Caveat 6.16.22
Ep 129 | 6.16.22

The strength of cybersecurity in America.

Transcript

Greg Murphy: Unfortunately, it's going to be, you know, several years before this actually starts to take effect. But I think it is really important for organizations to start preparing for these reporting requirements and make sure that they're in a position to comply with the law when it gets passed.

Dave Bittner: Hello everyone, and welcome to "Caveat," the CyberWire's privacy, surveillance law and policy podcast. I'm Dave Bittner, and joining me is my co-host, Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security. Hello, Ben. 

Ben Yelin: Hello, Dave. 

Dave Bittner: Today, Ben has an update on the Texas social media platform case. I've got the story of Canadian ISPs being ordered to block pirated streams of - wait for it - hockey games. And later in the show - my conversation with Greg Murphy. He's from a company called Ordr. We're discussing the Strengthening American Cybersecurity Act. While this show covers legal topics and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney. 

Dave Bittner: All right, Ben, let's jump into some stories here. Why don't you kick things off for us? 

Ben Yelin: So just after we finished recording our previous episode, we got a Supreme Court decision of sorts on their so-called shadow docket. So this is when they issue a decision that hasn't been presented to them via oral argument. They're just making a snap decision based on a petition from the parties. And this has to do with the Texas social media platform statute that we've talked about several times on this podcast. 

Dave Bittner: Yeah. 

Ben Yelin: So as a quick refresher, the statute prohibits viewpoint discrimination on social media platforms that meet a certain threshold. So they have to have 50 million users. They can't be your mom-and-pop social media companies. They have to be the big guys. Once they are established as big social media platforms, they have certain reporting requirements related to how they make decisions about banning certain users and this viewpoint discrimination provision, meaning... 

Dave Bittner: This is - the origin of this is the folks on the Republican side making the case that they believe that their points of view are being censored by the big platforms. 

Ben Yelin: Exactly. 

Dave Bittner: It's in response to that belief. 

Ben Yelin: Exactly. 

Dave Bittner: OK. 

Ben Yelin: And so we've seen this pop up in a number of states. Another one where this was enacted was Florida, and there was a similar court case there. What happened in Texas is everybody sort of assumed that this law was going to get struck down immediately. The platforms themselves have First Amendment rights. And if you were to take the enforcement provisions literally in the statute, the tech platforms would be forced to publish viewpoints that they do not want represented on their platform. 

Dave Bittner: Such as? 

Ben Yelin: Such as certain types of things that we would define as hate speech. 

Dave Bittner: OK. 

Ben Yelin: If the state of Texas defined that as viewpoint discrimination and forced the social media platforms to put that content on - in public on the platforms, then that would violate the First Amendment speech rights of these companies. And there has been previous case law saying, to an effect, that you can't compel somebody to be a platform for speech - a private organization to be a platform for speech for which they vehemently disagree with that speech.

Dave Bittner: Yeah. And this, to me, seems like a textbook First Amendment case, where we're protecting a private organization from the government. 

Ben Yelin: From the government, exactly. 

Dave Bittner: (Laughter) Right, OK. 

Ben Yelin: If you'll recall, the beginning of the First Amendment says, Congress shall make no law. 

Dave Bittner: Right. 

Ben Yelin: That's been incorporated to the states through the 14th Amendment... 

Dave Bittner: OK. 

Ben Yelin: ...Which means that - it also means the Texas Legislature shall make no law abridging the rights of freedom of speech. 

Dave Bittner: I see. 

Ben Yelin: But they sort of did. 

Dave Bittner: Yeah. 

Ben Yelin: The District Court - so the trial court level at the federal level weighed in and issued an injunction against the law. Unexpectedly, the Fifth Circuit Court of Appeals, which has a very conservative membership, vacated that injunction, meaning the law was put back in place. 

Dave Bittner: Right. And that was the one they did without comment, right? 

Ben Yelin: No comment. 

Dave Bittner: They just did it. 

