Liesyl Franz: [00:00:09] We need to keep talking about the nexus between network security and international security.
Dave Bittner: [00:00:14] Hello, everyone, and welcome to another episode of "Caveat," the CyberWire's law and policy podcast. I'm Dave Bittner, and joining me is my co-host, Ben Yelin, from the University of Maryland Center for Health and Homeland Security. Hey, Ben.
Ben Yelin: [00:00:26] Hi, Dave.
Dave Bittner: [00:00:26] On this week's show, Ben has an update on NSA's phone surveillance program. I've got a story about cars snitching on their owners. And later in the show, my interview with Liesyl Franz - she's from the U.S. Department of State in the Office of the Coordinator for Cyber Issues. While this show covers legal topics and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney.
Dave Bittner: [00:00:59] We'll be right back after a word from our sponsors. And now some reflections from our sponsors at KnowBe4 - what's a policy? We've heard a few definitions. Some say it's an elaborate procedure designed to prevent a recurrence of a single nonrepeatable event. Others say it's a way that the suits play CYA. Still others say it's whatever happens to reside in those binders the consultants left behind them right before they presented their bill. How about a more positive approach? As KnowBe4 can tell you, better policy means better security. And getting the policies right is a big part of security. So is setting them up in ways that your people can actually follow them. We'll hear later in the show about how you might approach policy.
Dave Bittner: [00:01:42] And we are back. Ben, why don't you start things off for us this week?
Ben Yelin: [00:01:46] So we are back in the NSA surveillance world.
Dave Bittner: [00:01:49] (Laughter).
Ben Yelin: [00:01:49] This is an issue that kind of pops up every few months.
Dave Bittner: [00:01:52] It won't go away despite - seems like NSA kind of wants it to, right?
Ben Yelin: [00:01:57] They do. That's what makes this so interesting.
Dave Bittner: [00:02:00] (Laughter) Right, right.
Ben Yelin: [00:02:00] So to try and keep the background to a minimum, in 2013, Edward Snowden, as part of his disclosures, told the public about the NSA phone metadata program.
Dave Bittner: [00:02:10] Right.
Ben Yelin: [00:02:10] As part of that program, every 30 days or so, the major telecommunications companies would submit metadata from all of their domestic phone calls to the NSA as a matter of course. This was approved periodically by the Foreign Intelligence Surveillance Court. We had a big uproar about that. Congress changed the law in 2015. Now that data remains with the telecommunications companies, and Congress can only obtain those phone records with a court order from the FISA court.
Dave Bittner: [00:02:39] Right.
Ben Yelin: [00:02:40] Cut to five years later, and this program is up for reauthorization in Congress. Without any action, it is set to expire on March 15. And with that deadline looming, there have been bipartisan calls to discontinue the phone metadata program for a variety of reasons. The New York Times in this article talks about probably the main reason, which is that it did not yield any valuable foreign intelligence information. The headline to this article is that the phone program cost $100 million but produced only two unique leads. So that's hundreds of thousands, potentially millions of records that have been collected. Many of them, we now know, were collected inadvertently, were not supposed to be the subject of collection under the USA Freedom Act.
Dave Bittner: [00:03:22] Right.
Ben Yelin: [00:03:22] And there have only been two unique leads in almost five years, so that is not a very good record of success. So Congress, led by Senators Burr and Warner in the Senate - and that's a bipartisan coalition - and the House Judiciary Committee are considering competing proposals to do away with the phone metadata program entirely. And they have an unlikely ally in their effort, and that's the National Security Agency itself.
Dave Bittner: [00:03:47] Right.
Ben Yelin: [00:03:48] ...Which has told Congress, please shut us down.
Dave Bittner: [00:03:51] (Laughter) Right. We want to do this anymore.
Ben Yelin: [00:03:53] We do not want to do this anymore.
Dave Bittner: [00:03:54] Yeah (laughter).
Ben Yelin: [00:03:54] It's a headache for us.
Dave Bittner: [00:03:56] Right.
Ben Yelin: [00:03:56] Not only are people freaking out about the constitutionality; it's costly, and it doesn't yield useful information.
Dave Bittner: [00:04:02] Mmm hmm.
Ben Yelin: [00:04:04] To my eye, there are really only two individuals who seem to want this program to continue, who have attained positions of great power. One of them is Attorney General William Barr...
Dave Bittner: [00:04:15] Yeah.
