The federal government gets creative in regulating technology
Episode 378 of the Cyberlaw Podcast
The theme of this episode is the surge of creativity in the Biden administration as it searches for ways to regulate cybersecurity and cryptocurrency without new legislative authority. Paul Rosenzweig lays out the Department of Homeland Security's entries in the creativity sweepstakes: New (and frankly pretty modest) cybersecurity directives to the rail and air industry plus a much more detailed (and potentially problematic) set of requirements for pipeline companies. Matthew Heiman describes a Justice Department plan for enforcing cybersecurity rules for federal contractors that should chill the hearts of management: an initiative that raises the prospect of whistleblower suits under the False Claims Act for failure to disclose breaches to the government. I suggest that this means the notoriously short tenure of the Chief Information Security Officer (CISO) at large companies will now come with a built-in retirement compensation package.
Creativity in regulating cryptocurrency was signaled both by the White House, which is working on a broader and more coordinated regulatory approach and by the Justice Department, which is planning a major criminal investigative approach to the industry. Nick Weaver gives us the details.
Paul covers a remarkably creative assertion by the Committee on Foreign Investment in the United States (CFIUS) of jurisdiction over a Chinese firm's purchase of Magnachip, a semiconductor company with virtually no ties to the United States. Despite having no obvious skin in the game, CFIUS insisted on a CFIUS filing under President Trump and then vetoed the deal under President Biden. I suggest that the claim of extraterritorial jurisdiction, which in other circumstances might have annoyed South Korea, is in this case a good way for South Korea to avoid taking heat from China.
Paul explains why the Facebook outage was a much bigger deal than Americans realized. If you were living in Costa Rica, the loss of Facebook and WhatsApp, he says, could have greatly complicated every aspect of daily life, including calling the fire department or other emergency services.
Paul digs into the return of "hactivism" – not to mention the return of skepticism about hactivism. I marshal the evidence that the Pandora Papers were the result of hacks, not leaks – and roast the newspapers feasting on the data for their utter hypocrisy. Hey, Marty Baron, top editor at the Washington Post! We haven't forgotten that in reaction to the Democratic National Committee (DNC) leaks of 2016, you said
"Before reporting on the release of hacked or leaked information, there should be a conversation with senior editors about the newsworthiness of the information, its authenticity and whether we can determine its provenance… If a decision is made to publish a story about hacked or leaked information, our coverage should emphasize what we know—or don't know—about the source of the information and how that may fit into a foreign or domestic influence operation. Our stories should prominently explain what we know about the full context of the information we are presenting, including its origins and the motivations of the source, including whether it appears to be an effort to distract from another development."
We're still looking for that "full context" in the Pandora Papers or the Epik leaks.
Nick fills us in on Facebook's extreme reaction to the creation of a tool that allows users to escape the News Feed. I discover that I completely missed the central Facebook experience because I semi-inadvertently disabled the news feed.
Paul offers some surprising news about the limits of Artificial Intelligence (AI). Turns out, it's not that good even at some of the things it should be superb at, like radiology scanning.
Nick and I explore Google's acceptance of warrants seeking access to the identities of people using particular search terms. He thinks that this has gone on under the radar for some time because both government and Google think the public reaction will be bad for business.
Finally, in two quick hits:
- I brag that I now have proof that I'm one of the 14,000 Gmail users feared most by the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU): Google caught the Russian spy agency trying to phish me with a doctored Word document.
- And Matthew reveals what the Russian SolarWinds hackers were looking for. Which leads to this bit of good news: U.S. sanctions are really getting under Putin's skin.
You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!
The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.