
From alerts to aborts.
[ Music ]
Dave Bittner: Hello, everyone. And welcome to "Caveat," N2K CyberWire's privacy, surveillance, law, and policy podcast. I'm Dave Bittner and joining me is my co-host Ben Yelin from the University of Maryland Center for Cyber Health and Hazard Strategies. Hey there, Ben.
Ben Yelin: Hello, Dave.
Dave Bittner: On today's show Ben discusses Apple's decision to remove the ICE Block app after pressure from the White House. I've got the story of the secretary of defense dialing back cyber training for troops. And later in the show Ben's conversation with Will Daugherty, U.S. head of Norton Rose Fulbright Cybersecurity Practice. They're discussing the expiration of CISA 2015. While this show covers legal topics and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover please contact your attorney. All right, Ben. We've got a lot of stories to cover here today. You want to kick things off for us?
Ben Yelin: Sure. I'll start with a mini tangent which I swear will relate to my story.
Dave Bittner: All right.
Ben Yelin: So on my way in to record this podcast today I used the Google Maps application and Google Maps alerts me when there is a state trooper on the road so that I can slow down a little bit. Not be nabbed for speeding.
Dave Bittner: Right.
Ben Yelin: Well, an enterprising app creator named Joshua Aaron tried to create something similar but for ICE agents. Since there are mass deportation efforts afoot in our country led by Immigration and Customs Enforcement, this app creator thought that he could create a version of the feature that I used in Google Maps to identify where ICE agents are conducting busts, where they're located.
Dave Bittner: Right. Sort of a crowd sourcing kind of thing.
Ben Yelin: It is crowd sourcing. Exactly. So people can report "I just saw ICE outside of this Home Depot" and then theoretically people who are worried about immigration enforcement would not go to that Home Depot.
Dave Bittner: Right.
Ben Yelin: So the app is called ICE Block and it had been online available in the Apple app store. You could download it on your Apple device. As of last week upon receiving pressure from the White House Apple wrote, and I quote, "Upon reevaluation the app does not comply with app store guidelines around objectionable and defamatory, discriminatory, or mean spirited content." And the app has been removed from the app store. Apple's justification which they explained in a statement was that they were concerned about violence against ICE agents, that people who are being led to ICE agents through this application or alerting agents or alerting people as to where those agents were would have the opportunity to commit violence against ICE agents. And in fairness there have been some violent acts against ICE agents, which is terrible. They are doing their job. They are federal law enforcement agents and they have the right to live free from violence. But I do think it's really interesting and I think a reflection on our time that Apple gave in here because this is not -- you know, the reason I shared that anecdote in the beginning, this type of technology is not new. And there have been some efforts going back decades. I remember listening to the former attorney general of Maryland saying he tried hard to get the Waze application which was the first I think to do this kind of crowd-sourced where are the police on the road thing -- he tried to get that application removed from the app store.
Dave Bittner: Right.
Ben Yelin: But we've kind of come to accept that that's a feature of not just Google Maps, but by the way Apple Maps.
Dave Bittner: Right.
Ben Yelin: Where you can identify law enforcement. And the fact that Apple gave in to this pressure to remove this application I think says a lot about our current moment. Apple has always held itself out as being a pro privacy pro civil liberties company, I guess you could say. They famously stood up against the FBI when the FBI was trying to get them to break their own encryption in the San Bernardino terrorism case. They've worked hard to earn that reputation. And now over the past six months you see Tim Cook or as the president calls him Tim Apple going to the White House and bringing diamond encrusted gifts and then Apple caving to White House pressure on something like this. So I just think it's really interesting. I'm very curious to see where this goes next and if Joshua Aaron, the creator of this application, files some type of legal challenge and where that would go.
Dave Bittner: Yeah. So I'm intrigued at your comparison to navigation apps like Waze and -- which I use all the time. And so I know no question that Waze has saved me from speed traps and things like that by alerting me. I can hear it in my head. Police reported ahead. However what I wonder is what would Apple's response be if there were just a stand alone app that was just called police block or police spotter or something like that. In other words, not being an additional feature within a navigation app which unquestionably has value, and the police spotting is really a subcategory of a feature category because not only can you report police. You can report objects on the road. You can report traffic. You can report weather in these apps. So do you think there's a distinction there or is it a distinction without a difference?
Ben Yelin: I think there is a distinction there. I mean it's about whether the app is primarily about crowd sourcing the location of law enforcement or if that is a sub feature of the application.
Dave Bittner: Right.
Ben Yelin: If it were about federal law enforcement and it wasn't related to ICE, if it was about like where are FBI agents, I'm sure the White House would have asked to have that taken down as well. I don't know if local police departments have enough influence that they could go to Apple and say, "It's dangerous for this application to identify the location of police patrols."
Dave Bittner: Yeah. I mean they tried. That was the case when Waze started reporting police locations. They -- the police forces were making the case that this was a safety issue, that, you know, people with ill intent would know where a police officer was parked and could --
Ben Yelin: Right. And my recollection -- right. My recollection is the app stores told them to stuff it.
Dave Bittner: Yeah. Exactly. Yeah [laughs]. I would say just the app stores responded with silence. No response at all.
