Serious Threats, Not-so-Serious Responses: A Look into the Issue

It was a week of serious cybersecurity incidents and unimpressive responses. As Melanie Teplinsky reminds us, the U.S. government has been agitated for months about China’s apparent strategic decision to hold U.S. infrastructure hostage to cyberattack in a crisis. Now the government has struck back at Volt Typhoon, the Chinese threat actor pursuing that strategy. It claimed recently to have disrupted a Volt Typhoon botnet by taking over a batch of compromised routers. Andrew Adams explains how the court-ordered takeover was managed. It was a lot of work, and there is reason to doubt the effectiveness of the effort. The compromised routers can be re-compromised if they are turned off and on again. And the only ones that were uncompromised by the U.S. seizure are those inside the U.S., leaving open the possibility of DDoS attacks from abroad. Finally, DDoS attacks on our critical infrastructure shouldn’t exactly be an existential threat. All things considered, I argue that there’s a serious disconnect between the government’s hair-on-fire talk about Volt Typhoon and its business-as-usual response.

Speaking of cyberattacks we could be overestimating, Taiwan just had an election that China cared a lot about. According to one detailed report, the Chinese threw a lot of cyber at Taiwanese voters—and failed to make much of an impression. Richard Stiennon and I mix it up over whether the Chinese will do better trying to influence the 2024 outcome here.

While we’re covering humdrum responses to cyberattacks, Melanie explains U.S. sanctions on Iranian military hackers for their hack of U.S. water systems that were more or less fish in a barrel.

For comic relief, Richard lays out the latest drama around the EU AI Act, now being amended in a series of backroom deals and off-the-books promises. I predict that the effort to pile pet-rock provisions on top of anti-American protectionism will end, not in a GDPR-style triumph for Europe but in a continent-wide AI desert. The EU market is now small enough for AI companies to bypass Europe entirely at the first sign of toxic regulation.

The U.S. is not the only player whose response to cyberintrusions is looking inadequate this week. Richard explains Microsoft’s recent disclosure of a Midnight Blizzard attack on the company and a number of its customers. The company’s obscure explanation of how its technology contributed to the attack and, worse, its effort to turn the disaster into an upsell opportunity earned Microsoft a patented Alex Stamos spanking.

Andrew explains the recent Justice Department charges against three people who facilitated the big $400m FTX hack that coincided with the exchange’s collapse. Does that mean the hack wasn’t an inside job? Not so fast, Andrew cautions. The government hasn’t recovered the $400m, and it isn’t claiming the three SIM-swappers it has charged are the only conspirators.

Melanie explains why we’ve seen a sudden surge in state privacy legislation. It turns out that industry has stopped fighting the idea of state privacy laws and is now selling a light-touch model law that omits things like a private right of action.

I give a lick and a promise to a “privacy” regulation now being pursued by CFPB for consumer financial information. I put privacy in quotes, because it’s really an effort to create a whole new market for personal data, one that will assure better data management while undermining the competitive advantage of big data holdings. Bruce Schneier likes the idea. So do I, in principle, but it means a massive re-engineering of a big industry by technocrats who may not be quite as smart as they think they are. Bruce, if you want to come on the podcast to explain and debate the whole thing, send me an email!

Spies are notoriously nasty, and often petty, but one of the nastiest and pettiest, Joshua Schulte, was sentenced to 40 years in prison last week. Andrew has the details.

There may be some good news on the ransomware front. More victims are refusing to pay. Melanie, Richard, and I explore ways to keep that trend going. I urge consideration of a tax on ransom payments.

I also flag a few new tech regulatory measures likely to come down the pike in the next few months. The FCC will likely use the TCPA to declare the use of AI-generated voices in robocalls illegal. And Amazon is likely to find itself held liable for the safety of products sold by third parties on the Amazon platform.

Finally, a few quick hits:

Download 490th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.