The battle for trade secrets and national security.
Dave Hickton: To some people, it was extraordinarily bold and unbelievable because it just wasn't really on their radar screen as a threat. And the idea that we would indict the People's Liberation Army in Pittsburgh just seems farfetched. But there were a lot of people who were, you know, in some of the bigger districts that were dealing with national security concerns that were not only aware of it, but they coveted the case.
Dave Bittner: Hello everyone, and welcome to Caveat N2K CyberWire's Privacy Surveillance Law and Policy Podcast. I'm Dave Bittner, and joining me is my co-host Ben Yelin from the University of Maryland Center for Health and Homeland Security. Hey there, Ben.
Ben Yelin: Hello, Dave.
Dave Bittner: On today's show, Ben covers TikTok's new lawsuit against the federal government. I've got the story of some senators taking issue with facial recognition at airports, and later in the show my conversation with David Hickton. He is founding director at the Institute for Cyber Law, Policy and Security at the University of Pittsburgh. He's also a former US attorney. We're discussing the 10th anniversary of the first indictment of Chinese PLA actors. While this show covers legal topics and Ben is a lawyer, the views expressed do not constitute legal advice or official legal advice on any of the topics we cover. Please contact your attorney. [ Music ] All right, Ben, we got some good stuff to cover this week. You want to kick things off for us here?
Ben Yelin: Sure. So President Biden signed a foreign policy bill into law a couple of weeks ago. The headline items were funding for Israel, funding for Ukraine and its battle against Russia, some funding for Taiwan and its effort to step up its defenses against China. And then there was this provision that essentially bans TikTok in the United States. This originally was a bipartisan idea from members of both the House Democratic and House Republican, caucus and conference respectively. They couldn't get this bill passed as a standalone measure, so glom it onto the must-pass thing. And both the House and Senate voted for it and sent it along to President Biden. The way the law is structured is that it compels TikTok and its parent company ByteDance to divest from its Chinese ownership within pretty much a year. It goes up to incidentally, January 19th, 2025, the day before the next presidential inauguration. And then the president can extend that deadline by 90 days with some written explanation. But if they do not divest from Chinese ownership within that time, then TikTok is banned in the United States. It cannot be sold or downloaded from app stores. It's out. Predictably, TikTok has sued the federal government seeking an enjoinment of this law and an injunction against the Justice Department from enforcing the law. I read through their complaint, and frankly, it's pretty compelling. I do not want to come off as pro-TikTok here. I don- I'm not a huge participant in TikTok. I won't say if I've ever used it, but it's not, you know, it's not one of my go-to social media sites. And I think it actually does do a lot of harm. But basically there are a few good legal arguments that TikTok has. The biggest one is that this is a major violation of First Amendment rights of both TikTok itself and of its subscribers. So, for TikTok itself, it's saying that it has its own free speech interests here. It expresses a viewpoint as a company. It promotes certain TikTok posts on things like Earth Day and, you know, diversity and various viewpoints that might seem innocuous, but they are viewpoints. So we would be stripping them- this would be Congress stripping TikTok as a company from expressing its viewpoints from a First Amendment perspective. And then there's the hundreds of millions of TikTok users in the United States. It is a very popular application, especially among young people. And this really would disenfranchise, I guess not disenfranchise, but would stop people from being able to communicate via this very popular application. And there's really no question that that is a suppression of speech. You can ban speech in this country only under very specified limited circumstances. When we're talking about a content or viewpoint-based restriction on speech, which I think this is, since it's restricting the content on just one service, one application, then the government has to have a damn good reason of enacting this law.
Dave Bittner: Right.
