Caveat 8.18.22
Ep 138 | 8.18.22

The U.S. and China's cyber relationship.

Luke Tenery: It's varied, you know, from year to year or over, you know, even the decades - but clearly, you know, different dynamics now versus 2015. But I would say the one, you know, consistent theme is the persistency of the threat and the evolution of the aspects of, you know, targeting different types of information.

Dave Bittner: Hello, everyone, and welcome to "Caveat," the CyberWire's privacy, surveillance, law and policy podcast. I'm Dave Bittner. And joining me is my co-host, Ben Yelin from the University of Maryland Center for Health and Homeland Security. Hello, Ben. 

Ben Yelin: Hello, Dave. 

Dave Bittner: Today, Ben shares an appeals court case on free-speech rights and social media. I've got the story of online health tracking services oversharing with Facebook. And later in the show, my conversation with Luke Tenery of StoneTurn - we're going to take a look back at the OPM breach. 

Dave Bittner: While this show covers legal topics and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney. 

Dave Bittner: All right, Ben, we got some good stories to share this week. You want to kick things off for us here? 

Ben Yelin: Sure. So we're getting into back-to-school season - for those of us with kids - and so I thought we could share a case relating to First Amendment protections for off-campus speech on social media for students. And in this case, it was a high school student. So this article comes from the Electronic Frontier Foundation. They were involved in this case. They wrote a friend-of-the-court brief to argue on behalf of the student. So the student - they never release the full names of minors in these cases - but it's - C1.G. v. Siegfried is the name of the case. 

Dave Bittner: OK. 

Ben Yelin: This student was caught making, really, an offensive Snapchat post outside of school. He was with his friends on a Friday night at a thrift shop. He was basically putting on Nazi paraphernalia and made a pretty derogatory joke about Jewish people in a community - this is actually in the state of Iowa, but it's in a community where apparently there are a lot of Jewish students. He deleted the post a couple of hours later and apologized for it, but somebody else had taken a screenshot of the post. It got around. Kids share these things, as they do. It got to the principal of the school. There was a big outcry among the Jewish community and other students, faculty, staff, parents at the school. The student was suspended while they did an investigation. Ultimately, he was expelled. 

Ben Yelin: So the student is challenging his expulsion - as is his right because it is a public school - on First Amendment grounds, basically saying that he has a free-speech right to post on social media - on online media - not during school hours without facing the consequence of expulsion. And this case made it to the 10th Circuit Court of Appeals, which is in the Upper Midwest. The 10th Circuit really relies on a case we discussed last year. It was a Supreme Court case called Mahanoy v. B.L. - a pretty similar case, actually, where a cheerleading student wrote F cheer - basically saying, F her cheerleading friends and coaches. And the Supreme Court held... 

Dave Bittner: Friends in quotes - in air quotes. 

Ben Yelin: Exactly. Yeah. 

Dave Bittner: Right. 

Ben Yelin: She was not happy with her cheer team. 

Dave Bittner: Right. 

Ben Yelin: The Supreme Court came up with this standard that, yes, there is diminished First Amendment protection when we are talking about things that take place in public schools. If we gave full free-speech rights to public school students, that would be very disruptive. If a public school student could go up to a teacher and say, go F yourself, that would be very disruptive to the school day. The school wouldn't be able to maintain order. There's this whole concept of in loco parentis, which is fancy Latin for in lieu of the parents, meaning the school is playing the role of a parent - they should be able to enforce discipline, maintain order. All of that is necessary for a public school. 

Ben Yelin: But what the Supreme Court said is that generally doesn't apply to off-campus speech. Off-campus speech is only unprotected under the First Amendment if it would cause or would be very likely to cause disruption at school itself. So if it's something where somebody is making a threat to a student at school - a direct threat - if there are fighting words or if it's an obscenity at another student that would cause unrest or some type of dispute in school, in school hours, then it is not protected speech. But if it's something that is off campus, even if it is patently offensive - which the speech certainly was here - that is protected First Amendment speech. 

Ben Yelin: And so this student's expulsion was reversed by the 10th Circuit Court of Appeals, and we now have another example of a case where courts are recognizing students' - young kids' free-speech rights on social media platforms, even if it would have some sort of effect on what happens in school. And I got to be honest - I don't want to be a Debbie Downer here... 

Dave Bittner: (Laughter). 

Ben Yelin: ...Or somebody who's coming down hard on the kids. 

