loader from loading.io

High Court, High Stakes for Cybersecurity

The Cyberlaw Podcast

Release Date: 01/23/2024

World on the Brink with Dmitri Alperovitch show art World on the Brink with Dmitri Alperovitch

The Cyberlaw Podcast

Okay, yes, I promised to take a hiatus after episode 500. Yet here it is a week later, and I'm releasing episode 501. Here's my excuse. I read and liked Dmitri Alperovitch's book, "World on the Brink: How America Can Beat China in the Race for the 21st Century."  I told him I wanted to do an interview about it. Then the interview got pushed into late April because that's when the book is actually coming out. So sue me. I'm back on hiatus. The conversation  in the episode begins with Dmitri's background in cybersecurity and geopolitics, beginning with his emigration from the Soviet...

info_outline
Who’s the Bigger Cybersecurity Risk – Microsoft or Open Source? show art Who’s the Bigger Cybersecurity Risk – Microsoft or Open Source?

The Cyberlaw Podcast

There’s a whiff of Auld Lang Syne about episode 500 of the Cyberlaw Podcast, since after this it will be going on hiatus for some time and maybe forever. (Okay, there will be an interview with Dmitri Alperovich about his forthcoming book, but the news commentary is done for now.) Perhaps it’s appropriate, then, for our two lead stories to revive a theme from the 90s – who’s better, Microsoft or Linux? Sadly for both, the current debate is over who’s worse, at least for cybersecurity.   Microsoft’s sins against cybersecurity are laid bare in , Paul Rosenzweig reports. ...

info_outline
Taking AI Existential Risk Seriously show art Taking AI Existential Risk Seriously

The Cyberlaw Podcast

This episode is notable not just for cyberlaw commentary, but for its imminent disappearance from these pages and from podcast playlists everywhere.  Having promised to take stock of the podcast when it reached episode 500, I’ve decided that I, the podcast, and the listeners all deserve a break.  So I’ll be taking one after the next episode.  No final decisions have been made, so don’t delete your subscription, but don’t expect a new episode any time soon.  It’s been a great run, from the dawn of the podcast age, through the ad-fueled podcast boom, which I...

info_outline
The Fourth Antitrust Shoe Drops, on Apple This Time show art The Fourth Antitrust Shoe Drops, on Apple This Time

The Cyberlaw Podcast

The Biden administration has been aggressively pursuing antitrust cases against Silicon Valley giants like Amazon, Google, and Facebook. This week it was Apple’s turn. The Justice Department (joined by several state AGs)  filed a accusing Apple of improperly monopolizing the market for “performance smartphones.” The market definition will be a weakness for the government throughout the case, but the complaint does a good job of identifying ways in which Apple has built a moat around its business without an obvious benefit for its customers.  The complaint focuses on Apple’s...

info_outline
Social Speech and the Supreme Court show art Social Speech and the Supreme Court

The Cyberlaw Podcast

The Supreme Court is getting a heavy serving of first amendment social media cases. Gus Hurwitz covers two that made the news last week. In the , Justice Barrett spoke for a unanimous court in spelling out the very factbound rules that determine when a public official may use a platform’s tools to suppress critics posting on his or her social media page.  Gus and I agree that this might mean a lot of litigation, unless public officials wise up and simply follow the Court’s broad hint: If you don’t want your page to be treated as official, simply say up top that it isn’t official....

info_outline
Preventing Sales of Personal Data to Adversary Nations show art Preventing Sales of Personal Data to Adversary Nations

The Cyberlaw Podcast

This bonus episode of the Cyberlaw Podcast focuses on the national security implications of sensitive personal information. Sales of personal data have been largely unregulated as the growth of adtech has turned personal data into a widely traded commodity. This, in turn, has produced a variety of policy proposals – comprehensive privacy regulation, a weird proposal from Sen. Wyden (D-OR) to ensure that the US governments cannot buy such data while China and Russia can, and most recently an Executive Order to prohibit or restrict commercial transactions affording China, Russia, and...

info_outline
The National Cybersecurity Strategy – How Does it Look After a Year? show art The National Cybersecurity Strategy – How Does it Look After a Year?

The Cyberlaw Podcast

Kemba Walden and Stewart revisit the National Cybersecurity Strategy a year later. Sultan Meghji examines the ransomware attack on Change Healthcare and its consequences. Brandon Pugh reminds us that even large companies like Google are not immune to having their intellectual property stolen. The group conducts a thorough analysis of a "public option" model for AI development. Brandon discusses the latest developments in personal data and child online protection. Lastly, Stewart inquires about Kemba's new position at Paladin Global Institute, following her departure from the role of Acting...

info_outline
Regulating personal data for national security show art Regulating personal data for national security

The Cyberlaw Podcast

The United States is in the process of rolling out a for personal data transfers. But the rulemaking is getting limited attention because it targets transfers to our rivals in the new Cold War – China, Russia, and their allies. old office is drafting the rules, explains the history of the initiative, which stems from endless Committee on Foreign Investment in the United States efforts to impose such controls on a company-by-company basis. Now, with an as the foundation, the Department of Justice has published an that promises what could be years of slow-motion regulation. Faced with a...

info_outline
Are AI models learning to generalize? show art Are AI models learning to generalize?

