
The clock’s ticking and the bots are clicking.
[ Music ]
Dave Bittner: Hello, everyone. And welcome to "Caveat," N2K CyberWire's privacy, surveillance, law, and policy podcast. I'm Dave Bittner and joining me is my cohost Ben Yelin from the University of Maryland Center for Cyber Health and Hazard Strategies. Hey there, Ben.
Ben Yelin: Hello, Dave.
Dave Bittner: On today's show Ben has the story of a critical cybersecurity law at risk for expiration later this year and I've got a look at AI errors in the legal system. While this show covers legal topics and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover please contact your attorney. All right, Ben. Let's jump right in to our stories here this week. You want to start things off for us?
Ben Yelin: Sure. So mine comes from the weekly cybersecurity newsletter on Politico which is a great source, by the way. They didn't pay us to say this. But a very good way to get news on cybersecurity law and policy stuff.
Dave Bittner: Yeah.
Ben Yelin: So on September 30 of this year the 2015 Cybersecurity Information Sharing Act is set to sunset. So it is going to expire unless Congress takes some type of action. This is the law that probably most of our listeners are familiar with as the key information sharing vehicle between the private sector and government entities on cybersecurity threats.
Dave Bittner: Okay.
Ben Yelin: Because there's some kind of semantic confusion here, because CISA is the agency and this law has the acronym of CISA, generally this is known as CISA 2015 because that's when the statute was enacted.
Dave Bittner: Okay.
Ben Yelin: And it's been called by many stakeholders the most successful piece of cyber legislation in this country's history. So despite the fact that this bill is supported by the Trump administration, by most entities in the private sector who appreciate information sharing, by members of Congress from both parties, and really from all stakeholders across the country, the law for a couple of kind of weird reasons may end up expiring on September 30 unless Congress gets its act together.
Dave Bittner: Well, let me pause you for a second. And can we just review what this law covers and why it's so successful?
Ben Yelin: Sure. So this law enables real time collaboration between the government and private sector on evolving cyber threats. It allows industry leaders, trade organizations, cybersecurity companies, to have a platform for information sharing. It is entirely voluntary. There are no mandates that are laid out in this legislation.
Dave Bittner: I see.
Ben Yelin: So that's kind of the genesis and impact of CISA 2015. So what's happening in Congress is kind of curious. And in the house the chairman of the committee of jurisdiction, the homeland security committee, just resigned from Congress to take a job in the private sector which is always an interesting signal when that happens that Congress must be that bad if you're willing to just leave it to take another job.
Dave Bittner: In the middle of your term.
Ben Yelin: Yeah, especially when you're a powerful committee chairman.
Dave Bittner: Right.
Ben Yelin: This chairman by the name of Mark Green just didn't have the extension of CISA 2015 as one of his legislative priorities. They marked up other bills, especially bills relating to immigration policy. This is not one that had been marked up.
Dave Bittner: Okay.
Ben Yelin: And there are only 20 legislative days remaining until September 30, the deadline here. And Congress has to pass appropriations bills to fund the government. So you really question if there's going to be enough time for them to put this bill in committee, mark it up, get it to the floor of both chambers before September 30. There's now a new chairman of the house homeland security committee, Andrew Garbarino of New York, and he seems to have the extension of CISA 2015 as one of his priorities. So that might help move it through the house committee. Really it's just a matter of time. There's support in the senate from the chair and ranking member of the armed services committee which is one of the committees that has jurisdiction. But the other committee that has jurisdiction in the senate is the senate homeland security committee and that is chaired by Rand Paul. So Rand Paul is a very principled legislator. He has his own views on what the government should and shouldn't do. And out of that principled opposition from a libertarian perspective he opposed the enactment of CISA 2015 when it first came up. And at least so far he said that the renewal of this law is not one of his priorities. So this is kind of like 1950s/1960s style congressional stalemate where most people support the bill, but it's being held up by committee chairs. And the cost of this type of inaction might mean that we lose this critical cybersecurity information sharing tool and information sharing platform. So the clock is ticking and I'm just very curious to see if Congress can get its act together to pass a clean extension.