Ben Yelin: And the means have to be closely tailored to achieving that purpose. TikTok argues, I think, persuasively that well, concerns about foreign adversaries like China could potentially be compelling. It's not clear that this law would actually alleviate those concerns. Specifically because it only targets this one company as it applies to all other companies. There is kind of a legal process where if the federal government thinks that too much of the company is hold by- held by our foreign adversaries there would be this sort of this period of review. And then they might have the authority to prohibit that application in the United States as well. But that doesn't apply to TikTok. TikTok is a noted exception in the bill. They are de facto banned if they are not divested in throughout the next nine months or so. And then separate from that First Amendment argument, which I think is quite compelling, is this argument about this being a bill of attainder. So the Constitution prohibits bills of attainder, which target an individual or a group which could be a company. Basically, the legal test for a bill of attainder is there has to be some specified punishment for the individual company that's not a punishment levied against an entire industry or a much broader population. And the fact that TikTok and ByteDance are both named in this legislation, I think leads me to believe that this could run into major bill of attainder problems. The issue for both the First Amendment arguments and the bill of attainder arguments from the government's perspective is that Congress didn't really do its homework. In order to protect yourself from these lawsuits, you have to include a bunch of legislative findings. The findings help persuade the court that the purpose that you've elucidated for the law is actually backed up by something. It's backed up by the facts. Some facts that are beyond dispute. And Congress didn't really do that. Everything in the statute itself is very conditional. It's like, you know, the Chinese government could have a malign influence on young people. The Chinese government could be using our devices to spy on us. There's nothing in the form of the type of affirmative proof that would make this compelling regulation on First Amendment-protected interests. I think Congress was a little hasty about this because they included it in this broader supplemental foreign funding bill. They didn't go through the kind of rigorous legislative process where they would've written down all of their legislative findings. And really, the members who spoke in favor of this bill didn't do the piece of legislation any favors in court. Because TikTok cited a bunch of legislators giving conflicting rationales for why this bill should be signed into law, including one by a democratic lawmaker who said, well, this is going to protect against misinformation and disinformation. Sounds great, but from a legal perspective, that means that this is a content-based restriction. And that makes it much more difficult for a court to uphold this ban, this potential regulation. So, another last interesting element to this before I finally shut up. I know I've been talking for a long time, it was written into the law that the DC Circuit Court of Appeals has original jurisdiction over this case. Normally, a case like this would have to go to the Federal District Court in Washington DC but I think in anticipation of this litigation, Congress wrote in the law that the circuit- the DC Circuit Court of Appeals has originals jurisdiction to be the finder of law, finder of facts as this case progresses. And therefore, it would only be appealable to the United States Supreme Court. So it's DC Circuit or bust. I suspect we'll get a panel of judges on the DC Circuit. There might end up being a preliminary injunction against this law coming in- into place. Although it's possible that we don't see that immediately, because the actual ban on TikTok would not be instituted until next January. But that's where we are. I think it's a compelling lawsuit. I think TikTok put forward some arguments that aren't very strong, but I think their core First Amendment and bill of attainder arguments are quite strong.
Dave Bittner: Do you suppose that senators could come back at this and give it another shot? You- do the homework and come back with a stronger, more bulletproof bill?
Ben Yelin: Yes. I do. It would only come after this particular piece of legislation was thrown out in court. I think it would require an injunction against this legislation. And then maybe the House and Senate could go back into the drawing board, have more compelling legislative findings, and make a law that was less obviously a bill of attainder or a First Amendment violation by making it kind of a broader data privacy bill that set industry-wide standards on divestment from foreign adversaries, instead of just targeting this one individual company. I think that would put it on much firmer constitutional ground. And they very well might do that. It could still be ostensibly targeted at TikTok and ByteDance, but you could do so in a way that would make it easier for the courts to uphold this regulation.
Dave Bittner: Right.
Ben Yelin: And they might be willing to do it if it's backed up by significant factual findings that might allow the court to say that the government does have a compelling interest here.
Dave Bittner: Can you come at it like, I don't know, I don't want to say through the back door, but like, suppose they came up with legislation that said, you know, all social media companies are- or, you know, have these rules and these apply to social media companies that have more than X percent of foreign ownership, right? So that sort of by default, all of the US social media companies are fine, right?
Ben Yelin: Except for one.
Dave Bittner: Except for one. Like, would- would a- would a court poo-poo that because it's obvious what you're going after here?
Ben Yelin: It's kind of hard to tell. So Congress has never succeeded in being able to defund Planned Parenthood. But that has been the central legal question at their efforts there. The legislation itself that Congress has put forward in the past to defund Planned Parenthood has said, no federal funding shall be available to an abortion provider that has X number of- that performs X number of abortions in X number of states. It's written in such a way that only Planned Parenthood would qualify.
Dave Bittner: I see.