Ben Yelin: [00:04:15] ...Who went to Congress last week, spoke with the Republican Conference in the Senate and requested reauthorization of this program. And the other is Senate Majority Leader Mitch McConnell, who is obviously incredibly powerful, and his vote in the Senate and his influence holds a lot of sway.
Dave Bittner: [00:04:31] Sure.
Ben Yelin: [00:04:31] President Trump - obviously, as the president of the United States, he'll have to sign a reauthorization bill one way or another - has offered conflicting views on this issue. So he had previously stood with his attorney general in supporting reauthorization of this program, but apparently, he suggested to Senator Rand Paul separately that he would not sign any renewal of this program unless, you know, there were further amendments to FISA in general. And I think that's largely due to his concern about spying on his own presidential campaign and the controversies related to the Carter Page warrant, which I know we've discussed on this podcast.
Ben Yelin: [00:05:09] But it's good, I think, that Congress now has all the information it needs to make an educated decision on this program. There is a group that set up a government agency authorized by Congress called the Privacy and Civil Liberties Oversight Board. They wrote the original report on Section 215 in 2014 kind of laying out what it did, whether it was legal, whether it was constitutional. And they're the ones who just came out with this report saying, you know, we spent a lot of money on this as a government; we collected a lot of records; we collected a lot of records inadvertently, not by any malfeasance, but just by not having proper ways to filter the data that was coming in.
Dave Bittner: [00:05:49] Mmm hmm.
Ben Yelin: [00:05:50] And it hasn't been an effective counterintelligence tool. And so it will now be up to Congress to determine whether to listen to the Privacy and Civil Liberties Oversight Board, to many bipartisan members and to the NSA itself as to whether the curtain should finally descend on phone metadata.
Dave Bittner: [00:06:07] Is there any indication from Barr and McConnell as to why they still want this to be reauthorized?
Ben Yelin: [00:06:12] From what Mitch McConnell said - and I think it was noted in this article. He just thinks - he spoke very generally about, we need all the tools we can to protect against terrorism. You know, one thing that's always difficult on these national security issues is a lot of the information is classified. Some parts of this report, the Privacy and Civil Liberties Oversight Board report, have been redacted because there might be classified information in them.
Ben Yelin: [00:06:36] So I'm always hesitant to say there's no way this program should continue based on the information we know because there's - there may be information we don't know. But it's not like, in my view, Senator McConnell and Attorney General Barr have offered a compelling rationale. And furthermore, if they were privy to classified information, then Senator Burr, a Republican from North Carolina who's the chair of the Senate Intelligence Committee, is, of course, privy to that same exact information.
Dave Bittner: [00:07:04] Right.
Ben Yelin: [00:07:04] And he has proposed a bill to discontinue bulk phone metadata collection. So, you know, I don't think there's anything that's secretly been told to the attorney general and to Senator McConnell that would justify reauthorization of this bill besides what I think they would say, which is that we need to have every tool in our toolbox; even if we're not using this phone metadata now, and the NSA is not currently operating this program as we speak, we may need to use it in the future.
Dave Bittner: [00:07:31] Yeah.
Ben Yelin: [00:07:31] And so I think that's what those two individuals would argue.
Dave Bittner: [00:07:36] It reminds me of some of those stories that we've heard where the Army goes to Congress and says, hey, we've got plenty of tanks; if there's one thing we do not need, it's more tanks. And Congress says, you know what? We're going to build some...
Ben Yelin: [00:07:47] You're getting more tanks, yeah.
Dave Bittner: [00:07:47] We're going to build some more tanks (laughter).
Ben Yelin: [00:07:51] See; what's different here - and I sort of had a problem with the way this article was framed.
Dave Bittner: [00:07:54] Yeah.
Ben Yelin: [00:07:54] ...Because it said, you know, we spent a hundred million dollars. I hate to be one of those actually people, but...
Dave Bittner: [00:08:00] Uh-huh (laughter).
Ben Yelin: [00:08:00] That's actually not a lot of money in the context of the federal budget and, really, in the context of our surveillance budget and our national security budget.
Dave Bittner: [00:08:08] Mmm hmm.
Ben Yelin: [00:08:09] To me, it's less about the money to be made here. I don't think anybody's making a buck off of this, whereas you could say...
Dave Bittner: [00:08:15] Right.
Ben Yelin: [00:08:15] New tank - you know, some defense contractor is getting rich.
Dave Bittner: [00:08:18] Yeah.
