The Volokh Conspiracy
Mostly law professors | Sometimes contrarian | Often libertarian | Always independent
Ransomware – Death and Diplomacy
Episode 377 of the Cyberlaw Podcast
This is the meatiest episode in a long time, as Dmitri Alperovitch, Dave Aitel, and Mark MacCarthy go deep on the substance of a dozen stories or more.
First up, Dmitri and I speculate on possible outcomes from the newly announced administration plan to convene 30 countries to crack down on ransomware. We also report on what may be the first confirmed death resulting from the equipment failures caused by ransomware – a newborn strangled by its umbilical cord because the hospital's usual electronic warnings weren't operating.
Dmitri also explains a new cryptocurrency regulatory topic unrelated to its use in ransomware schemes – the move to ensure the financial stability of stablecoins.
Dave weighs in on two surprising provisions of the House intel authorization bill. The first would respond to the Project Raven incident by imposing new controls on ex-spies working for foreign governments. No one is against the idea, but no one thinks that the problem is limited to alumni of a few intelligence agencies. And the bill's sweep is far broader than cases like Project Raven. I fear that as written it may criminalize ex-spies giving security advice to Airbus, or perhaps even the Atlantic Council.
The second provision requires reports on U.S. government purchases of computer vulnerabilities from foreign vendors. This leads to a discussion of which nation has the best offensive talent. Dave thinks the old champ has been decisively dethroned.
In other legislative news, Dmitri covers the three committee drafts on cyber incident reporting, with special emphasis on the recently leaked bill from Senate Intel. It's a very tough bill, perhaps designed to stake out negotiating room with the Homeland committees. I ask, "What's the difference between Europe's staggering fines for General Data Protection Regulation (GDPR) violations and this bill's fines for violating cyber reporting obligations?" The answer: "about two weeks," at which point the maximum fine due to the U.S. will exceed the top European fine.
Mark gives an overview and some prognostication about Google's effort to overturn the EU's $5 billion antitrust fine for its handling of Android.
Dmitri and I find ourselves forced to face up to the growing soft power of Russia and China, which are now increasingly forcing Silicon Valley companies to project Russian and Chinese power into the West. Russia, having forced Apple and Google to send it hostages in the form of local employees, is trying to use its leverage to control what those companies do in countries like Germany. And LinkedIn, the last Western social media company still standing in China, is trying to keep that status by asking Americans to self-censor their accounts.
At Dave's request, we visit a story we missed last week and explore all the complex equities at work when the FBI decides whether to use ransomware keys for remediation or disruption.
Mark gives an overview of the new Federal Trade Commission, where regulatory ambition is high but practical authority weak, at least until the Senate confirms a third Democratic commissioner. Waiting in the wings for that event are even more antitrust action, possible new online privacy rules, and Commissioner Slaughter's enthusiasm for imposing racial equity quotas under the guise of algorithmic fairness.
Dmitri offers his best guess about the recent Russian arrest of a cybersecurity executive for treason (that's the second in five years, if you're counting) and the U.S. decision to send a Russian scammer back to Russia after bitterly fighting to extradite him from Israel.
In quick hits:
- Dmitri makes a public service announcement about the ways that Two-Factor Authentication (2FA) can be subverted.
- I celebrate some good news for the U.S.: China is planning to encourage provincial controls on the design and use of social media algorithms. That's bound to give US companies a new competitive advantage in a field where TikTok has surpassed them.
- Dave and I dissect the guilty plea of former Ethereum developer Virgil Griffith, accused of violating U.S. sanctions by giving a bland speech on cryptocurrency in North Korea.
- I give the highlights of two new and eminently contestable cyberlaw rulings:
- In U.S. v. Wilson, the Ninth Circuit decided that law enforcement needs a warrant to open files that it knows from hashes are 99.9% certain to be child porn. The decision would be unfortunate if it weren't meaningless; the hash itself provides probable cause, so warrants will be quickly and routinely issued. Thanks for the make-work, EFF!
- And a magistrate judge clearly gunning for promotion has written a Stored Communications Act opinion that empowers Silicon Valley's Trust and Safety operatives to de-platform people and then turn their posts over to law enforcement without the subpoena they usually demand. I would worry more about those consequences if I thought the opinion would survive.
- And, finally, Dmitri is pleased to find one field where AI is succeeding without controversy, as machine learning declares a famous Peter Paul Rubens painting, Samson and Delilah, to be a fake. But how long, I wonder, before this AI is forced by the FTC to correct its notorious anti-Flemish bias?
And More!
Download the 377th Episode (mp3)
You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!
The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.
... even the font stubbornly refuses to be like anything else on this blog.
I'm not necessarily against the bill, either. But I'm struck by how House Intelligence Committee Chairman Adam Schiff justifies it:
The skills you acquire while employed belong to your employer?
More like the skills on a specific tool.
Maybe everybody can use a sledge hammer but then a person develops a specific skill using a claw hammer.
So the govt wouldn't want the person to use that skill on a claw hammer belonging to a foreign entity.
Perhaps they could wipe your memories when you retire?
Actually, I can see a limited application of the principle here: There are general skills, and there is knowledge of matters internal to the US intelligence services. Of course you can't expect former employees to not employ job related general skills. But you certainly can require them to not disclose proprietary IP.
One might think so, but that's not what Schiff said. One might think that someone would be charged in a murder as widely seen on TV as Ashli Babbitt's, but what one might think doesn't seem any longer to obtain, if it ever did.
If your employer is an intelligence agency and those skills are "intelligence sources or methods", then yes. People with security clearances sign lifelong NDAs with the government in exchange for those clearances, and E.O. 13526 explicitly identifies "intelligence sources or methods" as eligible for being classified.
That's not what Schiff said. And my objection to what he said is not removed by calling any acquired skills in using a claw hammer "intelligence methods". Obviously skills in accessing a specifically NSA database cannot legally be employed, but the idea that the government owns a former employee's skills in forming database queries and that Qatar cannot employ him in any role which involves him in querying ITS databases is... novel.
It turns out that the Schiff quote in the article that the podcast links to is quoted in full in the podcast, but it didn't appear to set off any bells in the heads of the podcasters.
"Obviously skills in accessing a specifically NSA database cannot legally be employed, but the idea that the government owns a former employee's skills in forming database queries and that Qatar cannot employ him in any role which involves him in querying ITS databases is... novel."
It's so novel, it's been part of patent law for a couple of hundred years. The difference is, the government makes anybody who is not the government disclose their invention in order to get patent protection. You also might want a quick research trip on the subject of trade secrets. Start with the text of the relevant statute(s): http://euro.ecom.cmu.edu/program/law/08-732/TradeSecrets/utsa.pdf
"The skills you acquire while employed belong to your employer?"
This is neither new nor controversial in intellectual property. If you get hired to write a book, you can't take the book with you when you leave that job for a better-paying one.
Trade secrets aren't allowed to leave with you, either. So, for example, if you were employed by a company that knew it was operating on the shady side, so you took a bunch of their documents with you when you left, you'd better make sure that you disclosed them to law enforcement before you started using the knowledge for personal gain.
Can the US issue letters of marque and reprisal to let private parties go after ransomware perpetrators?
No. That's why we have SEAL teams.