Caveat 6.23.22
Ep 130 | 6.23.22

What new major cyber regulatory changes are coming?


Blaise Wabo: So it's important that different regulatory bodies are updating their standards to ensure that they are capturing their relevant threats that we're currently dealing with.

Dave Bittner: Hello, everyone, and welcome to "Caveat," the CyberWire's privacy, surveillance law and policy podcast. I'm Dave Bittner, and joining me is my co-host, Ben Yelin from the University of Maryland Center for Health and Homeland Security. Hello, Ben. 

Ben Yelin: Hello, Dave. 

Dave Bittner: Today, Ben shares an interesting federal case on the legal defense of forgetting one's passcode. I've got an opinion from the EFF on Apple's App Store restrictions. And later in the show, my conversation with Blaise Wabo. He's health care and financial services director at cybersecurity firm A-LIGN. We're going to be talking about some of the major cyber regulatory changes that are coming. 

Dave Bittner: While this show covers legal topics and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney. 

Dave Bittner: All right, Ben, let's hop into our stories this week. Why don't you start things off for us here? 

Ben Yelin: So another one from the Professor Orin Kerr Twitter files. This is a case he alerted me to - not me personally, unfortunately. 


Ben Yelin: But his followers. There's a... 

Dave Bittner: Right. Orin Kerr so far does not have a red phone to Ben. 

Ben Yelin: One day. One day in my dreams that might happen. 

Dave Bittner: (Laughter) OK. 

Ben Yelin: But so far, that has yet to take place. 

Dave Bittner: All right. 

Ben Yelin: So it was a federal case, a Third Circuit case, and it concerns an individual named Michael Dashem. So there was a 911 call to law enforcement in the state of Pennsylvania about some type of domestic dispute. So police went to this guy's house, and he was getting into a physical altercation with his father. His father said to the police, my son possesses child pornography; I saw it just the other day. Michael admitted that he had child pornography. He is arrested and charged with the federal crime of possessing child pornography. 

Dave Bittner: OK. 

Ben Yelin: But law enforcement asked him to unlock his tablet on the scene, and he refused by saying, quote, "I don't know the password." And that's what this case really comes down to, is whether there is a valid defense in simply saying, I can't remember the passcode. A lot of that has to do with how believable it is that a person actually does not know the passcode. So... 

Dave Bittner: OK. So I think on behalf of everyone who's forgotten a password that they made up moments after making it, there is a case to be made for that (laughter). 

Ben Yelin: Right. I mean, it does happen. I would say for a tablet passcode, it strains credibility because all of us - I mean, I've probably typed in the tablet passcode for my kids 600 times before I ate breakfast this morning. 

Dave Bittner: So this is for - OK, so this is the passcode for the entire device. Got it. 

Ben Yelin: For the entire device. It's not for a specific account. 

Dave Bittner: Right. 

Ben Yelin: It's not one of those Chrome-generated difficult passwords that nobody knows. 

Dave Bittner: He wasn't locking down a folder inside of the device. This was the... 

Ben Yelin: Exactly. This is the six-digit passcode. 

Dave Bittner: Yep. OK. 

Ben Yelin: So he's claiming that he doesn't know it. 

Dave Bittner: Yeah. 

Ben Yelin: That strains credibility. And law enforcement saw right through it, basically called him on his BS and said, if your father saw these images just the other day, then clearly one of you knows how to unlock this device. And we're going to go ahead and assume that it's you. 

Dave Bittner: OK. 

Ben Yelin: So this person, Dashem, still refused to comply. The computer was sent to a forensics lab where they were able to unlock the device, found the offending files. He was charged, convicted. And so at the sentencing phase, the judge took under consideration whether Dashem tried to obstruct the case by refusing to disclose his passcode. And they found that he did. Just because the testimony of the father and the son both indicate that they had had access to the device, to the contents of the device, in the previous couple of days, it would be completely incredulous, it would be unbelievable to try to claim that the person did not know their passcode. It's just simply not a valid defense. 

Dave Bittner: So does - where does the Fifth Amendment slide in here? 

Ben Yelin: So you're getting a little bit ahead of me there. 

Dave Bittner: Oh, sorry (laughter). 

Ben Yelin: But I'll just jump right into that now since you've jumped into that... 

Dave Bittner: OK. 

