Caveat 4.20.23
Ep 169 | 4.20.23

The U.S. Government and a cybersecurity budget.


Ilona Cohen: This is an area where bipartisan cooperation is available, and it's important for our collective security.

Dave Bittner: Hello everyone, and welcome to "Caveat," the CyberWire's privacy, surveillance, law and policy podcast. I'm Dave Bittner, and joining me is my cohost, Ben Yelin, from the University of Maryland Center for Health and Homeland Security. Hello Ben.

Ben Yelin: Hello Dave.

Dave Bittner: Today, Ben has the story of a proposed Montana state law to ban TikTok. I've got the story of the FTC taking action against an Amazon merchant, and later in the show, Ben's conversation with Ilona Cohen of HackerOne to discuss President Biden's cyber strategy and national budget allocations for cybersecurity. While this show covers legal topics and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney. All right, Ben, we've got some good stories to cover this week. Why don't you start things off for us here?

Ben Yelin: So for my story, we take a trip up to the great state of Montana, Big Sky country. If you've never been there, it is spectacular. Highly recommend Glacier National Park. [laughter] But our story concerns a proposed state law that would ban TikTok entirely within the state of Montana. This has passed the state House and the state Senate, so it is on the desk of the Governor, Greg Gianforte, who is deciding sometime in the next 10 days whether to sign this into law. It would be the first bill of its kind in the entire country to explicitly ban TikTok. Now, we've seen a bunch of other states ban TikTok on state-issued devices.

Dave Bittner: Right.

Ben Yelin: That's become increasingly common. This would ban TikTok within the state, meaning Google and Apple would not be able to have the app available within the jurisdiction of Montana. There could be criminal or civil penalties for a person who violates that ban on TikTok. There are several problems with this. Before we get to the constitutional issues, there's the matter of enforcement. Both Google and Apple have said that this is virtually impossible to enforce. They can't tailor an app store so that an app is just not available in a single state in the United States. That's just beyond their current capabilities. I can certainly understand why it would not be in their interest to have that capability.

Dave Bittner: Yeah.

Ben Yelin: They don't want to be beholden to a bunch of over-aggressive state legislators who are just banning applications.

Dave Bittner: Right. [laughter] Just -- I'm sorry, forgive me, but I just -- I couldn't help thinking, imagine what would happen if Florida got their hands on this kind of thing, right.

Ben Yelin: Yes. Disney+ would certainly not be available there.

Dave Bittner: That's right.

Ben Yelin: You'd have to watch bootlegged versions of the old Little Mermaid.

Dave Bittner: Right, right.

Ben Yelin: Then there's the question of the border. Montana is adjacent to a bunch of other U.S. states. I'm not a geography expert, but I believe it touches Wyoming, Idaho. Because it is in close proximity to those states, and there are some border towns, I remember West Yellowstone National Park is in Montana --

Dave Bittner: Mm-hmm.

Ben Yelin: -- you could be connecting to a cell phone tower in another state to download TikTok. And there's some question about whether that would actually violate the statute. So those are just two practical problems. People using VPNs or disguising their location would be an obvious way to get around this ban. So it's almost certainly going to be unworkable. That's almost besides the point, because what we're really interested in here is the major constitutional issues.

Dave Bittner: Okay.

Ben Yelin: And I'll try and run through them. There was actually a really good Techdirt article that listed some potential constitutional problems here. The first is what's called a Bill of Attainder. So the Constitution forbids laws that target certain individuals or certain companies. It's a little unclear how that would apply to legislation passed in the state legislature, but certainly courts would look disfavorably on that. That's why most well-crafted laws that do things like ban TikTok are drafted in a way that doesn't make it obvious that you're targeting one company. So, for example, when Congress tries to defund Planned Parenthood, they'll say, no funds, and this should be available to a national abortion provider who has more than 100 and whatever million dollars in revenue.

Dave Bittner: I see.

Ben Yelin: So the effect would be targeting one company, but it's not explicitly targeting that one company.

