Caveat 5.18.23
Ep 172 | 5.18.23

A hand in crafting cybersecurity legislation.

Transcript

Ben Yelin: And this is really what keeps me up at night, these potential attacks on our critical infrastructure, the things that we rely on to survive. People can do without electricity for, you know, a couple of days if necessary. Anything longer than that, it becomes a huge issue.

Dave Bittner: Hello, everyone, and welcome to "Caveat," the CyberWire's privacy, surveillance, law and policy podcast. I'm Dave Bittner, and joining me is my cohost, Ben Yelin, from the University of Maryland Center for Health and Homeland Security. Hello, Ben.

Ben Yelin: Hello, Dave.

Dave Bittner: Today Ben talks about a case dealing with the timing of computer search warrants. I look at copyright, and Apple's loss in court in an iOS case. And later in the show, Ben and I discuss some recent cybersecurity legislation that he had a hand in crafting. While this show covers legal topics, and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney. Alright, Ben. We've got some interesting things to cover today, and should say also that we're departing from our usual format a little bit in that we are going to have a conversation after our usual stories where we usually have a guest slot, you're the guest this week [laughs].

Ben Yelin: Unfortunately for listeners, you are stuck with me the entire episode.

Dave Bittner: [laughs] That's right.

Ben Yelin: So if you get tired of this voice, this is just to warn you in advance.

Dave Bittner: There you go. So this is -- we'll dig into the details when we get there, but Ben actually had a hand in some interesting legislation that made its way through Maryland here, and I just thought it'd be interesting to talk about a little bit of the behind-the-scenes. So we get a little view on how the sausage is made. So --

Ben Yelin: Always the fun part, yes.

Dave Bittner: [laughs] So stay tuned for that. But let's dig into our stories. What do you have for us this week?

Ben Yelin: So my story's about a case. I found out about it through Professor Orin Kerr. I know, we get a little repetitive here. But he writes for a blog called "The Volokh Conspiracy," which used to be hosted by The Washington Post. It's now on the Reason website. So it's largely a collection of libertarian-leaning attorneys. And this is a case about computer search warrants, specifically a case from the northern district of California. It's a federal case, United States v. Kopankov. So local law enforcement in California obtained this guy's iPhone as part of a criminal investigation back in 2019. And this person was technologically sophisticated. His iPhone was pretty well encrypted. And law enforcement wanted to get into his device to find incriminating evidence they could use at trial. But they couldn't do it. They tried all the easy traditional methods. None of them worked. So they sent that device over to the FBI, and the FBI initiated a brute-force attack. I actually sent a YouTube clip to Orin Kerr, because it reminds me of a Family Guy bit where Stewie is trying to reach Lois, and he tries every single set of seven phone numbers to try to reach her. So he goes 111-111-1111, 111-111-1112.

Dave Bittner: Right.

Ben Yelin: So that is basically what happened here, just it was automated and if you think about passcodes, you know, a six-digit passcode, the number of potential passcodes is almost limitless. There's just a ton of different combinations. So even with this brute-force method, it just takes a while to find the particular passcode that unlocks the device.

Dave Bittner: Right.

Ben Yelin: They were finally able to decrypt the device, like, three weeks ago.

Dave Bittner: Oh.

Ben Yelin: Twenty-twenty-three. So it took up to four years for them to decrypt the device. They were able to do it. I won't get into the technological methods, but it just took a really, really long time.

Dave Bittner: Right.

Ben Yelin: There's just one problem here, which is that the magistrate judge who approved the warrant to search the device included a supplemental portion of his opinion that put a time limit on this type of forensic search. So he said that this warrant authorizes the government and then it ended up being the FBI, because it was sent to the FBI. They have x number of months to try and get into this device. That's how long the warrant is valid.

Dave Bittner: Okay. Does this sort of tie into the right to a speedy trial notion?

Ben Yelin: Not really. I mean, I think it's more about the particularity requirement of the Fourth Amendment. That you don't want an overbroad authorization, which we'll get to in a second.

Dave Bittner: Okay.

Ben Yelin: Because I think --

Dave Bittner: Okay. Sorry, I'm jumping the gun [laughs].

Ben Yelin: No, no. That's okay. I mean, I think the essence of this is that Professor Kerr believes that those types of restrictions, what he calls ex ante rules and restrictions, are just not proper in Fourth Amendment analyses. And shouldn't be within judges' purview within his view to set these type of arbitrary time limits.

Dave Bittner: Okay.

Ben Yelin: But I think what the judge is saying in this case, and we'll get to that in a second too, is that this was -- there was a time limit placed on this warrant. Once that time limit expired, and I think it was extended once or twice, but once it expired, that warrant was no longer authorized, and therefore, this was a warrantless search.

Dave Bittner: Okay.

Ben Yelin: Now, warrantless searches can still be reasonable under a Fourth Amendment analysis, under the right circumstances. But here, this warrant was search -- because it was invasive, because it was going into an individual's device, was not considered reasonable. Therefore, all the evidence gained from decrypting this phone is inadmissible at trial as fruits of the poisonous tree.