Ben Yelin: [00:08:18] Here, I think, it's really - there are legitimate concerns about having all of, you know, our intelligence tools in our toolbox.
Dave Bittner: [00:08:26] Yeah.
Ben Yelin: [00:08:26] But the negative aspects of the program are not necessarily money-related either. I think the reason that people find this program so objectionable is not because it's costly. It's because it potentially is a major invasion of privacy, encompasses many conversations between Americans that people are not expecting to be troved (ph) through by the National Security Agency.
Dave Bittner: [00:08:49] Right.
Ben Yelin: [00:08:50] And it inadvertently was used to collect information that the NSA was not authorized to collect.
Dave Bittner: [00:08:55] Right. But if the agency themselves are saying, we've had enough of this; let us spend our energy and our money on other things; please let this go - I mean, it - does it make sense that perhaps - oh, I don't know - we should trust the NSA to know their business - to a certain degree, anyway?
Ben Yelin: [00:09:13] One would think so. You can certainly think of other instances where the head of an agency in the government makes some sort of policy recommendation, but ultimately, the powers that be, whether it be the president or the attorney general, you know, decide that that decision isn't going to be followed. And just because the president and attorney general have a certain view doesn't mean it is, per se, wrong if it's...
Dave Bittner: [00:09:34] Yeah.
Ben Yelin: [00:09:34] ...Not held by the NSA. But I just think in this case, the NSA feels the way it does because the evidence is so overwhelming. It's been laid out by the NSA itself and now by the Privacy and Civil Liberties Oversight Board.
Dave Bittner: [00:09:48] Right. That oversight is important.
Ben Yelin: [00:09:50] Absolutely.
Dave Bittner: [00:09:51] Yeah.
Ben Yelin: [00:09:51] So you have these nonpartisan bodies that have come to the same conclusion, and now the decision really rests with members of Congress. And as I've said many times in this podcast, if your plan is to rely on members of Congress to do something, you're probably going to end up being disappointed.
Dave Bittner: [00:10:06] (Laughter).
Ben Yelin: [00:10:07] ...Which means, if I had to guess as to what happens on March 15, I bet that this program is temporarily reauthorized maybe for a period of a couple of months while they continue to try and work out these issues.
Dave Bittner: [00:10:18] Mmm hmm, kicking the can down the road (laughter).
Ben Yelin: [00:10:20] That's what we do. Yup.
Dave Bittner: [00:10:23] All right. Well, my story this week comes from The Washington Post, written by Geoffrey Fowler. He's their technology columnist. And it's titled "My Car Was In a Hit-And-Run. Then I Learned It Recorded the Whole Thing." And what Geoffrey Fowler is getting at here is that more and more cars these days come with all sorts of cameras and recorders built in. And he happens to drive a Tesla Model 3, which is a very nice car but certainly nothing too exotic. You see them around fairly regularly.
Ben Yelin: [00:10:51] You were just in the Bay Area, so you probably saw them on every block, but yes.
Dave Bittner: [00:10:54] (Laughter) That's true. Actually, you know, it's funny; that's the first place I ever saw a Tesla Model 3, was in the Bay Area. And I thought, oh, here we are, San Francisco. Yeah.
Ben Yelin: [00:11:02] Yeah. I mean, if you take 280 between San Francisco and San Jose, every other car will be a Tesla.
Dave Bittner: [00:11:07] Yeah. You know, it's funny. A listener of the CyberWire who happens to work over at Fort Meade once made the point that there are more Teslas than Humvees in the parking lot at Fort Meade, which...
Ben Yelin: [00:11:17] Interesting.
Dave Bittner: [00:11:18] Yeah, which is funny.
Ben Yelin: [00:11:18] Yeah.
Dave Bittner: [00:11:20] Yeah, funny. No (laughter). OK. Anyway, back to our story - so Geoffrey Fowler found himself in the situation where his car was parked somewhere, and it got hit - turns out it got hit by a city bus. But the car was automatically recording video, 360-degree video. And so he had a record of what happened to the car. He came back to his car, found his car had been damaged, pulled out the memory card from his car, put it in his computer, and he had video of this city bus hitting his car. So in his case, turned out good for him because he was able to go to the city and say, hey, you know, you need to pay to repair my car; your bus hit my car - actually had video of the driver of the bus so they could identify who was driving and all that sort of stuff.