Dave Bittner: Right. 

Ben Yelin: I'm not sure I agree with the outcome of this case. I'd want your perspective. But if the standard is - speech is allowed, as long as it doesn't disrupt what happens during the school day - as long as it's not likely to cause dissension at school - something that would interrupt students' ability to learn. That's the standard. I think something that's this patently offensive, where parents take note, the principal learns about it - it could cause certain students to feel unsafe or unvalued at school. 

Dave Bittner: It's all the kids are going to be talking about on Monday. 

Ben Yelin: Right. 

Dave Bittner: Yeah. 

Ben Yelin: And maybe it really is. I'm just not sure I agree with the outcome of that case. But I guess, as a First - somewhat of a First Amendment absolutist, I should probably come down on the side of protecting the First Amendment. 

Dave Bittner: (Laughter). 

Ben Yelin: I guess I'm wrestling with this in my own head here... 

Dave Bittner: Yeah. 

Ben Yelin: ...But I'd love your... 

Dave Bittner: Hypocrisy is a hell of a drug, Ben, isn't it (laughter)? 

Ben Yelin: It is. I'd be interested in your perspective on it, though. I mean, from a legal sense, we - the First Amendment is incredibly robust. It is the First Amendment for a reason. It says Congress shall make no law, and that's been imputed to the states. And that's pretty absolute. It means we can only restrict speech in a very limited number of circumstances. 

Dave Bittner: Yeah. 

Ben Yelin: And so I recognize that right, but I'm also going to be the parent of somebody entering kindergarten, and if somebody posted something like this and it got into the school ecosystem during school hours, I could see how that would be somewhat disruptive, even though it was on Snapchat outside of the school day. 

Dave Bittner: Yeah. So yes, I have thoughts. I - my impulse here is that the school's ability to apply its discipline to - a school's ability to apply its own consequences should not extend beyond what happens on campus. That's my impulse. 

Ben Yelin: Sure. 

Dave Bittner: In other words, now, I - and I'm - and admittedly, I'm coming to this from a pre-social media experience, right? So my thoughts on this are formed by, you know, Dave is a jerk at the video arcade, right? 

Ben Yelin: Which he is. 

Dave Bittner: Yeah. 

Ben Yelin: Let's admit that. 

Dave Bittner: Sure. 

Ben Yelin: I'm sure, yeah. 

Dave Bittner: Yeah. And it's - everybody's talking about that. That shouldn't lead to a suspension or an expulsion in school because I didn't do anything at school. 

Ben Yelin: Yeah. I mean, that's the really interesting angle here, and this is why we're talking about it on this show - this is really a case about the power of social media. 

Dave Bittner: Right. 

Ben Yelin: If this was somebody making an offhand comment and they took a Polaroid picture in the 1980s... 

Dave Bittner: Yeah. 

Ben Yelin: ...That type of thing just doesn't get around. It's kind of impossible to spread. The kids themselves would probably keep it private - maybe put it up on a bulletin board, and a couple of friends will see it. That's fine. This is still somebody's personal device. It's not like they're sending this image to the school email list. However, it is social media, meaning probably most of the students' peers are on Snapchat. So even if it was deleted, many of his friends, including some who might take offense to what he did, were able to see it. 

Dave Bittner: Right. 

Ben Yelin: And even though it occurred outside of school hours, it's something that really could permeate the school doors. The other thing I think about is we went through this period of virtual learning. So I think this dividing line between - within school doors or outside school doors is a little murkier than it was 2 1/2 years ago... 

Dave Bittner: Yeah, that's a good point. 

Ben Yelin: ...Especially since you never know when we're going to have to do that again. And how far does the school's reach go in regulating virtual activity? So I just don't really know the answer to those questions. I think that, from the court's perspective, none of that is as important as protecting First Amendment free-speech rights for the students. I guess I'm just kind of torn on this case. 

Dave Bittner: Yeah. You know, it reminds me - earlier this week, I saw on Twitter - and I apologize - I don't remember who it was who posted it. But it was a woman who was a mom, and, you know, getting ready for this upcoming school year, the school had sent out their - more than a social media agreement. It was sort of a student code of conduct, I guess. 

Ben Yelin: Right. 

Dave Bittner: And also - I don't know what the term of art is, but it was - these are the rules. Sign here to show that you agree to the rules. 

Ben Yelin: Right. 

