Caveat 2.17.22
Ep 113 | 2.17.22

Balancing port security and protecting the supply chain.

Transcript

Ron Brash: There's a fundamental good that's coming out of this, but maybe for the wrong reasons. So we should all be concerned about it, but the main piece is probably going to be disruption.

Dave Bittner: Hello, everyone, and welcome to "Caveat," the CyberWire's privacy, surveillance, law and policy podcast. I'm Dave Bittner. And joining me is my co-host Ben Yelin from the University of Maryland Center for Health and Homeland Security. Hello, Ben. 

Ben Yelin: Hello, Dave. 

Dave Bittner: Today, Ben has the story of two U.S. senators issuing a new warning about CIA surveillance. I've got the story of proposed legislation that puts guardrails on social media algorithms. And later in the show, my conversation with Ron Brash from aDolus. We're going to be discussing software attack vectors faced by the shipping community. 

Dave Bittner: While this show covers legal topics and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney. 

Dave Bittner: All right, Ben, let's jump into some stories here. Why don't you kick things off for us? 

Ben Yelin: Sure. Well, this story I could've found anywhere, but the one I'm using for this article came from Politico. It is about a letter sent by two United States senators - Ron Wyden, our old fallback... 

Dave Bittner: (Laughter). 

Ben Yelin: ...Of Oregon and Martin Heinrich of New Mexico. And they sent a letter to the director of the CIA, Avril Haines, alleging that the CIA has, quote, "secretly conducted its own bulk surveillance program outside the statutory framework that the Congress and the public believe govern this collection." 

Ben Yelin: So stepping back for a minute, there's been this concern that there's a level of surveillance that takes place off the books. Any surveillance that occurs in the United States with the assistance of our service providers or on the internet backbone that runs through our country, that's generally governed by FISA, or Section 702 of the FISA Amendments Act if we're doing surveillance on foreign nationals. 

Dave Bittner: OK. 

Ben Yelin: But FISA does not cover surveillance that occurs overseas. So if we are gleaning information either through human intelligence overseas or, you know, collecting information that goes into a database that's stored overseas, that's not governed by FISA. It's instead governed by an executive order. So there's no statutory law. The executive order is 12333 or, as the experts in the industry call it, twelve triple-three. 

Dave Bittner: (Laughter) And who executed this executive order? 

Ben Yelin: That was the Gipper himself, Ronald Reagan, in 1981. 

Dave Bittner: Oh, wow. 

Ben Yelin: So we've had this regime in place for about 40 years now. President Bush made some minor changes to it, but, largely, the framework has been in place. Most of... 

Dave Bittner: So it's worth noting - I mean, that's a pre-internet framework. 

Ben Yelin: It sure is. 

Dave Bittner: Yeah. 

Ben Yelin: Most of executive order 12333 is relatively anodyne. I mean, it's, you know, which agency has authority over which type of surveillance. But there are a couple of important provisions in there. One of them says that you can retain communications you receive from overseas surveillance, even if one side of that communication is from a U.S. person. 

Dave Bittner: Ah. 

Ben Yelin: And that's where the controversy lies - is in these incidentally collected communications. Now, we know when those types of communications are collected in the United States, that goes into a database. There's been this huge controversy as to whether the government can conduct backdoor searches into that database. 

Ben Yelin: What these senators seem to be alleging here is that the CIA, under the authority of executive order 12333, is collecting a large number of U.S. persons' communications that just happen to be captured incidentally through foreign surveillance efforts. The problem is we really don't know exactly what they are alleging. So a lot of their own letter is redacted. The response from the CIA is partially redacted. Everything that's been declassified, you have to kind of learn how to read through black ink to really (laughter) decipher it, which... 

Dave Bittner: (Laughter) Right. Is that a 200-level class in law school, Ben, or what (laughter)? 

Ben Yelin: I really think they should. I mean, maybe they can create special glasses where you can see through it, but... 

Dave Bittner: Oh, yeah. Sure, sure (laughter). 