Ben Yelin: ...Hot jacuzzi here. 

Dave Bittner: Yeah. 

Ben Yelin: So there's obviously this Fifth Amendment right against self-incrimination. 

Dave Bittner: Yeah. 

Ben Yelin: And Dashem, as sort of a last-ditch effort to save himself from an enhanced sentence said, well, by denying that - or by refusing to unlock this device with my passcode, I was simply asserting my Fifth Amendment right against self-incrimination because if I had entered in the passcode and you had viewed these files, I would have been summarily convicted. And I have a right, a Fifth Amendment right, to not have to testify against myself. 

Dave Bittner: Yeah. 

Ben Yelin: And that is applicable to the states through the 14th Amendment. Well, law enforcement - or what this court said here is that this is not a proper invocation of the Fifth Amendment right. For one, it's unclear based on court precedents whether this is testimonial evidence. So the Fifth Amendment only - right against self-incrimination only applies to testimonial evidence, basically, things you say... 

Dave Bittner: Yeah. 

Ben Yelin: ...The content of one's own mind. And there's kind of conflicting case law on whether passcodes count as testimonial evidence. They sort of tend to count as testimonial evidence. But there's a lot of confusion since passcodes have become kind of interchangeable with biometric. 

Dave Bittner: Yeah. Well, I was going to go there with you as well because my recollection, based on previous conversations we've had, is that, you know, biometrics were open game but passwords were not. 

Ben Yelin: That's generally the rule. But there's been some disagreements. Now that passcodes are functionally equivalent to biometric data, there's been some discussion, especially among lower federal courts, that perhaps the passcode is not testimonial evidence. That ended up not being the deciding factor in this case. 

Dave Bittner: OK. 

Ben Yelin: The deciding factor in this case is that this person never asserted his Fifth Amendment rights. He just claimed that he didn't know the password. So there's an obvious lesson here for people who are accused of committing heinous crimes. 

Dave Bittner: (Laughter). 

Ben Yelin: If you're going to assert your Fifth Amendment privilege at any point in the - either during the arrest or at a subsequent trial or at a sentencing hearing, you actually have to assert that right. Simply by claiming that you forget the password - in other words, you're clearly lying - that is not a proper invocation of your Fifth Amendment right. 

Dave Bittner: I see. 

Ben Yelin: And if you don't invoke that right prior to your conviction, you have waived the ability to invoke that right post-conviction. 

Dave Bittner: So you can't invoke the Fifth Amendment retroactively? 

Ben Yelin: Exactly. I mean, this is a - if I had a client who was in Dashem's position, I might have tried this, too, because he's so screwed. I mean, (laughter) he clearly committed the crime. And he's going to get... 

Dave Bittner: Yeah. And you mentioned he admitted that he had the stuff ahead of time. So was this... 

Ben Yelin: He did. 

Dave Bittner: ...A matter of just seeing just how bad it really was? 

Ben Yelin: Right. 

Dave Bittner: Yeah. 

Ben Yelin: So it turns out he had - there are - as we found out in the Ketanji Brown Jackson hearings, largely, the sentences for these types of crimes depend on the number of files that are uncovered on a device. 

Dave Bittner: Yeah. 

Ben Yelin: That, frankly, seems a little bit outdated in the age of digital files. Somebody might be sent a single folder that contains a million separate images. 

Dave Bittner: Right. 

Ben Yelin: And that's - I don't know if that's necessarily more heinous than somebody snooping around, getting actual physical photographs, but only getting 100 of them. 

Dave Bittner: Right. Right. 

Ben Yelin: But that is the prevailing legal standard. And he clearly knew that he was going to be a lot - in a lot of trouble if he unlocked the device. I think he was trying to stave off the enhanced penalties that would have come from seeing how many specific images and how - I don't want to get into the details here. But there were images that depicted things like masochism, sadism... 

Dave Bittner: Yeah. 

Ben Yelin: ...That might have enhanced his penalties. 

Ben Yelin: Bad, bad stuff. 

Ben Yelin: So yeah, he was trying to get ahead of the situation by saying, OK, I have them. But I'm not going to let you see them... 

Dave Bittner: Right. 