Dave Bittner: Has -- well, what's Rand Paul's opposition to this that everyone else likes [laughs]?
Ben Yelin: It's hard to tell because the author of this article reached out to the office of Senator Paul and he refused to comment. I think his opposition in 2015 as articulated was just that this was outside the scope of what the federal government should be doing. You know, it's a very traditional understanding of the federal government and enumerated powers. There's nothing in Rand Paul's view in Article 1, Section 8 of the Constitution that would allow Congress to enact this bill which would provide for an executive level of information sharing.
Dave Bittner: I see.
Ben Yelin: Facilitated by the presidential administration.
Dave Bittner: So it's really like a pure libertarian approach to whether or not the government should be in this business at all.
Ben Yelin: Yeah. Totally. And Rand Paul's like one of the few members of Congress who legitimately believes in this stuff and is not situational about it. And if you have a genuine belief that the scope of the federal government has grown beyond its intended means then you do have to kind of put your foot down and say, "This is an improper use of federal power. This is a duty that's best left to the states." Now if I were to take up a case in court arguing against Rand Paul I'd say this is clearly something that affects interstate commerce. Congress has the power to regulate interstate commerce. And if there are a bunch of cybersecurity threats against state and local governments, against private companies, and there's no information sharing or no platform to share threats or talk about threat vectors, strategies, then the consequences could ripple down across the states. This is not something that's going to be contained to just one state although, you know, we have seen cyber attacks on a single state's government. For the broader attacks that we've talked about, the Salt Typhoons of the world, even things like the attack on Colonial Pipeline, even a localized initial impact is going to have a ripple effect that filters down to the national economy, that will filter down across states. So it's just hard for me to conceptualize this as an issue best decided by the states. And again Rand Paul is on an island on this. I mean we have the chair and ranking member of the other senate committee of jurisdiction and we have the new chair of the house committee who are ready to move this. But it's just a matter of timing and these kind of old school committee level barriers that might prevent this from getting passed.
Dave Bittner: And what happens if it doesn't get passed?
Ben Yelin: Then that's when the consequences run out. So they talked to a couple of private sector folks about what would happen post September 30 if this was not renewed. And this guy by the name of James Hayes who's senior vice president of global government affairs at Tenable said that this law remains one of the most effective methods for enabling real time collaboration between government and the private sector. The absence of this law would be a step backwards. John Miller who is the senior VP of the Information Technology Industry Council spoke to the author of this article and said, "This is arguably the most successful cyber law we've ever had passed in this country, and letting it lapse for no reason would be unfortunate to say the least."
Dave Bittner: Yeah.
Ben Yelin: You just lose the authority of the federal government to enable this type of information sharing. And maybe they'd be able if it lapsed for a couple of days or a couple of weeks to not lose too much ground and pick up where they left off. If it goes longer than that then they might lose some of the not only the infrastructure that they built up, but just the good will and the spirit of collaboration between the private sector and the government in sharing this information.
Dave Bittner: Yeah. I mean personally I would think gosh can't Rand Paul see the forest for the trees. You know, like this is to me almost definitionally a public good. Right? There's no downside to this other -- I mean I get where he's coming from if he says philosophically that this is not the business that the government should be in. But on the flip side everybody involved in this is saying what a good thing it is for everybody. And it's money well spent.
Ben Yelin: Yeah. Yeah. You know, there is another element of this where when the bill passed in 2015 Paul and other critics talked about how this might undermine the Freedom of Information Act, that even though this sharing is voluntary it could allow for the facilitation of private information or people's private data getting in the hands of government. To my knowledge, you know, even you had somebody like Edward Snowden in 2015 who said a vote for this bill is a vote against the internet which I don't think that came to pass. Fortunately for us the internet's still here. But I don't think like the worst of those outcomes ended up happening. I haven't really seen the type of organized opposition that we saw to this in 2015 when it was coming up for consideration.
Dave Bittner: Yeah.