Dave Bittner: Huh? Okay.

Ben Yelin: So that's one problem. There are the First Amendment rights of TikTok itself. This would basically be the equivalent of the government banning a magazine from printing a story or the government seizing a printing press. I'm not sure that that's entirely accurate, so I was quoting there from the Techdirt article. I think there are some important differences. TikTok is posting third-party content. It's not necessarily their speech.

Dave Bittner: Right.

Ben Yelin: But there is, I think, an argument to be made that you are suppressing the free speech rights of TikTok creators who have a right to have -- to put their content out there. I mean this is a very popular platform. There are certainly political messages, artistic messages that you really couldn't spread to the masses unless you had access to this platform that has 150 million users within the United States. There are the First Amendment rights of app store operators. They can or at least should be able to determine which applications they do and don't distribute. So putting a ban on Google and Apple from having this in their app stores would be that kind of inhibition. Then there's this issue, and this is getting really into the legal weeds, so I'll try and gloss over this, of the dormant commerce clause. So --

Dave Bittner: Oh, that old chestnut.

Ben Yelin: -- I know. I know. For everybody who is going to be too bored by legal mumbo jumbo, you can just tune out for like 10 seconds while I --

Dave Bittner: Skip ahead. Press the 30 second skip ahead button.

Ben Yelin: Yeah. I will try to explain this quickly. [laughter] But basically, Congress has the power per the Constitution to regulate interstate commerce, and the way courts have interpreted that is that states do not have the power to pass laws that inhibit interstate commerce in any way. So it is certainly conceivable that a law like this would be an inhibition on interstate commerce simply because it would force the app stores to use their own resources to make special exceptions for the state of Montana. I mean the foundational Supreme Court cases on this were about the state of Iowa coming up with laws banning certain kinds of truck, and that was a major inhibition on interstate commerce because those trucks had to go around the state of Iowa, which is pretty hard to do if you're on Interstate 80 going across the country, and that would be an improper inhibition on interstate commerce.

Dave Bittner: That's interesting.

Ben Yelin: So those are just a few of the issues. Really, the First Amendment ones, I think, are the most serious, and I anticipate that within days of this law being signed, if it is signed, we will see a lawsuit from the ACLU on behalf of TikTok users, who are going to have their free speech rights suppressed at least in the state of Montana. One, I think, really interesting element in this Techdirt article is they quote a friend of our podcast, Riana Pfefferkorn, noted Stanford academic, who says that a law like this is really the U.S. mimicking China. China is the reason we're told we need to ban TikTok, but in trying to ban TikTok, we are acting like the Chinese Communist Party. Our idea, in her words, of countering China is to act more like China, "putting up a so-called great firewall that censors its citizens' free access to the flow of information." And this is true especially because of the popularity of the application. So this will create all different types of legal problems for the state of Montana. I hope the attorney general for that state has hired some very talented attorneys, because they're going to be spending a lot of time defending this law in court.

Dave Bittner: Now, can we agree that the main concern here is exfiltration of data? That's why they're coming at TikTok?

Ben Yelin: That's the main concern, but some of the findings that are included in the legislation, these pieces of legislation have what are called whereas clauses, where they explain the genesis behind the law. And as part of that whereas paragraph, they talk about how TikTok fails to remove and may even promote dangerous content that directs minors to engage in dangerous activities including but not limited to throwing objects at moving vehicles, etc., etc. It gets funnier.

Dave Bittner: [laughter] Okay.

Ben Yelin: They talk about TikTok inspiring people to light a mirror on fire and then attempting to extinguish it using only one's body parts. Inducing unconsciousness through oxygen deprivation. This is true, between --

Dave Bittner: These are oddly specific.

Ben Yelin: I know. Someone's been, somebody has been watching too many TikTok videos.

Dave Bittner: Okay.

Ben Yelin: So, part of the justification is that our data is sensitive to Chinese -- the Chinese government, which --

Dave Bittner: Right.