Ben Yelin: And I know our government's - you know, we've talked about incidents in the past where they actually do a bad job redacting information. 

Dave Bittner: Right, right. 

Ben Yelin: You can see little letters poking out. I could not do that here. 

Dave Bittner: (Laughter). 

Ben Yelin: What I do know is there is a quasi-governmental board - organization - called the Privacy and Civil Liberties Oversight Board. And they do research - put out research papers on U.S. surveillance - U.S. government surveillance efforts. And they released a report - it was a long-awaited report on executive order 12333. They released it a year ago. I was really excited about the report, brought it up on my computer, read it for five minutes and was like, that's it? 

Ben Yelin: It was basically nothing. It was like as if somebody submitted a book report on executive order 12333 the night before it was due, and it was (laughter)... 

Dave Bittner: Wow. 

Ben Yelin: You know, it was the equivalent of reading, this is what executive order 12333 does, but we can't really tell you very much. 

Dave Bittner: Right (laughter). 

Ben Yelin: Here's five pages on the history of it. 

Dave Bittner: They summarized the summary and the book cover that - right (laughter)? 

Ben Yelin: Yeah. I mean, it really was virtually nothing. 

Dave Bittner: OK. 

Ben Yelin: Now, they wrote a comprehensive report which was all classified, all redacted. 

Dave Bittner: Ah. 

Ben Yelin: And one of the members of the Privacy and Civil Liberties Oversight Board wrote a dissent from the majority - as if he were some sort of Supreme Court justice - saying, basically, you guys are misrepresenting this report. You really need to declassify more of it because the public isn't getting any useful information about what happens under this executive order. Some of it must've been declassified to Congress, and that's probably where Senators Heinrich and Wyden are getting their information. 

Dave Bittner: I see. 

Ben Yelin: You know, the one thing that stands out to me here is I thought, at least, it was pretty clear that we were collecting U.S. persons' communications incidentally... 

Dave Bittner: Right. 

Ben Yelin: ...Through executive order 12333. I don't know why - it seems like they're sort of presenting that as if it's something new or, you know, some sort of radical discovery. It might be - there might be an interesting angle about, you know, it's the CIA and not the NSA who's collecting this information. But, you know, I think maybe they are using this as an opportunity to raise alarm bells about surveillance generally when we don't actually have that much useful additional information, you know, based on what I can see in their letter and into the report that they've linked to. 

Dave Bittner: Interesting. So what happens next with this? They wrote this letter. Where's it go from here? 

Ben Yelin: So the CIA will probably write a longer response. In responding to the articles about it, they've basically said, yes, we admit that there is some incidental collection under this executive order, but we comply with the executive order, all relevant laws, et cetera. 

Ben Yelin: In the long run, you know, Congress is probably going to have to do something about the fact that there's this surveillance framework for overseas surveillance that's somewhat of the wild, Wild West. I mean, it's not governed by any statute passed by Congress. And that used to not really be a problem because, frankly, most of us don't care about (laughter) information we're gleaning from overseas sources. We thought that, you know... 

Dave Bittner: Right. 

Ben Yelin: ...That only affects those people, right? 

Dave Bittner: Right (laughter). 

Ben Yelin: Not us. 

Dave Bittner: Right. 

Ben Yelin: But now with the way the internet works, you know, you and I could send an email to one another, and that could end up on an overseas server in a variety of ways. And if the government was able to obtain that communication and one of us said something incriminating, they could use that for law enforcement purposes, even though not only did they not get a warrant for our individual conversation, they have no FISA Court authorization to do the surveillance in the first place. 

Dave Bittner: And let me understand here. In this - in the case you describe, neither of us are foreign nationals. 

Ben Yelin: As far as I know, that's correct. 

(LAUGHTER) 

Dave Bittner: So just the fact that the - I'm sorry, a light bulb just went off above my head. Just the fact that the data travels through a foreign country would be all they needed to gather it? 

