The Cyberlaw Podcast

Okay, yes, I promised to take a hiatus after episode 500. Yet here it is a week later, and I'm releasing episode 501. Here's my excuse. I read and liked Dmitri Alperovitch's book, "World on the Brink: How America Can Beat China in the Race for the 21st Century."  I told him I wanted to do an interview about it. Then the interview got pushed into late April because that's when the book is actually coming out.

So sue me. I'm back on hiatus.

The conversation  in the episode begins with Dmitri's background in cybersecurity and geopolitics, beginning with his emigration from the Soviet Union as a child through the founding of Crowdstrike and becoming a founder of Silverado Policy Accelerator and an advisor to the Defense Department. Dmitri shares his journey, including his early start in cryptography and his role in investigating the 2010 Chinese hack of Google and other companies, which he named Operation Aurora.

Dmitri opens his book with a chillingly realistic scenario of a Chinese invasion of Taiwan. He explains that this is not merely a hypothetical exercise, but a well-researched depiction based on his extensive discussions with Taiwanese leadership, military experts, and his own analysis of the terrain.

Then, we dive into the main themes of his book -- which is how to prevent his scenario from coming true. Dmitri stresses the similarities and differences between the US-Soviet Cold War and what he sees as Cold War II between the U.S. and China. He argues that, like Cold War I, Cold War II will require a comprehensive strategy, leveraging military, economic, diplomatic, and technological deterrence.

Dmitri also highlights the structural economic problems facing China, such as the middle-income trap and a looming population collapse. Despite these challenges, he stresses that the U.S. will face tough decisions as it seeks to deter conflict with China while maintaining its other global obligations.

We talk about diversifying critical supply chains away from China and slowing China's technological progress in areas like semiconductors. This will require continuing collaboration with allies like Japan and the Netherlands to restrict China's access to advanced chip-making equipment.

Finally, I note the remarkable role played in Cold War I by Henry Kissinger and Zbigniew Brzezinski, two influential national security advisers who were also first-generation immigrants.  I ask whether it's too late to nominate Dmitri to play the same role in Cold War II. You heard it here first!

There’s a whiff of Auld Lang Syne about episode 500 of the Cyberlaw Podcast, since after this it will be going on hiatus for some time and maybe forever. (Okay, there will be an interview with Dmitri Alperovich about his forthcoming book, but the news commentary is done for now.) Perhaps it’s appropriate, then, for our two lead stories to revive a theme from the 90s – who’s better, Microsoft or Linux? Sadly for both, the current debate is over who’s worse, at least for cybersecurity.

 

Microsoft’s sins against cybersecurity are laid bare in a report of the Cyber Security Review Board, Paul Rosenzweig reports.  The Board digs into the disastrous compromise of a Microsoft signing key that gave China access to US government email. The language of the report is sober, and all the more devastating because of its restraint.  Microsoft seems to have entirely lost the security focus it so famously pivoted to twenty years ago. Getting it back will require a focus on security at a time when the company feels compelled to focus relentlessly on building AI into its offerings.  The signs for improvement are not good.  The only people who come out of the report looking good are the State Department security team, whose mad cyber skillz deserve to be celebrated – not least because they’ve been questioned by the rest of government for decades.

 

With Microsoft down,  you might think open source would be up.  Think again, Nick Weaver tells us.  The strategic vulnerability of open source, as well as its appeal, is that anyone can contribute code to a project they like.   And in the case of the XZ backdoor, anybody did just that. A well-organized, well-financed, and knowledgeable group of hackers cajoled and bullied their way into a contributing role on an open source project that enabled various compression algorithms. Once in, they contributed a backdoored feature that used public key encryption to ensure access only to the authors of the feature. It was weeks from  being in every Linux distro when a Microsoft employee discovered the implant.  But the people who almost pulled this off seemed well-practiced and well-resourced. They’ve likely done this before, and will likely do it again.  Leaving all open source projects facing their own strategic vulnerability.