Ben Yelin: -- we've talked about many times on this podcast, has that close relationship with ByteDance, the parent company of TikTok. That's just one basis of the impetus behind this legislation. The legislators here seem to have come up with a finding that TikTok, beyond making our data vulnerable, is also just dangerous for kids and other people who are going to be very impressionable. So, I just think the way this law is drafted, if it had been narrowly tailored to address this issue of data security, I think it might stand a better chance in court. If you're going to have an inhibition on speech, you better have a darn good reason to have that inhibition on speech, and perhaps it's at least conceivable that Montana would have been able to convince a judge, a federal judge, that this was fulfilling a compelling state interest on behalf of Montana. But when we're talking about protecting people from videos of somebody attempting to break an unsuspecting passerby's skull by tripping him or her into landing face first onto a hard surface, that makes this law seem like, frankly, kind of a joke. So I do not see this law being upheld as constitutional, if it is signed, and assuming that it is challenged. But then again, courts are doing some weird things these days. So, you never know.

Dave Bittner: So a couple things come to mind here. First of all, why? Why Montana? Why has Montana chosen to lead the way with this? I guess I'm trying to see the potential political posturing here. I mean we always talk about, you know, protect the children. You can always make hay with that one, right?

Ben Yelin: Yes. This is sort of the, what's Reverend Lovejoy's wife in the Simpsons?

Dave Bittner: Right. Think of the children.

Ben Yelin: Somebody think of the children.

Dave Bittner: Right, right, right. So is it partially that?

Ben Yelin: I think it's a large part of that -- so the attorney general in Montana, a guy by the name of Austin Knudsen, is supposedly the person who drafted the bill. And he said one of the inspirations for the bill is parents complaining to the Montana state government that their kids are getting access to drugs, suicide, and/or pornography. But the fact that kids would potentially have access to that type of offensive content would not be a justifiable reason to shut off the entire platform. Because if that were true, we would close libraries because they might have some books that are offensive to children. I'm not trying to give the Montana legislature any ideas, by the way.

Dave Bittner: Right, right.

Ben Yelin: Or shutting off any other type of social network because some content might be offensive. So it was certainly a legislative response to this kind of, I don't want to call it a moral panic, but it is sort of a moral panic of parents within the state of Montana not wanting their kids to view this type of content on their personal devices. I'm surprised that even if this were the real justification that they didn't at least pretend that it was about data security, because I think that would have put them on firmer constitutional ground, and the fact that this seems so targeted at pretty clear expressions of free speech is going to make the legal posture of this law more difficult to defend.

Dave Bittner: I guess the other thing I'm thinking of is this just, to me, emphasizes that what we really need is a federal privacy law, that --

Ben Yelin: Pretty much true for every story, yeah. So, Congress could clearly preempt this state law and other state laws like it if they were to pass a federal statute that occupied the field. So the federal government, in areas where they have jurisdiction, can supersede state power because of the supremacy clause in the Constitution, and that means that if Congress wanted to pass a statute, putting some type of regulation on TikTok, which we've seen that they've tried to do, I think they would be on firmer ground. At least you'd have a uniform national standard, and there wouldn't be the practical difficulty of the app stores trying to restrict this application only in the state of Montana. So it would make things a little bit easier for the companies, and at least theoretically, Congress would have more time to consider the national implications of this type of legislation. So, Congress could preempt this, but we've talked about it in previous episodes. So far their efforts to curtail TikTok have not really gone anywhere. There is bipartisan support, but I think it's going to be very difficult to find a package of reforms that could win the support of a Republican House and a Democratic Senate. So I think we're a long way from that happening, and in the meantime, you're going to see more states take this type of action even if they know or suspect that the law is going to be struck down as unconstitutional.

Dave Bittner: Yeah. You could still make a pretty compelling political point by passing a law like this at the state level. I wonder too, and I don't know the answer to this, and I'm curious on your insights and take on this. I'm reminded of back, I think forever ago, when Obamacare was making its way through, right, and you would see statistics that said like, you know, 70% of people, bipartisan, don't like Obamacare, but when you dug in, you found that people on the right didn't like it for one reason, and people on the left didn't like it for another reason. Like some people thought it went too far, and the other people thought it didn't go far enough.

