Armed Conflict Cybersecurity & Tech

The Cyberlaw Podcast: What the Cyberspace Solarium Report Means for the Private Sector

Stewart Baker
Tuesday, April 14, 2020, 11:39 AM

Published by The Lawfare Institute
in Cooperation With
Brookings

The Cyberspace Solarium Commission’s report was released into the teeth of the COVID-19 crisis and hasn’t attracted the press it probably deserved. But the commissioners included four sitting Congressmen who plan to push for adoption of its recommendations. And the Commission is going to be producing more material – and probably more press attention – over the coming weeks. In this episode, I interview Sen. Angus King, co-chair of the Commission, and Dr. Samantha Ravich, one of the commissioners.

We focus almost exclusively on what the Commission’s recommendations mean for the private sector. The Commission has proposed a remarkably broad range of cybersecurity measures for business. The Commission recommends a new products liability regime for assemblers of final goods (including software) who don’t promptly patch vulnerabilities. It proposes two new laws requiring notice not only of personal data breaches but also of other significant cyber incidents. It calls for a federal privacy and security law – without preemption. It updates Sarbanes-Oxley to include cybersecurity principles. And lest you think the Commission is in love with liability, it also proposed liability immunities for critical infrastructure owners operating under government supervision during a crisis. We cover all these proposals, plus the Commission’s recommendation of a new role for the Intelligence Community in providing support to critical US companies.

In the news, Nick Weaver and I dig deep into the Google and Apple proposals for tracking COVID-19 infections. I’ve got a separate post in the works on the topic, but the short version is that I think Google and Apple have dramatically overvalued privacy interests and downgraded, you know, actually tracking infections. Nick and I agree that the app should operate on an opt-out basis, not opt-in.

The Great Decoupling, part 278: It looks as though China Telecom will be getting the boot from US telecom markets, at least if Team Telecom has anything to say about it. And speaking of Team Telecom, Brian Egan tells us that it has a new charter and a new, catchy acronym: CAFPUSTTSS!

Nick and I dig into a Ninth Circuit decision that may be bound for the Supreme Court. It holds that Facebook can be held liable for wiretapping when it gets information from its widely deployed “like” buttons on third-party sites.

Fish gotta swim, birds gotta fly, and the EU has to regulate tech, coronavirus or not. Maury Shenk reports, bemusedly.

Matching him bemusement for bemusement, Nick tries to explain a French ruling that Google must pay news outlets for content (and can’t stop linking to the outlets).

Maury explains the 5G-coronavirus conspiracy that has Brits burning cellular masts.

Nick explains how to make a “smart” lock spill its secrets, and how to fall foul of the FTC.

And in quick takes, the COVID-19 cyber threat has the US and UK authorities joining hands against cyberattacks, the Australian government is hacking criminals who are exploiting coronavirus, and it turns out that IoT devices may defect to work for foreign intelligence agencies.

Download the 311th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.


Stewart A. Baker is a partner in the Washington office of Steptoe & Johnson LLP. He returned to the firm following 3½ years at the Department of Homeland Security as its first Assistant Secretary for Policy. He earlier served as general counsel of the National Security Agency.

Subscribe to Lawfare