Ben Yelin: And it's been about six or seven weeks now, and we still don't have their justification for why they vacated that injunction. But they did. The law was put back in place. So the companies petitioned to the U.S. Supreme Court to stay the ruling of the appeals court, if that makes sense, and enjoin the law again from being enforced. 

Dave Bittner: OK. 

Ben Yelin: So take the law once again out of commission. 

Dave Bittner: Right. 

Ben Yelin: We were looking for guidance from the Supreme Court because we had now seen conflicting case law in different jurisdictions. So we had talked about the Florida case, where a court came out one way, and then there was the Fifth Circuit Court of Appeals, which came out the other way. So we were looking for guidance from the Supreme Court, and we got it sort of. So by a 5-4 vote, the Supreme Court did vacate that stay, and issued an injunction against the enforcement of that law. So the law is currently not in place once again in the state of Texas pending further legal proceedings. 

Dave Bittner: OK. 

Ben Yelin: The majority was silent. They gave no reasoning for their decision. They don't have to. It goes back down to the Fifth Circuit Court of Appeals, who will now have to hear the district court case on the merits. So they're going to have to consider, through oral arguments, the competing interests of both sides. The five justices in the majority, you have two of the liberal justices, so Justice Breyer and Justice Sotomayor. And then three of the more conservative justices, Chief Justice Roberts, Justice Kavanaugh and Justice Barrett. Then we have the dissenters. The first three dissenters did not surprise me at all. This was a joint dissent, about a six-page opinion written by Justices Alito, Thomas and Gorsuch.

Dave Bittner: OK. 

Ben Yelin: And they weighed in on the merits, basically saying that they thought the state of Texas had a good chance of succeeding in this case if the case were heard in front of oral arguments. Their justification is that, in this day and age, it's unclear whether social media companies should be seen as common carriers. In which case governments, whether that be the federal government or state governments, would have some role in regulating what these social media companies do. If these social media companies have an extremely large market share, to the extent that there aren't viable alternatives, then the government, based on past case law, can, I guess, offer a level of control over these companies vis-a-vis constitutional rights, as if they were common carriers like Amtrak or a utility company that have large market share in a local market for example. 

Dave Bittner: Like a phone company also. 

Ben Yelin: Exactly. 

Dave Bittner: Common carrier example. Yeah. 

Ben Yelin: So you have three justices here pretty much endorsing that view. Now, they didn't say it explicitly. What they were saying was, it's very plausible that that view could prevail. We might as well keep this law in place while there are further proceedings. The Court of Appeals in the Fifth Circuit can go through the full process of hearing the two parties, coming to a decision. If that decision is appealed to us, we can go through our full process. But at least it's plausible and in fact somewhat likely that the First Amendment rights of these companies have not been violated as a result of this Texas law. 

Dave Bittner: OK. 

Ben Yelin: So those were the three conservative dissenters. The fourth dissenter, which was a bit of a shock, was Justice Kagan, who is considered a more liberal justice. She was appointed by President Obama. She, much to my frustration, the frustration of many observers, did not say why she was dissenting. She did not have to say why she was dissenting. This is an injunction, so it's not a full opinion. She certainly was well within her rights to not declare why she was dissenting. She has expressed disdain in the past for major policy decisions being made through the shadow docket. So that could have been a justification for her dissenting here, but we just don't know. 

Ben Yelin: And the reason that's somewhat worrisome to observers, the tech companies and, frankly, people who want to protect the First Amendment rights of these platforms to moderate content as they see fit, is you are one justice away now, potentially, from upholding a pretty radical law like the one that Texas proposed and enacted. We have three justices who seem to be amenable to the law on the merits. And we have one other justice that, for whatever reason, didn't want to issue an injunction against the law being enforced. So that's, at least, a hint that in the future these companies really might be subject to regulation based on how they moderate content. And there really might be a viable case down the line about so-called political bias of big tech platforms. Where a state can step in and issue sanctions to Twitter or Meta or whatever for what they see as viewpoint discrimination. Now, as we've talked about, that's going to be very difficult to enforce. 

Dave Bittner: Right. 

Ben Yelin: We have no idea how that would work in practice, if it could work in practice. What we saw from the Supreme Court case is that we should probably start to at least consider those questions, frankly. 

