It’s been a week of major cybersecurity incidents and unremarkable responses. As Melanie Teplinsky reminds us, the US government has been in turmoil for months over China’s apparent strategic decision to hold US infrastructure hostage for crisis cyber attacks. Now the government has responded to Volt Typhoon, the Chinese actor pursuing this strategy. He recently claimed to have disrupted a Volt Typhoon botnet by detecting a batch of compromised routers. Andrew Adams explains how the court-ordered takeover was handled. It’s been a lot of work, and there’s reason to doubt the effectiveness of the effort. Compromised routers can be compromised again if they are turned off and on again. And the only ones that haven’t been compromised by the US seizure are those within the US, leaving open the possibility of DDOS attacks from abroad. Finally, DDOS attacks on our critical infrastructure shouldn’t exactly be an existential threat. All in all, I believe there is a serious disconnect between the government’s heated chatter about the Volt Typhoon and its routine response.
Speaking of cyberattacks we might be overestimating, Taiwan just had an election that China cared about a lot. According to a detailed report, the Chinese launched a lot of cyber attacks against Taiwanese voters, but failed to make much of an impression. Richard Stiennon and I decide whether the Chinese are better off trying to influence the 2024 results here.
While we cover mundane responses to cyberattacks, Melanie explains the US sanctions against Iranian military hackers for their attack on US water systems that were more or less fish in a barrel.
For comic relief, Richard lays out the latest drama around the EU’s artificial intelligence law, now being changed in a series of backroom deals and off-the-record promises. I predict that the effort to heap crackdowns on anti-American protectionism will end, not with a GDPR-style triumph for Europe, but with an AI desert across the continent. The EU market is now small enough for AI companies to bypass Europe entirely at the first sign of toxic regulation.
The United States is not the only player whose response to cyber intrusions appears inadequate this week. Richard explains Microsoft’s recent disclosure of a Midnight Blizzard attack against the company and some of its customers. The company’s murky explanation of how its technology contributed to the attack and, worse yet, its effort to turn the disaster into an upselling opportunity earned Microsoft a patented spanking from Alex Stamos.
Andrew explains the recent Justice Department charges against three people who facilitated the massive $400 million FTX hack that coincided with the exchange’s collapse. Does he mean the hacking wasn’t an inside job? Not so fast, warns Andrew. The government has not recovered the $400 million and does not allege that the three accused SIM-swappers are the only conspirators.
Melanie explains why we’ve seen a sudden increase in state privacy legislation. It turns out that the industry has stopped fighting the idea of state privacy laws and is now selling a lightweight model law that omits things like private rights of action.
I give a word and a promise to a “privacy” regulation now being pursued by the CFPB for consumer financial information. I put privacy in quotes, because it’s really an effort to create an entirely new market for personal data, which will ensure better data management while undermining the competitive advantage of big data. Bruce Schneier likes the idea. Me too, in principle, but that means a massive redesign of a major industry by technocrats who may not be as smart as they think they are. Bruce, if you want to come on the podcast to explain and discuss this whole thing, email me!
Spies are notoriously bad and often mean, but one of the meanest and meanest, Joshua Schulte, was sentenced to 40 years in prison last week. Andrew has the details.
There may be some good news on the ransomware front. More and more victims are refusing to pay. Melanie, Richard and I explore ways to keep this trend alive. I urge you to consider a tax on ransom payments.
I would also like to point out some new technological regulatory measures that will probably be adopted in the coming months. The FCC will likely use the TCPA to outlaw the use of AI-generated voices in robocalls. And Amazon risks finding itself responsible for the safety of products sold by third parties on the Amazon platform.
Finally, some quick shots:
Download 490th episode (mp3)
You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to interact with @stewartbaker on Twitter. Send questions, comments and suggestions on topics or interviewees to CyberlawPodcast@gmail.com. Remember: If the suggested guest appears on the show, we’ll send you a highly coveted Cyberlaw Podcast mug! The opinions expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families or pets