Ben Yelin: ...Because I don't remember my passcode. So what this means for future cases, both in the Third Circuit and around the country, is there is not a proper defense that you forgot your passcode. And someone claiming that should not therefore think that they have properly invoked their Fifth Amendment right against self-incrimination. You actually have to assert that right. I don't know what the ultimate disposition of the case would have been if instead of saying, I forgot my passcode, Mr. Dashem had said, I'm not going to do that. That violates my Fifth Amendment right against self-incrimination... 

Dave Bittner: Right. 

Ben Yelin: ...Talk to my attorney. 

Dave Bittner: Right. 

Ben Yelin: But it certainly would have given him a better chance than, oh, I forgot my passcode. 

Dave Bittner: (Laughter). 

Ben Yelin: So I think there is a broader lesson there. Not that anybody should be a criminal, but if you are being charged with one of these crimes, then I think that's the lesson we can take from this case. 

Dave Bittner: What do you make of that? Is that a reasonable use of the Fifth Amendment, in your opinion, to - if you know that there's - something incriminating is going to be revealed by giving up your password, is that what the - is that the spirit of the Fifth Amendment? 

Ben Yelin: It absolutely is the spirit of the Fifth Amendment. 

Dave Bittner: Yeah. 

Ben Yelin: You don't want to put a criminal defendant in an impossible position. So if they are asked at any trial proceeding - did you do this or do you have this? - and you do have or - have that thing or did that thing, you are faced with incredibly difficult options. You could lie about it, but then you could be convicted of perjury. You could admit it, but then you're admitting to the crime. And you are going to do the time, so to speak. The third option, if we didn't have this right against self-incrimination, would be to be charged with contempt of court. So then you would be put in this position where no matter what the person did or said, they would be subjecting themselves to criminal penalties. And therefore, the trial would be kind of worthless. There wouldn't really be a functional right for a defendant to make his or her case in court. That's why we have this right against self-incrimination. I think it's certainly - the details are debated. And we can debate them. But certainly, the spirit of it is reflected in, don't reveal something that's going to incriminate you. 

Dave Bittner: Wow. 

Ben Yelin: And I certainly think a passcode fits that bill. 

Dave Bittner: Do we know how this one turned out? 

Ben Yelin: Yes. So the court has not only upheld the conviction, but they upheld the sentencing proceedings where there were sentencing enhancements for obstructing the case. They ruled that his Fifth Amendment invocation was not proper and is not applicable, doesn't affect either his conviction or his sentence. And there were also additional sentence enhancements for the type of pornography that he had on his computer because it was especially aggravating. The circumstances were particularly aggravating. 

Dave Bittner: Yeah. 

Ben Yelin: So the result of this is this person is going to go to federal prison for a long time. 

Dave Bittner: Yeah. 

Ben Yelin: And I don't see any proper grounds, at least in my reading of the legal case, for appeal. So I think this is the final disposition of this case. 

Dave Bittner: It really is fascinating how often, I guess, the chipping around the edges seems to happen around this - these kinds of crimes, right? Because I guess they are inherently - tend towards privacy in a weird way. 

Ben Yelin: Right. I mean, it's people trying to conceal something that they have. So necessarily you are going into people's personal devices. 

Dave Bittner: Yeah. 

Ben Yelin: The Supreme Court has said that to get into a cellphone, because of the contents, the nature of the contents on one's cellphone - our entire life is in these little tiny devices - generally, the government needs a warrant - that was Riley v. California - including when it is incident to arrest. So I think depending on the circumstances here, what Dashem could have said is, I'm invoking my Fifth Amendment privilege. Come back with some type of specific warrant to open the device and we can talk. Eventually, after the arrest took place, the government was able to obtain a warrant to send it to the forensics expert to actually unlock it. So clearly, there would have been probable cause to unlock that device, but Dashem might have been able to buy himself a little bit of time by invoking his privilege and demanding some type of judicial solution. But yeah, I mean, by necessity, this is going to be some type of an invasion of privacy for criminal defendants because it's something that they are trying to keep secretive on their own devices... 

Dave Bittner: Yeah. 

Ben Yelin: ...Devices that they control. It's their domain. They have the passcode. They control the kill switches. So, yeah, I think you're right that that's the nature of these cases. 

Dave Bittner: Yeah. All right. Well, we will have a link to Professor Kerr's tweet about this (laughter), as well as an article covering it - or actually, a document about the case itself. We'll have that in the show notes. 