Ben Yelin: But, you know, I think yes. This is a collective action problem, but Rand Paul has a very set belief system that just because something presents itself as a collective action problem doesn't mean it's within the purview of the federal government. I disagree with that view, but I understand it. And in some ways I admire his intellectual consistency because unlike a lot of other members of Congress he does not apply this selectively. He voted against the one big beautiful bill because he thought that was big government. Even with tax cuts, it added a bunch of new spending, particularly on things like immigration enforcement, and it significantly increased the federal deficit. And Rand Paul was one of three Republican senators who voted against the bill. So not afraid to go against his own party. I just question when we're talking about a bill dealing with voluntary information sharing is this really the hill you want to die on. I guess what he would say is there's never a good time to support something that he doesn't believe in. So and he certainly has that prerogative.
Dave Bittner: You mentioned timing. As we're recording this I've seen reports this morning that the house is getting out of dodge early.
Ben Yelin: Yeah. They generally take an extended August recess.
Dave Bittner: Okay.
Ben Yelin: So starting around the end of July and going through Labor Day Congress usually isn't in session. The house might have to go on break early for various Jeffrey Epstein related reasons that I will not get in to. The senate incidentally might stay in session because the president wants additional nominees confirmed. So who knows? Maybe the senate will report this out first as long as they have nothing else to do sitting around in August voting for presidential nominees. Maybe hold a hearing on this. And if there are issues with the way the legislate -- the legislation is currently structured maybe use this time in committee to work out those issues.
Dave Bittner: Okay.
Ben Yelin: But yeah. I mean I think when you have both the chair and ranking member of the senate armed services committee saying that a lapse in this law would weaken cybersecurity defenses, would send the wrong message to foreign adversaries, cyber criminals, and hacktivists looking to exploit vulnerabilities, I think you can see that probably the writing is on the wall here and it's a matter of time. It's just whether we're going to have an unnecessary and potentially harmful lapse come September.
Dave Bittner: Yeah. Well, yeah. It's hard to say. Who knows? I mean we've seen tremendous cuts to organizations like CISA. So I -- your guess is as good as mine. Right?
Ben Yelin: Yeah. It's funny though that the administration supports this bill even as they have cut personnel from the agency and from other agencies that have cybersecurity related functions. But that has not filtered down to the enactment of this legislation. They have been supportive. CISA, the agency, during the first Trump administration was quite active and quite effective, although now the president is going after the leader of that agency from that time period. So, you know, things can change.
Dave Bittner: Yeah.
Ben Yelin: But yeah. This is not something where DOGE or the administration has called for cuts or, you know --
Dave Bittner: Right.
Ben Yelin: Throwing this entire program under the bus. This is an instance where the administration has been supportive. And in the international context they've gone to international summits and said, you know, "One of our most effective cybersecurity tools is this law." It's a good tool not against -- not just against domestic threats, but against our foreign adversaries as well.
Dave Bittner: What kind of pressure can people put on Rand Paul to let this through?
Ben Yelin: You can call his office or the committee office. A lot of CEOs could get together and write letters advocating for the importance of this information sharing and can share it with the committee. You know if worse came to worse there are legislative vehicles to discharge bills from committee. So if Paul refused to let this go through, but the remainder of the senate was intent to see it go through you could hold a vote to discharge the bill from committee and have it considered on the floor of the senate.
Dave Bittner: I see.
Ben Yelin: Which might happen if there's sufficient bipartisan support.
Dave Bittner: Okay. So you can do an end around.
Ben Yelin: You can do an end around. That is far more time consuming. If Rand Paul wants to throw, you know -- wants to gum up the works, he has procedural tools to do so.
Dave Bittner: I see.
Ben Yelin: But we'll just see if this is something that he's really willing to go to the mat for.
Dave Bittner: Yeah. All right. Well, cross your fingers. We'll see how it goes. Here's hoping. For me anyway. You know it seems to be like this is a why mess with success.
Ben Yelin: Yeah. It's such a -- I mean to me it's something so innocuous. Like why would we not want information sharing? Some of the horror stories that we heard that might happen because of this bill certainly to my mind have not come to pass, although I'm certainly open to hearing from people who think that this bill has not been a success.