Ben Yelin: Yes, because data that is collected overseas is not subject to FISA. FISA applies to communications collected from our service providers or from the internet backbone physically in the United States. 

Dave Bittner: So let's just continue down this admittedly conspiratorial pathway that my mind has now embraced. 

Ben Yelin: I love it. 

Dave Bittner: (Laughter) So you could imagine a scenario where, you know, routing tables could be manipulated so as to send traffic - to intentionally send traffic to a friendly ally and therefore be able to collect information on American citizens without a warrant or having to deal with any of that pesky FISA stuff. 

Ben Yelin: Theoretically, yes. And this isn't just us raising this concern. Do you remember when we talked about Schrems II... 

Dave Bittner: Yeah. 

Ben Yelin: ...The case in the European Court of Justice? I mean, the reason Schrems II exists is because there was concern among our European allies that we were sort of cavalier about our foreign intelligence surveillance efforts... 

Dave Bittner: Oh. 

Ben Yelin: ...And that communications, whether they are from U.S. persons or people subject to the jurisdiction of the EU, because, you know, our overseas surveillance is only governed by - largely by this executive order, it can be ripe for abuse. And so, you know, I think that reflects rather poorly on the United States. 

Ben Yelin: Congress could easily step in here and extend FISA or make explicit in FISA that it applies not just to domestic communications or our own internet service providers, but that it applies to all overseas surveillance as long as that surveillance concerns U.S. persons, even if their communications are collected incidentally. They could do that. They - for a variety of reasons, they haven't. And, you know, last time I checked, unless you have two-thirds majorities in each House of Congress, you have to get it signed by a president. And guess what a president really likes. 

Dave Bittner: (Laughter). 

Ben Yelin: A lot of power in an executive order. 

Dave Bittner: Right, right (laughter). 

Ben Yelin: So, you know, I don't see that happening anytime soon. 

Ben Yelin: There have been warnings for a long time about executive order 12333. There was an op-ed in The Washington Post about eight years ago by a guy who worked in the State Department. He said, look. You know, I'm not going to be a Snowden. I'm not going to leak information. But, you know, based on what I know, this is something to be concerned about. And they asked the chairwoman of the Senate Intelligence Committee at the time, which was Dianne Feinstein, senator from California, and she said, I don't have enough information on what happens under 12333 to conduct oversight. 

Ben Yelin: And then we get, finally, this Privacy and Civil Liberties Oversight Board report that is a whole bag of nothing. So, I mean, at the very least, we need information that can be released to the public. Sure, it's going to be redacted, but it should give some indication of what kind of surveillance is taking place here, what kind of communications are being collected, and what's the scale of this collection. 

Dave Bittner: And it seems as though that is what Senators Wyden and Heinrich are doing here, is trying to rattle that cage a bit. 

Ben Yelin: Absolutely. I think that's the reason they released this letter, and it worked. I mean, they got media attention for this story, and they got a bunch of headlines saying, is the CIA doing warrantless backdoor spying? 

Dave Bittner: Right. 

Ben Yelin: So, you know, even though this might not be new information, you know, it might be - it might have been a ripe time for them to raise this issue. 

Dave Bittner: All right. Yeah. Well, interesting. As they say, time will tell, and we'll see how this plays out. Yeah. 

Dave Bittner: All right. Well, my story this week comes from The Verge - they were the first to break this story - written by Makena Kelly. And it's titled "New Algorithm Bill Could Force Facebook to Change How the News Feed Works." Now, Ben... 

Ben Yelin: We've got an acronym. 

Dave Bittner: (Laughter) So there - let me just walk you through my own personal journey with this story. 

Ben Yelin: Oh, let's hear it. 

Dave Bittner: So this story came by, and I read it, and I thought to myself, ooh, this is a good story for "Caveat." Let's talk about this. In this story on The Verge, they talk about the Social Media NUDGE Act. NUDGE is capitalized, which means it's an acronym, right? So... 