Ben Yelin: But it hasn't been tested in court because they haven't actually been able to pass it. That is the closest analog to me here. Is something that's obviously intended for one company or one entity, but it is written in a way that's legislatively neutral. I kind of go 50/50 on whether that would be acceptable. It just depends on the draw of the judges you get and how compelling it is that you really are looking not just to punish one company, but to protect the United States against incursions from foreign adversaries. I mean, I think that's the ultimate issue here, is you have to put together- do your homework, put together the factual findings that said- that say, you know, this is the concrete harm that will result from a company that has 50% plus investment from foreign adversaries. Here are the actual concrete harms. And until you have that, I think the law is both kind of over inclusive and under inclusive.
Dave Bittner: So it really- I guess it's easier for it to be reactive than proactive?
Ben Yelin: You mean the law itself?
Dave Bittner: Yeah. In other words, it's easier to say, these are the things that have happened, and so we need to fix this rather than to say, these are the things we're afraid might happen.
Ben Yelin: Totally. I mean, even for establishing standing in a case, you- it's always more compelling to show an actual injury.
Dave Bittner: Right.
Ben Yelin: But in passing a type of law like this, it's far more compelling to a court. If you are going to restrict the content and viewpoints contained in First Amendment protected speech, you have to have a really good reason to do it. So the more compelling the reason, the more based it is on facts that are already in evidence, on documented instances of these actual harms, instead of something that's unduly speculative, the better it's going to do in court. Now sometimes you can say, this is going to happen in the future because we have this evidence of what's happened in the past. That can be compelling as well if you can convince the court that that injury is certainly impending. But you know, the vaguer you get with your description of the harms and saying things like, this might allow the Chinese government to spy on US citizens instead of, here are the documented cases in which it's already happened, or here's exactly how it's going to happen in the future, the less likely the government is going to do in winning the case.
Dave Bittner: Can you think of any examples from the past of concerns or things being clamped down on with foreign influence here in the US? I mean, I can think of back in the '80s when, you know, Japan was really at the height of their economic powers.
Ben Yelin: Yeah. We were all terrified of Japan back then. I guess you were. I wasn't very conscious at the time.
Dave Bittner: But, you know, they were buying up real estate, you know, office space and real estate. And they were buying up, you know, Hollywood media companies and all that sort of thing. So there was concern of the possibility for undue influence. Do we have any historic precedence that you can think of where as a nation we actually took action?
Ben Yelin: Yeah. I mean, there- we have laws in place that allow us to take action against foreign adversaries if they are buying too much of our stuff in a given industry.
Dave Bittner: Okay.
Ben Yelin: And that's actually what President Trump tried to use. He tried to use one of those statutes in his effort to ban TikTok. Basically, you can directly, if you can support with factual findings that because a Chinese or Japanese company has invested in these American industries, that it presents some type of national security harm, then the federal government can stop the sale of property to that company or stop the sale of whatever to that foreign-owned company. That has happened in the past. The reason the Trump administration did not succeed in court when they tried to institute a TikTok ban using these sort of foreign policy statutes as their authority is that they too did not offer compelling evidence that this type of maligned foreign influence was actually happening. I think it was two separate district courts enjoined that regulation from going into effect in the first place so.
Dave Bittner: So we are at strike two of Congress not doing their homework here on this issue?
Ben Yelin: Yeah. And part of it is, I don't necessarily blame them. They had a really short amount of time to turn something into legislative language and glom it on, you know, the minnow that attaches itself to the shark, it's glommed onto broader foreign policy legislation. And maybe it was better for them just to pass something and see how it fares in court. And also there's no guarantee that if you go through the full legislative process, you're still going to end up with a product that can pass both the House and the Senate. So it's kind of like, maybe it's just worth taking the risk, getting it out there, seeing what happens in court, rather than let's take nine months to do a comprehensive study, and then maybe in the lame duck session in December, we can get something across the finish line. That's just not- that's not a bet that's a very good prospect for Congress.
Dave Bittner: So how do you suppose this is going to play out from here?
Ben Yelin: So we'll see an answer at some point from the Justice Department. They'll respond. They will- there will probably be preliminary motions, but sometime in the relatively near future, because of the time constraints in this bill, I think we'll have oral arguments in front of the DC Circuit. DC Circuit is kind of more of a- and I don't even really know how politics plays neatly into this, but it is a little bit more of a liberal-leaning circuit. So for whatever that's worth, if I had to guess, I think we're going to get an injunction against this law, at least temporarily. Especially given the lack of documentary evidence that Congress included as to the actual harms here. That's just my guess. Don't bet any money because of me. I don't think this is up on FanDuel yet so. We'll play it by a year.