Dave Bittner: Wow.

Ben Yelin: So that's really going to kill your case, right?

Dave Bittner: Yes.

Ben Yelin: All the evidence was on this device. Basically what Professor Kerr argues is that this is an improper formulation of Fourth Amendment analysis. The Fourth Amendment is concerned with whether a search or seizure is reasonable. And reasonableness can be determined in a number of ways. One of them is by showing that a warrant was properly issued based on probable cause. And here, at least in the plain text of the Fourth Amendment, you have a probable cause determination. You were able to get a magistrate judge to agree to issue that warrant. That is sort of all the necessary information that goes into a Fourth Amendment analysis. A magistrate judge can place all different types of ex ante restrictions on that warrant, but that is -- that does not bear on whether this is a constitutional Fourth Amendment search. It's an entirely separate inquiry. So the search itself can still be reasonable even if the particular magistrate judge puts time limits on it. I think this is important in our modern digital landscape, because as decryption -- or as encryption, rather, gets more sophisticated, it becomes more difficult to unlock devices, law enforcement agencies are going to need more time and/or more resources to get the information that they need to effectuate a search. And if this judge's opinion was adopted, we could see circumstances where magistrate judges put arbitrary time limits on these computer searches. Those time limits expire, and then even if you find the most incriminating evidence possible, it's a warrantless, unreasonable search, and therefore that evidence has to be suppressed at trial. And I think from Professor Kerr's perspective, that is an unfair outcome for law enforcement. They went through the necessary steps to try to secure a valid Fourth Amendment search warrant. They were able to do so, and the time limits are immaterial to the constitutionality of that search. I usually agree with Professor Kerr on these things. I'm a little uncertain in these circumstances, just because of the particularity requirements in the Fourth Amendment, and knowing the historical context behind our Fourth Amendment, which is about avoiding these general warrants or writs of assistance. And there is sort of a fine line between setting arbitrary time limits, and what I think could happen in the absence of any time limits, which is that you could have sort of these endless warrants, right? Where 30 years down the line, somebody's able to decrypt the device, and this person who's been in legal limbo is subject to criminal prosecution. I think that might be an overbroad warrant. So I think that is not as easy of an issue to resolve, frankly.

Dave Bittner: It reminds me of a related issue with cryptography, where as quantum computers are making their way to the forefront and the development continues with those, that what is not unencryptable today may be unencryptable tomorrow.

Ben Yelin: Right.

Dave Bittner: And so, there's this notion --

Ben Yelin: It's coming!

Dave Bittner: Yes. And there's this notion that particularly, for example, nation states will vacuum up encrypted communications from their adversaries, knowing that if they sit on it long enough, some day they'll be able to decrypt it. Now, you know, if those communications are valuable 10 years from now or 20 years from now or two years from now, who knows? But this makes me think of that. And I guess I'm concerned that, you know, does this mean I can get a warrant for something and basically there's no statute of limitations?

Ben Yelin: Right!

Dave Bittner: There's no, you know, that doesn't seem the spirit of our legal system.

Ben Yelin: I don't think it is either. I mean, with the way Professor Kerr would see it is, the government had a search warrant based on probable cause. The Fourth Amendment in his view permitted the government to search the phone. It's immaterial to a Fourth Amendment analysis whether the government can break into the phone quickly, or whether it'll take several years. Whether it's quick or whether it will take several years is a question that gets into advances in quantum computing and the technology to decrypt certain devices. And I also am afraid of a future where there is this level of uncertainty. Where people would have -- whether it's private individuals or law enforcement, as you say, would have incentive to try and get devices within their dominion, within their control. Even if the devices or that particular form of communication is well-decrypted, and just wait it out. See if you can, at some point, whether it's a month down the line or 10 years down the line, have access to that information.

Dave Bittner: Right.

Ben Yelin: Now that might be some other type of legal violation under statute, but at least as it comes to the Fourth Amendment, we're dealing with law enforcement. If the view of Professor Kerr were to hold, that would be -- that would just have no bearing on the constitutionality from a Fourth Amendment perspective. And I think, you know, the alternative view would be you have to look at the Fourth Amendment analysis holistically. Any reasonableness determination weighs the security value to the government of being able to access information against the invasion of privacy on the individual. And if you have kind of this ticking time bomb where somebody captures a device, and they're just waiting for the technology to be able to decrypt it, I think that can have significant inhibitions on the privacy of those device-holders, and it goes against the spirit of the Amendment where there are confines on these warrants. I mean, a warrant has to particularly describe the thing to be searched, the person to be seized, et cetera. And if you don't nail down that level of particularity, if the warrant is relatively unimpeded, and the period the warrant is active is unending, I think that can create some privacy concerns on behalf of that device holder. It's certainly a difficult issue. I mean, I don't think from a legal perspective it's black and white. I can understand the perspective of the judge here.