Dave Bittner: Yeah. Yeah. All right. I'll tell you what. Let's take a quick break to hear a message from our sponsor. We will be right back. [ Music ] All right, Ben. So my story this week is from the folks over at Ars Technica and this is kind of a broad policy issue about the use of AI in our legal system in courtrooms and so on. This comes from a case it was actually a divorce court case. So family law case. And there was a vacated order. And I'm going to ask you as we go along here, Ben, to jump in and explain what --
Ben Yelin: Explain what words mean?
Dave Bittner: Explain what -- I'm just a country lawyer myself, Ben. I don't understand these high falutin words that you city lawyers use.
Ben Yelin: I basically paid a good deal of tuition money just to be a glorified legal dictionary, but --
Dave Bittner: There you go. Well, and I appreciate it.
Ben Yelin: Yeah.
Dave Bittner: So you've got this issue in a divorce dispute in Georgia and evidently the order was drafted by the husband's lawyer which is -- this article says is a common practice because the judges are overburdened.
Ben Yelin: Yeah. It really is a common practice. I mean oftentimes even if it's not directly cribbed from one of the parties' attorneys it's nearly verbatim from one of the parties' briefs. So if you side with one of the parties, you know, the reason you're siding with them is the 30 reasons that they already provided you in their brief when the case first came to court. So yeah. Judges are overburdened. I mean that's -- that is definitely a real concern.
Dave Bittner: Right.
Ben Yelin: It's not just that they're lazy. And again the judge him or herself is reliant on clerks who are mostly 25 year old recent law school grads to do a lot of the due diligence here. And not to go out of my way to defend our esteemed judges, federal judges, federal and state judges in this country, but they really do have significant workloads and I sympathize with wanting to kind of use any advantage you can get to get one of your cases off of the docket.
Dave Bittner: Right. So in this case the attorney who was named Diana Lynch had some fictitious citings in the order. So fictitious cases. And also irrelevant cases. So cases that were real, but really had nothing to do with this case. And so just help me understand here, Ben. So these citings are made to bolster the case being made. Right?
Ben Yelin: Yeah. And what we've seen through the use of generative AI tools for legal briefs is the tools will make up cases out of whole cloth.
Dave Bittner: Right.
Ben Yelin: It's hard to explain exactly why that happens. I think it's trying to replicate what actual legal briefs and judicial decisions do which is reason in the current case by citing past cases. Because past cases themselves are so obscure and there are so many of them I think our AI systems are kind of like, "Oh. My instructions seem to be just find a couple of names, put a versus in the middle, and that can be the citation that we're relying on." Because that's pretty much what the entire law profession is anyway. Like there are all these cases. By the way, I'm putting myself in the mind of a generative AI service. So I don't know exact -- I don't know exactly what it's thinking, but it's very common to have these hallucinations. And these will be not just case citations, but you'll have fake quotes from decisions. Case citation includes the name of the case, but also every case has numbers involved with it basically where it's located and whatever the reporting mechanism is. And those are all concocted out of thin air. And then sometimes it will cite cases that have nothing to do with the matter at hand. So maybe they're not even divorce law cases. Now I've had some students do that just by mistake. They'll cite a case and thinking that I'm going to be too lazy to check on it in a paper. I'll realize that like, oops, that's the wrong carpenter.
Dave Bittner: Oh.
Ben Yelin: This one was about a guy named -- a guy who was a carpenter who was sued for violating a contract to reupholster the carpet or something.
Dave Bittner: Yeah. Yeah.
Ben Yelin: So it is something that happens increasingly. The thing is like it's really hard to discover if you're not anticipating that these hallucinations will happen. Like you have to actually go in and research every case that's cited.
Dave Bittner: Right.
Ben Yelin: I think judges have gotten used to not doing that because they just trust that the lawyers would have a sense of shame about not providing false case names or false citations and there would be a concern that, you know, just like an IRS audit you don't want to get in trouble even if only 1 out of 1 million tax returns is subject to an audit or criminal liability.
Dave Bittner: Yeah.