Dave Bittner: Right. And the student signs it, and the parent signs it. Well, this parent had pointed out that on this agreement was - the school reserved the right to inspect a child's social media posts on their personal device, even things that took place outside of school. And the mom was like, oh, no, no, no, no, no, no, no, no, no (laughter). 

Ben Yelin: Yeah. 

Dave Bittner: Right? 

Ben Yelin: And I can understand that. I mean, that does seem very, very invasive. 

Dave Bittner: Yeah. 

Ben Yelin: I think the difference with a social media - I mean, I guess it depends on the reach of this person's Snapchat account and how many people saw it before it was deleted. Generally, my instinct is to agree with this mother that that is very intrusive... 

Dave Bittner: Yeah. 

Ben Yelin: ...That that's none of the government - and in this case, the government is the public school administration - that is none of their business. I can control what happens with my kids at home just the way that they're in charge of my kids when they're at school. But I think those lines really get blurred because what happens outside of the school really can have a substantial impact at the school. 

Dave Bittner: Yeah. 

Ben Yelin: Now, what the court did here is go through that test, really examine the facts and see if this is the type of speech that would be likely to cause disruption at school. And they really determined that even though this was controversial and it went to the principal, and it went to parents and teachers - even despite all of that, it wasn't something that was going to be disruptive during the school day because it wasn't - I'm going to beat up Johnny tomorrow. 

Dave Bittner: Right. 

Ben Yelin: Come to the lunchroom for a fight. 

Dave Bittner: Yeah. 

Ben Yelin: Or I'm going to beat up all the Jewish kids at school. It wasn't that. It was theoretical and wasn't directly related to something that was going to happen at school. 

Dave Bittner: Yeah. 

Ben Yelin: I just guess that's really a fine line. I mean... 

Dave Bittner: I don't want to give the kid a pass, but it sounds like a kid being a dumb kid... 

Ben Yelin: Right. And he... 

Dave Bittner: ...You know? 

Ben Yelin: ...Was being a dumb kid, and he apologized for it. 

Dave Bittner: Yeah. 

Ben Yelin: Although I will note, if you actually read the case, his apology made several spelling errors that kind of rendered it more laughable. He spelled the word meant M-E-N-T, so... 

Dave Bittner: (Laughter) Maybe he needs to spend more time in school. 

Ben Yelin: In class, yeah - maybe it really is interrupting his school day. 

Dave Bittner: So let me ask you this. When I'm - so at school, we agree that it is the school's right to search my locker. 

Ben Yelin: Right. 

Dave Bittner: OK. Is it within the school's right to search me? 

Ben Yelin: Yes, yes. It's not - while you are in public school, you don't have traditional Fourth Amendment rights. There is some level of protection. There couldn't be arbitrary searches. You can't have, like, a generalized stop and frisk policy. 

Dave Bittner: OK. 

Ben Yelin: But you wouldn't have to go get a warrant if you suspected that a kid was carrying drugs. You could check his pockets in school. Generally, that's the accepted standard. 

Dave Bittner: OK. So I guess the question is, does that right to search me include my mobile device? 

Ben Yelin: Would the - I'm just kind of thinking about what the Supreme Court would say. They say that a mobile device really is something special. You can't just search it incident to arrest as if it was somebody's pocket notebook or something. That's what they said in Riley v. California, is that there's so much personal information that just because somebody is arrested - you need to have a separate warrant in order to search that device. So there is this increased level of protection beyond the physical things that you find in somebody's pocket when it comes to mobile devices. And I get that. But again, this wasn't, like, somebody's personal diary that they wrote in notes. This is something that they did share publicly. 

Dave Bittner: Right. Right. Right. 

Ben Yelin: So, yeah, it's just one of those - it's kind of a 50/50 issue, but it shows that - another example of where the standard - the legal standard that's set up here about disruption to the actual school day gets a little more complicated when we're talking about social media because the reach of social media posts is so much larger than anything that could have happened outside of school doors 20 or 30 years ago. So it's interesting that the court standards have really not changed, despite the fact that social media posts themselves are so prevalent and so public. And it's almost as if - you know, if every kid in the school is on Snapchat, it's like saying something over the loudspeaker. That's how far the reach is. 

Dave Bittner: Yeah. 

Ben Yelin: So it's just - it's - it was just a very interesting case from my perspective. 