Dave Bittner: Yes.

Ben Yelin: Who thought that the warrant had expired. I can also understand the perspective from Orin Kerr, which is why should we let this magistrate judge put random arbitrary time limits on otherwise authorized Fourth Amendment searches? Why does the magistrate judge get to play God in that context? There was a probable cause determination, should matter for Fourth Amendment purposes when the FBI was able to decrypt that phone. I think you have to kind of look at it more holistically. It's not 100% irrelevant, as Professor Kerr says, that the brute-force attack took three years. I think that also has to be included in consideration as to whether the search was reasonable for Fourth Amendment purposes. And I think a holistic approach would be a better way of solving this problem than just throwing out any sort of arbitrary time limits all together.

Dave Bittner: Is there a danger that this could be a back door path to incarceration? In other words, you know, hey Bob, we have probable cause that you did something. We got your phone here. Probably going to take three or four years to decrypt that thing, so sit tight and enjoy your time under our roof.

Ben Yelin: Right! I mean, there are certainly circumstances where you have probable cause, but you don't have the type of proof that you would need to convict at trial. But yes, I mean if those circumstances would be one -- and again, this is relatively unlikely in our legal system where, you know, somebody is remanded to custody without bail, then you do have the potential to have that person unlawfully or -- maybe not unlawfully, but improperly detained for an extended period of time because it takes so long to gain that evidence.

Dave Bittner: Right.

Ben Yelin: I think it's more likely to benefit the defendant, because when we're talking about the length of these brute-force attacks, it's more likely that the government wouldn't be able to establish probable cause or establish guilt beyond a reasonable doubt, because that evidence is missing for such a long time.

Dave Bittner: Is there any indication here that the judge had any sort of framework for the time limit?

Ben Yelin: I don't think so. I mean, that's the other mysterious aspect of this case is it does seem to be rather arbitrary. I think in the original warrant, he put that the phone had to be decrypted within a certain number of days. The government applied and obtained an extension of that warrant through about a year later. So the FBI had requested an extension to, I believe, June 2021. That is from that time, so 2019 through 2021, presumably every single day the FBI was trying to decrypt that device.

Dave Bittner: Right.

Ben Yelin: They were not able to obtain a further extension, but just with the passage of time, in 2023, they were able to create a mirror image of the device before they were able to apply for another warrant to search that image. So I think in the judge's view here, after that original warrant expired, it was incumbent upon the government to apply for an additional warrant to cover that extended time period, and if the warrant hadn't authorized the search in 2023, they would need a separate warrant to search the device once it had been decrypted. And the fact that they didn't do that means all of that evidence has to be suppressed at trial.

Dave Bittner: So where does this leave us now with cases going forward?

Ben Yelin: So this is a district court case. You know, it's an interesting case and relatively persuasive, but the district court is below the court of appeals. There's some indication that in other courts of appeals, one of them being the Eleventh Circuit, judges have at least been more deferential to this idea that we should not have arbitrary time limits on computer search warrants. There was a case called United States v. Nicholson, which was decided last year, where a magistrate judge required the computer to be -- a computer that was seized to be forensically searched within 60 days. And the court in that case, and this was an appeals court, held that a search beyond that 60-day period did not violate the Fourth Amendment, because there is no Fourth Amendment limit on when that forensic search occurred after the computer was seized. The question in that case came down to remedy. So what Professor Kerr would argue is that there was no remedy at all. This is just kind of an improper -- this is kind of an improper judicial standard that doesn't create a proper remedy. What the court in that case said is that an ex ante warrant violation was comparable to a violation of the rules of criminal procedure, which I think -- and not to get too deep into the weeds here -- would be too much of an inhibition in Professor Kerr's view on the government. So there is some precedent in another judicial circuit that judges, at least appeals court judges in that circuit, are skeptical of these time limits. And don't think that these time limits are related to a broader Fourth Amendment analysis. That hasn't necessarily been adopted by other circuits, including the Ninth Circuit, where this case will now head. And I would suspect that the government is going to appeal the denial of access to this evidence. And we'll see it come in front of a panel of the Ninth Circuit. Maybe they come to the same conclusion as the Eleventh Circuit, and maybe they do not. It's to be determined.

Dave Bittner: Alright. Well, stay tuned, right?

Ben Yelin: Yes, I think it's just a really interesting story where I can understand both perspectives, and it's a legal issue where I don't think there's really a clear answer.

Dave Bittner: Alright. Well, we will have a link to that story in the show notes. My story this week comes from a ruling from the Eleventh Circuit Court of Appeals.

Ben Yelin: A lot of shoutouts to the Eleventh Circuit today! You think they'd be paying us, right?

Dave Bittner: [laughs] They're in the middle of everything, right?

Ben Yelin: Yes!