Dave Bittner: [00:12:04] But he makes the larger case that with these cars doing so much recording of not only video, but also the data about what the car is doing - the cars have GPS built in now - right now. They have - they'll measure how fast the car was going. They'll measure how hard you're hitting the brakes. The - all of this information that is gathered by the car automatically - well, all that information, it can be used to your benefit, but there's a potential it could be used against you.
Ben Yelin: [00:12:30] I'd hate to have my car know that much information about me. And I'm sorry that the writer or this author got in a car crash, but the article that came out of it was pretty illuminating. And he talks about the potential dystopia of mass surveillance emanating from our vehicles. So it's not just external surveillance, which, you know, was obviously useful in these circumstances but also has more detrimental impacts. For example, the exterior cameras activate automatically when somebody comes within a certain distance of a car.
Dave Bittner: [00:12:59] Right.
Ben Yelin: [00:12:59] So in a dense, you know, urban area, that might be a lot of different people who are unknowingly subjecting themselves to video surveillance. So that's just one issue - and not to mention, you know, the meticulous log that these cars take of a driver's every action. Let's say, as he says in this article, the insurance company gives somebody an incentive to opt into this program, which for Tesla is called Sentry, and the person complies. They're potentially letting the insurance companies see how safe a driver you are, when you were going 70 in, you know, a 35-mile-an-hour school zone, when you were doing what's called a California roll, where you don't actually stop at the stop sign.
Dave Bittner: [00:13:37] (Laughter).
Ben Yelin: [00:13:37] You slowly slow down and then continue through the intersection. And I think that's particularly compelling. Where I always think about this in a legal perspective is that our legal system is not built currently to handle the type of surveillance technology that exists because, you know, as it applies to individuals on the street, that's sort of covered by the plain view doctrine. If you're putting yourself out there in public, anything captured on a camera, the government does not need a warrant to obtain it.
Ben Yelin: [00:14:06] And I think that any driver data would almost certainly be covered by the third-party doctrine. You are voluntarily letting your Tesla collect information on you. As soon as you press that button that turns on the car, you know or should know that they're compiling a pretty extensive record of all of your driving maneuvers. And so you sort of assume the risk of engaging in that behavior.
Dave Bittner: [00:14:30] As far as I know, with a lot of this stuff, there's no way to opt out of that - you know, when the brakes are pressed, when the - all of that functional operational data that the car is always collecting. I don't believe there's a menu - I know in my car, I've looked for it. There's no menu item that says, please don't gather this. It's part of the operation of the car. And the manufacturers will say for maintenance and safety mode, which could be a legitimate...
Ben Yelin: [00:14:56] And absolutely.
Dave Bittner: [00:14:56] ...Article - or argument.
Ben Yelin: [00:14:58] Yeah. In terms of the Tesla, I think there are some provisions for opting out. But as a general point, absolutely, there are going to be certain things you cannot opt out of.
Dave Bittner: [00:15:05] Right.
Ben Yelin: [00:15:05] And yes. I completely understand the safety rationale there, but I just think we have to sort of take a step back, stop and think about whether the benefits outweigh the massive invasion of privacy that comes with, you know, the type of surveillance that now goes on in our vehicles. Maybe if we look at it objectively - and I think that's what the author of this article does - maybe the benefits do outweigh the costs. Being able to see the bus that sideswiped you on the street, using that to get some sort of settlement or cash from your insurance company and having to put up with your spouse being able to see what you're doing, you know, inside that driving console - maybe that's a trade-off you're willing to make.
Dave Bittner: [00:15:47] Well, let me ask you this. So let's say I'm out and about driving my car, and I get in an accident. And the insurance company or the police or anyone who has an interest in knowing what happened here, if they come to me and they say, we want all the data from your car, what is within my rights to say yes or no to that request?
Ben Yelin: [00:16:08] You can say no to that request. They could potentially subpoena those records from Tesla or whatever car you happen to drive.
Dave Bittner: [00:16:15] OK.
Ben Yelin: [00:16:15] So if those records are retained with that auto company - which, presumably, they are because they probably collect them - records for their own purposes.
Dave Bittner: [00:16:24] So they would have to get a warrant.
Ben Yelin: [00:16:26] No. They would not have to get a warrant because you don't have a Fourth Amendment right or the state equivalent in information that you are voluntarily conveying to the car, you know, when you turn it on. So that's information about your own driving habits, and that's, you know, the video cameras that are spying on you while you're driving.