Ben Yelin: Right, right.

Dave Bittner: And so, I wonder if, when we talk about bipartisanship for things like federal privacy legislation and having broad support, if you dig in, is that broad support really coming from the same place or not? I wonder.

Ben Yelin: Yeah, I mean we've seen that with Section 230 reform as well. Both parties hate Section 230 but for very different reasons.

Dave Bittner: Right.

Ben Yelin: And so it would be hard to come up with a law that would satisfy all of those justifications. I think that would be true with a TikTok ban. It might be a little bit easier because the end result is the same. You would be empowering the President or the Secretary of Commerce to ban TikTok if they find that it's too closely in cahoots with foreign governments. But there are still disagreements among the political parties, and I think as this moves through the legislative process, you're going to start to see more organized opposition as this becomes sort of a real threat, when it's clear to people that Congress is a loaded gun with real bullets that they're willing to fire. I think you're going to have groups like the ACLU coming out in full force and talking about the First Amendment implications of this.

Dave Bittner: Yeah.

Ben Yelin: One potential solution, which I think would satisfy everybody but that probably will not happen, is for TikTok to be purchased by a U.S. company so that we don't face these overseas data collection concerns. But that has thus far not happened, and I think it's wishful thinking to assume that ByteDance is just going to sell to some enterprising U.S. customer. Although, who knows? Elon had 40 billion for Twitter, so maybe he could spare another 40 to 50 billion to buy TikTok.

Dave Bittner: Right. Right. If you could take care of the problem by ruining the platform, by having someone incompetent buy it and run it into the ground.

Ben Yelin: Exactly. We certainly have precedent now.

Dave Bittner: So it just provides a zero interest funding for some billionaire who has aspirations of running a social network.

Ben Yelin: Side note, please don't tear us off Twitter, Elon. We love you.

Dave Bittner: All right. Well, we will have a link to that story in the show notes. Again, that is from the New York Times. My story this week comes from the folks over at Engadget. It's written by Igor Bonifacic, and it's titled "The FTC Fines a Supplement Maker $600,000 for Review Hijacking Amazon Listings." So this is interesting. This is the first time that the FTC has come after an organization for this thing called review hijacking. So let me try to explain what's happening here. So we've got a company who makes supplements. You know, your vitamins basically, and they make all sorts of supplements for all sorts of different things, and this company is called Nature's Bounty.

Ben Yelin: Yeah, most of these things, by the way, don't actually work, but that's a subject of a different podcast.

Dave Bittner: Right, right. It's a whole different type of perhaps needed regulation, right. So, but, you know, lots of people enjoy these, and they use these, and they find value in these, and so, they're widely available. You can go to your local pharmacy and you'll see aisles full of these sorts of supplements. This is a company called Nature's Bounty, and they are one of the big vendors in this sort of thing. So, it turns out that on Amazon, if you sell a product, Amazon has a way for you to list highly similar products in the same listing. So, for example, what it's meant for is like let's say that I'm selling a transistor radio on Amazon, and that radio comes in three different colors. It comes in black, red, and white. So what I can do is I can have the black version of the radio be listed, but then within that listing, you can also click on the one that's white or the one that's red and purchase either of those. But what that --

Ben Yelin: That seems sensible, yeah.

Dave Bittner: Yeah, it makes it easier for the consumer, but what it does is it also consolidates all of the reviews for those products, all of the rankings for those products. The badges for those products. So if it gets, you know, a highly popular badge or, you know, those sorts of things that you see on Amazon, best seller, you know, those kinds of things, and then this all makes sense within that sort of framework, right. If I'm selling something that just comes in different colors, well, what the FTC alleges or concluded, I guess, right --

Ben Yelin: Right. Yeah. We have a consent order meaning --

Dave Bittner: Right, right.

Ben Yelin: -- yeah, they admit it --

Dave Bittner: Right. Yeah.