Dave Bittner: How far do you think it'll go? I mean, is this- could this go before the Supreme Court, or will it likely peter out before then?
Ben Yelin: I think it definitely could.
Dave Bittner: Really?
Ben Yelin: I think it definitely could. You know, unlike a lot of other cases we cover on this podcast, we have this very well-defined time limit here. Certainly, TikTok would suffer irreparable harm if they were not able to properly divest. And they claim it's impossible from a practical legal perspective for them to completely separate themselves from the Chinese investors. I don't know how much faith I put in that argument, but that's at least what they're pleading here. That this is for all intents and purposes, a ban, even though they're technically being given the opportunity to separate themselves from this Chinese company.
Dave Bittner: Right, right, right.
Ben Yelin: So yes, I do think we could see this happening in the near future. The other thing I forgot to mention is that TikTok went through a significantly lengthy process going on since 2019, where they were working with federal agencies to help solve this concern that the federal government has about Chinese influence. And they came up with this, so-called Texas Plan where the data would be secured in a Texas facility and monitored by a third party, which would be Oracle. And part of what TikTok is saying here is, hey, we worked in good faith to come up with this agreement. You guys are just ignoring it and passed a new law that unduly punishes us. So that might hurt the federal government because TikTok could say there were less restrictive means to achieve the goals of this legislation. You could have worked with us seeing through that process. And instead of doing that, you just passed this rather draconian law.
Dave Bittner: Yeah. I mean, I put on my cybersecurity hat and say, I've seen plenty of reporting that despite what on their face are, as you say good faith efforts, that there has been compelling evidence that a lot of that information is still flowing behind the scenes to China.
Ben Yelin: Totally. It totally is. And I think that's why the federal government is taking the action that they're taking here is however good faith the process is, there are still significant concerns. And given the opportunity to clamp down and try and force this separation from Chinese entities, they jumped at that opportunity.
Dave Bittner: Yeah. What an interesting thing. I mean, if- I mean, let's- if we imagine the worst case scenario that the Chinese government is using TikTok as- for influence operations.
Ben Yelin: Right, right. Or spying. Yeah.
Dave Bittner: Yeah. It's kind of using our First Amendment against us. Right?
Ben Yelin: Totally. Yeah.
Dave Bittner: Because we couldn't do the same to them.
Ben Yelin: Nope.
Dave Bittner: Right? They would just shut it down. And that'd be it.
Ben Yelin: It's not just China. I mean, most- even Western democracies don't have the same type of robust, free speech protections that we have. There are certain categories of speech in the United Kingdom and Germany that can just be shut down entirely by the government. That's the trade-off we have. You take the freedom, you also have to accept the possibility that other countries will take advantage of our First Amendment laws and try to wield influence against us. I think for somebody like me who believes strongly in the First Amendment, that's a trade-off I'm willing to accept. But your mileage may vary on that one.
Dave Bittner: Okay. All right. Well, interesting one that we'll be following for sure. We will have a link to that in the show notes here, some reporting from the Washington Post about that story. My story this week comes from we've got a couple of sources here, the New York Times and the Hill both reporting on a bunch of senators, bipartisan group of senators who before the passage of the FAA authorization Act- authorization- FAA reauthorization legislation. Is that how we --
Ben Yelin: Yeah, Reauthorization Act. Yeah.
Dave Bittner: Yeah. There were a handful of senators who were upset with use of facial recognition at airports. Now, Ben, I don't know how much you've traveled recently, but I think, you know, for me, certainly out of our main airport here, we fly out of BWI most of the time, Baltimore-Washington International. And it's just part of the routine that when you step up to the person at TSA who checks your ID and your boarding pass that you smile for the camera.
Ben Yelin: Yep. Yeah. They don't even really check your boarding pass. They just match your face ID against your driver's license, right?
Dave Bittner: Right. Yeah. And I think part of the issue here is that they kind of got you. Like, if you make a stink about that, you could miss your flight, right? It's a such an imbalance of power, I guess.
Ben Yelin: And it's sort of like, accept the facial recognition, or we'll give you a nice little pat down. And you'll feel our rubber gloves all over your body.