Ben Yelin: Yeah. 

Dave Bittner: My acronym alarm went off. I was so disappointed - crestfallen, Ben - crestfallen. This article did not outline what NUDGE stands for. I went looking at several different articles, and it seemed like most of them were written off of this primary article. 

Ben Yelin: Right. 

Dave Bittner: You know, The Verge was first to write about it. And they also referenced the Social Media NUDGE Act. None of them listed what NUDGE stood for. 

Ben Yelin: So you actually had to do some advanced research here. 

Dave Bittner: I actually went to the bill itself (laughter). 

Ben Yelin: Wow. 

Dave Bittner: I brought up the bill on LegiScan, which has the proposed bill, and it turns out that the... 

Ben Yelin: Drumroll, please. 

Dave Bittner: NUDGE stands for Nudging Users to Drive Good Experiences on Social Media Act. Now... 

Ben Yelin: Let's see if our listeners can hear the sigh. 

Dave Bittner: I want to call foul on using - of having the N be nudge... 

Ben Yelin: Absolutely. 

Dave Bittner: ...When the acronym is NUDGE. This... 

Ben Yelin: That's cheating. 

Dave Bittner: It is cheating. I have to say, whoever the staffers were who were responsible for coming up on this, they really need to up their game. I'm disappointed in what they've done here, so... 

Ben Yelin: I completely agree. 

Dave Bittner: (Laughter) All that aside, let's talk about the actual bill here. So this is authored by Senators Klobuchar, Democrat from Minnesota, and Cynthia Lummis from Wyoming - Republican from Wyoming. And this would direct the National Science Foundation and the National Academy of Sciences, Engineering and Medicine to study content-neutral ways to add friction to content sharing online. And as you read through this bill, they really repeatedly hit on that content-neutral thing which... 

Ben Yelin: Right. 

Dave Bittner: ...Obviously, you've got to do these days, right? 

Ben Yelin: Yeah. 

Dave Bittner: Because everyone - doesn't matter which side you're on. But I think it's fair to say that folks from the right should really hammer on this notion that they're being silenced on social media, evidence notwithstanding. 

Ben Yelin: Right, exactly. 

Dave Bittner: (Laughter) But... 

Ben Yelin: But everybody's going to cry bias, right? 

Dave Bittner: Right. Both sides are going to cry bias. So the notion here is that social media platforms need to have guardrails put on their algorithms. Things need to be slowed down. The way that they amplify things and accelerate discord needs to be, first of all, studied, and then something needs to be put into place. And reading through this bill, there's - it's a multiyear process where, first, it gets studied by the scientists, which - hey, you know, all right. 

Ben Yelin: Sure. 

Dave Bittner: That's what - that's great. 

Ben Yelin: When in doubt, tell somebody else to study it. 

Dave Bittner: Well - and, you know, good that we're having actual scientists do the study. 

Ben Yelin: Right. 

Dave Bittner: Right? You know, rather than, I don't know, a think tank or a bunch of, you know - no offense, Ben, but academic wonks... 

Ben Yelin: Yeah. 

Dave Bittner: (Laughter) - to study... 

Ben Yelin: It's true. 

Dave Bittner: ...This sort of thing. And then they'll come back with recommendations, which will then go to the Federal Trade Commission to try to put some rules on how these algorithms could work. So it's interesting to me that this is bipartisan. I'm curious on your take on this, Ben. Do you think this has a chance of going anywhere? 

Ben Yelin: Yeah. I mean, I think this faces better prospects than other similar pieces of legislation - A, because it's bipartisan and, B, because it would really just kick off a process to try and develop some type of standard. So as you said, first, it would go to the National Science Foundation and the National Academy of Sciences, Engineering and Medicine to study how you can produce content-neutral ways to add friction to content sharing online. So that's great. Then it goes to the FTC to actually implement that and create sanctions for companies who don't abide by that. My suspicion is, you know, the controversy here won't be enacting this piece of legislation. It's going to be what ends up being produced by those organizations. You know, that's something that, once that's produced, depending on who controls the FTC at the time, they might choose to just simply ignore those recommendations if they think, you know, this isn't sufficient or this is going to create bias. You know, some tech companies themselves have tried to, you know, engage in efforts to limit content sharing online for information that people might find disturbing. 