Dave Bittner: Yes. [laughs] yes. So this is Apple versus a company called Corellium. And the finding is that copying functional software like iOS falls under fair use. So Corellium made a virtual environment, you could run iOS code in a virtual environment. This is primarily for folks who are doing security research to be able to test vulnerabilities in a controlled environment on their systems to have, you know, your desktop computer to basically emulate iOS, which is Apple's mobile operating system. And to be able to do things that you need to do. So Corellium came up with a way to do this. Apple sued them, saying that this was violating Apple's copyright, that iOS is protected by copyright, and it made its way through the courts, and as we say, the Eleventh Circuit Court of Appeals said no, that this does fall under fair use. That it is transformative. I find this very interesting, and I'm curious for your take on this, Ben.

Ben Yelin: I think this is absolutely the correct decision. So something counts as fair use if it is transformative. If it is used -- if the purpose of the use is largely functional, and not to make money based on the intellectual property of the original creator, and in that case that would be Apple, who created the iOS operating system. And I think the purpose of copying the system in this controlled, artificial setting is to improve the security posture of iOS devices generally and just devices generally.

Dave Bittner: Right.

Ben Yelin: It's clearly just an instance of retyping to simulate certain attacks, to figure out how to protect against security intrusions. And that certainly counts as a transformative use. It is a largely functional use of the software. It's not intended to profit off the work of that software. And that to me falls under the standard definition of fair use. I think this is important for -- in the broader context, because it will augment the ability for companies like Corellium to test out different security features without running afoul of intellectual property laws. There's a quote from somebody who submitted an amicus brief in this case, a senior policy counsel at Public Knowledge, which is an advocacy group. And she said that today's ruling represents a victory for both security and fair use; it is well-established in copyright law that protected works can be used in their entirety if necessary for the purpose of course criticism, commentary and other transformative uses. And that's exactly what happened here. You're using the software to create valuable tools without using it to try and independently make a profit. And because this is security research, this bodes well for other security researchers who want to emulate a common operating system but don't want to be accused of violating somebody's intellectual property.

Dave Bittner: Right.

Ben Yelin: So I think this decision is right on the merits. I think this is clearly an example of fair use, and I think from a policy perspective, this type of judicial decision should be encouraged, because it will augment the ability of companies like Corellium to improve our collective cybersecurity posture.

Dave Bittner: Yes.

Ben Yelin: So I think it's a good decision from the Eleventh Circuit.

Dave Bittner: I was reading through the decision itself, and there were a couple things here that caught my eye. There's a section titled "The Nature of The Copyrighted Work." And they make the point, they say -- I'm reading right from the decision here, they say, the Supreme Court has explained that, quote, "computer programs are primarily functional, making it difficult to apply traditional copyright concepts in that technological world." And then later in this section, they say, for these reasons we conclude that iOS is further from the core of copyright than protected works like paintings, movies, and books. This I find fascinating in that I'm just imagining, you know, folks at Apple, who very much fancy themselves artists, right?

Ben Yelin: Right.

Dave Bittner: Their software is --

Ben Yelin: It's part of the culture there.

Dave Bittner: Right. Exactly. To have the court say that this operating system is primarily functional and is not a work of art, [laughs] right, I can imagine that rubbing them very much the wrong way. But I -- again I'm curious what your take is on this. This is not -- I was unaware of this perspective, and that the Supreme Court had weighed in to this specificity when it comes to things like operating systems. As tagging them as being more functional than a creative work.

Ben Yelin: So while I agree with the decision, I'm not entirely sure I agree with that particular statement. I think there certainly is some creativity that went into developing the iOS system.

Dave Bittner: Yes.

Ben Yelin: Certainly the design elements of it are a form of creative work. Some of the functional uses are creative. I mean, some creative thought went into making our iPhones look beautiful.

Dave Bittner: Right, right.

Ben Yelin: It's not entirely a functional creation. It's not like we're, you know, just typing in, like, certain lines of code to get what we want to see.

Dave Bittner: Yes, you're not staring at a command line.

Ben Yelin: Exactly!

Dave Bittner: Glowing green screen. Yes.

Ben Yelin: Exactly! There are bright, beautiful colors that we can look at when using these systems. So I think there is a creative element there. I just think this is a fair use of that element. I think you can still say that Corellium's use of the iOS platform is still fair under our intellectual property laws, without denigrating the work of building out the -- building out iOS on the part of Apple by saying that it's less creative than somebody's painting. I don't think you have to go that far to still acknowledge that this is fair use.

Dave Bittner: Yes. Again, reading -- there's a section here where they talk about balancing the factors. And they say, first Corellium software is a transformative product that furthers copyright's aims in advancing science through research. Second, iOS is primarily functional, so it falls outside the core of copyright's protection. Third, Corellium didn't over help itself to iOS -- that's interesting. And fourth, we can't say as things stand, that CORSEC -- that's the company that's Corellium's, you know, mothership company.

Ben Yelin: Parent company.

Dave Bittner: Yes, parent company. Thank you. Substantially harms the iOS market or any iOS-derivative market in the end by creating an innovative product that advances scientific progress without superseding iOS. Corellium has captured the balance that copyright is after. Without foreclosing a future claim based on future facts, we conclude Corellium on this record made fair use of iOS. I guess a part of me also is surprised that we didn't come down on the side of Big Tech in a copyright case, right?

