Cybersecurity & Tech

The Cyberlaw Podcast: The Geopolitics of Extraditing Hackers

Stewart Baker
Wednesday, July 5, 2023, 11:01 AM

Published by The Lawfare Institute
in Cooperation With
Brookings

Geopolitics has always played a role in prosecuting hackers. But it’s getting a lot more complicated, as Kurt Sanger reports. Responding to a U.S. request, a Russian cybersecurity executive has been arrested in Kazakhstan, accused of having hacked Dropbox and Linkedin more than ten years ago. The executive, Nikita Kislitsin, has been hammered by geopolitics in that time. The firm he joined after the alleged hacking, Group IB, has seen its CEO arrested by Russia for treason—probably for getting too close to U.S. investigators. Group IB sold off all its Russian assets and moved to Singapore, while Kislitsin stayed behind, but showed up in Kazakhstan recently, perhaps as a result of the Ukraine war. Now both Russia and the U.S. have dueling extradition requests before the Kazakh authorities; Paul Stephan points out that Kazakhstan’s tenuous independence from Russia will be tested by the tug of war. 

In more hacker geopolitics, Kurt and Justin Sherman examine the hacking of a Russian satellite communication system that served military and civilian users. It’s reminiscent of the Viasat hack that complicated Ukrainian communications, and a bunch of unrelated commercial services, when Russia invaded. Kurt explores the law of war issues raised by an attack with multiple impacts. Justin and I consider the claim that the Wagner group carried it out as part of their aborted protest march on Moscow. We end up thinking that this makes more sense as the Ukrainians serving up revenge for Viasat at a time when it might complicate Russian’s response to the Wagner group.  But when it’s hacking and geopolitics, who really knows?

Paul outlines the legal theory—and antitrust nostalgia—behind the  FTC’s planned lawsuit targeting Amazon’s exploitation of its sales platform.  

We also ask whether the FTC will file the case in court or before the FTC’s own administrative law judge. The latter may smooth the lawsuit’s early steps, but it will also bring to the fore arguments that Lina Khan should recuse herself because she’s already expressed a view on the issues to be raised by the lawsuit. I’m not Chairman Khan’s biggest fan, but I don’t see why her policy views should lead to recusal; they are, after all, why she was appointed in the first place.

Justin and I cover the latest Chinese law raising the risk of doing business in that country by adopting a vague and sweeping view of espionage. 

Paul and I try to straighten out the EU’s apparently endless series of laws governing data, from General Data Protection Regulation (GDPR) and the AI Act to the Data Act (not to be confused with the Data Governance Act). This week, Paul summarizes the Data Act, which sets the terms for access and control over nonpersonal data. It’s based on a plausible idea—that government can unleash the value of data by clarifying and making fair the rules for who can use data in new businesses. Of course, the EU is unable to resist imposing its own views of fairness, thus upsetting existing commercial arrangements without really providing any certainty about what will replace them. The outcome is likely to reduce, not improve, the certainty that new data businesses want. 

Speaking of which, that’s the critique of the AI Act now being offered by dozens of European business executives, whose open letter slams the way the AI Act kludged the regulation of generative AI into a framework where it didn’t really fit. They accuse the European Parliament of “wanting to anchor the regulation of generative AI in law and proceeding with a rigid compliance logic [that] is as bureaucratic …  as it is ineffective in fulfilling its purpose.” And you thought I was the EU-basher. 

Justin recaps an Indian court’s rejection of Twitter’s lawsuit challenging the Indian government’s orders to block users who’ve earned the government’s ire. Kurt covers a matching story about whether Facebook should suspend Hun Sen’s Facebook account for threatening users with violence. I take us to Nigeria and question why social media thinks governments can be punished for threatening violence.

Finally, in two updates,

  • I note that Google has joined Facebook in calling Canada’s bluff by refusing to link to Canadian news media in order to avoid the Canadian link tax. 

  • And I do a victory lap for the Cyberlaw Podcast’s Amber Alert feature. One week after we nominated the Commerce Department’s IT supply chain security program for an Amber Alert, the Department answered the call by posting the supply chain czar position in USAJOBS.


Download 466th Episode (mp3)


You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@gmail.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.


Stewart A. Baker is a partner in the Washington office of Steptoe & Johnson LLP. He returned to the firm following 3½ years at the Department of Homeland Security as its first Assistant Secretary for Policy. He earlier served as general counsel of the National Security Agency.

Subscribe to Lawfare