Dave Bittner: Where does this go next? 

Ben Yelin: So it goes back to the Fifth Circuit Court of Appeals. They are going to hear the case on the merits and presumably issue a holding on the merits. So they're going to actually have to, unlike their previous ruling, go through their reasoning, a constitutional analysis of why the Texas law, in their view, is or is not constitutional. That could potentially be a very long process. Depending on the outcome of that case, if the Fifth Circuit, as I would expect, sides with the state of Texas, then the big tech platforms will petition the Supreme Court to issue a writ of certiorari and hear the case in their - in one of their next terms, whether that's the 2023 term, which starts in October, or the 2024 term, which starts the next October. And we'll have at least one new member of the court since justice-to-be Ketanji Brown Jackson will have joined at that point. So all this means for now is that the law is not in effect while the proceedings continue. Based on what we know about the Fifth Circuit, it seems as if there's at least a strong chance that they would put the law back into place, they would vacate the initial injunction once again... 

Dave Bittner: Right. 

Ben Yelin: ...Of the district court. And then, who knows what would happen if there were a full argument at the Supreme Court? Perhaps the three dissenting conservative justices would be able to, through the process of briefs from outside observers or constitutional scholars, may be persuaded to consider big tech platforms as common carriers. And that would just have vast, wide-reaching implications across a bunch of different spheres. 

Dave Bittner: Yeah. That's huge. I mean, are you and other observers surprised that this Supreme Court ruling was as close as it was? 

Ben Yelin: Yes. Now, again, I have no idea what Justice Kagan was thinking. I want to just go up to her and be like, please, just give me one sentence. 

Dave Bittner: (Laughter). 

Ben Yelin: You can use cryptography. You know, maybe you only write it so that I can understand it. 

Dave Bittner: Is she not returning your phone calls, Ben? 

Ben Yelin: Yeah. Or put it in secret code. Maybe make an acronym... 

Dave Bittner: OK. Right. 

Ben Yelin: ...That gives me some hint as to what she's thinking. I mean, my guess is it's a procedural objection and that she is not actually a fourth vote for this common carrier view. But I don't know. So it certainly did surprise me that it was a 5-4 decision. Justice Thomas had previously indicated an interest in regulating Big Tech platforms as common carriers. Justice Alito usually sees eye to eye with Justice Thomas on this. Justice Alito has spoken contemporaneously in many documents about his disdain for what he sees as Big Tech political bias. He's just a conservative-oriented individual, and I'm not surprised that's his viewpoint. 

Dave Bittner: Yeah. 

Ben Yelin: Not surprised to see it from Justice Gorsuch as well. I think he sees eye to eye on these issues, just like Justice Thomas and Justice Alito. So Kagan was the surprise for me. 

Dave Bittner: Yeah. 

Ben Yelin: I have no idea what the broader implications of that might be. But if for some reason she did agree with Justice Thomas on the merits, then you'd only need to pull off one more justice. And certainly, I think Justices Kavanaugh and Barrett, given their political disposition, would at least potentially be amenable to that argument. So it's something we really have to be watchful for. And I think, as we mentioned previous times, this is not just going to happen in Texas and Florida. There are a lot of states with Republican state legislatures who strongly dislike Big Tech platforms and think that these platforms are biased against conservatives. And we're going to see these types of laws enacted in a number of different states. And I think until we get some sort of definitive resolution on this, which we don't have at this point, that's going to be an open question. 

Dave Bittner: Yeah. Boy, that's - it's going to be fascinating to see this one play out because it's - I mean, it's like flipping the table upside down. If you make them common carriers, that's a big change (laughter). 

Ben Yelin: That's an enormous change. And it's not just in this area of the law. 

Dave Bittner: Right. 

Ben Yelin: I mean, there are tons of regulations governments can issue on common carriers, even for things like common law torts, that would make life a living H-E-double-hockey-sticks, to give you a vague preview of our next story. 

Dave Bittner: (Laughter) Right. Right. 

Ben Yelin: So the tech platforms would freak out, basically... 