Ben Yelin: I know, I know! Like, I'm sure Corellium isn't actually the little guy here.

Dave Bittner: Right, right.

Ben Yelin: They have billions of dollars, but like --

Dave Bittner: Yes.

Ben Yelin: -- to have an intellectual property case against Apple, and to win it is kind of, you know, a fun little story. It's a little bit of a David versus Goliath. One of the reasons I think it's a right decision is looking at the original constitutional purpose of our intellectual property laws.

Dave Bittner: Right.

Ben Yelin: So the purpose of copyright, and this is in Article 1, Section 8 of our Constitution, is to, quote, Promote the progress of science and useful arts. So you want to protect people's useful creations. But in doing so, you have to balance that against the benefits you would get from fair use, such as improving security features. And I think that's kind of inherent in that definition. You are promoting the creative use of iOS and all different other types of platforms by seeing what its security vulnerabilities are, and figuring out how to correct for those vulnerabilities. I think that furthers the mission of promoting the progress of science and useful arts. And I think the point about this not being -- this not fostering any kind of direct competition to the operating system is compelling as well. Nobody's going to go out and purchase a Corellium operating system to compete with iOS, right? It's just not the nature of what they're trying to do here. You know, I was trying to think of what an analog would be in the non-digital world, and it would be sort of like a local fire department recreating a private, but like the offices of a private business to practice firefighting.

Dave Bittner: Oh yes.

Ben Yelin: They are not competing with that private business. You know, even if they put the logo of that business on there. Even if they include some of the distinctive features of that physical business, they're not trying to compete with that business. They're not trying to use that business's creative works or intellectual property to make money for themselves. And I think all of us would understand in that context that it's certainly fair use.

Dave Bittner: Yes.

Ben Yelin: So if you want a non-digital way to try and think about it, I can, you know, I can provide that admittedly shaky metaphor for you.

Dave Bittner: Yes. Well, they also point out that it's not -- they're not running afoul. Corellium is not running afoul by making a product that they charge money for. That doesn't automatically disqualify them from fair use.

Ben Yelin: Right. Because I think it has to do with how they're making the money. Because it's not the direct -- they're not providing an operating system. So they're not in direct competition with the company that they're allegedly violating the copyrighted works of. I just ended a sentence with a preposition. It's going to bother me for a while.

Dave Bittner: Slap on the wrist, yes.

Ben Yelin: I know. But you know, they're making money of their security research. So it's not a direct connection or a direct competition with that original company that's the subject of the lawsuit. So I think that's absolutely right that you can still have fair use, even if they are making money, they're making money as a security company.

Dave Bittner: Right.

Ben Yelin: They're not making money as a company that runs an operating system.

Dave Bittner: They're not selling mobile devices with iOS installed on them.

Ben Yelin: Exactly! Now that would be a very clear copyright violation.

Dave Bittner: Right.

Ben Yelin: That case would be a very easy one for a court to decide and it certainly would not be fair use, but that's just not what's happening here.

Dave Bittner: Alright. Well, we will have links to all of these stories in our show notes, and of course, we would love to hear from you. If there's something that you'd like us to cover, you can email us. It's caveat@thecyberwire.com.

Dave Bittner: Ben, we're taking a little different path this week. Rather than having a guest, we are going to talk, you and I, about some recent legislation that you had a hand in here in Maryland. I just think it'd be really interesting to hear the behind-the-scenes of how something like this makes its way through a state. So let's start with the beginning here. You're sitting there at the University of Maryland Center for Health and Homeland Security, minding your own business.

Ben Yelin: As I do, yes.

Dave Bittner: [laughs] As you do. You know, scrolling through your computer, reading all of the works of Orin Kerr, when suddenly you get an email or a phone call; what happens?

Ben Yelin: So about three years ago, I ended up -- this was right before the pandemic. I ended up in a meeting with a state senator who's actually been on the show, Senator Katie Fry Hester, members of the Maryland Department of Emergency Management, and members of the Department of Information Technology. We had an informal conversation about changing cybersecurity governance. The cybersecurity governance security structure in Maryland.

Dave Bittner: Okay.

Ben Yelin: There was this growing problem where units of local government were suffering from cyberattacks, and they didn't quite know how to respond. They didn't know where to find resources. There wasn't enough money for them to improve their own security posture, or there wasn't dedicated money for them to do that. There wasn't proper coordination among jurisdictions. So I was part of a process, and it ended up being a three-year process to try and solve some of those problems. And they were borne out of real experiences. Baltimore City suffered a ransomware attack in 2019. The Baltimore County school district suffered a ransomware attack during a period of virtual learning towards the end of 2020, early 2021. We've had smaller jurisdictions, like the town of Leonardtown that suffered a ransomware attack. And then there's the separate issue, which is the attacks on critical infrastructure. So critical infrastructure is defined in federal law, but to boil it down very simply, it's public utilities that we rely on to keep us moving, to keep us living. So water utilities, electric utilities, gas utilities. These all qualify as critical infrastructure for the purpose of cybersecurity. And here in Maryland, those companies are regulated by a company called the Public Services -- or the Public Service Commission.

