The Cyberlaw Podcast: A Lot of Cybersecurity Measures That Don't Work, And A Few That Might

Stewart Baker
Tuesday, March 9, 2021, 12:42 PM

Published by The Lawfare Institute
in Cooperation With
Brookings

We’re mostly back to our cybersecurity roots in this episode, for good reasons and bad. The worst of the bad reasons is a new set of zero-day vulnerabilities in Microsoft’s Exchange servers. They’ve been patched, Bruce Schneier tells us, but that seems to have inspired the Chinese government hackers to switch their campaign from Stealth to Promiscuous Mode. Anyone who hasn’t already installed the Microsoft patch is at risk of being compromised today for exploitation tomorrow.

Nick Weaver and Dmitri Alperovitch weigh in on the scope of the disaster and later contribute to our discussion of what to do about our ongoing cyberinsecurity. We’re long on things that don’t work. Bruce has pointed out that the market for software products, unfortunately, makes it entirely rational for industry to skimp on security while milking a product’s waning sales. Voluntary information sharing, has failed Dmitri notes. In fact, as OODA Loop reported in a devastating chart, information sharing is one of half a dozen standard recommendations made in the last dozen commission recommendations for cybersecurity. They either haven’t been implemented or they don’t work.

Dmitri is hardly an armchair quarterback on cybersecurity policy. He’s putting his money where his mouth is, in the form of the Silverado Policy Accelerator, which we discuss during the interview segment of the episode. Silverado is focused on moving the cybersecurity policy debate forward in tangible, sometimes incremental, ways. It will be seeking new policy ideas in cybersecurity, international trade and industrial security, and ecological and economic security (what the group is calling Eco2Sec).

(The unifying theme is the challenge to the US posed by the rise of China and the inadequacy of our past response to that challenge.) But ideas are easy; implementation is hard. Dmitri expects Silverado to focus its time and resources both on identifying novel policy ideas and on ensuring those ideas are transformed into concrete outcomes.

Whether artificial intelligence (AI) would benefit from some strategic decoupling sparks a debate between me, Nick, Jane Bambauer and Bruce, inspired by the final AI commission report. We shift from that to China’s version of industrial policy, which seems to reflect Chinese politics in its enthusiasm not just for AI and chips but also for keeping old leaders alive longer.

Jane and I check in on the debate over social media speech suppression, including the latest developments in the Facebook Oversight Board and the unusual bedfellows that the issue has inspired. I mock Google for YouTube’s noblesse oblige promise that it will stop suppressing President Trump’s speech when it no longer sees a threat of violence on the Right. And then I mock it again for its silly refusal to return search results for “BlueAnon”—the Right’s label for the Left’s wackier conspiracy theories.

In quick hits, Bruce and Dmitri explore a recent Atlantic Council report on hacked access as a service and what to do about it. Bruce thinks the problem (usually associated with NSO Group) is real and the report’s recommendations plausible. Dmitri points out that trying to stamp out a trade in zero days is looking at the wrong part of the problem, since reverse engineering patches is the source of most successful attacks, not zero days. Speaking of NSO Group, Nick reminds us of the rumors that they have been under criminal investigation and that the investigation has been revived recently.

Jane notes that Virginia has become the second state with a consumer data protection law, and one that resembles the California Consumer Privacy Act.

Jane also notes the Israeli Supreme Court decision ending (sort of) Shin Bet’s use cellphone data for coronavirus contact tracing. Ironically, it turns out to have been more effective than most implementations of the Gapple privacy-crippled app.

Bruce and Dmitri celebrate the hacking of three Russian cybercrime forums for the rich array of identity clues the doxxing is likely to make available to researchers like Bellingcat (whose founder will be our interview guest on Episode 353 of the Cyberlaw Podcast).

And more!

Download the 352nd Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.


Stewart A. Baker is a partner in the Washington office of Steptoe & Johnson LLP. He returned to the firm following 3½ years at the Department of Homeland Security as its first Assistant Secretary for Policy. He earlier served as general counsel of the National Security Agency.

Subscribe to Lawfare