 

It wouldn’t be the Cyberlaw Podcast without at least one Baker rant about political correctness.  The much-touted bipartisan privacy bill threatening to sweep to enactment in this Congress turns out to be a disaster for anyone who opposes identity politics.  To get liberals on board with a modest amount of privacy preemption, I charge, the bill would effectively overturn the Supreme Court’s Harvard admissions decision and impose race, gender, and other quotas on a host of other activities that have avoided them so far. Adam Hickey and I debate the language of the bill.  Why would the Republicans who control the House go along with this?  I offer two reasons:  first, business lobbyists want both preemption and a way to avoid charges of racial discrimination, even if it means relying on quotas; second, maybe Sen. Alan Simpson was right that the Republican Party really is the Stupid Party.

 

Nick and I turn to a difficult AI story, about how Israel is using algorithms to identify and kill even low-level Hamas operatives in their homes. Far more than killer robots, this use of AI in war is far more likely to sweep the world.  Nick is critical of Israel’s approach; I am less so. But there’s no doubt that the story forces a sober assessment of just how personal and how ugly war will soon be.

 

Paul takes the next story, in which Microsoft serves up leftover “AI gonna steal yer election” tales that are not much different than all the others we’ve heard since 2016 (when straight social media was the villain).  The bottom line: China is using AI in social media to advance its interests and probe US weaknesses, but it doesn’t seem to be having much effect.

 

Nick answers the question, “Will AI companies run out of training data?” with a clear viewpoint: “They already have.”  He invokes the Hapsburgs to explain what’s going wrong. We also touch on the likelihood that demand for training data will lead to copyright liability,  or that hallucinations will lead to defamation liability.  Color me skeptical.

 

 Paul comments on two US quasiagreements, with the UK and the EU, on AI cooperation. And Adam breaks down the FCC’s burst of initiatives celebrating the arrival of a Democratic majority on the Commission for the first time since President Biden’s inauguration. The commission is now ready to move out on net neutrality, on regulating cars as oddly shaped phones with benefits, and on SS7 security.

 

Faced with a security researcher who responded to a hacking attack by taking down North Korea’s internet, Adam acknowledges that maybe my advocacy of hacking back wasn’t quite as crazy as he thought when he was in government.

 

In Cyberlaw Podcast alumni news, I note that Paul Rosenzweig has been appointed an advocate at the Data Protection Review Court, where he’ll be expected to channel Max Schrems.  And Paul offers a summary of what has made the last 500 episodes so much fun for me, for our guests, and for our audience.  Thanks to you all for the gift of your time and your tolerance!

This episode is notable not just for cyberlaw commentary, but for its imminent disappearance from these pages and from podcast playlists everywhere.  Having promised to take stock of the podcast when it reached episode 500, I’ve decided that I, the podcast, and the listeners all deserve a break.  So I’ll be taking one after the next episode.  No final decisions have been made, so don’t delete your subscription, but don’t expect a new episode any time soon.  It’s been a great run, from the dawn of the podcast age, through the ad-fueled podcast boom, which I manfully resisted, to the market correction that’s still under way.  It was a pleasure to engage with listeners from all over the world. Yes, even the EU! 

 

As they say, in the podcast age, everyone is famous for fifteen people.  That’s certainly been true for me, and I’ll always be grateful for your support – not to mention for all the great contributors who’ve joined the podcast over the years

 

Back to cyberlaw, there are a surprising number of people arguing that there’s no reason to worry about existential and catastrophic risks from proliferating or runaway AI risks.  Some of that is people seeking clever takes; a lot of it is ideological, driven by fear that worrying about the end of the world will distract attention from the dire but unidentified dangers of face recognition.  One useful antidote is the Gladstone Report, written for the State Department’s export control agency. David Kris gives an overview of the report for this episode of the Cyberlaw Podcast. The report explains the dynamic, and some of the evidence, behind all the doom-saying, a discussion that is more persuasive than its prescriptions for regulation.