Dave Bittner: Okay.

Ben Yelin: So we were tasked at the Center for Health and Homeland Security to do some background research on all of these problems, and to try and recommend some governance solutions. And we made a series of recommendations in two reports. One of those reports related to state and local cybersecurity. So some of the issues we were seeing at state agencies had to better coordinate among agencies how to have more of a centralized model of cybersecurity, run out of the office of our state CISO, some of those governance problems. That was addressed in a report drafted by a subcommittee, an ad hoc subcommittee of the Maryland Security Council.

Dave Bittner: Okay.

Ben Yelin: And that report inspired three separate laws that were enacted in 2022 that dealt with some of those governance issues. There was a separate issue, this Public Service Commission/critical infrastructure issue, that was the subject of a separate report. I want to give a major shout-out to an NSA fellow who was working with the office of the Attorney General. Her name was Laura Corcoran. And she put in a summer of effort -- she was a great researcher -- in delving into this problem of cybersecurity vulnerabilities among Public Service Commission-regulated entities.

Dave Bittner: Okay.

Ben Yelin: So power companies in Maryland, our water utilities, and we've seen how those vulnerabilities can have kinetic effects. It wasn't a public utility, but the attack on the Colonial Pipeline created a major supply shock in terms of the availability of gasoline in this state.

Dave Bittner: Right.

Ben Yelin: And even though that was not a public entity, it certainly had detrimental downstream effects. Then there was this incident -- really scary incident, maybe somewhere like six to nine months ago where the U.S. Attorney's office in Baltimore was able to thwart an attack on the Baltimore City and Baltimore County electrical system by an alleged white nationalist who had gotten relatively advanced in planning this attack. And they were going to exploit some of these cybersecurity vulnerabilities with that public utility, to perpetuate an act of terrorism. So to cut off our power. And this is really what keeps me up at night, some of these potential attacks on our critical infrastructure, the things that we rely on to survive. People can do without electricity for, you know, a couple of days if necessary. Anything longer than that, it becomes a huge issue.

Dave Bittner: Right.

Ben Yelin: People need to go to dialysis centers. The hospitals have generators, but those are only operable for a certain amount of time.

Dave Bittner: Right.

Ben Yelin: Any damage to the water supply, you do the math. It's going to be very difficult. So in 2022, a version of this bill that ended up becoming law to institute cybersecurity regulations on both the Public Service Commission and regulated public utilities failed in the legislature. One of the reasons it failed was widespread opposition from the utility companies themselves, and really lukewarm support if not secret opposition from the Public Service Commission itself. Basically they thought that this bill would be overly onerous, it'd be duplicative of measures that are already in existence. They have to comply with federal cybersecurity standards. So they thought that this bill would be duplicative. As oftentimes occurs in the Maryland General Assembly, once there's that level of institutional opposition, sometimes it's the proper political move to just withdraw the bill and take another stab at it next year.

Dave Bittner: I see.

Ben Yelin: Because the state legislature here in Maryland only meets for 90 days. If you can't get it through that 90-day session, you always have another bite at the apple in the next legislative year. So that's exactly what happened here. Senator Katie Fry Hester and her counterpart in the House of Delegates, a gentlelady by the name of Lily Qi, introduced a bill that was largely modeled off the report from that NSA fellow, Laura Corcoran.

Dave Bittner: Yes?

Ben Yelin: But was melded to try and soften some of the opposition from the Public Service Commission and from regulated utilities. So the bill contains a number of provisions. It requires that one or more employees that are experts in cybersecurity are on the staff of the Public Service Commission, which is a really profound, important provision to get some of that institutional expertise in that very powerful Public Service Commission that regulates these utilities. The Public Service Commission now has to consider the protection of a public service company's infrastructure against cyberattacks in the process of promulgating regulations. So now by statute, as a result of this law, cybersecurity has to be a consideration in every single rule, every single regulation that comes out of that commission. So those were the regulations imposed on the commission itself. Each public service company, and they excepted common carriers and telephone companies -- I'm going to get to that in a moment -- has to take certain specified actions related to cybersecurity. By a deadline set out in the bill, that's July 1st, 2024. And then every two years thereafter. So they have to contract with a third party to undergo a cybersecurity assessment, and have to submit certifications of compliance to -- with those cybersecurity standards to the Public Service Commission.

Dave Bittner: Okay.

