The Cyberlaw Podcast

The Cyberlaw Podcast: The Biden Cybersecurity Executive Order—CISA as CISO

By Stewart Baker
Tuesday, May 18, 2021, 10:31 AM

Our interview is with Brandon Wales, acting head of the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and Jen Daskal, deputy general counsel for Cyber and Technology Law at DHS. We dig deep into the latest Executive Order on cybersecurity. There’s a lot to say. The EO is focused largely on how the federal civilian government protects its networks, and it is just short of revolutionary in overriding long standing turf fights, almost all of which are resolved in favor of CISA—to the point where it seems clear that CISA is on its way to being the civilian agencies’ CISO, or Chief Information Security Office. This is clearly CISA’s moment. It is getting new authorities from the president and new money from Congress. Whether it can meet all the expectations that these things bring is the question.

We also touch on parts of the EO that will touch the private sector, from the determined push for breach and other incident reporting in federal contracts to the formation of a Cyber Safety Review Board to investigate private sector incidents. I predict that the board will need and will get subpoena power soon. Neither Brandon nor Jen takes the other side of that bet.

In the news, we get an update on the Colonial Pipeline ransomware attack from Nick Weaver and first-timer Betsy Cooper. Colonial has paid $5 million in ransom, gotten a bad decryption tool and restarted operations anyway. Since it’s likely to end up as the second test case for the Cyber Security Review Board, Colonial may regret having waited five days to start sharing information with CISA.

Maury Shenk explains the 200-page Irish High Court decision allowing the Irish data protection regulator to begin an inquiry that could cut off its data exports to the United States. Facebook would love to forestall that day until EU-U.S. talks on a new data export deal is done, but the Biden administration isn’t exactly making it a priority to bail out either Facebook or the U.S. intelligence community, which has as much at stake in data flows as the companies.

One of the puzzles of recent weeks has been persistent but vague stories that DHS wants more authority to gather information from public postings on social media. Nick, Betsy, and I try to make sense of the story, and we’re not helped by the fact that much of the media and politicians have switched from condemning such intelligence operations to demanding them, and vice versa, since the Trump administration ended.

Nick can’t resist a story that leaves both bitcoin and Tor looking bad, so of course we cover the boom in Tor exit nodes configured to steal the cryptocurrency of Tor users.

Betsy covers the unanimous view of chip making and consuming companies that the federal government should subsidize chip making in the U.S. Industrial policy is making a comeback, we note, but Betsy reminds us there’s a reason it went away. *cough*Solyndra*cough*

Betsy seizes on the latest WhatsApp tactic to lament the willingness of data-driven tech companies to annoy us into submission.

Nick and I cross swords over Apple’s firing of Antonio García Martínez, author of Chaos Monkeys, in my view one of the funniest and most insightful Silicon Valley books of the last decade. Part of its appeal is Garcia Martinez’s relentless burning of every bridge in his past business and personal life.  How, you keep asking, can he recover from telling all those truths about Morgan Stanley, Facebook, Y Combinator, and AdTech? Turns out, he can’t. But it wasn’t any of those supposedly potent institutions that nailed him. Instead, it was his claim that the women of Silicon Valley are mostly "soft and weak, cosseted and naïve” and possessed of a “self-regarding entitlement feminism.”

Apple employees demanded that they be protected from Garcia Martinez, and he was summarily fired. The more interesting question is whether hiring Garcia Martinez shows just how determined Apple is to replace Facebook as Google’s main competition in the “leverage customer data to sell ads” business.

In quick hits, I revisit the claim that a Saudi prince hacked Jeff Bezos’s phone and turned his unexpurgated selfies over to the National Enquirer in order to suppress Washington Post publicity over the killing of Jamal Khashoggi. That was all BS, it turns out, apparently designed to turn Bezos from an ordinary tawdry adulterer into a press freedom crusader.

And Nick draws our attention to Counterfit, a promising Microsoft tool for testing artificial intelligence algorithms to find security flaws.

And More!

Download the 362nd Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.