Dave Bittner: [00:16:45] The argument here would be is, if I didn't want that data collected, I should drive a, you know, '67 Chevelle or something, right? (Laughter).
Ben Yelin: [00:16:52] Yeah. I mean, as this author made clear in his piece, we're getting to the point where the government is now requiring new cars that are manufactured to have certain safety features that might invade people's privacy.
Dave Bittner: [00:17:05] Right.
Ben Yelin: [00:17:05] Every new car after 2018 has to have some version of a backup camera, and, you know, that could be used for surveillance purposes. It certainly has been, probably for a variety of legitimate crime-fighting investigations. But, yeah. I mean, if you are asked, you can say that you do not want to turn it over. The government can get a subpoena if this is a law enforcement matter without having probable cause that a crime has been committed.
Dave Bittner: [00:17:31] Interesting. So I would have suspected that they would need a warrant, but not so.
Ben Yelin: [00:17:35] My read is that they would not just because, again, this is something that you're doing voluntarily. You know, there's been a lot of conflicting case law about constitutional rights within one's car. You know, there is a general exception to the warrant requirement that the cops can search your vehicle if you've otherwise been pulled over even though that is a constitutionally protected space. But my read of this is all of the information you are giving to Tesla is equivalent to the information you give your phone company when you make a phone call.
Dave Bittner: [00:18:03] I see.
Ben Yelin: [00:18:04] If you know that this record is being collected as a result of you using the vehicle, then you don't have an expectation of privacy in those records. And as a result, you do not have constitutional protection in those records. That's just sort of the nature of that third-party doctrine, which, again, was created at a time when we didn't have Elon Musk putting cameras in every last corner of our Teslas.
Dave Bittner: [00:18:27] Right.
Ben Yelin: [00:18:27] It was created at a time when, you know, these types of tools just did not exist.
Dave Bittner: [00:18:31] Yeah.
Ben Yelin: [00:18:31] So until the laws catch up with modern technology, I think we're just going to keep running into these problems. The only thing you can say is, at the very least, there are tangible benefits to these forms of technology, as I think the author made clear in this piece. So it's not like we're not getting anything out of this pervasive surveillance, but it's just a trade-off that we have to consider. And it's useful to have all of the information at our disposal, and I'm glad that Geoffrey Fowler put that in this article.
Dave Bittner: [00:18:58] Yeah. All right. Well, coming up next - my interview with Liesyl Franz. She is from the U.S. Department of State and the Office of the Coordinator for Cyber Issues.
Dave Bittner: [00:19:08] But first, a word from our sponsors - and now we return to our sponsor's point about policy. KnowBe4 will tell you that where there are humans cooperating to get work done, there you need a common set of ground rules to ensure that the mission is accomplished but in the right way. That's the role of policy. KnowBe4's deep understanding of the human dimension of security can help you develop the right policies and help you train your people to follow them. But there's always a question of showing that your policies are not only sound but that they're also distributed, posted and implemented. That's where the policy management module of their KCM platform comes in. It will enable your organization to automate its policy management workflows in a way that's clear, consistent and effective. Not only that - KCM does the job at half the cost in half the time. It's your policy, after all. Implement it in a user-friendly, frictionless way. Go to kb4.com/kcm and check out their innovative GRC platform. That's kb4.com/kcm. And we thank KnowBe4 for sponsoring our show.
Dave Bittner: [00:20:22] And we are back. Ben, when I was at the RSA Conference in San Francisco recently, I had the pleasure of speaking with Liesyl Franz. She is from the U.S. Department of State. She works in the Office of the Coordinator for Cyber Issues.
Liesyl Franz: [00:20:35] Well, it's important to make the point that we are the Office of the Coordinator for Cyber Issues, which means we deal with cyber policy as a foreign policy imperative.
Dave Bittner: [00:20:45] OK.
Liesyl Franz: [00:20:46] We are not - there is a whole separate part of the department that works on the security of the department, its networks, its computers, personnel, that kind of thing. So it's important to make that distinction.
Dave Bittner: [00:20:58] Sure.
Liesyl Franz: [00:20:59] Our office was created about nine years ago - almost to the day, actually - to do just that, to make - reflect the international nature of cyberspace, the need for dealing with cyber policy as a foreign policy issue, be able to build relationships and coalitions with other countries to deal with, you know, the global issues and the global problems that we've seen.
Dave Bittner: [00:21:22] So what is the day-to-day like? What sorts of things - the interactions that your - you and your team are taking part in?