Dave Bittner: Or even we might just sit you down in this little windowless room for a couple of hours while we sort things out and, oh, gosh, you've missed your flight. You know, what a shame. So there's a group of senators, again, like I said, a bipartisan group of senators, this is including Jeff Merkley, John Kennedy, Roger Marshall. They raised concerns about privacy and civil liberties regarding this facial recognition technology at airports. They sent a letter to both Senate majority leader Chuck Schumer and minority leader Mitch McConnell urging them to include restrictions on facial recognition in this FAA reauthorization bill. It didn't happen. The bill went through without these things. But I thought it was noteworthy that there are a group of senators who are trying to keep watch on this. What do you make of this, Ben?
Ben Yelin: Yeah. So first of all, note, it did pass the Senate but it still has to be ratified by the House. So if any House members want to tank this and hold out for regulations on facial recognition, you know, that's in their purview. I think this is really interesting. The fact that it's bipartisan, the fact that includes such a large number of senators and the industry opposition here, I think are all really interesting dynamics. The US Travel Association jumped in and said that this would be extremely burdensome. I think what they're primarily concerned about is efficiency. If you cut down on the use of this facial recognition technology, if it's even regulated, even if we say something like, what we're doing now is okay, but we can't develop additional tools over the next few years making use of facial recognition software, that could increase lines at airports. It might require the TSA to hire more agents. It's going to end up hurting the travel industry. So this has been, it's probably justified as a safety measure, but it's also improved the efficiency of air travel. It probably cuts down on the time we spend in security lines. So I do think it's notable though, that you have some of the most liberal and conservative senators saying, at the very least, we need to look into this, see how this is being used. See if this data is being improperly sold to data brokers. See what other use is being made of the images captured through facial recognition. I think it's encouraging to see that there are some senators who just want to put up a stop sign and say, let's figure out what's going on here.
Dave Bittner: Yeah. I wonder too, what is the appetite these days for airport security? And I include the facial recognition scanning with that. You know, I- my experience in traveling lately is that there is some inconsistency, and I know a lot of this is controlled at the state and airport level, rather than the federal level.
Ben Yelin: Like sometimes they'll just decide this line doesn't have to take off their shoes.
Dave Bittner: Right. Exactly. Some places you have to take out your laptops. Some places they- you have to keep your laptops in the bags and I guess part of it, what's frustrating as a traveler is that they're not really nice about it.
Ben Yelin: No, they're not.
Dave Bittner: Like, so you come from one airport where they're like, no, keep your shoes on, keep your laptop in, and then you get to the next place and they're giving you the business because the rules are different here. And you didn't know that so, you know.
Ben Yelin: Yeah. I mean, I once had a device that was kind of part laptop, part tablet. This was several years ago. And so I took the rules literally that you didn't have to take out your tablet. So I didn't take out that device. And I got quite a talking to from the TSA agents in Houston. They were not super thrilled with my decision there. Yeah. I think, you know, we're 23 years post 9/11 where at the time, it was really- it felt really worth it to us to institute the security measures. They made us feel safer. The pre-9/11 airline security was not great.
Dave Bittner: Oh, my gosh. No.
Ben Yelin: It was managed by private-
Dave Bittner: They did not check your ID.
Ben Yelin: They never checked your ID.
Dave Bittner: No.
Ben Yelin: Their level of checking through both metal detectors and like bag and carry-on bag scanners was, I mean, I have memories of this, was kind of minimal at best. Like, we would just go pick people up at the airport and we'd go through the same line as the travelers. And just, you know, put our backpacks right on the conveyor belt and walk in. So yeah, they professionalized the TSA. Has it helped prevent other terror attacks since 9/11? It's hard to say. I tend to think at least some of it certainly has. We've gone 23 years without a terrorist attack through aviation and certainly, I think TSA security has played a role in that as have things like enforced cockpit doors on airplanes.
Dave Bittner: Yeah. It's definitely a harder target than it used to be.
Ben Yelin: It is a much harder target than it used to be. So mission accomplished in that respect. But some of it does feel so arbitrary. You know, particularly this stuff about, we still have to take our shoes off because one guy tried to detonate a shoe bomb 23 years ago. This whole thing with liquids and gels. I mean, we've been doing that now for 18 years, where we can't bring a water- bottle of water in, but we can bring food items and then we have to buy a bottle of water past security. It feels frustrating. It certainly does.
