Cyberwar continues to underperform

Matthew Heiman kicks off this episode of the podcast with a breakdown of Russia's attack on Ukraine's largest mobile operator. The attack was strikingly effective in destroying much of Kyivstar's infrastructure, and strikingly ineffective in achieving any meaningful Russian objectives, since service was quickly restored. Perhaps to even up the score, Ukraine supporters launched an even less effective cyberattack on an Iranian medical software company, presumably as retribution for Iran's supplying drones to Russia.

Hacking as an act of war may turn out to be more important in court than on the battlefield, at least when the victims file insurance claims, Jim Dempsey tells us. Merck's effort to get insurance coverage for its NotPetya losses despite an act of war exclusion has been settled. Which means that, if you want to know what cyberwar means for your insurance coverage, you need to review your current policy, which has almost certainly changed since the Merck case began.

Moving to the world of cybersecurity regulation, Cristin Flynn Goodwin recommends digging into the output of the reigning American champion for prescriptive cybersecurity rules, New York's Department of Financial Services, which recently sanctioned a cryptocurrency firm for a host of violations, including insufficient cybersecurity.

In Washington, meanwhile, the administration is promising to impose new cybersecurity requirements on hospitals, many of whom have been crippled by ransomware attacks. The hospitals aren't taking it well, but Jim thinks the legal basis for regulation can be found in the Golden Rule: The feds are supplying the gold, so they will make the rules.

It's "dogpile on the SEC" week, and no one is feeling sorry for the agency. Cristin reminds us that the SEC's X/ Twitter account was hacked and a market-moving tweet released last week, apparently because the SEC failed to abide by its own regulatory guidance about securing accounts with multi-factor authentication. That's also the subject of a recent Cybertoon, which asks whether the SEC should pay Elon Musk a whistleblower award for outing the agency's security failings.

The FTC's war on location data brokers continues to heat up. Jim reports on the FTC's settlement with one geolocation broker and its sweeping complaint against another. We also return to the FTC's settlement with Rite Aid over use of facial recognition, and its transformation of the settlement into a caution for users and makers of artificial intelligence products.

Speaking of AI, Cristin and I debate what should be done about the use of AI to create fake nudes of real people and other harassing tactics.

I argue that AI has bigger problems to deal with, citing Anthropic's recent report on just how hard it is to counteract malicious AI training.

Matthew and I marvel over the way that a longstanding insurgency in northern Myanmar has turned into a cybersecurity problem.

Finally, I pass on some listener feedback about an earlier episode that asked whether Apple knew about the highly sophisticated Triangulation exploit used against Kaspersky and the Russian government. It turns out that plenty of security pros find it plausible that Apple would not have been aware of the attack. 

Download 487th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@gmail.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.