Dave Bittner: Yeah, for sure. All right. We will have a link to that in the show notes. My story this week comes from Forbes. This is written by Alexandra Levine - might be Levine. I apologize, Alexandra. And it's titled "Digital Medical Companies Funnel Patient Data to Facebook for Advertising." I don't even know if we need to read the article here, but (laughter)... 

Ben Yelin: Yeah. That does not sound good. 

Dave Bittner: So basically what's happening here, there is a research group called the Light Collective, and they have a peer-reviewed study that they published in a journal called "Patterns," which evidently is a journal covering data science. And they were looking at the ways in which people's health-related activity online is tracked across websites or platforms and then used for advertising purposes on Facebook. And they studied five different online tools that people who are cancer survivors or people who are going through cancer diagnoses, you know, living with cancer... 

Ben Yelin: Right. 

Dave Bittner: ...That sort of thing, fighting cancer. And they use these online digital health tools. And what they found was that there are third-party ad trackers used by those health tool companies. And these tools - surprise, surprise - track them around the web and then send the information off to Facebook to be used to target them for advertising. 

Ben Yelin: Yeah. I mean, this obviously rubs me the wrong way. There are a couple of striking things about this article. First is that they contacted these five companies that run these online medical services, and only two of them responded and basically said, we're looking into it. And then a third one gave the sort of nondenial denial saying, we don't purposely share... 

Dave Bittner: Right. Your privacy's important to us. 

Ben Yelin: It's very important to us. Yeah. 

Dave Bittner: (Laughter) Right. 

Ben Yelin: We would never do anything to jeopardize the personal relationship we've established with you on our website. 

Dave Bittner: Yeah. 

Ben Yelin: The other interesting element is a spokesperson for Meta, the parent company of Facebook, basically said, yeah, they really shouldn't be doing that with us. We have a very clear policy about what advertisers are able to share on our platform and how information breadcrumbs collected on the internet can turn into targeted advertising. And that's not how it's supposed to work. I don't think any of that would have come to light, and none of those statements, either by these companies or from Meta, would have come to light without this peer-reviewed study. So it makes you question what else is going on under the hood that we're not going to discover. 

Dave Bittner: Right. 

Ben Yelin: And we're talking about very personal information - I mean, we're - people with cancer diagnoses. Perhaps they haven't shared that diagnosis with family members, their employer, and now it's being used to target their advertisements on Facebook. I think it's kind of a big deal. 

Dave Bittner: Yeah. 

Ben Yelin: And it's a little disturbing that not only are the companies doing this, they don't really seem to be aware that it's happening. 

Dave Bittner: Right. This article points out that a couple of the companies are doing this in direct - contrary to their own privacy statements. 

Ben Yelin: Right. I think we have to look at why they're potentially doing this, and it's really about quite a robust profit motive. There's a great quote here from - I guess it's the people who drafted this study. While the digital medicine ecosystem relies on social media to recruit and build their businesses through ads and marketing, these practices sometimes contradict their own stated privacy policies and promises to users. I think what that tells us is they can't really resist - or maybe they're willing to look the other way - the pull of online advertising. 

Ben Yelin: It's hard for some of these companies to be profitable. It's hard for any online company to be profitable in isolation. One of the ways you can be profitable is your most valuable asset, which is the information your users share on your website. And there's a lot of money to be made from that. And that's why there are so many third-party sellers because there's a lot of money to be made from it. 

Ben Yelin: So one thing that I think is worth noting - we've talked about how people don't actually read the privacy policies. It seems like the companies themselves might not be taking their own privacy policy seriously... 

Dave Bittner: Yeah. 

Ben Yelin: ...If they're willing to look the other way and kind of let these things happen. 

Dave Bittner: Yeah. There were a couple things. One of the organizations that they looked into is called Health Union. And they spoke to the president of Health Union, Lauren Lawhon, who said that - she said that, you know, when you log on to their site, they have pop-ups giving them the choice to accept or reject cookies. Well, we've all seen those. 

Ben Yelin: Right. 

Dave Bittner: What do you do? 

Ben Yelin: I want to read the - I want the information. I'm checking the box. 

Dave Bittner: Right. 

Ben Yelin: Yeah. 

Dave Bittner: And there's also - she said there's also a do not sell my information link at the bottom of their pages. Well? 

Ben Yelin: You probably need some significant eyeglasses to... 

Dave Bittner: (Laughter). 

Ben Yelin: ...See that typeface. 

Dave Bittner: Right. Right. And then also, the folks at Health Union point out - wait for it, Ben - they're not covered under HIPAA because they're not health care providers. 