Liesyl Franz: [00:21:29] Well, we cover sort of what the - cyber policy can cover a lot. One is - that we focus on is international security. That's sort of the bread and butter for the State Department to deal in multilateral venues. And we also work within the interagency - with other departments and agencies on bolstering what we call cyber due diligence, which is more along the lines of cybersecurity as we see it here at RSA. We work with others on the messaging and promoting efforts to combat cybercrime. We talk about sort of global governance of the internet. We talk about internet freedom - those kinds of issues that sort of run the gamut.
Liesyl Franz: [00:22:08] And we work a lot within the department, with the other offices that deal parochially with those issues and the interagency. And we take that abroad. So what does that mean? We work sort of in what I would call three concentric circles of venues. One is our bilateral relationships with country to country or our work in regional organizations or regional - subregions in - around the world. But that would include things like the security - regional security organizations like the Organization for Security and Co-operation in Europe or the Organization of American States or the ASEAN Regional Forum, things like that - and then take it even further out into the big multilateral organizations like the United Nations.
Dave Bittner: [00:22:55] So on the global stage, where does the United States sit in terms of leadership when it comes to cyber policy issues?
Liesyl Franz: [00:23:06] Well, probably no surprise to hear me, sitting at the department of - yes...
Dave Bittner: [00:23:10] Your unbiased opinion, yes, yes (laughter).
Liesyl Franz: [00:23:10] ...Say that we have been a driving force and a policy lead on this issue for decades, really. Let's just focus on the international security aspect of this. This sort of came into the purview of the United Nations in 1998, and we have led a process - well, a process of processes (laughter)...
Dave Bittner: [00:23:31] Right. Right.
Liesyl Franz: [00:23:31] ...In something called a group of governmental experts, which is a smaller body of U.N. members, to deal with, what is responsible state behavior in cyberspace? And through a series of these groups - we've just started the sixth group over the course of the years - we've managed to develop what we call a framework for responsible state behavior. And it's articulated in the consensus reports that have come out, particularly in 2013 and 2015, and affirmed - they will be guided by these principles. And, you know, it has three key components. One is that international law applies to cyberspace - existing international law. So first of all, we have a legal framework, and we don't need to create a new legal instrument because we already have - we have that framework.
Dave Bittner: [00:24:24] I see.
Liesyl Franz: [00:24:25] The second is this - the articulation of voluntary, nonbinding norms of responsible state behavior, and there's 11 of them articulated in one of the reports. But things like CSIRTs, or computer security incident response teams, should be used for good, not for bad. A state should not attack the critical infrastructure of another state - things like that...
Dave Bittner: [00:24:51] Sure, yeah.
Liesyl Franz: [00:24:51] ...That sort of lay out a framework of what is deemed acceptable and responsible behavior.
Dave Bittner: [00:25:00] Yeah.
Liesyl Franz: [00:25:00] And the third is a little bit more practical. It's developing and implementing confidence-building measures in cyberspace - so utilizing, you know, old diplomatic tools of the trade...
Dave Bittner: [00:25:11] Right.
Liesyl Franz: [00:25:12] ...And applying it to the cyber issues that we face. Like, what are the kinds of things that countries can engage in that build trust, reduce the risk of conflict, reduce the risk of escalation if something were to happen - things like sharing information about points of contact or sharing information about your national doctrine, sharing what your organization - your institutional fabric is in the country to deal with cyber issues.
Dave Bittner: [00:25:40] You're taking part in several panel discussions here at RSA this year.
Liesyl Franz: [00:25:45] Yeah.
Dave Bittner: [00:25:46] Can you give us an overview? What are the kinds of things that people can expect to hear?
Liesyl Franz: [00:25:49] Sure. Well, I just finished the first one, actually. I spoke on the year of the nation-state, which was dealing with how states behave and what is the cyber domain. And...
Dave Bittner: [00:26:00] Right.
Liesyl Franz: [00:26:01] ...That gave us all an opportunity to talk about deterrence and deterring malicious actors, whether that's working or not, what else we need to do. And one thing I was able to highlight and there was quite a bit of conversation about was the drumbeat of public attributions that we as the U.S. government have done to call out states for their malicious cyber behavior.
Dave Bittner: [00:26:26] Yes.
Liesyl Franz: [00:26:27] And the most recent was, last week, we made a statement to publicly attribute attacks on Georgia to Russia, to the GRU.