Ben Yelin: -- as they say in the meme.

Dave Bittner: Yeah. So what the Nature's Bounty folks were doing was they were taking advantage of that functionality to put different products in those slots. Rather than highly similar products, they were putting totally different products in there. And what that did was it meant that those new products, which in this case were not selling very well, were getting the ranking, the rating, and the reviews --

Ben Yelin: The five-star glow. Yeah.

Dave Bittner: Right. For products that were selling very well. And in fact, this company, they had some internal communications from this company, where they basically were talking to each other about how, hey, we put these things in here, and this was not a popular product, but when we put them in here like this, they said that it spiked the second we variated the pages, and they continue to grow.

Ben Yelin: What's the lesson here, Nature's Bounty? Do not admit to fraud in your emails. If you're going to engage in fraudulent activity, try to do it over the phone where it's less traceable.

Dave Bittner: Okay. I'd say, call me crazy but don't commit fraud.

Ben Yelin: Yeah, I mean there's that too. There's that too. [laughter] That's probably a good place to start.

Dave Bittner: Right. I hope the bar association isn't listening, Ben --

Ben Yelin: Yes.

Dave Bittner: -- as you're giving advice for how to --

Ben Yelin: I'm just kidding, bar association.

Dave Bittner: -- commit fraud to our listeners.

Ben Yelin: Yeah.

Dave Bittner: So I just think it's really interesting that this caught the attention of the FTC, and they came after them for it.

Ben Yelin: Yeah. I am actually pretty impressed that the FTC took this action. Like you said, it is the first time that they have countered this type of review hijacking, and we have a pretty serious consent order that was formed in response to these allegations. It's a $600,000 fine for Bountiful, the parent company here, and bars the company from employing such tactics in the future. Six hundred thousand dollars, probably in the context of their millions of dollars of revenue, isn't going to break the bank, but it's certainly a message to other companies that they shouldn't be engaged in this very clearly fraudulent activity. I mean it's distorting the market --

Dave Bittner: Right.

Ben Yelin: -- which is why the FTC is involved. It's changing people's perceptions and therefore their purchasing decisions. So it is absolutely proper for the FTC to be involved, and I'm impressed that they were involved here. I think the broader concern is, well, if this one company is doing it and they were caught, is this happening across the entire Amazon platform where people are taking advantage or companies are taking advantage of this functionality to boost products by leeching off five-star reviews for other products. Amazon, in response to this case, claims that more than 99% of the products people view on its marketplace contain "only authentic reviews" and that there is an avenue for consumer complaints if the consumer suspects that a company is engaging in this type of deception.

Dave Bittner: Yeah.

Ben Yelin: Ninety-nine percent sounds really high.

Dave Bittner: Yes, it does.

Ben Yelin: So think about how many things that Amazon sells.

Dave Bittner: Yes, it does.

Ben Yelin: I mean probably in the last month you, our listener, on average has bought, how many products do we think off Amazon?

Dave Bittner: Yeah.

Ben Yelin: You know, maybe 15, 20. Multiply that by 330 million people in the United States, and that's certainly a lot of products. So even 1% being based on faulty reviews is cause for concern. So I guess it's good that the spokesperson for Amazon said that they're going to be working closely with the FTC to make sure that this type of abuse does not happen on their platform.

Dave Bittner: Yeah, and I suppose that when you see something like this, that does get Amazon's attention, so maybe they'll focus on this more, where before they weren't. I don't know how much I -- how much faith I have in this Amazon spokesperson. I do believe that Amazon is attempting to come at this, but I just think it's so broad, and it's just -- we've said this a million times, you know, that, well, we can't police this at scale. Well, then maybe you shouldn't do it.

Ben Yelin: Right.

Dave Bittner: Right. There's no way they can do this at scale, and, you know, as our colleague, Joe Carrigan says, when you're looking at reviews on Amazon, throw out all the five-star reviews. Throw out all the zero-star reviews, and make your decision based on the ones in the middle --

Ben Yelin: Right.