Ben Yelin: And the Public Service Commission has to submit a report every two years with information about these public service companies and their cybersecurity posture to the state chief information security officer or his or her designee. So this imposes some significant requirements on both the Public Service Commission and those regulated utilities. And during the consideration of this legislation, some of that opposition that we saw last year from the utility companies came back and reared its ugly head. So if you looked at the opposition file for this bill, so basically, all the written testimony submitted in opposition, it was a who's who of Maryland utility companies. Baltimore Gas and Electric; PEPCO, which covers the DC area; they all wrote in opposition saying that this was duplicative. That this was going to be overly burdensome. And because of the cost involved here, those costs were going to be passed down to the consumer.

Dave Bittner: Right.

Ben Yelin: So during the consideration of this legislation, there was a discussion amongst us stakeholders, amongst us people who had been involved with this legislation and with this policy for a while, that perhaps it would be a good idea to scale the bill down a little bit. We don't want to throw out the baby with the bath water. If we couldn't regulate these public utilities and have them comply with cybersecurity requirements, at least we could include the provision requiring a cybersecurity expert to be hired at the Public Service Commission. That was kind of the minimum we wanted to accept, to have that dedicated cybersecurity staff. That's kind of what I was expecting to be the end outcome here. But Senator Hester and Delegate Qi were able to convince their colleagues to make this bill significantly stronger and include those biannual third-party cybersecurity assessments for those public utilities. And they pushed for it publicly and privately through the committee process, and the bill was able to make it across the finish line. And it was signed into law last week as we're recording this. And I was there for the signing, because it was the culmination of a lot of hard work, a lot of research on really the best public policy solution to the cybersecurity vulnerabilities of our critical infrastructure here in Maryland.

Dave Bittner: Wow.

Ben Yelin: So I get that that's a long story, but I think the passage of this legislation really does go back into some of these meetings that we had to try to address these vulnerabilities. And I'm proud that the product that emerged was something that's significantly stronger than what I expected several weeks ago. So I'm encouraged. I was glad to be there, standing behind the governor in that picture. And hopefully this is something that's going to protect the interest of Marylanders going forward.

Dave Bittner: To what degree does this have teeth? Like, who -- you know, if a utility misses their deadline or fails to report in a way that is expected of them, who comes at them, and what kind of tools do they have to do that?

Ben Yelin: Well, that's always the question. Is compliance, you know, without teeth is sometimes companies are going to decide it's not worth complying. Even if something is written down in statute, what are they going to do to us? Are they going to punish us? You know, the Public Service Commission itself has the power to regulate these entities, and you don't want to get on the bad side of the Public Service Commission, especially as they will now have experts dedicated to cybersecurity on staff. And they're required to submit a certification of the company's compliance with standards at least -- or to the level or greater than the standards adopted by the Public Service Commission for itself. And if they don't comply, if they don't submit that certification that they're complying with those standards, the Public Service Commission certainly has it within their power to institute some type of penalty. That's the beauty of the Public Service Commission. They are regulating -- they're a quasi-public entity that's regulating these companies, and so they have the power of enforcement. So they could certainly do something like institute civil penalties on these companies. You can also just kind of publicly shame them. You know, why was this one company the one that didn't submit to its biannual cybersecurity assessment? What are they trying to hide?

Dave Bittner: Right, right [laughs].

Ben Yelin: You know? Is it creating an unnecessary vulnerability for the state? And as a Public Service Commission, should that require us to take action against this company? And I think it's the strong hammer of the Public Service Commission itself that's going to be charged with making sure that these regulations have teeth.

Dave Bittner: How did the telcos get a pass?

Ben Yelin: That is a great question. In talking to the sponsors of the bill, I didn't get a good answer to that question.

Dave Bittner: [laughs] Okay. So we're talking politics, right [laughs]?

Ben Yelin: Yes.

Dave Bittner: I guess, I mean -- yes.

Ben Yelin: I mean, I think --

Dave Bittner: Interesting.

Ben Yelin: -- you -- whether it was lobbyists who got in the ear of a powerful committee chairman, sometimes that happens. I think this question is not -- this question is not firmly decided. I think there's going to be other chances to go out and try to apply some of these regulations for the utilities that were excluded from this bill. And I've already heard rumors that that's going to be addressed in future legislation.

Dave Bittner: Okay.

Ben Yelin: It might be that was just too big of an ask in a single legislative session. You wanted to start with other critical infrastructure companies beyond the telecoms, that I think present a little bit more urgency, because we're talking about electric, gas, water systems. You want to get something in place for those systems for which there would be really deleterious, kinetic effects.

Dave Bittner: Yes.

Ben Yelin: And then you'll worry about the common carriers and the telecom companies in the next legislative session. So I would say stay tuned. I don't think this is the final word on public utility cybersecurity requirements. You know, there are also still other gaps in state cybersecurity governance. We're looking at doing research on the cybersecurity posture of Maryland public schools and our 24 public school systems. So that's something that can be addressed in future legislation as well. But I can't give you a great answer as to why they were excluded from this bill, but I don't think that necessarily means that they're going to be excluded in the long run.

Dave Bittner: Was there any looking at what other states are doing as this was being crafted? Or is, you know, is Maryland blazing a trail or copying what some other states have already done? Where did it come from that point of view?