Ben Yelin: I love this one. 

Dave Bittner: And I'm imagining our friends over at the "Help Me With HIPAA" podcast, you know, leaning back in their chairs, cackling out loud (laughter). 

Ben Yelin: Shout-out to Donna Grindle... 

Dave Bittner: That's right. 

Ben Yelin: ...I mean, if she's listening somewhere. 

Dave Bittner: Right, right. She just did a spit-take with her coffee or whatever. But they say they're not a health care provider, but rather a publisher owning various health-related websites, which is true. 

Ben Yelin: It is true. 

Dave Bittner: But - I don't know. Letter of the law, spirit of the law, right? 

Ben Yelin: Yeah. People always think that HIPAA is going to save them. It's protected health information. Either A, I don't have to share it if you ask me, or B, whichever organization I'm giving my personal health care information to is obligated under HIPAA not to share that information. You'll have to be very careful with that. HIPAA only applies to covered entities. That starts with medical providers and those who service medical providers. It's been extended to companies like LabCorp, online data - companies that maintain online databases for medical providers. But it doesn't extend that far beyond that. So people's general presumption should be that HIPAA is not covering a particular website or a particular service. Better safe than sorry, and in many cases, HIPAA is not going to save you. 

Dave Bittner: Yeah. 

Ben Yelin: I do think it violates the letter - or the spirit of the law because people here are sharing rather personal health information. 

Dave Bittner: Right. 

Ben Yelin: But the letter of the law is quite clear. And I think in order for some of these more non-health care provider organizations to be covered under HIPAA, you need a significant change to the law and a significant change to the definition of covered entities. 

Dave Bittner: Yeah, to me, this really points out the need for some kind of federal legislation. Look, make this opt in. I think, just make - if you want to sell my information, I have to opt in. You can't automatically opt me in with anything medical, like there - anything personal. You know, just that one thing would - think about how much that would change. 

Ben Yelin: Absolutely. I think all roads lead to Congress should pass a federal data privacy law. 

Dave Bittner: But it's a long and winding road, Ben (laughter). 

Ben Yelin: Yeah. I mean, we could - maybe 80% of our stories we could sum up with Congress would pass a... 

Dave Bittner: There ought to be a law. 

Ben Yelin: There ought to be a law that does that. 

Dave Bittner: (Laughter). 

Ben Yelin: I do think there's some hope. Many of our guests on this show have said the same, that there might be momentum towards a federal data privacy law. Exactly what that would look like and when it will happen, we don't know. 

Dave Bittner: Yeah. 

Ben Yelin: But, yeah. So many of these problems exist because there is a vacuum at the federal level. There is no federal data privacy law. We have a patchwork of laws that apply in various circumstances, HIPAA being one of them. And then we have state laws, CCPA being the most prominent example. But until we have a clarifying federal data privacy law, we're going to get a lot of these articles where it's like, hey, that shouldn't be legal. But it is because we do have this policy vacuum. 

Dave Bittner: Yeah. All right. Well, we will have a link to that in the show notes. We would love to hear from you if there's something that you would like us to cover on the show. You can email us. It's 

Dave Bittner: Ben, I recently had the pleasure of speaking with Luke Tenery. He is from an organization called StoneTurn. And we took a look back at the OPM breach - one of the biggies, right? - and had a conversation about that, some of the history there and also some of the takeaways, how it's informed some of the things that folks are doing today in the privacy and data security field. Here's my conversation with Luke Tenery. 

Luke Tenery: Really impactful, then - I would consider the OPM breach a watershed event. It goes back to 2015, quite a bit of impact, essentially to government employees, particularly those for the federal government. For those that don't know what the OPM is, it's essentially like the HR function for the federal government. And in this particular case, an adversary or a threat actor compromised the network. And there were essentially two separate but related cybersecurity incidents - as has been disclosed, mind you - that affected the information of federal employees. In one category, it basically says the information of federal government employees, their HR-related information was compromised. And then another group, those related to background screening, particularly for kind of more sensitive clearances - their background screening form information. I believe it's called the - some of the SF forms or SF 86, I believe it is, were compromised. 

Luke Tenery: So you can kind of think about the value of that information, particularly those that are, you know, pursuing or the government is designated as a need to know to sensitive information. The people that have gone through the background screening process for those levels of clearance, their information was compromised as well. And not just those people, but there's a ripple effect to that in that, you know, when those forms - they cite different references, close parties of contact, spouses, et cetera, family members. And so you can imagine the level of sensitivity that would have been contained in that combined incident. 