Dave Bittner: All right, Ben. Well, my story this week actually comes from the EFF, the Electronic Frontier Foundation. This is a - I guess you'd call it an opinion piece by Cory Doctorow. And it's titled "Facebook Says Apple is Too Powerful. They're Right." Now, how often do you see the EFF siding with... 


Ben Yelin: Agree with Facebook, yeah. That might be a first. 

Dave Bittner: Right? So, I mean, admittedly a provocative headline to generate interest. And guilty as charged - it made me read it. This article starts out talking about the efforts that Apple made to sort of cut down on Facebook's ability to track us and by making that ability opt in on their iOS platform. And of course, the vast majority of people did not opt in to Facebook's ability to track them. Facebook claims that that costs the company $10 billion in the first year. 

Ben Yelin: Do you see these crocodile tears? They're flowing from my poor eyes. 

Dave Bittner: I know (laughter). I'm playing the world's smallest violin. 

Ben Yelin: Yeah. 

Dave Bittner: But Facebook has shot back at Apple and is saying that, basically, Apple's App Store is onerous, that the fact that Apple does not allow you to load apps from anywhere except the App Store on your iOS device, unless you jailbreak the device or something like that, they're saying that's problematic. That gives Apple too much control over - by having control over what goes in that app store, that Apple has too much control over the device. And the EFF is making the case that Apple should allow alternative app stores. So there should be private app stores, non-Apple app stores. I guess this is much the way that Google handles things with the Google Play Store, where you can go through the Google Play Store, but you can also, on an Android device... 

Ben Yelin: Just purchase the app, yeah. 

Dave Bittner: ...Just load things - well, and this is the way it works on Mac OS, on Mac's desktop machines. You can go through Apple's App Store, or you can just load an app. 

Ben Yelin: Right. 

Dave Bittner: Apple makes the case that iOS is much more secure because of that. I think that's a fair case to be made. Certainly iOS is comparatively secure relative to a lot of the other operating systems out there. And a lot of that is because of the scrutiny that things get on the App Store. We've certainly seen that things aren't perfect and things get by the App Store that are problematic. There's been malware and tracking apps and all sorts of things that make their way through. But it's interesting that the EFF is making this case. There is some legislation that some - the Congress is working on to try to make this - or to make the case that Apple should allow sideloading. What's your take on this, Ben? 

Ben Yelin: So it reminds me of that Onion meme of the worst person you know - tragedy, the worst person you know just made a great point. 

Dave Bittner: (Laughter). 

Ben Yelin: I see people posting that poor guy's picture. 

Dave Bittner: Right. 

Ben Yelin: And now we're supposed to know what the meme is. 

Dave Bittner: Right. 

Ben Yelin: I think that's kind of the spirit of this article, that even if you're not sympathetic at all to Facebook, they are making a good point about Apple and the iOS operating system. One subheadline here is that benevolent dictators are still dictators. 

Dave Bittner: Yeah (laughter). 

Ben Yelin: I think that rings particularly true. What Apple is doing here is giving its customers the option to opt out of these tracking services. That's great, but that's a unilateral decision Apple has made that necessarily has to apply to all applications downloaded onto an iOS device. And they have made that decision unilaterally, which is obviously - at least the way the current law stands - within their rights. But they are - they control such a large portion of the market that they are basically dictators. 

Dave Bittner: Right. 

Ben Yelin: They exert this type of dominance over the app market, which goes against competitive practices. And as you noted, this isn't true for the major other app store, a Google Play where you can either download the app from Google Play or you can download it from an internet browser and just have the app on your device, and, as you say, for Mac desktops, MacBook Airs, MacBooks, etc. 

Dave Bittner: Yeah. 

Ben Yelin: So I think Facebook does have a point that users should be able to choose other app stores. I think Apple, in the view of EFF, is wrong to state that just by downloading an app from somewhere besides the Apple store, that they are necessarily going to be predatory and invasive apps. I think that's an anti-competitive practice and not necessarily grounded in reality. It would be nice if Apple and Facebook, these two behemoths, could join forces to kind of get the best of both worlds here where... 

Dave Bittner: (Laughter) OK. Go on (laughter). 

Ben Yelin: I know. I - this might seem a little bit too idealistic, but it would be great if there were competition and where we could download applications and every user had the right to opt in or opt out of Facebook's tracking shenanigans. 