Dave Bittner: [00:26:37] Right. Right. My sense is that many nations have been reticent to draw sharp lines in the sand when it comes to behavior in cyberspace. It's - first of all, do you think that perception is accurate, and do you have any insights on that?
Liesyl Franz: [00:26:59] I think it's accurate to say that it's hard to draw...
Dave Bittner: [00:27:05] Yeah.
Liesyl Franz: [00:27:05] ...Bright lines a lot of the time, and so maybe that's what the reticence is. You know, as, you know, I mentioned, we've been working on these things for decades. But it's really only a couple - three decades, right? It's not 50 years or a hundred years.
Dave Bittner: [00:27:16] Right.
Liesyl Franz: [00:27:16] And so things are fairly new, and it's kind of hard even to draw a bright line around things like definitions. So one person's application is another person's "cyberweapon," quote-unquote.
Dave Bittner: [00:27:30] Sure.
Liesyl Franz: [00:27:30] I don't like to use that term.
Dave Bittner: [00:27:31] Yeah.
Liesyl Franz: [00:27:32] But that's what I mean. We can't even sort of draw clear lines around that. Or what is one person's security is another person's content control. So how to even draw a line is sometimes hard. So maybe that's what you're sensing.
Dave Bittner: [00:27:46] The sense that I've had is that it's - for - it could be that nation-states are reticent to draw lines in the sand because their own intelligence organizations may be taking advantage of some of that ambiguity themselves, so it's in their best interest to not be too specific about certain things because if we let this ambiguity stay out there for a certain amount of time, that may be in our own interest.
Liesyl Franz: [00:28:13] I think there's a point to that...
Dave Bittner: [00:28:14] Yeah.
Liesyl Franz: [00:28:15] ...Which is why we, as diplomats...
Dave Bittner: [00:28:17] Yeah.
Liesyl Franz: [00:28:17] ...Spend a lot of time negotiating text and the kinds of things that we - like, the outlines of this framework for responsible state behavior that I mentioned is a way to put what I think are clear expectations of state behavior but allow for the innovation and communication and, you know, technologies, which, frankly, are not only held by states, right?
Dave Bittner: [00:28:42] Yeah.
Liesyl Franz: [00:28:42] ...To develop, to move. And you know, if there's some ambiguity for countries, maybe that's reflected in some of that. But the bottom line is to be able to articulate what is acceptable and what isn't.
Dave Bittner: [00:28:58] Yeah. Is there a tension between the - as you describe, the pace at which diplomacy moves, which is very deliberate...
Liesyl Franz: [00:29:08] Oh, (laughter) yes.
Dave Bittner: [00:29:08] ...By its nature, and it has to be. But when it comes to cyber, it seem - you know, the pace is just accelerating year after year. And it seems to me like that makes the work that you all do even more challenging because of the different nature of the pace at which those things run.
Liesyl Franz: [00:29:27] Yes. It affects sort of the ability to put fine points on things...
Dave Bittner: [00:29:32] Yeah.
Liesyl Franz: [00:29:33] ...Or to draw bright lines, like you say. And it also means that, you know, I think we in the U.S. have a very flexible framework for dealing with the internet or cyberspace. And so trying to put a big blanket set of regulations, whether national or international, on this space is - would - well, by the time you would negotiate something like that, it would be obsolete. So trying to make diplomacy work with that space is sort of constant deliberation (laughter).
Dave Bittner: [00:30:07] But I suppose everyone...
Liesyl Franz: [00:30:08] But how to reflect that?
Dave Bittner: [00:30:09] I suppose everyone around the world is dealing with the same situation.
Liesyl Franz: [00:30:12] Yeah, yeah. Exactly.
Dave Bittner: [00:30:13] So it's not like you're in that boat by yourself.
Liesyl Franz: [00:30:15] No, that's true. And that's why we - you know, as I said, we talk bilaterally with countries; we talk regionally and subregionally, and organizations that have their own processes and then also in the U.N. - and in each case, we do try to preserve the ability for the space to grow...
Dave Bittner: [00:30:31] Right.
Liesyl Franz: [00:30:32] ...And to have greater understanding by more and more countries, not just, you know, either the great powers or those that are particularly cyber-savvy - to have greater understanding by more and more countries so that there's not a knee-jerk reaction to things because it's not as though nothing happens, right? So how do you deal with those in that kind of flexible framework is something we're constantly discussing and working with with our partners.