Dave Bittner: Yeah. 

Ben Yelin: ...If they were put under the microscope like that. 

Dave Bittner: Interesting. 

Ben Yelin: So they're going to hire the best appellate attorneys in the country to make sure that doesn't happen. 

Dave Bittner: (Laughter) Right. Right. All right. Well, we'll have a link to that story in our show notes. 

Dave Bittner: My story this week actually originally came to me over Twitter. There's a gentleman named Andy Kaplan-Myrth who is a telecom lawyer in Ottawa, Canada. He brought this story to my attention, and then I found a write-up about what's going on here on the website TorrentFreak. The title of the article is "NHL Broadcasters Win Canada's First 'Dynamic' Pirate IPTV Blocking Order." Basically, what's going on here is that the rights holders to hockey games in Canada, the broadcasters who have spent a lot of money for those rights, have convinced the Canadian Supreme Court - and correct me if I'm wrong here, Ben - the Canadian Supreme Court that Canadian ISPs have to do dynamic blocking of particular IP addresses while hockey games are being broadcast in order to block pirated streams of those hockey games. 

Ben Yelin: That's right. Now, first, I will say I'm thrilled to be talking about the NHL on this podcast. Never thought I'd have the opportunity. 

Dave Bittner: (Laughter). 

Ben Yelin: I'm a big hockey fan myself. 

Dave Bittner: Right. 

Ben Yelin: I'm wondering if I can get your prediction on the Tampa Bay Lightning versus the Colorado Avalanche in the Stanley Cup finals. 

Dave Bittner: OK. Yeah. 

Ben Yelin: Yeah. Throw a dart at the wall. 

Dave Bittner: I think the best team will win, Ben. 

Ben Yelin: There you go. Yeah, I like that prediction. 

Dave Bittner: Yeah. Yeah. Yeah. 

Ben Yelin: I don't think you can understand this story without understanding how important hockey is in Canada. 

Dave Bittner: Right. 

Ben Yelin: I have some Canadian ancestry, and it is life or death there. Think about this like the rights to broadcasting the Super Bowl. Hockey gets such incredible ratings in Canada that they've measured the impact on sewage systems during major hockey games, and you'll see that during the first and second intermission of a hockey game, a lot of people are flushing their toilets. 

Dave Bittner: Yeah. 

Ben Yelin: And it has a measurable impact. 

Dave Bittner: OK. 

Ben Yelin: Because people are sitting through the actual hockey action. 

Dave Bittner: Yeah. 

Ben Yelin: So the rights are extremely valuable there. If people are able, through piracy, to watch these games or to stream these games illegally on platforms, that's an enormous portion of the revenue of some of these big media companies. So the big media companies in Canada, Rogers, TSN - ITV, I believe, is another one. They pay an arm and a leg for these rights. 

Dave Bittner: Yeah. 

Ben Yelin: And the government is basically protecting their intellectual property, their ability to have exclusive broadcasting rights for these mega events by having this dynamic way of shutting down online piracy. 

Dave Bittner: Right. So just - I'm speaking hypothetically here, but I think this description would hold up. So say, for example, the Stanley Cup were being broadcast in the U.S., where hockey is popular but certainly not as popular as it is in Canada, someone living in Canada, rather than paying for their local stream, could latch on to a U.S. stream where perhaps it's streaming for free because it's not as in demand and then they avoid having to pay for it locally. 

Ben Yelin: Yeah, some people - I'm not going to name them - might use VPNs to illegally stream sporting events. I'm not sure how street legal that is, but you can certainly, through a VPN, place yourself in a U.S. market, buy an ESPN+ subscription, if you want to spend a minimal amount of money, and can get that broadcast for free without having to pay the exorbitant fees for a full cable package in Canada, which I'm sure many Canadians only get that cable package to make sure that they can watch the Stanley Cup - or the Stanley Cup playoffs, rather. 

Dave Bittner: Yeah. So help me understand here. This article points out that the federal court grants an interlocutory injunction. What does that mean? 

Ben Yelin: It means... 

Dave Bittner: Lawyer boy. 