Dave Bittner: Right, right. It's been a little bit, oh, please don't throw me in the briar patch. 

Ben Yelin: Right. 

Dave Bittner: (Laughter). 

Ben Yelin: You know, I think they are trying to preempt government regulation... 

Dave Bittner: Yeah. 

Ben Yelin: ...Not always successfully. I'm not sure - you know, there's a fine line there, right? You know, you can suggest - when people try and post something that's incendiary or based on false information, you can say, hey, are you sure you want to post this? - which Twitter and Facebook have been doing. You know, if I try and throw out f-bombs and I'm using, you know, Twitter for web, before I tweet it, I'll get a little warning saying, we're trying to maintain civil discourse here. 

Dave Bittner: Slow down, potty mouth (laughter). 

Ben Yelin: Yeah. Are you sure you want to do that? 

Dave Bittner: Right. 

Ben Yelin: That's great. I don't know - I haven't seen any research on whether that's effective, if it actually makes people second-guess whether to post that information. 

Dave Bittner: Yeah. 

Ben Yelin: If that is going to be the practice, you know, that's fine. I don't know that that's going to have that much of an impact on content moderation. 

Dave Bittner: Right. 

Ben Yelin: The other option is, of course, you know, coming in with a bigger stick and sanctioning individuals for posting this type of content, you know, kicking people off the platform. And that's when things get controversial, and that's when people cry censorship. 

Dave Bittner: Yeah. 

Ben Yelin: So I just think, you know, the prospects of this bill are decent because it's really just kicking off a conversation, kicking off a process. But whether this could actually create something durable would depend on, you know, what these agencies themselves can do to develop these standards. 

Dave Bittner: Yeah. I think it's also interesting that when you have something like this that's going to take several years to play out and you cast that in parallel to the pace at which these things change in social media in general and technology and also, you know, calls to break up these companies - you know, there's all sorts of things happening at the same time. So all of those things will interact. And so it's hard to imagine an absolute outcome of this in an area that has so much chaos in it endemically. 

Ben Yelin: I completely agree. I mean, you can see it even in the division between what's being proposed in the Senate in this bill and a separate bill, I think we've talked about, in the House - the Protecting Americans from Dangerous Algorithms Act - PADAA, if you will. 

Dave Bittner: (Laughter). 

Ben Yelin: That is just proposed by two Democrats. It's not bipartisan. 

Dave Bittner: Right. 

Ben Yelin: And that bill comes with some sharper teeth. It would actually amend Section 230 to say that companies can now be held liable when it's found that they've amplified content that violates people's civil rights. So we have the whole range of proposals here from, let's study this and see if we can find a fair, equitable solution, to, let's remove this liability protection for Big Tech companies. So I just don't think we're really close on any sort of consensus as to how to address this problem. 

Dave Bittner: Yeah. All right. Well, we will have a link to that article in the show notes, so do check that out. We would love to hear from you. If you have a story you'd like us to cover or a question for me or for Ben, you can email us. It's caveat@thecyberwire.com. 

Dave Bittner: Ben, I recently had an interesting conversation with Ron Brash from a company called aDolus, and we were discussing software attack vectors faced by the shipping community. And when I say shipping community, we're not talking about, you know, FedEx or UPS or the Postal Service. We're talking about those giant cranes at ports that... 

Ben Yelin: Literal ships, yeah. 

Dave Bittner: Well, ship, yeah - and the devices that are used to move those huge shipping containers on and off the ships. Some interesting elements here that Ron describes - here's my conversation with Ron Brash. 