Dave Bittner: Yeah, but I mean, let's play this through, right? So I think what Facebook is getting at here is that Facebook - so let's say Apple allowed a third-party app store, right? 

Ben Yelin: Right. 

Dave Bittner: So what happens next? Facebook pulls its app from Apple's app store and says, if you want Facebook, you have to sideload it. 

Ben Yelin: Right. 

Dave Bittner: And if you want Facebook that's sideloaded, guess what? Now, Apple no longer has control over our ability to track you. So if you want Facebook, you get tracked. 

Ben Yelin: Right. 

Dave Bittner: Are we better off? 

Ben Yelin: That's a good question. 

Dave Bittner: (Laughter). 

Ben Yelin: I meant for that sigh to be particularly audible. 

Dave Bittner: Right. Right. 

Ben Yelin: I think from most users' perspective, we would not be better off. Because for most users, there's not a discernible difference between sideloading and downloading an app from - directly from the Apple store. 

Dave Bittner: Yeah. 

Ben Yelin: What they really care about is whether they're being tracked or not. So from that perspective, if the benevolent dictators at Apple are saying, if you want to be part of our Apple store, you have to allow people to opt out, I think for most people, that would be a better solution. If we did a survey of people who use the Facebook application, they would probably say, yeah, I'd like the option to opt out, but I don't care whether the application is sideloaded. That makes no difference to me. 

Dave Bittner: Right. I... 

Ben Yelin: If we're - yeah, sorry. Go ahead. 

Dave Bittner: No, no. I mean, I just think it's kind of rich in a way that Facebook is accusing Apple of not providing alternatives. And yet, Facebook is a platform for which there are no real alternatives. 

Ben Yelin: Yeah, I mean, it is literally the worst possible spokesperson... 

Dave Bittner: (Laughter). 

Ben Yelin: ...For what is otherwise a valid argument... 

Dave Bittner: Right, right. OK (laughter). 

Ben Yelin: ...'Cause Facebook doesn't have anti-competitive principles. If they did, they would not be Facebook or Meta. 

Dave Bittner: Right (laughter). Right. 

Ben Yelin: And they certainly have very little ground to stand on here. But just like that Onion meme, on this very narrow point, they happen to be right, at least according to EFF. And I think EFF is right in their evaluation here. 

Dave Bittner: So there are other scenarios where this very thing has happened. I think folks have made the case that, for example, video game consoles - right? - Nintendo has absolute control over what you can put on their game system. 

Ben Yelin: Right. 

Dave Bittner: So even if you're a third-party provider, your game has to be approved by Nintendo, and you have to pay a percentage of your proceeds to Nintendo. 

Ben Yelin: And Bowser can be very selective... 

Dave Bittner: (Laughter). 

Ben Yelin: ...In which games he allows, so... 

Dave Bittner: That's right. That's right. 

Ben Yelin: Yeah. 

Dave Bittner: So, you know, there's precedent here, and I don't see a whole lot of people having problems with that in the way that they have with this - obviously, bigger ecosystem, not exactly the same sort of thing. But I guess my point is this is not the first time this has happened, nor is it the only place where this sort of thing exists. 

Ben Yelin: Yeah, I think you're right that it's the scale here that matters, and we're talking about the two behemoths. 

Dave Bittner: Yeah. 

Ben Yelin: Not everybody is a gamer, but pretty much everybody purchases apps or downloads apps, free apps, from Apple store... 

Dave Bittner: Right. 

Ben Yelin: ...And or uses Facebook on their mobile device. So I think it's just an issue about scale here. If we're going to have this fight, this is the largest profile version of this fight that we're going to have. Yeah. So I think from a theoretical perspective, Facebook is right. But I also think Apple, given that they have already made this anti-competitive decision to only allow apps to be downloaded through that app store, at least I think they're making the right decision by giving people the opt in, opt out option for Facebook. 

Dave Bittner: Yeah. 

Ben Yelin: But yes, I agree that it would be better if there wasn't this singular market, if there were a way for app developers to get onto people's devices without going through this really restrictive gatekeeper. 