Ben Yelin: But now that AI is being used with greater frequency I think it's possible that judges have to do their due diligence or at least their clerks have to do due diligence and make sure that every case cited in these orders and these decisions is well grounded. And perhaps start issuing sanctions against attorneys for including hallucinated cases. And some of those sanctions could be in the form of suspension of license to practice law if it happens a certain number of times or as we've seen in this case having an initial order thrown out because it was based on false legal precedent.
Dave Bittner: Right. And this lawyer was sanctioned $2,500.
Ben Yelin: If you're a good lawyer that's like -- you know, for me that's a pretty hefty amount, but yeah. If you're a very high powered attorney that's chump change.
Dave Bittner: Yeah. Yeah. So another thing that this article points out is that judges are not equipped to contend with this. That very few jurisdictions have any rules requiring judges to maintain competency when it comes to technology or keeping up with these sorts of things, and that when the judges are relying on lawyers to draft the orders that increases the risks of these. They refer to them as rubber stamping errors.
Ben Yelin: Right. You know, what's interesting to me is that there are some helpful suggestions about how to ameliorate that problem.
Dave Bittner: Yeah.
Ben Yelin: My favorite comes from an expert in the space, Dazza Greenwood, who chairs MIT's task force on responsible use of generative AI for law.
Dave Bittner: Okay.
Ben Yelin: Which, by the way, you know, if you need an extra person on that task force, happy to volunteer myself. So Greenwood recommended that courts create a bounty system whereby counter parties or other officers of the court receive sanctions payouts for fabricated cases cited in judicial filings that they reported first. I like this idea. So you hire a bounty officer for the court whose sole job is to go through the cases that are being cited for judicial orders and to see whether they are fake AI citations.
Dave Bittner: Right.
Ben Yelin: And that person's incentive is they get a cut of the lawyer's penalty if they are the first person to discover that error. It kind of fits within the contours of our legal system which is very adversarial to begin with.
Dave Bittner: Yeah.
Ben Yelin: I mean our courts, and this is not true in a lot of other western countries, treat judicial proceedings like a game where may the best man win, whoever has the best most competent counsel who can outwit opposing counsel, who can get the judge on their side, the jury on their side. That person is the winner regardless of what the truth so to speak is. And I feel like that solution fits within the character of that system. So a bounty system that does not involve actual physical harm to anybody else. I can see myself getting behind that.
Dave Bittner: Well, and they also pointed out in the article that some people would say that the system is working here because the appeals court did vacate the order. It was discovered and it got vacated. So system's functioning as it should.
Ben Yelin: Yeah. That's just not always going to be the case though. There are going to be some times when the appeals court doesn't do their due diligence. I mean they are burdened as well. So I think you can't rely on that for being an all time solution to this problem. Even the Supreme Court, and they get more clerks than your average district court or appeals court judge, it's not 100% certain that they're going to be free from making these types of mistakes or that they're going to be free from discovering errors, especially if these errors become more ubiquitous as the AI tools get better. So I just think people should focus if you do work in the legal profession on good uses of generative AI which I've certainly found. You can use it to summarize briefs from other parties and if you assume that the briefs that you're summarizing are written honestly and were not generated through the use of AI then AI as a way to summarize a large cache of material in to something that's digestible that you can put in to your own brief, that's a good use case. Writing a legal brief and asking it to find citations to back up your legal argument at this point in time is not a proper use of generative AI in the legal world.
Dave Bittner: Right.
Ben Yelin: Which incidentally is why I think a lot of lawyers at least that I have talked to are encouraged that they are not fully replaceable by our AI overlords yet. The fact that they -- that these hallucinations do exist means there's still some role for human oversight of our judicial system. And that requires guys and gals who went to law school.
Dave Bittner: Well, and for goodness' sake if you're a lawyer and you're using some of these tools, these AI tools, either fact check it yourself or have one of your clerks do it for you or your interns or somebody to just go through and verify because --
Ben Yelin: Totally. I mean it's not like people haven't made mistakes in the past. It's just much easier now because AI does it with such confidence. An intern might make a mistake, but it will look stupid when you're reading it because the form of the citation might be wrong or it's so implausible that a 19th century case would be governing a matter of 21st century concern, although that does happen.