 

Speaking of the dire but unidentified dangers of face recognition, Paul Stephan and I unpack a New York Times piece saying that Israel is using face recognition in its Gaza conflict. Actually, we don’t so much unpack it as turn it over and shake it, only to discover it’s largely empty.  Apparently the editors of the NYT thought that tying face recognition to Israel and Gaza was all we needed to understand that the technology is evil.

 

More interesting is the story arguing that the National Security Agency, traditionally at the forefront of computers and national security, may have to sit out the AI revolution. The reason, David tells us, is that NSA’s access to mass quantities of data for training is complicated by rules and traditions against intelligence agencies accessing data about Americans. And there are few training databases not contaminated with data about and by Americans.

 

While we’re feeling sorry for the intelligence community as it struggles with new technology, Paul notes that Yahoo News has assembled a long analysis of all the ways that personalized technology is making undercover operations impossible for CIA and FBI alike.

 

Michael Ellis weighs in with a review of a report by the Foundation for the Defence of Democracies on the need for a US Cyber Force to man, train, and equip fighting nerds for Cyber Command.  It’s a bit of an inside baseball solution, heavy on organizational boxology, but we’re both persuaded that the current system for attracting and retaining cyberwarriors is not working. In the spirit of “Yes, Minister,” we must do something, and this is something.

 

In that same spirit, it’s fair to say that the latest Senate Judiciary proposal for a “compromise” 702 renewal bill is nothing much – a largely phony compromise chock full of ideological baggage. David Kris and I are unimpressed, and surprised at how muted the Biden administration has been in trying to wrangle the Democratic Senate into producing a workable bill.

 

Paul and Michael review the latest trouble for TikTok – a likely FTC lawsuit over privacy. Michael and I puzzle over the stories claiming that Meta may have “wiretapped” Snapchat analytic data.  It comes from a trial lawyer suing Meta, and there are a lot of unanswered questions, such as whether users consented to the collection of the data.  In the end, we can’t help thinking that if Meta had 41 of its lawyers review the project, they found a way to avoid wiretapping liability.

 

The most intriguing story of the week is the complex and surprising three- or four-cornered fight in northern Myanmar over hundreds of thousands of women trapped in call centers to run romance and pig-butchering scams.  Angry that many of the women and many victims are Chinese, China fostered a warlord’s attack on the call centers that freed many women, and deeply embarrassed the current Myanmar ruling junta and its warlord allies, who’d been running the scams.  And we thought our southern border was a mess!

And  in quick hits:

·         Elon Musk's X Corp has lost lawsuit against the left-wing smear artists at CCDH

·         AT&T has lost millions of customer records in a data breach

·         Utah has passed an:  AI regulation bill

·         The US is still in the cyber sanctions business, tagging several Russian fintech firms and a collection of  Chinese state hackers.

·         The SEC isn’t done investigating SolarWinds; now it’s investigating companies harmed by the supply chain attack.

·         Apple’s reluctant compliance with EU law has attracted the expected EU investigation of its app store policies  App Store changes rejected: Apple could be fined 10% of global turnover

·         And in a story that will send chills through large parts of the financial and tech elite, it turns out that Jeffrey Epstein’s visitor records didn’t die with him.  Thanks to geolocation adtech, they can be reconstructed.

 

The Biden administration has been aggressively pursuing antitrust cases against Silicon Valley giants like Amazon, Google, and Facebook. This week it was Apple’s turn. The Justice Department (joined by several state AGs)  filed a gracefully written complaint accusing Apple of improperly monopolizing the market for “performance smartphones.” The market definition will be a weakness for the government throughout the case, but the complaint does a good job of identifying ways in which Apple has built a moat around its business without an obvious benefit for its customers.  The complaint focuses on Apple’s discouraging of multipurpose apps and cloud streaming games, its lack of message interoperability, the tying of Apple watches to the iPhone to make switching to Android expensive, and its insistence on restricting digital wallets on its platform.  This lawsuit will continue well into the next presidential administration, so much depends on the outcome of the election this fall.

