A Cavalcade of Paranoia
It's episode 399 of the Cyberlaw Podcast
A special reminder for fans of the Cyberlaw Podcast that we will be doing episode 400 live in audio and video and with audience participation on March 28, 2022 at noon Eastern daylight time. So, mark your calendar and when the time comes, use this link to join the audience:
https://riverside.fm/studio/the-cyberlaw-podcast-400
See you there!
There's nothing like a serious shooting war to bring out the paranoia and mistrust, and the Russian invasion of Ukraine is generating mistrust on all sides.
Everyone expected a much more damaging cyberattack from the Russians, and no one knows why it hasn't happened yet. Dave Aitel walks us through some possibilities. Cyberattacks take planning, and Russia's planners may have believed they wouldn't need to use large-scale cyberattacks—apart from what appears to be a pretty impressive bricking of the Viasat terminals used extensively by Ukrainian forces. Now that the Russians could use some additional cyber weapons in Ukraine, the pace of the war may be making it hard to build and deploy them. None of that is much comfort to the Western countries that have imposed sanctions, since their infrastructure makes a nice fat sitting-duck target, and may draw fire soon if American intelligence warnings prove true.
Meanwhile, Matthew Heiman reports, the effort to shore up cyber defenses is leading to a cavalcade of paranoia. Has the UK defense ministry banned the use of WhatsApp due to fears that it's been compromised by Russia? Maybe. But WhatsApp has long had known security limitations that might justify downgrading its use on the battlefield. Speaking of ambiguity and mistrust, Telegram use is booming in Russia, Dave Aitel says, either because the Russians know how to control it or because they can't. Take your pick.
Speaking of mistrust, the German security agency has suddenly discovered that it can't trust Kaspersky products. Good luck finding them, Dave offers, since many have been white-labeled into other companies' software. He has limited sympathy for the agency, which resolutely ignored U.S. warnings about Kaspersky for years.
Even when governments aren't subverting software, the war is producing products that can't be trusted. One open-source maintainer of a popular open-source tool turned it into a data wiper for anyone whose computer looks Belarussian or Russian. What could possibly go wrong with that plan?
Meanwhile, people who've advocated tougher cybersecurity regulation are doing a victory lap in the press about how it will bolster our defenses. It'll help, I argue, but only some, and at a cost of new failures. The best example is TSA's effort to regulate pipeline cybersecurity, which has long struggled to find its feet while being critiqued by an industry that has been hostile to the whole effort from the start.
The most interesting impact of the war is in China. Jordan Schneider explores how China and Chinese companies are responding to sanctions on Russia. Jordan argues that Chinese companies will follow their economic interests and adhere to sanctions – at least where it's clear they're being watched – despite online hostility to sanctions among Chinese digerati.
Matthew and I think more attention needs to be paid to Chinese government efforts to police and intimidate overseas Chinese, including Chinese Americans, in the United States. The Justice Department for one is paying attention; it has arrested several alleged Chinese government agents engaged in such efforts.
Jordan unpacks China's new guidance on AI algorithms. I offer grudging respect to the breadth and value of the topics covered by China's AI regulatory endeavors.
Dave and I are disappointed by a surprise package in the FY 22 omnibus appropriations act. Buried on page 2334 is an entire smorgasbord of regulation for intelligence agency employees who go looking for jobs after leaving the intelligence community. This version is better than the original draft, but mainly for the intelligence agencies; intelligence professionals seem to have been left out in the cold when revisions were proposed.
Matthew does an update on the peanut butter sandwich spies who tried to sell nuclear sub secrets to a foreign power that the Justice Department did not name at the time of their arrest. Now that country has been revealed. It's Brazil, apparently chosen because the spies couldn't bring themselves to help an actual enemy of their country.
And finally, I float my own proposal for the nerdiest possible sanctions on Putin. He's a big fan of the old Soviet empire, so it would be fitting to finally wipe out the last traces of the Soviet Union on the internet, where the .su country code has lingered for thirty years too long in the Internet domain system. Check WIRED magazine for my upcoming op-ed on the topic.
Download the 399th Episode (mp3)
You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!
The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.