Luke Tenery: But it goes back to 2015. It's sort of been resurrected a little bit of late, particularly for some of the claims that essentially are earmarked to or settlement to the victims. That's been the news of recent weeks. But obviously, people have made aligned comments to that with the suspected threat to that being - or suspected to be China, rather. And so, given recent tensions there, it sort of raises the recollection of that, even though it's a pretty dated incident at this point. 

Dave Bittner: I mean, my recollection, you know, having some friends who were in that cleared community was that they certainly considered it to be a big deal, you know, quite a violation. And I think it's fair to say that for the U.S. government itself, this was both a wake-up call and a black eye in terms of their cybersecurity. What happened in the immediate aftermath of this event? What was the response? 

Luke Tenery: Yeah. Beyond the - just their public statements on and what, you know, I've sort of gathered from having relationships of - both formerly of the federal government, et cetera. The understanding that I have is FBI and, I believe, DHS investigated. So kind of think of the key government resources at the time - granted, much has evolved in terms of what a response to a cyber incident would look like in 2022 versus what it looked like in 2015. But ultimately, the FBI responded to investigate, and then DHS was involved as well. So Homeland Security had some level of apparatus to, you know, secure the environment as well, but ultimately investigation, security and response. And then, you know, in terms of the broader, I guess, remediation - all sorts of - sort of credit monitoring and identity-restoration-type protection services were allocated to, you know, give some level of service to the victims for broader identity protection services. 

Dave Bittner: Can you help us understand, if you're a government employee - if you're someone whose information was released as the result of this hack - what do you have at your disposal in terms of some sort of settlement with the government? What options do you have? 

Luke Tenery: The full sum of that is - again, I'm not a former federal government employee, and all I can tell you is what they have allocated is through the victim registration and interrelated services on the site. But what I can tell, having been involved in breach response and protections for victims over time - over the last 15 years or so, where this was sort of a big deal - basic credit monitoring is certainly part of it - aspects of other identity theft prevention services. So kind of think trying to monitor for hits to your credit, random usage of social, et cetera, to not just open up lines of credit, but register for utilities and other services. Those are sort of the protections that, you know, were offered for these victims. 

Luke Tenery: And then just recently, as you mentioned, some level of litigation and settlement for harm or damages - I think a judge recently sort of approved or preliminarily approved somewhere in the neighborhood of 60 million - $63 million, which averages out to, I think, around - the current math is about $700, I guess, for victims that register in that way. But ultimately, you know, not much more than a typical consumer set of protections, to my knowledge, although there could be other protections or, you know, monitoring that the government has in place for the victims. I just don't know that by virtue of not coming from that area of the government. 

Dave Bittner: Sure. And how has our relationship with China both been informed by this event and evolved in the years since it happened? 

Luke Tenery: Yeah, I wouldn't say the relationship or - there are definitely certain dynamics and strings, likely, that came out of the OPM breach. But I would say the incident itself was probably more just symptomatic of prior and preexisting tensions - the dynamic around, you know, the nation-state adversaries, et cetera, that - by that point in time, there - it had been pretty well documented and known, even prior to 2015 and going back to the 20-aughts or 2000s, that there was some level of cyber activity - sort of non-kinetic activity between the U.S. and China from a cyber perspective. And so, you know, from that vantage point, the broader, you know, theft of intellectual property, gathering intelligence about our people or also our government employees - that sort of targeted information has been pretty well known, and we even can - seeing, from an adversarial sense, nation-states go after, you know, similar, more updated information. 

Luke Tenery: The Marriott breach comes to mind in terms of one of the more publicly known ones. You can imagine what adversary could do with that type of information in terms of, you know, identifying government employees, where they're traveling, or aspects, you know, from an OPM perspective, highly sensitive - people with clearance, potential politicians - and having that information at their disposal for things such as influence operations, identifying spies, assets of spies, et cetera. 

Luke Tenery: You know, really, the intelligence treasure trove that that was was just kind of further symptomatic. They leveraged a cyber apparatus to compromise that information, but they'd really been targeting a variety of our - I'm not downplaying it at all, but they - up until that point, they had been targeting a variety of information, and it really was, you know, probably not really a known target of source - being OPM. But certainly, at that point, it was clear that, you know, a variety of nation-state adversaries were probably interested in kind of obtaining that level of sensitivity and information about federal employees. 