 

Volt Typhoon is still in the news, Andrew Adams tells us, as the government continues to sound the alarm about Chinese intent to ravage American critical infrastructure in the event of a conflict.  Water systems are getting most of the attention this week.  I can’t help wondering how we expect the understaffed and underresourced water and sewage companies in this country to defeat sophisticated state-sponsored attackers. This leads Cristin and i to a discussion of how the SEC’s pursuit of CISO Tim Brown and demands for more security disclosures will improve the country’s cybersecurity.  Short answer: It won’t.

 

Cristin covers the legislative effort to force a divestiture of Tiktok. The bill has gone to the Senate, where it is moving slowly, if at all. Speaking as a parent of teenagers and voters, Cristin is not surprised. Meanwhile, the House has sent a second bill to the Senate by a unanimous vote. This one would block data brokers from selling American’s data to foreign adversaries. Andrew notes that the House bill covers data brokers.  Other data holders, like Google and Apple, would face a similar restriction, under executive order, so the Senate will have plenty of opportunity to deal with Chinese access to American personal data.

 

In the wake of the Murthy argument over administration jawboning in favor of censorship of mostly right-wing posts,  Andrew reports that the FBI has resumed outreach to social media companies, at least where it identifies foreign influence campaigns. And the FDA, which piled on to criticize ivermectin advocates, has withdrawn its dubious and condescending tweets.

 

 Cristin reports on the spyware agreement sponsored by the United States. It has collected several new supporters. Whether this will reduce spyware installations or simply change the countries that supply the spyware remains to be seen.

The Supreme Court is getting a heavy serving of first amendment social media cases. Gus Hurwitz covers two that made the news last week. In the first, Justice Barrett spoke for a unanimous court in spelling out the very factbound rules that determine when a public official may use a platform’s tools to suppress critics posting on his or her social media page.  Gus and I agree that this might mean a lot of litigation, unless public officials wise up and simply follow the Court’s broad hint: If you don’t want your page to be treated as official, simply say up top that it isn’t official.

The second social media case making news was being argued as we recorded. Murthy v. Missouri appealed a broad injunction against the US government pressuring social media companies to take down posts the government disagrees with.  The Court was plainly struggling with a host of justiciability issues and a factual record that the government challenged vigorously. If the Court reaches the merits, it will likely address the question of when encouraging the suppression of particular speech slides into coerced censorship. 

Gus and Jeffrey Atik review the week’s biggest news – the House has passed a bill to force the divestment of TikTok, despite the outcry of millions of influencers.  Whether the Senate will be quick to follow suit is deeply uncertain.

Melanie Teplinsky covers the news that data about Americans’ driving habits is increasingly being sent to insurance companies to help them adjust their rates.

Melanie also describes the FCC’s new Cyber Trust Mark for IOT devices.  Like the Commission, our commentators think this is a good idea.

Gus takes us back to more contest territory: What should be done about the use of technology to generate fake pictures, especially nude fake pictures. We also touch on a UK debate about a snippet of audio that many believe is a fake meant to embarrass a British Labour politician.  

 Gus tells us the latest news from the SVR’s compromise of a Microsoft network. This leads us to a meditation on the unintended consequences of the SEC’s new cyber incident reporting requirements.

Jeffrey explains the bitter conflict over app store sales between  Apple and Epic games.

Melanie outlines a possible solution to the lack of cybersecurity standards (not to mention a lack of cybersecurity) in water systems. It’s interesting but it’s too early to judge its chances of being adopted.

Melanie also tells us why  JetBrains and Rapid7 have been fighting over “silent patching.”

