Cybersecurity's First Crash Report
Episode 417 of the Cyberlaw Podcast
Kicking off a packed episode, the Cyberlaw Podcast calls on Megan Stifel to cover the first Cyber Safety Review Board (CSRB) Report. The CSRB does exactly what those of us who supported the idea hoped it would do – provide an authoritative view of how the Log4J incident unfolded along with some practical advice for cybersecurity executives and government officials.
Jamil Jaffer tees up the second blockbuster report of the week, a Council on Foreign Relations study called "Confronting Reality in Cyberspace Foreign Policy for a Fragmented Internet." I think the study's best contribution is its demolition of the industry-led claim that we must have a single global internet. That has not been a realistic prospect for a decade, and pursuing that vision has kept the U.S. from fully defending its own interests in cyberspace, so CFR's realism is welcome. Less welcome is its utterly wrong claim that the U.S. can resolve its transatlantic dispute with Europe by adopting a European-style privacy law. Europe has no real remaining beef with us on privacy regulation of industry (we surrendered); now the fight is over Europe's demand that we rewrite our intelligence and counterterrorism laws, a demand that new privacy legislation won't satisfy. Jamil Jaffer and I debate both propositions.
Megan discloses the top cybersecurity provisions added to the House defense authorization bill – notably the five year term for the head of Cybersecurity and Infrastructure Security Agency (CISA) and a cybersecurity regulatory regime for systemically critical industry. The Senate hasn't weighed in yet, but both provisions now look more likely than not to become law.
Regulatory cybersecurity measures are the flavor of the month in Washington. The latest evidence: The Biden White House is developing a cybersecurity strategy that is expected to encourage more regulation. Jamil reports on the development but is clearly hoping that my prediction of more regulation does not come true.
Speaking of cybersecurity regulation, Megan kicks off a discussion of Department of Homeland Security's CISA weighing in to encourage new regulation from the Federal Communication Commission (FCC) to incentivize a shoring up of the Border Gateway Protocol's security. Jamil thinks the FCC would do better looking for incentives than punishments.
Tatyana Bolton and I try to unpack a recent smart contract hack and the confused debate about whether "Code is Law" in web3. Answer: it is not, and never was, but that does not turn the hacking of a smart contract into a violation of the Computer Fraud and Abuse Act.
Megan covers North Korea's tactic for earning dollars while trying to infiltrate U.S. crypto firms – getting remote work employment at the firms as coders. I wonder why LinkedIn is not doing more to stop scammers like this, given the company's rich trove of data about job applicants using the site.
Not to be outdone, other ransomware gangs are now adding to the threat of doxing their victims by making it easier to search their stolen data. Jamil and I debate the best way to counter the tactic.
Tatyana reports on Sen. Mark Warner's (D-Va) effort to strongarm the intelligence community into supporting Sen. Amy Klobuchar's (D-MN) antitrust law aimed at the biggest tech platforms – despite its inadequate protections for national security.
Jamil discounts as old news the Uber leak. I agree; we didn't learn much from the orgy of coverage that we didn't already know about Uber's highhanded approach in the teens to taxi monopolies and government.
Jamil and I endorse the efforts of a Utah startup devoted to following China's IP theft using China's surprisingly open information. Why Utah, you ask? We've got the answer.
In quick hits and updates:
- Josh Schulte has finally been convicted for one of the most damaging intelligence leaks in history.
- Google gets grudging respect from me for its political jiu-jitsu. Faced with smoking gun evidence of its political bias after the company spam-blocked GOP but not Dem fundraising messages, Google turned the tables. It managed to kick off public outrage by saying it wanted to fix its bias problem by forcing political spam on all its users. Now the GOP will have the burden of explaining that it's not trying to send us more spam; it just wants Gmail to stop favoring Democrats in running Gmail spam filters.
- And, finally, we all get to enjoy the story of the bored Chinese housewife who created an interlocking universe of fake Russian history on China's Wikipedia. She's promised to stop, but I suspect she's really just been hired to work for the world's most active producer of fake history – China's Ministry of State Security.
Download the 417th Episode (mp3)
You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!
The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.