Dave Bittner: Well, and the scanner thing, you know, where they can, you know, see through your clothes and all that sort of thing that I think people justifiably feel is an invasion of privacy.
Ben Yelin: Yeah. I mean, my impression is that most people just care about getting to their flight on time. And it's like a mild inconvenience that most people don't think about. And I'm al- that always kind of concerns me is that somebody has to care about this stuff, otherwise it's truly going to become dystopian. So it's good that there are some senators standing up and at least raising awareness of this issue. Because otherwise we just kind of become sheeple and just arbitrarily accept all of these security measures, even when many of them are kind of ridiculous or might infringe on our civil liberties. So I respect senators for even if they were not successful in securing an amendment on this, at least raising this issue.
Dave Bittner: Yeah. It's creeping, you know, it's creeping. You- at first, you kind of bristle at it, and then it just becomes normal. And there goes that civil liberty, right?
Ben Yelin: Yep.
Dave Bittner: So I agree. It's good that some folks are trying to be vigilant about this. And, you know, I guess I'm trying to think of like, what's the downside? What is the bad thing that could have happened or has happened as a result of someone getting their face scanned by TSA that is more than theoretical?
Ben Yelin: It's hard to tell, but some- I feel like there's going to be a story that we cover at some point where somebody is- because of facial recognition, somebody is stopped from making their flight because they were falsely flagged in the system as being on the No Fly list when really just the facial recognition system isn't good with recognizing minorities and women. And that story is going to come.
Dave Bittner: Oh, right. Right.
Ben Yelin: If it hasn't come already.
Dave Bittner: Sure.
Ben Yelin: And I think that would be the real harm here. I think that's along the lines of at least what some of the senators here are raising that these concerns aren't really abstract. We've seen abuse of facial recognition software in other contexts. And at the very least, it needs to be highly regulated if we're going to use it in our airports.
Dave Bittner: All right. Well, we will have a link to this story in the show notes, and Of course, so we would love to hear from you. If there's something you'd like us to consider for the show, you can email us. It's caveat@n2k.com. [ Music ] Ben, I recently had the pleasure of speaking with Dave Hickton. He is the founding director of the Institute for Cyber Law, Policy, and Security at the University of Pittsburgh. He is also a former US attorney. And he really led the charge when it came to going after, you know, Chinese threat actors when it came to online activity. Really fascinating conversation. Here's my talk with Dave Hickton. So today we are taking a look back as we're just about at the 10-year anniversary of a significant event in cybersecurity. Can you take us back and give us an idea of what things were like for you in the position you were in, and then also your colleagues at the FBI?
Dave Hickton: Certainly. So I was sworn in in August, 2010, and I was very serious about discharging the primary responsibility in my hands, which was to allocate the resources, which were the people and the dollars in my office to deal with the greatest threats to the district. So I did a survey directly with many of the stakeholders in the district by going out and meeting with people and asking them what concerned them. And one of the most pivotal moments in that survey was a breakfast meeting with United Steelworkers President Leo Gerard, and then US Steel President John Surma, where they described to me the problem of hacking of intellectual property of our basic industries, especially our steel industry in Pittsburgh, also our aluminum industry. And they talked about the tire industry up in Ohio. And they told me the consequences of this hacking. And they asked me to make it a priority to investigate this hacking and if possible bring cases charging those who were stealing the technology.
Dave Bittner: And what was your understanding of cybersecurity at the time and the various players? Was this something that in your position, you were already familiar with?
Dave Hickton: I was basically a little bit familiar with, because I was not a career DOJ civil servant. I had worked in private industry and I had represented a lot of clients on a national basis. And it was becoming clear that the ubiquitous nature of the internet, we were now going away from our day calendars. We were placing all of our records on the internet at that time. We're creating an exposure risk. You could establish attribution and someone could say, well, there's countervailing reasons why we don't want to bring that case. You know, that's a person that we may be cooperating with. Or there's reasons with, you know, in the State Department or other components of the government. Or you could get ready to bring it and there could be an agreement reach that would avert the announcement of the case. So that's one of the reasons that a lot of US attorneys didn't want to do this. But I thought it was hugely important to do. I also felt that it could never be done from Washington. That even though US attorneys come and go, there's just a basic trust deficit between the corporate community and main justice. It can never be resolved fully so that the cases really have to be driven by local US attorney's office. So I was then, I became, and I remain a missionary for the position that everything is local in this area. This is a- when you're talking about nation state hacking and intellectual property theft, this is a assault on our sovereignty by a foreign power. I recognize that. But the threat comes through the private portal of companies who must be convinced that they will not be revictimized if we bring the case. And that was a huge piece of my work.