Ron Brash: Well, I think there's two pieces, and there's actually even a secondary act that coincides with it that's also very interesting. What's kind of probably driving it is the dependence of nations, right? Everybody wants to be independent. Everyone wants to reduce their dependence on other countries which are maybe affecting the power balance of the East versus the West. But regardless of that, there's this one particular company that has either been audited and - or at least been associated directly with a foreign state government. And so this one company is kind of putting some of these ports at risk, maybe because of the quality of the products, maybe because there's some sort of nefarious intelligence that you and I don't know. But whatever that reason, there's one company that controls probably over 70% of the port crane market. And that's across the world. And they're undercutting their competitors by a significant amount. And so kind of the basis, the foundation of this act is to ban those pieces of software and even the software that's connected to - or the software contained in those cranes or those cranes themselves to be banned from U.S. operating ports, to halt new deployments of new cranes. And so that's kind of the basis of it. So it's sort of a sanction, in a way, for self-protectionism. 

Dave Bittner: And what does this do to the operators of the ports? If this Chinese company has such big market shares, is this going to be a headache for them? 

Ron Brash: It'll absolutely be a headache for them. I mean, imagine if, you know, you were looking to make your margins work. You were planning out forklift upgrades, such as a big crane - a mega crane. It's going to affect you because all of your previous budgets you established, all of your estimates, all of your quotes are all going to be thrown out the window. You might have to then say, I'm going to have to dial back on any - I don't know - capability upgrades - right? - the inputs and outputs of what a port can actually do. How many sea cans can they move per day? That's absolutely going to affect the way that you do business all over your first perceived forecasts, especially if you're a financial-based organization and less of a state-owned type thing, right? If you're privatized, you're going to care about those things because you're thinking about big lifetime investments of your facilities. 

Ron Brash: So it's going to make them panic. It's going to increase the cost of business. And to be fair, not just affecting the systems, most countries don't infect their products that they actually build - if you were to attack another country, probably use their own software and their own OEMs against that country, just for various reasons. So it's going to cause a lot of headaches for the end-asset owners. It's going to affect probably shipping, which we're - every day, we're more and more reliant on, even though we'd like to bring home manufacturing to our native continent. But it's going to drive them crazy, and they're going to have five years to even remove stuff from cranes that they already have deployed, and they'll have to either retrofit them or just stop operating them altogether. So there's - it's going to be a major pain. But as with anything with sanctions, the pros and the cons sometimes don't match realities or their intended outcomes. 

Dave Bittner: I guess I'm trying to understand what the specific risk would be here. I mean, admittedly not knowing very much about port cranes, but I think it's one of those things that we all rely upon but probably don't give a whole lot of thought to. I imagine, you know, these cranes lifting containers off of ships and putting them, you know, down where they need to be sent and so on and so forth. I suspect there's more to it than that, that these cranes are - is there information that these cranes are managing? Or is it simply a matter that someone from offshore could disable them? 

Ron Brash: It's more of, I think, a remote disablement risk or threat vector, right? And also, I mean, we saw that with the Evergrande - or not Evergrande, sorry - the Evergreen incident with the freighter being stuck in the Suez Canal. The major challenge with those things - right? - is you have - all of a sudden, you have a major backup. And, you know, goods can't go in and out. Sea cans can't go back to the place of manufacturing. You wind up with, effectively, a hoarding problem of sea cans - right? - if you can't get them loaded and put back, sent back. They're on rent. You wind up with issues with crews and visas because most shipping companies don't actually directly employ the individuals on the ship. That's an outsourced company. And their resources are on that ship. 

Ron Brash: Terminals versus ship ownership are two different things as well. So there's a lot of things that could be cascaded and affected. The main risk from a suspicion point is, yes, the third party, the nation, you know, nation threat, protectionism, those are probably the main drivers. But really, I suspect what it is is to rebalance the market - really aims to just rebalance the market and to have more American-made cranes or American-sponsored manufacturing of cranes. It could be - they could be made in Mexico, for example, and those to be deployed in the ports. That's what the real gist of this is probably about, but also maybe putting a name or an enemy in an act. But we should have been also doing all of these security assessments all along. So there's a fundamental good that's coming out of this, but maybe for the wrong reasons. So we should all be concerned about it. But the main piece is probably going to be disruption. 