Dave Bittner: All right. Well, we will have a link to that article in the show notes. We would love to hear from you. If you have something you'd like us to consider for the show, you can send it to 

Dave Bittner: All right, Ben, I recently had the pleasure of speaking with Blaise Wabo. He is a health care and financial services director at a firm called A-LIGN. And our conversation centers on some of the major cyber regulatory changes that are coming down the pike. Here's my conversation with Blaise Wabo. 

Blaise Wabo: Today in 2022 we certainly live in a different world in comparison to two years ago. So it's important that different standards have to evolve from a risk standpoint that are relevant with the threats today to be able to address those risk and ensure there are controls in place to mitigate them as well. Obviously, post-pandemic - or at least hoping to be out of the pandemic soon - certainly most people are working now remotely. And there are definitely new threats from a working remotely standpoint, especially when you look at the health care industry, when you think about the evolution of telemedicine just in the last two years. Statistics show that telemedicine has grown by over 2,000% just in the last two years. That's an incredible number, right? 

Blaise Wabo: Now, when you have a physician or a primary care provider that may be at the convenience of their home, and the patient as well, and they're using a remote session, usually with video - and there are device manufacturers that would have what is called a remote patient monitoring device that's either collecting data or transmitting data during the session or, you know, ongoing - on an ongoing basis as well - certainly exposes us to a new level of threat. So it's important that different regulatory bodies are updating their standards to ensure that they are capturing the relevant threats that we're currently dealing with. 

Dave Bittner: You know, it strikes me that, having come through the pandemic and people adjusting to, as you say, in the medical world, being able to have these remote visits, this is something that consumers want. I think this is a convenience that people have grown accustomed to. Do you suppose that the regulatory agencies are going to be able to pivot quickly enough to make this the new norm? 

Blaise Wabo: I think so. I think there is hope. We know about a month ago, President Biden declared a state of urgency, especially for the health care and financial services sector, to ensure that they're implementing their cybersecurity practices to protect their infrastructure. Right? So essentially, the government is looking for the marketplace to be on guard - right? - to put their guards up. From a medical device standpoint, recently, there's been the release of a new standard called the NIST 1800. Essentially, that standard protects the manufacturers of medical devices. So from the standpoint of manufacturing, before it's even deployed into production, the manufacturing companies need to make sure that they're following best practices from a security standpoint. And the FDA came and approved that as well, so the FDA is pushing for those regulations as well. Recently, I saw that the ISO standard - which is an international standard, by the way - recently updated their 27001 standard to ensure that they're using their risk assessment approach. So it's important that everybody is basically doing whatever they need to do to address the relevant risk and ensuring that they are implementing the appropriate controls as well. 

Dave Bittner: You know, I think it's probably fair to say that industry in general doesn't like new regulations and new burdens of new regulations. But how are they responding to these? Are they - is there a recognition that these are, you know, being presented in good faith and for the sake of consumers? 

Blaise Wabo: Yes, absolutely. Dave, I think it's necessary - right? - 'cause when you think about it, especially with the growth of ransomware - which, by the way, ransomware has grown by over 750%, based on a Delaware Consulting magazine - just in the last two years. So now it's not a matter of if you get breached. It's a matter of when you get breached, right? So things like ransomware that can cripple a business plan - it's important that organizations have an incident response plan or a breach notification plan in place, and also some disaster recovery plans. Right? Nobody wants to pay millions of dollars for ransomware. By the way, the government has advised the private sector not to pay those fines or ransomware, I should say, whenever somebody is demanding those things. 

Blaise Wabo: So it's important that organizations across the spectrum have controls in place, they're performing a risk assessment ahead of time, they are ensuring that they have an incident response plan, updating those periodically. More importantly, they are not storing their incident response plan and their disaster recovery plan in the cloud 'cause if your servers or your systems are crippled, there goes your plan as well, right? So having that offsite, updating those periodically, training your employees to ensure that they're paying attention on phishing attacks, not clicking on links that they shouldn't click on, everybody is taking it seriously. We've passed the days - day for cybersecurity is the concern of the IT team or the CISO, for example. Cybersecurity today is a concern of everybody, right? It's important that consumer data is protected. It's paramount, or it will cost companies, you know, millions of dollars or possibly even shut down and go bankrupt. 

Dave Bittner: With the folks that you work with, are you finding that particular industries are best suited to adapt to these changes? Are there certain sectors that are more flexible than others? 