Finally, Gus and I dig into Meta’s high-stakes fight with the FTC, and the rough reception it got from a DC district court.

 

This bonus episode of the Cyberlaw Podcast focuses on the national security implications of sensitive personal information. Sales of personal data have been largely unregulated as the growth of adtech has turned personal data into a widely traded commodity. This, in turn, has produced a variety of policy proposals – comprehensive privacy regulation, a weird proposal from Sen. Wyden (D-OR) to ensure that the US governments cannot buy such data while China and Russia can, and most recently an Executive Order to prohibit or restrict commercial transactions affording China, Russia, and other adversary nations with access to Americans’ bulk sensitive personal data and government related data. 

To get a deeper understanding of the executive order, and the Justice Department’s plans for implementing it, Stewart interviews Lee Licata, Deputy Section Chief for National Security Data Risk.

Kemba Walden and Stewart revisit the National Cybersecurity Strategy a year later. Sultan Meghji examines the ransomware attack on Change Healthcare and its consequences. Brandon Pugh reminds us that even large companies like Google are not immune to having their intellectual property stolen. The group conducts a thorough analysis of a "public option" model for AI development. Brandon discusses the latest developments in personal data and child online protection. Lastly, Stewart inquires about Kemba's new position at Paladin Global Institute, following her departure from the role of Acting National Cyber Director.

The United States is in the process of rolling out a sweeping regulation for personal data transfers. But the rulemaking is getting limited attention because it targets transfers to our rivals in the new Cold War – China, Russia, and their allies. Adam Hickey, whose old office is drafting the rules, explains the history of the initiative, which stems from endless Committee on Foreign Investment in the United States efforts to impose such controls on a company-by-company basis. Now, with an executive order as the foundation, the Department of Justice has published an advance notice of proposed rulemaking that promises what could be years of slow-motion regulation. Faced with a similar issue—the national security risk posed by connected vehicles, particularly those sourced in China—the Commerce Department issues a laconic notice whose telegraphic style contrasts sharply with the highly detailed Justice draft.

I take a stab at the riskiest of ventures—predicting the results in two Supreme Court cases about social media regulations adopted by Florida and Texas. Four hours of strong appellate advocacy and a highly engaged Court make predictions risky, but here goes. I divide the Court into two camps—the Justices (Thomas, Alito, probably Gorsuch) who think that the censorship we should worry about comes from powerful speech-monopolizing platforms and the Justices (Kavanagh, the Chief) who see the cases through a lens that values corporate free speech. Many of the remainder (Kagan, Sotomayor, Jackson) see social media content moderation as understandable and justified, but they’re uneasy about the power of large platforms and reluctant to grant a sweeping immunity to those companies. To my mind, this foretells a decision striking down the laws insofar as they restrict content moderation. But that decision won’t resolve all the issues raised by the two laws, and industry’s effort to overturn them entirely on the current record is also likely to fail. There are too many provisions in those laws that some of the justices considered reasonable for Netchoice to win a sweeping victory. So I look for an opinion that rejects the “private censorship” framing but expressly leaves open or even approves other, narrower measures disciplining platform power, leaving the lower courts to deal with them on remand.

Kurt Sanger and I dig into the Securities Exchange Commission's amended complaint against Tim Brown and SolarWinds, alleging material misrepresentation with respect to company cybersecurity. The amended complaint tries to bolster the case against the company and its CISO, but at the end of the day it’s less than fully persuasive. SolarWinds didn’t have the best security, and it was slow to recognize how much harm its compromised software was causing its customers. But the SEC’s case for disclosure feels like 20-20 hindsight. Unfortunately, CISOs are likely to spend the next five years trying to guess which intrusions will look bad in hindsight. 

I cover the National Institute of Standards and Technology’s (NIST) release of version 2.0 of the Cybersecurity Framework, particularly its new governance and supply chain features.

