All At Sea: Maritime Cybersecurity

Spurred by a Cyberspace Solarium op-ed, Nate Jones gives an overview of cybersecurity worries in the maritime sector, where there is plenty to worry about. I critique the U.S. government’s December 2020 National Maritime Cybersecurity Strategy, a 36-page tome that, when the intro and summary and appendices and blank pages are subtracted, offers only eight pages of substance. Luckily, the Atlantic Council has filled the void with its own report on the topic. Of course, the maritime sector isn’t the only one we should be concerned about. Sultan Meghji points to the deeply troubling state of industrial control security, as illustrated by at “10 out of 10” vulnerability recently identified in a Rockwell Automation ICS system.  Still, sometimes software rot serves a good purpose. Maury Shenk tells us about decay in Russia’s SORM—a site-blocking system that may be buckling under the weight of the Ukraine invasion. Talking about SORM allows me to trash a nothingburger story perpetrated by three New York Times reporters who ought to know better. Adam Satariano, Paul Mozur and Aaron Krolik should be ashamed of themselves for writing a long story suggesting that Nokia did something wrong by selling Russia telecom gear that enables wiretaps. Since the same wiretap features are required by Western governments as a matter of law, Nokia could hardly do anything else. SORM and its abuses were all carried out by Russian companies. I suspect that, after wading through a boatload of leaked documents, these three (three!) reporters just couldn’t admit there was no there, there.  Nate and I note the emergence of a new set of secondary sanctions targets as the Treasury Department begins sanctioning companies that it concludes are part of a sanctions evasion network. We also puzzle over the surprising pushback on proposals to impose  sanctions on Kaspersky. If the Wall Street Journal is correct, and the reason is fear of cyberattacks if the Russian firm is sanctioned, isn’t that a reason to sanction them out of Western networks?  Sultan and Maury remind us that regulating cryptocurrency is wildly popular with some, including Sen. Elizabeth Warren and the EU Parliament. Sultan remains skeptical that sweeping regulation is in the cards. He is much more bullish on Apple’s ability to upend the entire fintech field by plunging into financial services with enthusiasm. I point out that it’s almost impossible for a financial services company to maintain a standoffish relationship with the government, so Apple may have to change the tune it’s been playing in the U.S. for the last decade. Maury and I explore fears that the DMA will break WhatsApp encryption, while Nate and I plumb some of the complexities of a story Brian Krebs broke about hackers exploiting the system by which online services provide subscriber information to law enforcement in an emergency.  Speaking of Krebs, we dig into Ubiquiti’s defamation suit against him. The gist of the complaint is that Krebs relied on a “whistleblower” who turned out to be the perp, and that Krebs didn’t quickly correct his scoop when that became apparent. My sympathies are with Krebs on this one, at least until Ubiquiti fills in a serious gap in its complaint—the lack of any allegation that the company told Krebs that he’d been misled and asked for a retraction. Without that, it’s hard to say that Krebs was negligent (let alone malicious) in reporting allegations by an apparently well-informed insider.  Maury brings us up to speed on the (still half-formed) U.K. online harms bill and explains why the U.K. government was willing to let the subsidiary of a Chinese company buy the U.K.’s biggest chip foundry. Sultan finds several insights in an excellent CNN story about the Great Conti Leak. And, finally, I express my personal qualms about the indictment (for disclosing classified information) of Mark Unkenholz, a highly competent man whom I know from my time in government. To my mind the prosecutors are going to have to establish that Unkenholz was doing something different from the kind of disclosures that are an essential part of working with tech companies that have no security clearances but plenty of tools needed by the intelligence community. This is going to be a story to watch. Download the 401st Episode (mp3) You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to [email protected]. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.