Cybersecurity’s First Crash Report

Kicking off a packed episode, the Cyberlaw Podcast calls on Megan Stifel to cover the first Cyber Safety Review Board (CSRB) Report. The CSRB does exactly what those of us who supported the idea hoped it would do—provide an authoritative view of how the Log4J incident unfolded along with some practical advice for cybersecurity executives and government officials. Jamil Jaffer tees up the second blockbuster report of the week, a Council on Foreign Relations study called “Confronting Reality in Cyberspace Foreign Policy for a Fragmented Internet.” I think the study’s best contribution is its demolition of the industry-led claim that we must have a single global internet. That has not been true for a decade, and pursuing that vision means that the U.S. is not defending its own interests in cyberspace. I call out the report for the utterly wrong claim that the United States can resolve its transatlantic dispute with Europe by adopting a European-style privacy law. Europe’s beef with us on privacy reregulation of private industry is over (we surrendered); now the fight is over Europe’s demand that we rewrite our intelligence and counterterrorism laws. Jamil Jaffer and I debate both propositions. Megan discloses the top cybersecurity provisions added to the House defense authorization bill—notably the five year term for the head of Cybersecurity and Infrastructure Security Agency (CISA) and a cybersecurity regulatory regime for systemically critical industry. The Senate hasn’t weighed in yet, but both provisions now look more likely than not to become law. Regulatory cybersecurity measures look like the flavor of the month. The Biden White House is developing a cybersecurity strategy that is expected to encourage more regulation. Jamil reports on the development but is clearly hoping that the prediction of more regulation does not come true. Speaking of cybersecurity regulation, Megan kicks off a discussion of Department of Homeland Security’s CISA weighing in to encourage new regulation from the Federal Communication Commission (FCC) to incentivize a shoring up of the Border Gateway Protocol’s security. Jamil thinks the FCC will do better looking for incentives than punishments.  Tatyana Bolton and I try to unpack a recent smart contract hack and the confused debate about whether “Code is Law” in web3. Answer: it is not, and never was, but that does not turn the hacking of a smart contract into a violation of the Computer Fraud and Abuse Act. Megan covers North Korea’s tactic for earning dollars while trying to infiltrate U.S. crypto firms—getting remote work employment at the firms as coders. I wonder why LinkedIn is not doing more to stop scammers like this, given the company’s much richer trove of data about job applicants using the site. Not to be outdone, other ransomware gangs are now adding to the threat of doxing their victims by making it easier to search their stolen data. Jamil and I debate the best way to counter the tactic. Tatyana reports on Sen. Mark Warner’s, effort to strongarm the intelligence community into supporting Sen. Amy Klobuchar’s antitrust law aimed at the biggest tech platforms— despite its inadequate protections for national security. Jamil discounts as old news the Uber leak. We didn’t learn much from the coverage that we didn’t already know about Uber’s highhanded approach in the teens to taxi monopolies and government.   Jamil and I endorse the efforts of a Utah startup devoted to following China’s IP theft using China’s surprisingly open information. Why Utah, you ask? We’ve got the answer. In quick hits and updates:  Josh Schulte has finally been convicted for one of the most damaging intelligence leaks in history.  Google gets grudging respect from me for its political jiu-jitsu. Faced with a smoking gun of political bias after spam-blocking GOP but not Dem fundraising messages, Google managed to kick off outrage by saying it wanted to fix the problem by forcing political spam on all its users. Now the GOP will have to explain that it’s not trying to send us more spam; it just wants Gmail to stop favoring lefty spam.  And, finally, we all get to enjoy the story of the bored Chinese housewife who created a complete universe of fake Russian history on China’s Wikipedia. She’s promised to stop, but I suspect she’s just been hired to work for the world’s most active producer of fake history—China’s Ministry of State Security.