Dave Bittner: [00:31:03] What would you like people to know - I'm thinking specifically folks who are cybersecurity professionals - about the work that your department does, the Department of State? Are there any things you feel aren't getting the attention they deserve?
Liesyl Franz: [00:31:19] It's notable to me - this is anecdotally - that, you know, I've been coming to the RSA Conference since 2006, and I've been in and out in government, so I've represented both industry and government here but always in the policy space. And it used to be that the policy track at the RSA Conference were - have a few smattering of people in the room. The panel I just came from, we were full.
Dave Bittner: [00:31:40] Oh, interesting.
Liesyl Franz: [00:31:41] And so I think that the - that there is a greater understanding of what exactly governments do in this space and how we work together and that there is an - I think, probably, some people might have been surprised that our office is only nine years old. That doesn't mean cyber diplomacy wasn't happening before that, but that was when it was sort of coalesced into more regularized processes.
Dave Bittner: [00:32:03] Yeah.
Liesyl Franz: [00:32:03] Yeah.
Dave Bittner: [00:32:03] Yeah, a recognition of the...
Liesyl Franz: [00:32:05] Yeah.
Dave Bittner: [00:32:05] ...Of its status and...
Liesyl Franz: [00:32:07] Yeah.
Dave Bittner: [00:32:07] ...And necessity, I suppose.
Liesyl Franz: [00:32:08] And since, in the last nine years, other countries have developed roles or offices similar to ours in their foreign ministries. Many manner of countries have done that - Russia, China, Estonia, Germany - you know, you name it - Netherlands.
Dave Bittner: [00:32:24] Right.
Liesyl Franz: [00:32:24] And some of them are here. What I would like people to come away with maybe is the idea that we need to keep talking about the nexus between network security and international security...
Dave Bittner: [00:32:34] Yeah.
Liesyl Franz: [00:32:34] ...That there is a nexus there and we're working it.
Dave Bittner: [00:32:37] All right - interesting conversation, huh, Ben?
Ben Yelin: [00:32:39] Absolutely. You know, I don't think I've really learned as much about diplomacy in the cyber realm as I've sort of learned about other issues in the cyber realm, so it's just really interesting to hear that perspective. You know, one thing that jumps out at me, as in all the areas we talk about - the technology always moves quicker than the policymakers are able to adapt.
Dave Bittner: [00:33:01] Right.
Ben Yelin: [00:33:01] So there's so much that has to go into these multilateral diplomatic agreements that has to be very general because the technology is going to change by the time, you know, you can come up with a complex agreement. I think we saw that a little bit with the U.S.-Mexico-Canada trade agreement, which was negotiated over a period of two years, and there were certainly some technological-related elements to that. And it just - you have to kind of tinker around the edges until you really account for something that would encompass all types of technology.
Dave Bittner: [00:33:30] Yeah. I thought it was a really interesting perspective, that mismatch between - mismatch isn't the right word for it - that, like - I think I used the word tension between the velocity of diplomacy versus cyber itself...
Ben Yelin: [00:33:42] Right.
Dave Bittner: [00:33:42] ...And that everyone is dealing with it all over the globe.
Ben Yelin: [00:33:46] Yeah. Yeah. And we are not the only ones.
Dave Bittner: [00:33:49] No.
Ben Yelin: [00:33:49] It still might take that one defining cyber incident where - I think we talked about this in our segment about cyber warfare - where it affects critical infrastructure or people actually get injured to really galvanize this as an area of diplomacy akin to, you know, issues of war and peace. But it's good to see that there are folks in the State Department who recognize the importance of this issue and are working with our global allies to come up with comprehensive solutions.
Dave Bittner: [00:34:17] Yeah, absolutely. Well, our thanks to Liesyl Franz for joining us. And that is our show. We want to thank all of you for listening.
Dave Bittner: [00:34:25] And we want to thank this week's sponsor, KnowBe4. If you go to kb4.com/kcm, you can check out their innovative GRC platform. That's kb4.com/kcm. Request a demo, and see how you can get audits done at half the cost in half the time.
Dave Bittner: [00:34:42] Our thanks to the University of Maryland Center for Health and Homeland Security for their participation. You can learn more at mdchhs.com.
Dave Bittner: [00:34:49] The "Caveat" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producers are Kelsea Bond and Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner.
Ben Yelin: [00:35:03] And I'm Ben Yelin.
Dave Bittner: [00:35:04] Thanks for listening.