Dave Bittner: -- because those are more likely to be authentic.

Ben Yelin: That are authentic, yeah.

Dave Bittner: Yeah, yeah.

Ben Yelin: I mean, yeah, this gets us into a whole conversation about reviews themselves, which I mean, I think beyond the allegations here, there are ways in which reviews can be gamed. So you question the trustworthiness regardless of the allegations here, but I think this is a very specific instance of a very, I think, discoverable type of fraud.

Dave Bittner: Right.

Ben Yelin: And it's good to see that our federal regulators have taken notice and have taken action.

Dave Bittner: Yeah, I agree. All right. Well, we will have a link to that story in the show notes, and, of course, we would love to hear from you. If there's something you'd like us to consider for the show, you can e-mail us. It's

Dave Bittner: Ben, you recently spoke with Ilona Cohen from HackerOne discussing President Biden's cyber strategy and the national budget allocations for cybersecurity. Interesting conversation. Here's Ben speaking with Ilona Cohen.

Ilona Cohen: When I was in the White House, and I think really until recently, the focus in the government had been on adversary nations thinking that those nations likely had the possibility and the capability to wreak havoc on our infrastructure. The reality is, and I think that this has been largely driven by the Colonial incident, is that really anyone can wreak havoc on our infrastructure, you know, that we had underestimated the risk of a single criminal group and their ability to exploit a vulnerability leading to an emergency that affects, you know, dozens of states. So, or at least, you know, over a dozen. So what keeps me up at night is just, you know, that there are significant areas where we remain vulnerable and that there are multiple actors who can take advantage of those vulnerabilities.

Ben Yelin: I think that's -- that rings true. I mean as somebody who was on the East Coast during the Colonial Pipeline disaster and saw gas lines for really the first time in my conscious life, it seems like there is sort of this increased public consciousness of the kinetic effects of cyber incidents. Can you talk a little bit about how you could leverage that sort of newfound awareness into potential policy changes, especially at the federal level?

Ilona Cohen: Absolutely. And I think you see that in the national cybersecurity strategy. You know, there are folks who are in the White House who talk about the Colonial Pipeline incident as an awakening because of the potential impact there. And so, that is primarily why the strategy calls for less of a voluntary approach to critical infrastructure, cybersecurity, and more toward a, you know, set of mandatory requirements that they are looking to implement. You know, the threat landscape we're in is sophisticated, and you know, we need to have a whole-of-nation approach when we're tackling such serious problems because nobody wants to have service disruptions or, you know, breaches that can lead to disruptions of such significant effect.

Ben Yelin: Do you think that the vulnerabilities in our critical infrastructure are largely technical vulnerabilities, or do you think there are also kind of governance issues that are inhibiting particularly in the private sector our ability to respond to these incidents?

Ilona Cohen: I think it's probably a combination of both. I think we're in the situation we're in because of the constantly evolving landscape, but also there has, in certain industries, there's been, you know, a lack of resources, you know, perhaps budgetary constraints, a workforce shortage, right. So there are any number of shortcomings that lead to the situation we're in.

Ben Yelin: So, I've done a little bit of work recently just here in Maryland, just in the world of policy consulting, on inquiring from some of the local utilities about how amenable they'd be to mandatory cybersecurity requirements. And I guess to put it mildly, there's definitely been some pushback. So, I guess my question for you is, based on your experience, how do we work with that, how do we work with that pushback and how do we convince these utilities and other owners of our critical infrastructure that even though it might be more burdensome for them in the short run that it would benefit all of us in the long run?