Ben Yelin: So an interlocutory appeal means it is an interim nonfinal decision where they - so they are granting some type of injunction, as they are here, against the actions of the defendants, who are unnamed individuals who have pirated hockey games, without completed proceedings at the court. So it's an appeal without having gone through - it's a judicial decision, without having gone through the full and complete process that one normally goes through to get a decision at the Canadian Supreme Court. Now, I am not an expert on the Canadian Supreme Court. 

Dave Bittner: Oh, come on, Ben. 

Ben Yelin: I know. I know it's a little bit less powerful than our Supreme Court. I don't know if they have the same level of judicial review powers that we do. I think their legislature, the Canadian Parliament, is more powerful than our Congress, for example. But there's a reason they're stepping in now, which is because we are in crunch time in the Stanley Cup playoffs. And there is a lot of money to be made and lost over the next several weeks as these playoffs continue. I mean, that is prime ratings season. 

Dave Bittner: Right. 

Ben Yelin: The companies don't want to lose that revenue because they're not going to have an opportunity to gain that revenue again. Granted, the contracts have been signed. But they're not going to have the same viewership until this time next year. So the interlocutory appeal is designed to expedite that process so that these companies can get some level of relief during this pretty valuable time period. 

Dave Bittner: Right. So they've got some oversight here. As you mentioned, this ruling or this order expires after the Stanley Cup ends. They're requiring some third-party auditing to see if it actually works or not. Some of the IS - oh, the ISPs have to get paid for their efforts in doing this. 

Ben Yelin: Right, and it's no small effort on the part of the ISPs. I mean, takes a lot of compliance work on their part. 

Dave Bittner: Let's look at the big picture here, though. There are some civil liberties folks who are concerned that, as always, that this could be a slippery slope. 

Ben Yelin: How so? 

Dave Bittner: Well, just that the broadcasters aren't going to stop here, that if they ask for this, they're going to ask for this for, obviously, all hockey games. But then what else? And what else gets blocked? And what gets caught up in the blocks? And, you know, they're saying we need to be mindful that the court just doesn't give the broadcasters a blank check for what they want to have - for what, on the internet - right? - not their domain, to be blocked. 

Ben Yelin: Right. I would say I'm usually amenable to those types of slippery slope arguments. But knowing what I know about hockey in Canada, this is the slippery slope. If you are enforcing a ruling during the Stanley Cup finals, that is as far as you are going to go. Nothing else matters. 

Dave Bittner: Oh, man. I think you're being clouded by your love for hockey, Ben. I think... 

Ben Yelin: I am. But I also believe that - I mean, how much further can you go if you are a Canadian broadcasting company? I mean, curtailing people's ability to watch curling or sled dog racing does not have the same effect. This is serious business. Covering the Canadian elections or, you know, the provincial news in Ontario, I don't think carries the same cachet in Canada as a single game in the Stanley Cup playoffs. And I'm - I think I'm not just saying that as a hockey fan. I think I'm saying that as somebody who understands the basics about Canadian culture. So I am sympathetic to the slippery slope argument, but I think - I don't think that's really applicable here. I mean, I think the fact that they were willing to do this for the Stanley Cup means that they take the antipiracy rights of these broadcasters very seriously. I think that is the best indication that you're going to get.

Dave Bittner: OK. All right. Fair enough. Well, we will have a link to that story in the show notes. We would love to hear from you. If you have something you'd like for us to discuss on the show, you can email us. It's caveat@thecyberwire.com. 

Dave Bittner: Ben, I recently had the pleasure of speaking with Greg Murphy. He's from a company called Ordr, and our conversation centers on the Strengthening American Cybersecurity Act. Here's my conversation with Greg Murphy.

Greg Murphy: Sure. I think this act was pulling, actually, from three other pieces of legislation. And what it's really designed to do is to ensure that entities and organizations in critical infrastructure segments have a responsibility to report cyber incidents very promptly within 72 hours after an incident occurs, or in the case of ransomware, where someone's paying a ransom to bad actors to report that within 24 hours of making that payment. And so the intent here is to ensure that information is being shared and disseminated widely so that other organizations and other entities get the benefits of understanding what is happening, how organizations have been responding, and can take steps to defend themselves. So the whole goal is to enable a more coordinated, faster response and ensure that people have visibility to the threat landscape as quickly as possible. 