Dave Bittner: Ten years ago, when the indictments came down on these Chinese PLA actors, among your peers, among the folks in DC, how bold a move was this considered at the time?
Dave Hickton: Well, I don't want to exaggerate. To some people, it was extraordinarily bold and unbelievable because it just wasn't really on their radar screen as a threat. And the idea that we would indict the People's Liberation Army in Pittsburgh just seems farfetched. But there were a lot of people who were, you know, in some of the bigger districts that were dealing with national security concerns that were not only aware of it, but they coveted the case. And, you know, I spent as part of the great humorous tradition of the DOJ that you spend more time doing intramural competing sometimes than you do competing with the adversary. And, you know, districts like Eastern District of Virginia, which sits where the FISA court is, they wanted the case. They made a play for the case. The Southern District of New York, which is, you know, a story district in DOJ, you know, five, six times bigger than my office. You know, they made a play for the case. They tried to get the case, and there were others. So it was kind of different depending on where you sat at the DOJ. But the thing was, is that we kept it really quiet. Even within my office, it was kept very quiet. There were very few people who knew we were working on this case, and we kept the victims separate until three days before the case. We, you know, we worked very hard because I knew that if the case was talked about before it was ready to go, it was just too irresistible if it was, you know, in the chatterbox lane. And I just wouldn't let that happen. So I think there were five people in my office who knew about it. We talked on secure phones whenever we were talking business about it. Went in the skiff to do a lot of our work. And then, you know, three days before we announced, we announced on a Monday, that Friday we had a meeting at the FBI and we introduced the victims and the case to each other, which was a fairly pivotal moment. You know, that could have gone either way or sideways. But it ended up being a galvanizing force. Because I was afraid that one or the others of them would back out. I mean, it was very courageous for these companies to do this. It wasn't up to them really. But we went to great lengths, and I was primarily responsible for this, to build credibility with them and make them understand how important this was. And we understood that they were potentially financially at risk. Their commercial interests were at risk, their people were at risk. And we went to great lengths to tell them what steps we were going to take to ameliorate that risk. And it would not be an exaggeration that I spent thousand hours meeting with CEOs and boards and chief information officers and general counsels and business people at the various victims separately. And at that time, that meant all my meetings were a success, because- and you can assume that there were others that were possible participants in the case. So more than success. Because I took the extra step of having the same conversation multiple times separately to pay respect to the fact that each victim in the case deserved to be heard, deserved to feel that I was their advocate, that I was their protector. And that, you know, we were not going to let them be hung out here.
Dave Bittner: When you look back on it, what are your thoughts now? You are 10 years removed from it, and you see the effect that it's had going forward. What are your feelings there?
Dave Hickton: Well, I'm very proud of it. And I think no matter what I do the rest of my life, if I somehow accidentally stumble to win the British Open Golf Tournament, that will be the second thing that they say about me. The first thing will always be, you know, there was only one signature on this indictment, and it was mine. And I feel it is the most important thing we did. We did a lot of important things. I know that I have had to defend. And I still hear, and I respect the point of view, the people who say, well, when are you going to bring the guys to Pittsburgh and have the trial? But something far more important happened that I didn't even imagine could happen. And that was, President Xi came to the Rose Garden in September of 2015, you know, 11 months later, or no, I guess how many months later, 16 months later. And they, with specific reference to our case in Pittsburgh, announced an agreement to deal with the intellectual property theft problem. And as we had, when we announced the case, they made a distinction between regular spine, which always goes on. It's gone on pre-digitally. And we should probably embrace the idea that we have an intelligence network because it's a stabilizing force in the world. If we don't have surprise, the world has allowed us a sa- you know, a safer place. But doing intelligence for intelligence purposes is different than doing cyber infiltration for commercial purposes. And that was the key point we made in this case. I also feel the case was important because President Obama's order in 2011, where he staked out the protection of our intellectual property as a national asset to be protected, that this case vindicated that direction of the President. So to that extent, I felt like I was a one-star general on the battlefield who had achieved the goal that the five-star had announced. And I felt that it was extremely important that we tell the story with the indictment. That's why the indictment was 50 pages long. It reads like a novel. And it had exhibits at the back of it, including pictures of the perpetrators and a schedule to reflect that they did their work as a business. It was really a- an identified unit of the PLA that set it in a identified address in Shanghai. They had business cards and their work followed the normal workday, 9 to 12 with a recess at lunch, and then 1:30 to 5 just like anyone else doing another job. And we therefore, identified the China signature, which was a volume hacker of our material with a dedicated unit of their army. And the agreement between President Obama and President Xi was a good agreement. And it provided that the Attorney General and the Secretary of Homeland Security would have biannual meetings, one in Washington, one in Beijing with their counterparts. And in the Maine, most commentators believe that for a period of time, this basically held and Unit 61398, who we indicted was advanced persistent threat Group 1, the top cyber adversary of the United States.