Ilona Cohen: So, I take a somewhat different approach, and I guess that's in part, it's maybe worth me mentioning my background for a second here. So I was the former general counsel of the Office of Management and Budget, and the Office of Management and Budget, which some call, you know, the most important agency you've never heard of, is the agency where all rules and regulations affecting, you know, they have over $100 million impact. They all flow through OMB. So I have a slightly different take on regulations. Of course, they can be burdensome and too broad and too complex and that stifles innovation in the marketplace, and that is never the intent. But when they're narrowly tailored and they're sophisticated enough to like directly impact the threat landscape, some actors, especially the ones who are interested in, you know, ultimately, you know, addressing the issue as a whole, actually prefer them because then every player in the field is on a level, you know, playing field. And you know, that is actually a benefit because it helps ensure that everyone in the private sector is enforcing a consistent set of standards. For those who you spoke with, I would say, make sure they participate in the rule-making process. These rules are meant to be written with the collaboration of industry. That's part of the process, and so, you know, there should be a lot of cooperation with the private sector as all of these mandates are written.

Ben Yelin: One thing I know you've talked about, and I read this editorial that you wrote in The Hill, is how we need to more closely tailor regulations to the specific industries we're trying to regulate to the size of the purveyors of critical infrastructure the size of these utilities. Can you talk a little bit about the importance of more narrowly tailoring these types of regulations?

Ilona Cohen: Yeah, of course. I mean you can't impose a rule that no one could conceivably comply with. That's not the goal. The goal [inaudible] is not these overly burdensome and complex regs because then they'll be ineffective, and there will be no enforcement of those rules because, you know, you'd have an entire industry failing to adhere to them. So you do need to have, as I mentioned, very, you know, outcome-oriented and flexible and tailored regs. And not all sectors are the same. I mean I think that's what I put in that op-ed, right. You have water services that are going to be different than healthcare, which is going to be different than transportation generally, and so you need to make sure, and each of those agencies, you know, I'm sorry, each of those areas are -- some are further along than others in terms of their cybersecurity sophistication. And so you really do have to tailor the rules to make sure that different sectors can be treated differently but all for the same outcome, which is security across the board.

Ben Yelin: Can you talk a little bit about coordinated vulnerability disclosure, and I know you mentioned that as a favorable aspect of the administration's cybersecurity strategy, but can you talk about its advantages in your view?

Ilona Cohen: Yeah. Absolutely. Thanks for that question. So the cybersecurity strategy calls for coordinated vulnerability disclosure across all sectors for all technologies, and that's because, look, the best way to respond to a breach is to prevent it from happening in the first place. The strategy calls it out because it is so successful in helping companies and the government identify cybersecurity flaws in their system so they can actually, you know, mitigate those vulnerabilities, correct them, and prevent cyber criminals from exploiting them. So we're really thrilled that the, you know, HackerOne, of course, does provide, you know, cybersecurity services, and you know, we are the leading expert on coordinated vulnerability disclosure. And so we're delighted that they called, that the government called out that specifically because we do think it can really help prevent breaches from happening.

Ben Yelin: Interesting. So, I guess slightly switching gears, there are kind of two avenues to a federal cybersecurity strategy. There's the policymaking avenue and the rule-making process, and then there's budgeting. And I guess taking advantage of your expertise from OMB --

Ilona Cohen: Yeah.

Ben Yelin: -- where do you see, I guess in terms of properly allocating federal resources to these cyber threats, are there areas where you think we could use improvement or where money could potentially be reallocated, where we're not allocating enough?

Ilona Cohen: So, there are two aspects of this strategy. You know, the first aspect is the amount of effort it takes in order to put out a strategy like this really does help the entire government see a -- like come together and work toward a common goal. And, but it is a blueprint. The strategy is in essence just a blueprint. Now, some of these things they've already done, they have the authority to do, and they've already taken action, but others will require funding. And so, it's no coincidence that the White House put out their budget just a few weeks after putting out the strategy, and in it, they called for, I think, a 13% increase in cybersecurity for civilian agencies. So that's a total of $12.7 billion. So that's a sizeable increase especially given last year there was also a pretty sizeable increase. But look, you know, it requires -- in order to implement that budget, it will require a lot of coordination between Congress and the administration, and you know, I hope that they'll ultimately get there, because it will, I think, you know, if you read the President's budget, you'll see, you know, he's interested in a more diverse cybersecurity workforce, transitioning legacy systems in the government to more modern infrastructure, and then, of course, like further enabling the zero-trust architecture among, you know, many, many other things. But those are, we have to be able to prioritize, you know, resources for cybersecurity in order to be able to implement the vast majority of the actions in the strategy.