Blaise Wabo: Yeah. So I think time has proven that the financial sector's usually above or ahead of the curveball when it comes to protecting their systems. And obviously that's where the money is, right? So they need to be ahead of the curveball to ensure that people's assets are protected. However, as they implement more controls, the bad guys become more sophisticated. So I'll give you an example. During the pandemic, there is a new term that came out called ransomware as a service. Essentially, what that is - the professional cyber attackers are marketing a product called ransomware as a service, where if you are not as savvy in attacks, you can buy ransomware kits in the marketplace, in the dark web, to launch your attacks, right? So it's becoming commercialized, essentially, right? 

Blaise Wabo: So the financial sector is ahead of - is ahead of the curveball in comparison to other sectors in the industry. However, they are the ones that are being attacked the most. The healthcare sector proves to be lagging quite a bit. A lot of regulations are being pushed. President Trump in January of 2021, before he left office, he signed what is called the HIPAA Safe Harbor, essentially providing some sort of - not total safe harbor but some sort of safe harbor for companies that are implementing cybersecurity practices just to ensure that if you do have an incident and you do have cybersecurity practices in place, it reduces any fines that the Office for Civil Rights, the OCR, would enforce to you. It might reduce the amount of the investigations as well in terms of a time and resource perspective. 

Blaise Wabo: The manufacturing industry, as we both know, Dave, has taken a major hit from a supply chain standpoint, not necessarily from the attacks, mostly from the pandemic. And due to lack of resources, now there they are the most exposed, I would say, right? So it's important that the manufacturing sector is, you know, moving the ball forward, collaborating with agencies and the whole supply chain spectrum to ensure that the third party after third party after third party has controls in place to secure the whole supply chain, essentially. 

Dave Bittner: You know, we see ongoing guidance from government organizations like CISA. But then I also think of, you know, schools, organizations that are chronically underfunded but still have to provide services. Is there a role for the government themselves to step up and help provide some of the services that these chronically underfunded organizations may need? 

Blaise Wabo: There are debates on both sides of the House on that, Dave, and I do certainly have my own opinions. One thing that's important to highlight is in America, at least, we handle things a little differently than the Europeans and the rest of the world. So, for example, in Europe or in Asian Pacific, the government will pass regulations and force everybody to do that. An example is GDPR, right? That's an EU privacy law. That was passed by the EU, you know, Parliament or government, right? In the U.S., one thing that's different is that the government tries to push down all those things to the private sector, which I think in my opinion is more beneficial for the private sector to handle that. 

Blaise Wabo: However, what the government should do is provide subsidies to big corporations. Think about corporations like Verizon or Comcast or many of the several companies that are out there like Apple. If they provide tax benefits and subsidies to those companies so that they can, in a bigger scale, go to the rural areas and provide free internet, as we saw in a lot of rural areas that happened - you know, America stepped up, but it was mostly done by the private sector, right? But they were getting subsidies and tax benefits from the government in order to provide free Wi-Fi and some sort of level of hardware as well for students, underprivileged students that could not afford a laptop, for example. The private sector was stepping up. T-Mobile donated millions of dollars, so as Verizon and Apple as well, from the hardware standpoint. And Dell provided several - I mean, hundreds of thousands of computers. So to answer your question, yes, the government has to do that. However, in contrast to what the EU is - usually does, I think instead of the government passing out regulations - that's why we don't have a federal privacy law in the U.S. You know, the federal government allows the different states and the private sector to regulate that. And it provides subsidies to companies that are forward thinking and tax benefits as well to ensure that if the private sector does that, they are being supported as well. 

Dave Bittner: What sort of advice are you giving for the organizations that you work with in terms of, you know, them being on top of this and making sure that they're prepared for these regulations that are going to be coming and also just protecting the organizations themselves? 

Blaise Wabo: Sure. That's a great question, and there are two aspects of that question. The A part (ph) - access regarding regulations. From my perspective, you need to have a legal team in place - right? - a legal team that understands the types of data that you have internally. Obviously, the legal team is working with your security team as well. Once you understand the types of data that you have and you classify them based on the level of risk, then, you know, the experts from a legal standpoint are monitoring the regulations to ensure that the organization is then up to date on those regulations and they are not violating any rules and things like that. Now, you know, in order to do business in California, which I think most organizations do collect information from Californian residents, you have to comply with the CCP, the California Consumer Privacy Act, right? 

