on time. Pete talks us through one of those assignments, the NTIA's paper setting minimum elements for a Software Bill of Materials.

It wouldn't be the Cyberlaw Podcast without a brief rant on content moderation. The Surgeon General claimed this week that "Misinformation takes away our freedom to make informed decisions about our health." He didn't say that administration censorship would give us our freedom back, but that seems to be the administration's confident view, as the President, no less, accused Facebook of "killing people" by not jumping more quickly to toe the CDC's official line. (He later walked the accusation back.)

And if you thought the censorship would stop with social media, think again.  The White House is now complaining that telecom carriers also should be screening and suppressing text messages that are hostile to vaccinations.

Finally, just to show that the world has truly turned upside down, Maury reminds me that a German – German! – court has fined American social media for violating freedom of expression by too enthusiastically censoring a lockdown protest video.

Pete tells us what's in the new Colorado privacy bill. Short version: it joins Virginia in some of hosing down California's excesses.

And in short takes:

  • Maury explains Vietnam's version of China's fifty-cent army.
  • Maury updates me on the European Parliament LIBE committee's latest proposal for accepting the U.S. intelligence community's transatlantic surrender on data flows.
  • And Pete tells us that the SEC may finally be putting the screws to companies that have been lax about reporting breaches to their investors.

And More!

Download the 371st Episode (mp3)

Reminder: this is the last regular episode before our August hiatus, although we will do at least one episode on cryptocurrency in coming weeks.

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.