Dave Bittner: Well, this has passed the Senate and has yet to make its way through the House. How are we looking in terms of its prospects there? 

Greg Murphy: Well, I think it looks very good. I think, you know, when you looked at the Senate, it passed unanimously. And in this day and age, I can't think of too many things that make it through the Senate with unanimous agreement. So I think that, especially in response to recent events in Ukraine and in world events and the concerns about cyber threats to national security, I think there is just a heightened focus on this where, you know, a few months ago or years ago, this may not have been possible. But I think it's looking very positive and expect that it would actually make it through the House as well. 

Dave Bittner: Can you share your insights on this sort of disclosure legislation or where do you come down on this? Is this a good thing? 

Greg Murphy: I think overall, it's a very good thing. When a cyber incident occurs, the main thing that we want to do as an industry is ensure that everyone gets as much information as quickly as possible so that other organizations can take steps to defend themselves. Because the reality of the world we live in is that the bad actors, the, you know, the criminals that are propagating this malware, they rarely go out and target just one organization. They're going after multiple organizations. You know, very often they're deploying malware and it's sitting dormant on a network for months or even years before it's activated. 

Greg Murphy: So the assumption is that whenever one organization is subject to attack, there are probably lots of others that are in the sights of these attackers. And getting information in people's hands as fast as possible so they can take proactive steps to protect themselves and to protect their businesses, to protect consumers, to protect patients and health care. That's all very beneficial. So I think this is a big step forward. I think it's been a long time coming. Unfortunately, it's going to be several years before this actually starts to take impact, take effect. But I think it is really important for organizations to start preparing for these reporting requirements and make sure that they're in a position to comply with the law when it gets passed. 

Dave Bittner: What about the actual requirements themselves? You know, we're talking about 72 hours here for reporting cyberattacks and 24 hours for ransomware. I've heard some folks say that perhaps that puts an undue burden on the organizations. What are your thoughts there? 

Greg Murphy: You know, I think it really comes down to, in this act, you know, it's put CISA, the agency, in charge of defining some of the specific regulations about what exactly needs to be disclosed and when. But I think you're right. I think it has to be - the regulation has to balance the need for information to be shared quickly with the reality that when you're, you know, 70 hours into a cyberattack and you're the CISO of the organization, you're probably in absolute firefighting mode. You don't always have perfect or complete information. And so I think the regulations need to reflect that and understand that that information may be partial. That information may change over time and need to be updated. 

Greg Murphy: And I think they also need to make sure that they - as they think about these regulations, they recognize the differences between types of organizations and the resources that they have available to them. You know, in health care, which is one of the critical infrastructure categories, you've got everything from small community hospitals that may have one or two people in the IT organization in its entirety. And then you've got, you know, very large multibillion-dollar organizations with immense resources available. And so the regulations need to make sure that these organizations can realistically provide that information. And also make sure that they have enough protection that they're not feeling like they are being put at significant legal or business exposure by making these disclosures. So that the goal here is information sharing and speed, and not punitive to go after and punish organizations that are victims of these attacks. 

Dave Bittner: What do you suppose this is going to mean for those various-sized organizations in terms of, you know, the adjustments they're going to have to make to be able to comply? 

Greg Murphy: Well, you know, I think one of the things that are really important is that organizations start to prepare, if they haven't already done that, to make sure they have good monitoring tools in place so that they know what devices are connected to their network and what those devices are doing and so when malware comes into their environment that they can identify where it came from and how it may have spread and what protocols it used on the network. 