Dave Bittner: Right.
Ben Yelin: But yeah. There are usually other clues you can look to. But AI just speaks with such immense confidence that it's hard without doing due diligence to understand what's real and what's fake.
Dave Bittner: Right. Right. And I guess the time you save in using the AI could then just be lost in the fact checking of it.
Ben Yelin: Right. Exactly. I mean it's kind of the same way that the way people used to cheat in academic work was like cribbing off of Cliff Notes or Spark Notes or other tools. And as somebody who may or may not have dabbled in such techniques at earlier points in my life --
Dave Bittner: Whether or not you're actually a good lawyer.
Ben Yelin: Yeah. Or friends of mine. Let's say friends of mine.
Dave Bittner: Okay. Sure. Sure.
Ben Yelin: The time it takes to make sure that you are not plagiarizing material you could have just been actually reading the book and writing an honest to god book report. Right? So sometimes if we get to the point where it's not saving any time, that the due diligence required supersedes the time that you're saving by using AI in the first place, then that might be another way that we can cut down the use of AI if there's just a time consequence for trying to use this as a shortcut.
Dave Bittner: What about the really big picture of this which is the possibility of this eroding public trust in the legal system itself?
Ben Yelin: I think that's a big concern. There is already a level of distrust in the legal system that's increased recently. I mean I think most people who aren't in the legal community know the legal system by Supreme Court decisions and judge a lot of those by their own political views. But there has been increasing distrust in our judicial branch as a neutral arbiter of cases. And yeah. I could see this kind of further undermining our judicial system which would be bad because it's something that we all rely on. If I were to talk about the top threats to our judicial system in this country -- reminds me of an old Dana Carvey bit where he said anybody saying the judicial system sounds drunk.
Dave Bittner: [Laughs] right.
Ben Yelin: But if I were to categorize the top threats to that system this would probably be like number five instead of number one.
Dave Bittner: Yeah.
Ben Yelin: When you have either judges that are going rogue and issuing decisions that are so far beyond the bounds of the law or you have other branches of government that are refusing to follow district court and appeals court decisions, and in some cases that's been well documented, I think that's a greater threat than AI, at least in the near term. But yeah. This is just another way that could erode distrust in the system, and once we lose trust in that legal system I mean it affects our democracy. If we can't trust that disputes will be adjudicated fairly then, you know, all hell breaks loose.
Dave Bittner: Yeah. I mean I think about how so many people these days reflexively when they see a story in the media that they don't like they just wave their hand and say, "Oh fake news."
Ben Yelin: Right.
Dave Bittner: And what if that comes to the legal system?
Ben Yelin: I don't think that's that far off.
Dave Bittner: Fake, you know -- fake -- fake verdict. You know, the AI must have made that verdict or, you know, AI influenced that. You know, why should we -- we don't have to follow that.
Ben Yelin: And that's not that large of an intellectual leap because already you see it with politicized cases. It's like, "This is nonsense because I don't like this judge." Or, "I don't like the president who appointed this judge." So it's like why don't you actually -- like we do have a system. Why don't you actually read the case and judge the case by its reasoning and not just assume that it's BS because you didn't like the person who appointed that judge? So we're already there. That level of distrust already exists. This will just add to it. And that's certainly a concern that I have.
Dave Bittner: Yeah. All right. Well we will have a link to that story in the show notes and of course we would love to hear from you if there's something you'd like us to consider for the show. You can email us. It's caveat@n2k.com. [ Music ] And that is "Caveat" brought to you by N2K CyberWire. We would love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights through the end of this summer. There's a link in the show notes. Please do check it out. This episode is produced by Liz Stokes. Our executive producer is Jennifer Eiben. The show is mixed by Tre Hester. Peter Kilpe is our publisher. I'm Dave Bittner.
Ben Yelin: And I'm Ben Yelin.
Dave Bittner: Thanks for listening. [ Music ]