Dave Bittner: Is there a sense that, in the years since this hack took place, that the government has had the opportunity to make the adjustments that are necessary, and we're in a better place now? 

Luke Tenery: That's a difficult question to answer in some sense. We're coming off - I used the term watershed a few moments ago for OPM in 2015. And, really, we had a new iteration of a watershed cyber moment in late 2020 with SolarWinds - and so a totally different type of attack. It was of the supply chain variety, whereby, in this case, a different - likely different nation-state adversary compromised a third-party resource - that was SolarWinds - that, you know, many government entities leveraged their software products to protect their networks. But ultimately, it's still unclear. The fullness and panoply of information that was targeted in that sense could have been a variety of different circumstances. 

Luke Tenery: But ultimately, you know, there is this sort of cycle and iteration of evolution of attacks. And so I think the one expected or consistent theme is, in this case, Dave, that, you know, the nation-state versus nation-state - they'll continue to evolve. It's clear that the information that they target varies from year to year, depending upon circumstance. You know, many of - we know for years that one or more nation-states have targeted U.S. corporates and defense industrial base - or commonly referred to as the DIB - their information for, you know, defense - their own defense purposes, and then other, you know, even more corporate espionage dynamics for being more competitive in the landscape and global economy. 

Luke Tenery: So it's varied, you know, from year to year or over, you know, even the decades - but clearly, you know, different dynamics now versus 2015. But I would say the one, you know, consistent theme is the persistency of the threat and the evolution of the aspects of, you know, targeting different types of information using highly sophisticated means and well-thought-out and strategic attacks. That is a consistent theme. And, you know, what they intend to do with that information may evolve. 

Luke Tenery: But, obviously, you know, it's notable, over the last handful of weeks, they, you know, have shown different advancements in their military technology, including a new aircraft carrier, hypersonic weaponry. And so all these are visibly, to the layman, generational updates to their capability that, you know, have taken a relatively short period of time in many respects. But ultimately, yeah, I would say the constant evolution of everything, Dave - increased sophistication, but then changing of targets of strategy are what - are kind of consistent between even 2015 to now. 

Dave Bittner: All right, Ben, what do you think? 

Ben Yelin: It was really a good retrospective on the OPM hack. I mean, I think that was - for many people, that was the first foray into cyber risk, especially for federal government employees who just didn't spend that much time thinking about what would happen if their information were hacked. 

Dave Bittner: Right. 

Ben Yelin: And then it was the scale of it because we're talking about millions of records. It became kind of the original sin of cyber incidents, in that it informs how we think about them. 

Dave Bittner: Yeah. 

Ben Yelin: It's kind of - not to return to the same theme here, but you'd think that the OPM hack, because it affected so many federal employees, would have led to more of a groundswell in support of robust cybersecurity legislation. And Congress has done a good deal to try to abate some of these risks, but it hasn't quite served as the motivator that many of us thought it would at the time. 

Dave Bittner: Yeah. Somebody needs to hack Congress, Ben (laughter). 

Ben Yelin: Don't say that out loud. 

Dave Bittner: Did I say that out loud (laughter)? 

Ben Yelin: Yeah. Keep that thought to yourself. 

Dave Bittner: Oh, gosh. Sure. 

Ben Yelin: Should we delete that? 

Dave Bittner: I'm using my outside voice. Oh, dear (laughter). 

Ben Yelin: We might need another - you know, we might need another disclaimer at the end of this show. 

Dave Bittner: That's right. That's right. That's right. Yes - things that Dave says out loud should not be taken seriously... 

Ben Yelin: Exactly. 

Dave Bittner: ...Because he is not a lawyer (laughter). 

Ben Yelin: I just have to be a little more careful. 

Dave Bittner: Yeah. 

Ben Yelin: You can really - I might have to funnel my thoughts through you just in case. 

Dave Bittner: Well, you - yeah, that's right. You probably have more robust insurance than I do, also (laughter). 

Ben Yelin: Fair enough. Yeah. 

Dave Bittner: All right. Well, again, our thanks to Luke Tenery for joining us. We do appreciate him taking the time. 

Dave Bittner: That is our show. We want to thank all of you for listening. The "Caveat" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Ben Yelin: And I'm Ben Yelin. 

Dave Bittner: Thanks for listening.