Dave Bittner: Is this act as it's been proposed, is there a lot of pushback on it? Or is there a negotiation phase that we're in? 

Ron Brash: There might be a bit of a negotiation phase, particularly around leniency on, you know, exceptions to the five-year date. You know, one of the statements in the first act, which is the HR 6487, is you cannot operate any new machinery as of the time of the enactment. You have 180 days to do a review. You may not operate any foreign software related to or embedded in the crane after five years of enactment in 1.3(a)(2). Those are very consequential things. Those are the real pieces of this that are going to drive people crazy. 

Dave Bittner: Are there aspects to particularly the shipping community, you know, when it comes to security, when it comes to software attack vectors, that go underreported, that the people generally don't understand, things that you wish people knew more about? 

Ron Brash: Well, for one thing, I mean, if we always think about third-party risk, I mean, shipping probably has one of the largest third-party risk profiles possible. I mean, there's some other industries that'll be very similar. But shipping is very big because if there's - you have various companies coming in and out of your sites. You have, possibly, some contractors operating various things. You have different unions. You have different this and that. And it's always changing. One of probably the most misunderstood challenges is validating integrity anywhere in shipping. How can you actually validate what is in that sea can is supposed to be there, right? That's a very traditional thing. Are there drugs in there? Does the manifest match, so on and so on? 

Ron Brash: Again, you have different resources in there. How do I know that someone did not install, via USB stick in a PLC cabinet that was unlocked, an update or something changes? Those same things are true on the navigation systems on ships. Sometimes, it's very simple to modify the nav systems onboard a ship for the helm. Those are all big concerns. So probably, one of the biggest underreported and misunderstood - but also probably the most prevalent across all of those different audiences in shipping - is the ability to actually validate integrity of the data, validate the integrity of devices in use. That from an electronic standpoint is going to be a massive, understated risk, same with modernizing and updating ports. We're effectively performing electronic maintenance. Those are two major issues that I foresee - going to raise a lot of questions and cause a lot of challenges. 

Dave Bittner: All right. Ben, what do you think? 

Ben Yelin: So most of what I knew about port security came from "The Wire" Season 2. 

Dave Bittner: (Laughter). 

Ben Yelin: I was rather uneducated on this topic. It was really interesting. 

Dave Bittner: Yeah. 

Ben Yelin: And certainly, the bill you referenced that's been proposed, I think there are security justifications for it. The other side of the ledger is, we've had all of these supply chain problems in the past year. And, you know, we've heard about supply chain issues emanating from deficiencies at our ports. There have been these horror stories of ships lined up in southern California. And we just don't have the personnel or the equipment to offload them quickly enough. So I think you have to strike a balance between efficiency and security. My instinct, just based on hearing about that bill and listening to your conversation, is that just - the bill just might be a step too far (laughter) in the direction of protecting security. 

Dave Bittner: I was going to say, it seems like there's some protectionism baked in as well. 

Ben Yelin: Right. It is favoring U.S. industries, which... 

Dave Bittner: Yeah. 

Ben Yelin: ...Obviously, Congress does that all the time. 

Dave Bittner: Sure. 

Ben Yelin: That's part of legislating. 

Dave Bittner: Yeah. 

Ben Yelin: But I think you have to balance the very legitimate security concerns when we're talking about foreign companies with, you know, we need to keep our supply chain moving. 

Dave Bittner: Right. All right. Well, our thanks to Ron Brash. Again, he is the VP of research and critical infrastructure at software security firm aDolus. We do appreciate him taking the time. 

Dave Bittner: That is our show. We want to thank all of you for listening. The "Caveat" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Ben Yelin: And I'm Ben Yelin. 

Dave Bittner: Thanks for listening.