The Cyberlaw Podcast

We begin this episode with describing major progress in conversions. Amazon flagged its new model as having “emergent” capabilities in handling what had been serious problems – things like speaking with emotion, or conveying foreign phrases. The key is the size of the training set, but Amazon was able to spot the point at which more data led to unexpected skills. This leads Paul and me to speculate that training AI models to perform certain tasks eventually leads the model to learn “generalization” of its skills. If so, the more we train AI on a variety of tasks – chat,...

info_outline
Death, Taxes, and Data Regulation show art Death, Taxes, and Data Regulation

The Cyberlaw Podcast

On the latest episode of The Cyberlaw Podcast, guest host Brian Fleming, along with panelists and discuss the latest U.S. government efforts to protect sensitive personal data, including the and the restricting certain bulk sensitive data flows to China and other countries of concern. Nate and Brian then discuss before the April expiration and debate what to make of a recent . Gus and Jane then talk about the , as well as , in an effort to understand some broader difficulties facing internet-based ad and subscription revenue models. Nate considers the implications of in its war against...

info_outline
 
More Episodes

The Supreme Court heard argument last week in two cases seeking to overturn the Chevron doctrine that defers to administrative agencies in interpreting the statutes that they administer. The cases have nothing to do with cybersecurity, but Adam Hickey thinks they’re almost certain to have a big effect on cybersecurity policy. That’s because Chevron is going to take a beating, if it survives at all. That means it will be much tougher to repurpose existing law to deal with new regulatory problems. Given how little serious cybersecurity legislation has been passed in recent years, any new cybersecurity regulation is bound to require some stretching of existing law – and to be easier to challenge.

Case in point: Even without a new look at Chevron, the EPA was balked in court when it tried to stretch its authorities to cover cybersecurity rules for water companies. Now, Kurt Sanger tells us, EPA, FBI, and CISA have combined to release cybersecurity guidance for the water sector. The guidance is pretty generic; and there’s no reason to think that underfunded water companies will actually take it to heart. Given Iran’s interest in causing aggravation and maybe worse in that sector, Congress is almost certainly going to feel pressure to act on the problem. 

CISA’s emergency cybersecurity directives to federal agencies are a library of flaws that are already being exploited. As Adam points out, what’s especially worrying is how quickly patches are being turned into attacks and deployed. I wonder how sustainable the current patch system will prove to be. In fact, it’s already unsustainable; we just don’t have anything to replace it.

The good news is that the Russians have been surprisingly bad at turning flaws into serious infrastructure problems even for a wartime enemy like Ukraine. Additional information about Russia’s attack on Ukraine’s largest telecom provider suggests that the cost to get infrastructure back was less than the competitive harm the carrier suffered in trying to win its customers back. 

Companies are starting to report breaches under the new, tougher SEC rule, and Microsoft is out of the gate early, Adam tells us. Russian hackers stole the company’s corporate emails, it says, but it insists the breach wasn’t material. I predict we’ll see a lot of such hair splitting as companies adjust to the rule. If so, Adam predicts, we’re going to be flooded with 8-Ks. 

Kurt notes recent FBI and CISA warnings about the national security threat posed by Chinese drones. The hard question is what’s new in those warnings. A question about whether antitrust authorities might investigate DJI’s enormous market share leads to another about the FTC’s utter lack of interest in getting guidance from the executive branch when it wanders into the national security field. Case in point: After listing a boatload of “sensitive location data” that should not be sold, the FTC had nothing to say about the personal data of people serving on U.S. military bases. Nothing “sensitive” there, the FTC seems to think, at least not compared to homeless shelters and migrant camps.

Michael Ellis takes us through Apple’s embarrassing failure to protect users of its Airdrop feature.

Adam is encouraged by a sign of maturity on the part of OpenAI, which has trimmed its overbroad rules on not assisting military projects.

Apple, meanwhile, is living down to the worst Big Tech caricature in handling the complaints of app developers about its app store. Michael explains how Apple managed to beat 9 out of 10 claims brought by Epic and still ended up looking like the sorest of losers.

Michael takes us inside a new U.S. surveillance court just for Europeans, but we end up worrying about the risk that the Obama administration will come back to make new law that constrains the Biden team. 

Adam explains yet another European Court of Justice decision on GDPR. This time, though, it’s a European government in the dock. The result is the same, though: national security is pushed into a corner, and the data protection bureaucracy takes center stage. 

We end with the sad disclosure that, while bad cyber news will continue, cyber-enabled day drinking will not, as Uber announces the end of Drizly, its liquor delivery app.

Download 488th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to [email protected]. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.