The Volokh Conspiracy
Mostly law professors | Sometimes contrarian | Often libertarian | Always independent
Spurred by a Cyberspace Solarium op-ed, Nate Jones gives an overview of cybersecurity worries in the maritime sector, where there is certainly plenty to worry about. I critique the U.S. government's December 2020 National Maritime Cybersecurity Strategy, a 36-page tome that, once the intro and summary and appendices and blank pages are subtracted, boils down to eight pages of substance. Luckily, the Atlantic Council has filled the void with its own report on the topic.
Of course, the maritime sector isn't the only one we should be concerned about. Sultan Meghji points to the deeply troubling state of industrial control security, as illustrated by a "10 out of 10" vulnerability recently identified in a Rockwell Automation ICS system.
Still, sometimes software rot serves a good purpose. Maury Shenk tells us about decay in Russia's SORM – a site-blocking system that may be buckling under the weight of the Ukraine invasion. Talking about SORM allows me to trash a nothingburger story perpetrated by three New York Times reporters who ought to know better. Adam Satariano, Paul Mozur and Aaron Krolik should be ashamed of themselves for writing a long story suggesting that Nokia did something wrong by selling Russia telecom gear that enables wiretaps. Since the same wiretap features are required by Western governments as a matter of law, Nokia could hardly do anything else. SORM and its abuses were all carried out by Russian companies. I suspect that, after wading through a boatload of leaked documents, these three (three!) reporters just couldn't admit there was no there there.
Nate and I note the emergence of a new set of secondary sanctions targets as Treasury begins listing companies that it sees as part of a sanctions evasion network. We also puzzle over the surprising pushback on proposals to impose sanctions on Kaspersky. If the WSJ is correct, and the reason is fear of cyberattacks if the Russian firm is sanctioned, isn't that reason enough to sanction them out of Western networks?
Sultan and Maury remind us that regulating cryptocurrency is wildly popular with some, including Sen. Elizabeth Warren and the EU Parliament. Sultan remains skeptical that sweeping regulation is in the cards. He is much more bullish on Apple's ability to upend the entire fintech field by plunging into financial services with enthusiasm. I point out that it's almost impossible for a financial services company to maintain a standoffish relationship with government, so Apple may have to change the tune it's been playing in the U.S. for the last decade.
Nate and I plumb some of the complexities of a story Brian Krebs broke about hackers exploiting the system by which online services provide subscriber information to law enforcement in an emergency.
Speaking of Krebs, we dig into Ubiquiti's defamation suit against him. The gist of the complaint is that Krebs relied on a "whistleblower" who turned out to be the perp, and that Krebs didn't quickly correct his scoop when that became apparent. My sympathies are with Krebs on this one, at least until Ubiquiti fills in a serious gap in its complaint – the lack of any allegation that the company told Krebs that he'd been misled and asked for a retraction. Without that, it's hard to say that Krebs was negligent (let alone malicious) in reporting allegations by an apparently well-informed insider.
As the episode draws to a close, Maury brings us up to speed on the (still half-formed) U.K. online harms bill and explains why the U.K. government was willing to let the subsidiary of a Chinese company buy the U.K.'s biggest chip foundry. Sultan finds several insights in an excellent CNN story about the Great Conti Leak.
And, finally, I express my qualms about the indictment (for disclosing classified information) of Mark Unkenholz, a highly competent NSA lifer whom I knew while in government. To my mind the prosecutors are going to have to establish that Unkenholz did something very different from the kind of disclosures that were a standard part of his job. You can't do the kind of commercial outreach he did without encountering tech companies that have no security clearances but plenty of capabilities valued by the intelligence community. You either give the companies' uncleared execs enough classified information to understand what you need or you get no help. In that milieu, it simply isn't enough for prosecutors to say, "He gave classified information to someone without a clearance; he should be in jail."
Also, we're in the market. We will have a part-time opening for someone who'd like to do cyberlaw substantive work as well as sound editing and production on the podcast. If you're interested, send a cv to CyberlawPodcast@steptoe.com.