Greg Murphy: There are tools like ones, frankly, that we develop on the market that enable them to do that. And it's important that they have those types of systems in place because, certainly, when you're in the midst of an attack, that's not the time that you're going to be able to go and put in new systems and processes. So when you're firefighting, you don't want to be having to spend your time trying to gather data and figure out, you know, what you're going to need to pull together in order to meet the reporting requirements. You want to have those systems and tools already in place so that you have them at your fingertips and, frankly, can use them to help you respond more quickly and, you know, in a more effective manner to any attacks that occur. So I think this is - you know, the good news here is that CISOs, you know, have been thinking about this for quite a while. And this is really, I think, an instigator for them and for their organizations to make sure that they have the appropriate infrastructure in place to enable them to comply with this regulation. 

Dave Bittner: You know, this act is all about disclosure. What about what comes next? Do you envision us getting to a point where we're actually doing information sharing? 

Greg Murphy: Yeah. That's the - to me, the critical part is the whole goal of this has to be information sharing. I mean, just disclosing the information, you know, may help the government in compiling statistics, but the goal of having the disclosures happen so quickly is presumably so that that information can be shared very quickly with others, you know, and you see that all the time, is that we have bad actors and criminal gangs that are attacking multiple organizations. And so having that visibility of what's happening in another organization and getting information about how they - what the indicators of compromise are, how the malware was spread, what was done to defend against it, that's incredibly valuable information. So if there is no sharing, then there's no point to this legislation, really. 

Dave Bittner: So what's your advice, you know, for organizations who see this coming along and want to be prepared for when it actually goes into effect? What sort of steps should they be taking now? 

Greg Murphy: Well, you know, I think the first is make sure, you know, that you have basic hygiene in place. If you think about yourself as an organization, you need to know what devices are connected to your network - you know, what those devices are, how they behave, you know, have the ability to detect anomalous behavior very quickly. For example, if you see a video surveillance camera on your network that is suddenly talking to your financial systems in a way that no video surveillance camera has ever done before, you want to be able to know about that and flag it, you know, and take action immediately. Those are the - those types of systems, having that in place will enable you to quickly provide the type of information that the government is going to be looking for, you know, after these responses, to be able to - or after these incidents and be able to share that information very effectively with other organizations. So I would really look to putting that basic hygiene in place. Make sure you understand exactly what's connected to your network, what those devices do, and have anomaly detection capabilities in place. 

Dave Bittner: All right, Ben, what do you think? 

Ben Yelin: Wow. Congress is actually doing something. 

Dave Bittner: (Laughter) Imagine that. 

Ben Yelin: I am as shocked as you and Mr. Murphy... 

Dave Bittner: Yeah. 

Ben Yelin: ...Were in your interview. I think the prospects, as he said, are quite good for this legislation. Again, it's largely a legislation geared around reporting. That's usually the first step and not the last step. A lot of it is going to depend on how it's enforced by CISA. 

Dave Bittner: Yeah. 

Ben Yelin: But it has passed the Senate. That's usually the hardest hurdle. 

Dave Bittner: Right. 

Ben Yelin: Because there are all these procedural things you can do in the Senate to gum up the works. And the fact that you had unanimous support, I think, is a very positive sign. I don't think it would have happened several years ago. I think it's happening because we've all now been impacted by cyberattacks, ransomware attacks that have had these kinetic effects where it's not just affecting people in the industry; it's affecting the everyday Americans who call their members of Congress. 

Dave Bittner: Right. 

Ben Yelin: I think the prospects are good in the House. So I think there's a strong chance that this could be enacted into law. And it's just fascinating to hear about what the impetus was for this law, how the federal government was able to put something together to at least begin to try to respond to this problem. 

Dave Bittner: Yeah. 

Ben Yelin: And it's really about having situational awareness on what the threats are. 

Dave Bittner: Right. 

Ben Yelin: Reporting itself isn't necessarily going to change anything overnight, but it's about giving other entities who have not yet been subject to these attacks the awareness of the threat landscape. And I think without these types of reporting requirements, a lot of private and public organizations are largely in the dark. So I think this holds a lot of promise. 

Dave Bittner: All right. Well, our thanks to Greg Murphy for joining us. We do appreciate him taking the time. 

Dave Bittner: And that is our show. We want to thank all of you for listening. The "Caveat" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Ben Yelin: And I'm Ben Yelin. 

Dave Bittner: Thanks for listening.