Adam reviews the latest update on section 702 of FISA, which likely means the program will stumble into 2025, thanks to a certification expected in April. We agree that Silicon Valley is likely to seize on the opportunity to engage in virtue-signaling litigation over the final certification.

Kurt explains the remarkable power of adtech data for intelligence purposes, and Senator Ron Wyden’s (D-OR) effort to make sure such data is denied to U.S. agencies but not to the rest of the world. He also pulls Adam and me into the debate over whether we need a federal backup for cyber insurance. Bruce Schneier thinks we do, but none of us is persuaded.

Finally, Adam and I consider the divide between CISA and GOP election officials. We agree that it has its roots in CISA’s imprudently allowing election security mission creep, from the cybersecurity of voting machines to trying to combat “malinformation,” otherwise known as true facts that the administration found inconvenient. We wish CISA well in the vital job of protecting voting machines and processes, as long as it manages in this cycle to stick to its cyber knitting. 

Download 494th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to [email protected]. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets

This episode of the Cyberlaw Podcast kicks off with the Babylon Bee’s take on Google Gemini’s woke determination to inject a phony diversity into images of historical characters, The Bee purports to quote a black woman commenting on the AI engine’s performance: "After decades of nothing but white Nazis, I can finally see a strong, confident black female wearing a swastika. Thanks, Google!" Jim Dempsey and Mark MacCarthy join the discussion because Gemini’s preposterous diversity quotas deserve more than snark. In fact, I argue, they were not errors; they were entirely deliberate efforts by Google to give its users not what they want but what Google in its wisdom thinks they should want. That such bizarre results were achieved by Google’s sneakily editing prompts to ask for, say, “indigenous” founding fathers simply shows that Google has found a unique combination of hubris and incompetence. More broadly, Mark and Jim suggest, the collapse of Google’s effort to control its users raises this question: Can we trust AI developers when they say they have installed guardrails to make their systems safe?

The same might be asked of the latest in what seems an endless stream of experts demanding that AI models defeat their users by preventing them from creating “harmful” deepfake images. Later, Mark points out that most of Silicon Valley recently signed on to promises to combat election-related deepfakes. 

Speaking of hubris, Michael Ellis covers the State Department’s stonewalling of a House committee trying to find out how generously the Department funded a group of ideologues trying to cut off advertising revenues for right-of-center news and comment sites. We take this story a little personally, having contributed op-eds to several of the blacklisted sites.  

Michael explains just how much fun Western governments had taking down the infamous Lockbit ransomware service. I credit the Brits for the humor displayed as governments imitated Lockbit’s graphics, gimmicks, and attitude. There were arrests, cryptocurrency seizures, indictments, and more. But a week later, Lockbit was claiming that its infrastructure was slowly coming back on line.

Jim unpacks the FTC’s case against Avast for collecting the browsing habits of its antivirus customers. He sees this as another battle in the FTC’s war against “de-identified” data as a response to privacy concerns.

Mark notes the EU’s latest investigation into TikTok. And Michael explains how the Computer Fraud and Abuse Act ties to Tucker Carlson’s ouster from the Fox network.

Mark and I take a moment to tease next week’s review of the Supreme Court oral argument over Texas and Florida social media laws. The argument was happening while we were recording, but it’s clear that the outcome will be a mixed bag. Tune in next week for more.

Jim explains why the administration has produced an executive order about cybersecurity in America’s ports, and the legal steps needed to bolster port security.

Finally, in quick hits:

• We dip into the trove of leaked files exposing how China’s cyberespionage contractors do business

• I wish Rob Joyce well as he departs NSA and prepares for a career in cyberlaw podcasting

• I recommend the most cringey and irresistible long read of the week: How I Fell for an Amazon Scam Call and Handed Over $50,000

• And in a scary taste of the near future, a new paper discloses that advanced LLMs make pretty good autonomous hacking agents.

Download 493rd Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to [email protected]. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.