This episode of the Cyberlaw Podcast is dominated by things that U.S. officials said in San Francisco last week at the Rivest-Shamir-Adleman (RSA) conference. We summarize what they said and offer our views of why they said it.
Bobby Chesney, returning to the podcast after a long absence, helps us assess Russian warnings that the U.S. should expect a “military clash” if it conducts cyberattacks against Russian critical infrastructure. Bobby, joined by Michael Ellis sees this as a routine Russian PR response to U.S. Cyber Command and Director, Paul M. Nakasone’s talk about doing offensive operations in support of Ukraine.
Bobby also notes the FBI analysis of the NetWalker ransomware gang, an analysis made possible by seizure of the gang’s back office computer system in Bulgaria. The unfortunate headline summary of the FBI’s work was a claim that “just one fourth of all NetWalker ransomware victims reported incidents to law enforcement.” Since many of the victims were outside the United States and would have had little reason to report to the Bureau, this statistic undercounts private-public cooperation. But it may, I suggest, reflect the Bureau’s increasing sensitivity about its long-term role in cybersecurity.
Michael notes that complaints about a dearth of private sector incident reporting is one of the themes from the government’s RSA appearances. A Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) executive also complained about a lack of ransomware incident reporting, a strange complaint considering that CISA can solve much of the problem by publishing the reporting rule that Congress authorized last year.
In a more promising vein, two intelligence officials underlined the need for intel agencies to share security data more effectively with the private sector. Michael sees that as the one positive note in an otherwise downbeat cybersecurity report from Avril Haines, Director of National Intelligence. And David Kris points to a similar theme offered by National Security Agency official Rob Joyce who believes that sharing of (lightly laundered) classified data is increasing, made easier by the sophistication and cooperation of the cybersecurity industry.
Michael and I are taking with a grain of salt the New York Times’ claim that Russia’s use of U.S. technology in its weapons has become a vulnerability due to U.S. export controls. We think it may take months to know whether those controls are really hurting Russia’s weapons production.
Bobby explains why the Department of Justice (DOJ) was much happier to offer a “policy” of not prosecuting good-faith security research under the Computer Fraud and Abuse Act instead of trying to draft a statutory exemption. Of course, the DOJ policy doesn’t protect researchers from civil lawsuits, so Leonard Bailey of DOJ may yet find himself forced to look for a statutory fix. (If it were me, I’d be tempted to dump the civil remedy altogether.)
Michael, Bobby, and I dig into the ways in which smartphones have transformed both the war and, perhaps, the law of war in Ukraine. I end up with a little more understanding of why Russian troops who’ve been flagged as artillery targets in a special Ukrainian government phone app might view every bicyclist who rides by as a legitimate target.
Finally, David, Bobby and I dig into a Forbes story, clearly meant to be an expose, about the United States government’s use of the All Writs Act to monitor years of travel reservations made by an indicted Russian hacker until he finally headed to a country from which he could be extradited.
You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!
The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.