The Cyberlaw Podcast

The Cyberlaw Podcast: The Former Lingerie Salesman Who Has Putin's Knickers in a Twist

By Stewart Baker
Tuesday, March 16, 2021, 5:35 PM

This week we interview Eliot Higgins, founder and executive director of the online investigative collective Bellingcat and author of We Are Bellingcat.

Bellingcat has produced remarkable investigative scoops on everything from Saddam’s use of chemical weapons to exposing the Russian FSB operatives who killed Sergei Skripal with Novichok, and, most impressive, calling a member of the FSB team that tried to kill Navalny and getting him to confess. Eliot talks about the techniques that make Bellingcat so effective and the hazards, physical and moral, that surround crowdsourced investigations.

In the news, Dave Aitel gives us the latest on the Exchange server compromise, and the reckless Chinese hack-everyone spree that was apparently triggered by Microsoft’s patch of the vulnerability.

Jamil Jaffer introduces us to the vulnerability of the week—dependency confusion, and the startling speed with which it is being exploited. 

I ask Nate Jones and the rest of the panel what all this means for government policy. No one thinks that the cyberstrategy published by the Biden administration tells us anything useful. More interesting are two deep dives on cyber strategy from people with a long history in the field. We see Jim Lewis’s talk on the topic as an evolution in the direction of much harsher responses to Russian and Chinese intrusions. Dmitri Alperovitch’s approach also has a hard edge, although he points out that the utter irresponsibility of the Chinese pawn-em-all tactic deserves an especially harsh response. I wonder why Cyber Command didn’t respond by releasing a worm that would install poorly secured shells on every Exchange server in China.

In other news, I blame poor (or rushed) Pentagon lawyering for the district court ruling that the Department of Defense couldn’t list Xiaomi as an entity aligned with the Chinese military. Jamil is more charitable both to the Department of Defense and the judge who made the ruling, but he expects (or maybe just hopes) that the court of appeal will show the Pentagon more deference.

Twitter, on the other hand, is praying that the Northern District of California suffers from full-blown Red State Derangement, as it asks the court there to enjoin a Texas Attorney General investigation into possible anticompetitive coordination in the Great Deplatforming of January 2021.

Nate gives us the basics. I observe that, to bring such a Hail Mary of a case, Twitter must deeply fear what its own employees were saying about the deplatforming at the time. Neither Nate nor I give Twitter a high probability of success. And even if it does succeed, red states are lining up new laws and regulatory initiatives for Silicon Valley, most notably Gov. DeSantis’s controversial effort to navigate Section 230 and the First Amendment.

Nate also provides a remarkably clear explanation of the sordid tale of European intelligence and law enforcement agencies trying to cut a special deal for themselves in the face of surveillance-hostile rulings from the EU’s Court of Justice. The agencies are right to want to avoid those foolish decisions, but leaving the U.S. on the hook will only inflame trans-Atlantic relations.

In quick hits, Jamil and Dave talk us through Israel’s Unit 8200, the press on which offers a better cybersecurity venture capital alumni network than Stanford. We also discuss recent news about security lapses in what Dave calls the internet of things.

And more!

Download the 353rd Episode (mp3)  

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.