We Go To RSA So You Don't Have To
Episode 411 of the Cyberlaw Podcast
This episode of the Cyberlaw Podcast is dominated by things that U.S. officials said in San Francisco last week at the RSA conference. We summarize what they said and offer our views of why they said it.
Bobby Chesney, returning to the podcast after a long absence, helps us assess Russian warnings that the U.S. should expect a "military clash" if it conducts cyberattacks against Russian critical infrastructure. Bobby, joined by Michael Ellis sees this as a run-of-the-mill Russian PR response to U.S. Cyber Command and NSA Director Paul M. Nakasone's remarks about doing offensive operations in support of Ukraine.
Bobby also notes an FBI analysis of the NetWalker ransomware gang, an analysis made possible by seizure of the gang's back office computer system in Bulgaria. The unfortunate headline summary of the FBI's work was a claim that "just one fourth of all NetWalker ransomware victims reported incidents to law enforcement." Since many of the victims were outside the United States and would have had little reason to report to the Bureau, this statistic undercounts private-public cooperation. But it may, I suggest, reflect the Bureau's increasing sensitivity and insecurity about its long-term role in cybersecurity.
Michael sees complaints about a dearth of incident reporting by the private sector as one of the themes emerging from the government's RSA appearances. A Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) executive also complained about a lack of ransomware incident reporting, a strange complaint considering that CISA can solve much of the problem by publishing an incident reporting rule that Congress authorized last year.
In a more promising vein, two intelligence officials underlined a commitment on the part of intel agencies to sharing security data more effectively with the private sector. Michael sees that as the one positive note in an otherwise downbeat cybersecurity report from Avril Haines, Director of National Intelligence. And David Kris points to a similar theme offered by National Security Agency official Rob Joyce, who believes that sharing of (lightly laundered) intelligence is increasing, thanks in part to the sophistication and cooperation of the cybersecurity industry.
Michael and I are taking with a grain of salt the New York Times' claim that Russia's use of U.S. technology in its weapons has become a vulnerability due to U.S. export controls. We think it may take months to know whether those controls are really hurting Russia's weapons production.
Bobby explains why the Department of Justice (DOJ) was much happier to offer a "policy"—instead of a legislative amendment—to protect good-faith security research from prosecution under the Computer Fraud and Abuse Act. That's understandable, but the DOJ policy doesn't protect researchers from civil lawsuits, so DOJ may yet find itself forced to look for a statutory fix. (If it were up to me, I'd be tempted to dump the civil remedy altogether.)
Michael, Bobby, and I dig into the ways in which smartphones have transformed both the war and, perhaps, the law of war in Ukraine. The change is driven by a Ukrainian government phone app that lets every Ukrainian civilian direct artillery fire onto Russians they encounter in the street. That's probably enough for the Russians to shoot all the civilians they encounter, but for armies that care about the law of armed conflict, the answer is surprisingly complicated and unsatisfying.
Finally, David, Bobby and I dig into a Forbes story, clearly meant to be a shocking expose, about the United States government's use of the All Writs Act to monitor an indicted Russian hacker's travel reservations for years until he finally headed to a country from which he could be extradited. We remain unshocked.
Download the 411th Episode (mp3)
You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!
The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.