Blaise Wabo: So you need a legal team and a security team that's up to date on those standards and periodically monitoring the sort of data that you guys are collecting, the retention of those data and things like that. So having a legal team to ensure that you are staying up to date and abreast on regulations is super important, whether it's internal or external. You can have an external consultant as well help from that perspective. From a security standpoint, a risk assessment is critical, right? Performing a risk assessment to ensure that you are classifying all the different levels of threats to your organization's assets, you're doing a risk-based scoring system to determine, what score am I assigning to this particular threat to cripple the organization? And then you're implementing controls to mitigate that risk, right? Having an incident response plan is super important, as I mentioned earlier, and a disaster recovery plan to ensure that you can resume business and continue servicing your customers if you have a - when, not if, but when you have an attack or you have downtime. But it's also important to make sure that you're having cyber insurance. 

Blaise Wabo: And, Dave, as we both know, today's cyber insurance, the premiums are not cheap. They continue going up year over year. Matter of fact, most cyber insurance companies are controlling the conversation. So what that means is if you don't have those minimum things that I described, like risk assessment and disaster recovery plans, penetration testing performed by an external third party, you probably will not even qualify to get cyber insurance in the first place, right? You need to have those minimum controls. But having cyber insurance is critically important today. Most investors from a venture capital standpoint will not even give seed money to any startup if you don't have some sort of cybersecurity practices and cyber insurance in place as well. 

Blaise Wabo: So I think those are the minimum things that organizations need to do, and then do periodic audits, right? Things like ISO 27000 and SOC 2, and depending on what sort of data you're handling, PCI DSS and HIPAA and HITRUST and NIST 800, all of those things are important to do as well to ensure that you are monitoring your controls over time. 

Dave Bittner: Ben, what do you think? 

Ben Yelin: It's a really good interview. One of the most striking points to me is when you asked him, well, what can organizations do about this? 

Dave Bittner: Yeah. 

Ben Yelin: And the two things he mentioned were hire good attorneys and purchase cyber insurance. 

Dave Bittner: Right. 

Ben Yelin: Those happen to be like two of the most expensive things, especially for a small organization. 

Dave Bittner: Yeah. 

Ben Yelin: So I just - I am sympathetic to smaller companies who are faced with these large regulatory regimes that are very difficult to understand. And they don't have the resources to hire the best attorneys or purchase cyber insurance. So I think even when regulations are well-intentioned, as I think everything he was discussing, this interview is well intentioned, I just kind of - my reaction was, if the best way to ameliorate these problems is to hire expensive attorneys and get expensive cyber insurance, that's going to be a problem for a lot of companies. 

Dave Bittner: You know, it reminds me. I have a friend who was an executive at a local bank, you know, a community bank, a small chain, you know, half a dozen local banks. And I was talking with her and just asking her about, how are things going in the banking world? And one of the things she mentioned was that she didn't think we were going to be able to have community banks for much longer because of the regulatory regime that had been put in place. It was really hard for them to be competitive at the scale that they would run at. So in order to be compliant, she believed they would - it was in their best interest to basically be absorbed by a bigger company that could handle all of that. And she questioned, is that good for the community for there to be two or three banks in the nation, you know? 

Ben Yelin: No, it's not good for the community. It's really bad. And there are a lot of scholars who have argued that sometimes the very companies that push for these stringent regulations are the ones who want to drive their smaller competitors out of business, and they're the ones who have the lobbyists that can make this change happen. And it is really unfair. You know, the deck is stacked against these smaller companies. 

Dave Bittner: Yeah. 

Ben Yelin: So that's why - I think it's just something you have to keep in mind, not - regulations aren't inherently good or bad. 

Dave Bittner: Right. 

Ben Yelin: It depends on what the regulation is and where it's targeted. But it is a real phenomenon that oftentimes, even seemingly benevolent regulations end up hurting the little guys disproportionately. Yeah. 

Dave Bittner: All right. Well, again, our thanks to Blaise Wabo. He is from the cybersecurity firm A-LIGN. We do appreciate him taking the time for us. 

Dave Bittner: That is our show. We want to thank all of you for listening. The "Caveat" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Ben Yelin: And I'm Ben Yelin. 

Dave Bittner: And thanks for listening.