Ben Yelin: So this, to varying degrees, has been adopted in a number of other states, and that greatly informed the research we did on this product. I will brag that some of our externs from the Center for Health and Homeland Security were instrumental in collecting data from other states and how they have tried to institute cybersecurity requirements on both their equivalents of Public Service Commissions and their regulated utilities. So Maryland is not exactly blazing a new trail here. The fact that other states have instituted similar regulations, that was noted in the report from the NSA fellow, and that certainly informed the passage of this legislation. I think it made it more palatable. Any time that other states have done something, I think it makes legislators a little bit more receptive to doing it in our state.

Dave Bittner: To what degree was this a collaborative process? I mean, you mentioned that the folks that this is going to affect, they were against it, certainly against certain parts of it. But despite that, are they giving input that say, you know, hey we don't like this, but here's some ways maybe we could go along with this?

Ben Yelin: Yes, I mean some of their opposition was actually constructive and was reflected in the final amended version of the bill. So there were some letters from utility companies that were purely in opposition. Some others had constructive ideas for amendments that removed certain requirements, added others. So there certainly was that level of collaboration at the committee level. Some of those recommended changes were adopted in the final version of the bill. I still don't think the utility companies were happy. And I will note that none of them were at the bill signing.

Dave Bittner: Oh, interesting. Okay.

Ben Yelin: Yes. We weren't standing there with representatives from BGE and PEPCO. I don't think they were particularly thrilled about having these requirements foisted upon them.

Dave Bittner: But the lights stayed on, right?

Ben Yelin: The lights did stay on.

Dave Bittner: The lights didn't flicker? The -- [laughs].

Ben Yelin: There was no sabotage.

Dave Bittner: Right. Good, good [laughs].

Ben Yelin: And I think both the companies and the Public Service Commission, starting when this bill takes effect, which is July 1st, 2023, whatever they thought about the bill during the legislative process, are now tasked with complying with its requirements.

Dave Bittner: Yes.

Ben Yelin: And I think that process will be collaborative. What's good about having the regulations come from the Public Service Commission is that we're leveraging these pre-existing relationships. The Public Service Commission already regulates these utilities, so utilities are used to dealing with all different types of regulations and reporting procedures with the Public Service Commission, and this just adds cybersecurity regulations and reporting.

Dave Bittner: I see.

Ben Yelin: So it's not completely reinventing the wheel. It's not creating a new agency, or a new enforcement authority. It's leveraging the enforcement authority that we already have, and I think that might make it -- even if these companies are in opposition, it might make life a little bit easier for them.

Dave Bittner: Yes.

Ben Yelin: As they're trying to comply.

Dave Bittner: You'd also have to think these companies must have seen this coming. I mean, it's not like there's anything mysterious or surprising that cybersecurity is going to be on the minds of legislators.

Ben Yelin: Not at all. Especially when we've seen these high-profile attacks. We've heard these horror stories. It's happened in other states where there have been cyberattacks on water systems. Water gets contaminated. This wasn't a cyber incident, but we had a boil advisory in Baltimore City several months ago, which really created significant havoc. Where the water system was unsafe for a period of days. There were concerns about -- there have been concerns about attacks on our electrical grids going back years. So yes, this is a very live issue, and certainly the companies had to expect that policymakers were going to wrap their arms around this, especially when Maryland has been a leader in developing cybersecurity policy. A lot of -- we can leverage the fact that we have great academic institutions in this state with cybersecurity experts, and a lot of great private sector entities who are committed to this mission of improving our cybersecurity posture. And that makes Maryland uniquely situated. So yes, I think this is something that they certainly could have accepted, or could have expected.

Dave Bittner: You're waving your adopted flag, Ben [laughs].

Ben Yelin: I sure am, yes. Side note, Maryland does have the best state flag of any of the 50 state flags.

Dave Bittner: I agree.

Ben Yelin: I will stand up for that flag any day.

Dave Bittner: I agree, but I'm biased. I'm certainly a homer when it comes to that. Alright. Well, Ben, thank you so much for sharing that perspective. I think it's really interesting to have an inside view of how something like this makes its way through the legislature. So I'm really glad you're able to share that story.

Ben Yelin: Absolutely and happy to talk about it. And again, my apologies for those who were waiting to hear a different voice in the interview segment. We'll get that going for you next week.

Dave Bittner: That's right. That's right.

Alright. Well, that is our show. And we want to thank all of you for listening. We'd love to know what you think of this podcast. You can write us an email at cyberwire@n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like "Caveat" are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector as well as the critical security teams supporting the Fortune 500, and many of the world's preeminent intelligence and law enforcement agencies. N2K's strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at N2K.com. Our senior producer is Jennifer Eiben. The show is edited by Elliot Pelzman. Our executive editor is Peter Kilpe. I'm Dave Bittner.

Ben Yelin: And I'm Ben Yelin.

Dave Bittner: Thanks for listening.