Dave Bittner: You know, I- as you've acknowledged, there were a lot of folks involved in this and you worked with some really top-notch folks along the way. I- I've- personally, I've had the pleasure of meeting and interviewing Keith Mularski, an outstanding person who was with the FBI. Your story really in my mind reinforces this notion that one person can make a difference. Your ability to take this risk, your perseverance really blazed a trail that folks are continuing down today.
Dave Hickton: Well, that's very kind. I certainly didn't do it myself. I had three really key people around me at the US Attorney's Office. There is nobody better than Keith and Chris Gary was involved, and Mike Christman. There were three key people at the FBI. Mike Rodriguez was the SAC at the time. And we had great support from those that followed him. Doug Perdue and the late Scott Smith came into town just in time to announce it. He had come from the Human Resource Department and then he left Pittsburgh to go head FBI cyber. I'm very proud of the fact that several of my former assistants received the Attorney General's Award for their work in cyber. That was a group that didn't even exist when I got there. And, you know, I think that one of the key ingredients of leadership is, you know, the campfire is just a little bit better when you left than it was when you arrived. And, you know, we had some great partners at the Department of Justice who helped us. They were critical in terms of working with the other components of the government. And I think the real star of that group was Lisa Monaco, who's now the Deputy Attorney General. In the middle of the case, she went over to the White House and became the Deputy National Security Advisor. And that was a key moment. And she was a great partner and I really credit her with being my key Washington partner on this. But, you know, it was lonely at times. And you know, I find it funny now that I asked others to sign with me at the Department of Justice when it was time to sign. Nobody wanted to sign. So I signed it really large, like John Hancock signed the Declaration of Independence, just in case. I worried that that meant that if it didn't go bad- and we had no idea what the reaction was going to be. We had no idea. There was no precedent for what the reaction would be. China could have called our debt. China could have seized our companies, they could have imprisoned Americans, they could have declared a trade war or worse, we did not know what their reaction was going to be. We now know that President Xi came to the Rose Garden and said he wouldn't do it anymore. I mean, I never imagined that that would happen. And that is a far better result than if we had gotten guilty pleas from the five defendants and we put them in prison and gave them housing and three square meals a day. So I can't imagine that. [ Music ]
Dave Bittner: Ben, what do you think?
Ben Yelin: Yeah, real trailblazer. He was talking about going after malign Chinese influence before we were. And I think it fits well into the story that we covered for our first story today with TikTok, is that there's now, because of the efforts of people like him and many others, this recognition of China misusing our data. And that's one of the weapons they deploy against us as our foreign adversary. So appreciate the work he has done for the past decade.
Dave Bittner: Yeah. A really example of somebody sticking their neck out, you know, professionally because I think he believed that it was the right thing to do, and history has proven him right.
Ben Yelin: Yep.
Dave Bittner: Yeah. All right. Well, again, our thanks to Dave Hickton for joining us again. He is the founding director of the Institute for Cyber Law, Policy and Security at the University of Pittsburgh. And we do appreciate him taking the time for us. [ Music ] That is Caveat brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to caveat@n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your teams smarter. Learn how at n2k.com. This episode is produced by Liz Stokes. Our executive producer is Jennifer Ivan. The show is mixed by Trey Hester. Our executive editor is Brandon Karp. Peter Kilpe is our publisher. I'm Dave Bittner.
Ben Yelin: And I'm Ben Yelin.
Dave Bittner: Thanks for listening. [ Music ]