Ben Yelin: I know budgets are -- a President's budget proposal is rarely received well on Capitol Hill, and his was certainly no exception. And there are going to be months of negotiations, and we have some deadline with the debt ceiling and September 30th with the end of the fiscal year. In terms of sort of handicapping, where do you foresee some controversy in the realm of cybersecurity, or what might be some issues in this subject area where there might be snags in negotiations, based on your experience or just your view of the landscape?

Ilona Cohen: Yeah, well, look. You know, we have some narrow majorities in Congress, a divided Congress. Cybersecurity is actually one of those rare areas where there is a lot of bipartisan cooperation. And so, if anything, you know, whether it bears the desire to have this particular program funded, you know, exactly the way the President proposes or that that program is, you know, who knows? But it is, I don't think it's easy for this cybersecurity aspect to just get caught up in the, you know, entire sort of political posture that we find ourselves in where you have, you know, a desire to both increase the debt ceiling and, you know, pass funding bills that will go much, will be much broader than just cybersecurity. I have long since stopped predicting what Congress will and won't do.

Ben Yelin: That's probably a wise choice on your part, yeah.

Ilona Cohen: Yeah. So I'm not going to do that, but I do want to say like I think there really is, this is an area where bipartisan cooperation is available, and it's important for our collective security.

Ben Yelin: I think so too, and it has been promising that generally cybersecurity has not been befallen by polarization in the way a lot of other issues are.

Ilona Cohen: That's true.

Ben Yelin: Now that you are on the private side, is there a message that you would give to industry generally about the promise and perils of federal regulation and how they can be constructive partners in participating and implementing the cybersecurity strategy?

Ilona Cohen: Well, I would say that the promise is really, look, there's a rule-making process. That process requires, you know, a notice and comment period. So whatever the government is thinking in the form of regulation, it has to publish in what's called the Federal Register and ask industry for comment. How will this affect you? What have we thought about? What are we not thinking about? And I would just encourage those who might be wary of the rule-making process to be more active participants in it. You don't have to be the former general counsel of the Office of Management and Budget in order to read those notices and participate. It really is available to everyone, and so, you know, that will definitely shape what the rules ultimately look like and how they'll be applied to various sectors. So that's a lot of promise actually, and you know, I would say not participating would result in a peril, just because, you know, the government can't possibly know how everything that they're thinking about will ultimately affect private industry. You know, I hate to please just be a participant in you know, the civic process, that's all, and it's like my call to action.

Dave Bittner: All right. Interesting conversation, Ben. Boy, what a great guest. Just super knowledgeable, and what a broad range of experience.

Ben Yelin: Yeah. I mean having that experience in OMB, being on the inside and knowing how the regulatory process works, we don't often get a chance to speak to people who have had that type of high-level position.

Dave Bittner: Yeah, yeah. Absolutely. I thought it was interesting, you know, her insights kind of mirroring what we've discussed here today, you know, just how hard it is to get anything through Congress, the sort of sense of resignation that this is why we can't have nicer things, right.

Ben Yelin: I know. I feel like so many of our interviews end on that depressing note where it's like if Congress could just get its act together and step in, we could improve our nation's cybersecurity posture. We could institute all of these very practical reforms that in a perfect world, you know, we could snap our fingers, and they would come into existence, but Congress is just not like that.

Dave Bittner: Yeah.

Ben Yelin: Yeah.

Dave Bittner: Yeah. All right. Well, again, our thanks to Ilona Cohen from HackerOne for joining us and sharing her expertise and insights. We do appreciate her taking the time.

Dave Bittner: That is our show. We want to thank all of you for listening. The Caveat podcast is proudly produced in Maryland at the startup studios of Data Tribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner.

Ben Yelin: And I'm Ben Yelin.

Dave Bittner: Thanks for listening.