Ben Yelin: Right. Which I think is their way of saying like "We are a pro freedom application." Or, "We are a pro freedom company. We believe in individual rights. And we are not going to tip the scales on the side of law enforcement in those circumstances." It's just very notable that they didn't do it here. And I think there's another element of it that we have to mention because I think it's relevant, that Trump has threatened Apple with steep tariffs for making its iPhone overseas. Tim Cook was very worried about that. That's when he brought his gift to the White House. And now the Trump administration has exempted electronic products made by companies like Apple from most of the tariffs that have been imposed during this year. So Apple has still had to pay about $1 billion per quarter in tariffs, but it's far lower than it would have been without the administration's actions.
Dave Bittner: Right.
Ben Yelin: So there's at least the appearance here of a quid pro quo. Like "We gave you a break on the tariffs. You guys need to get this application out of your app store." The question I guess is, you know, is this actually a violation of Apple's terms of service? The guidelines are an app that is objectionable, defamatory, discriminatory, or mean spirited content shall be removed from the app store. All of those words are pretty vague, but to me the ICE Block doesn't meet the definition of any of those terms. So it seems like this is sort of an ad hoc justification to remove this application that doesn't fit the reasons that Apple usually removes applications because they have illegal content or things that are blatantly discriminatory. So yeah. I just I'm really not sure about this decision. Again I understand the government's interest here. I actually think it's entirely appropriate for the government to ask Apple to take down this application.
Dave Bittner: You don't think it's a first amendment violation?
Ben Yelin: Well, just in the same way that when the Biden administration went to the big platforms and said, "You guys need to do a better job policing BS content that's, you know, shedding -- that's feeding anti vax conspiracy theories on your platforms," they have the right to pressure the companies to do that and to ask them to do that. And the Supreme Court basically affirmed that. The case that related to those requests ended up being decided on standing grounds, but the Supreme Court basically in so many words said, "There has to be kind of explicit coercion." And there wasn't really anything cognizable against individual companies. So I think it's within the administration's power and purview to publicly criticize Apple for allowing the application to exist in the app store and for them to ask for the application to be taken down. It's Apple's conduct here that I question because I think if they hold themselves out as being an independent company who's not going to cave to pressure from not just our government, but more hostile foreign governments, then I'm surprised that they just lay down in these circumstances.
Dave Bittner: Yeah. I guess I wonder if at this point we're giving Apple too much credit or crediting Apple with the independent spirit of Steve Jobs who has been gone long enough that his spirit has faded. And that the --
Ben Yelin: That black turtleneck is fading further from our eyes.
Dave Bittner: Look. Also that a lot has changed for Apple. They are one of the largest companies in the world now, one of the most successful. And they're so tied to China with their manufacturing that that I think it's an unexpected vulnerability. I think it's fair to say Apple probably didn't see these tariffs -- this tariff regime coming. Right? In the way that it's come.
Ben Yelin: Yeah. And I think they had to -- they had to figure out a way to act to prevent significant financial harm to their own company. And the way they did it is to curry favor with the administration. And that's -- I'm sure if I were an Apple shareholder that's probably a decision I would support. You know, maybe I am an Apple shareholder in one of my mutual funds. I don't know. Probably am. Right?
Dave Bittner: So, you know, that's -- who does Tim Cook ultimately serve?
Ben Yelin: I think we have our answer here.
Dave Bittner: Yeah.
Ben Yelin: I mean what he would say is he's serving the interests of the shareholders. But really you're rewarding government coercion by -- or at least government pressure by ceding to this request in a way that I think previous generations of Apple leaders would have looked poorly upon.
Dave Bittner: Yeah. At the same time, though, I mean Apple has given in to requests from China. You know, they did away with the Taiwanese flag emoji in iOS in China. So they --
Ben Yelin: They're not immune to --
Dave Bittner: No. Exactly. They're not immune to requests from folks who have the ability to make life difficult for them.
Ben Yelin: To me there's something different about blocking something from the app store because I think like there are only basically two usable app stores. And Apple and Google merely provide the platform for app developers to put their apps in there for either for sale or for download. And I think there should be a very high standard to have that removed because I do think there are first amendment interests at play there. ICE Block since the request also went to Google and as of press time here I don't know how Google responded, but they can't just go into some alternative app store and try and sell themselves.
Dave Bittner: Yeah. Well, a couple details. I mean my understanding is that ICE Block was only available for iOS. But also --
Ben Yelin: I think there were similar applications that were available on -- in Google Play. But your point stands.
Dave Bittner: Yeah. Yeah. But I've seen people say that a possible solution to this would be for the developer to turn it into a web app. So basically if you -- if you made it in -- if you made this database into a website instead of an app then people could still access it on their mobile devices and they could have it functionally be a web app on their mobile device. And then they could still access the database without having to go through Apple's gate keeping.
Ben Yelin: Yeah, and I think there's definitely something to that. I suspect that the founder of this company will try to do that. It introduces additional steps for people who want to use the application and it's certainly not as user friendly as just downloading an app on your device. I mean have you ever tried -- do you have that frustrating feeling when you want to do something, but none of the apps that you have are able to do it? And you have to open up like Google Chrome and search for it like you're in 1999 or whatever.
Dave Bittner: Yeah. Yeah. Or wandering around in a foreign land where I do not speak the language.
Ben Yelin: Yeah. So there's -- there's something to that. And I just think on principle I mean somebody has to host that website. So is the host of that website -- and granted there are a million different hosting services so I guess that's what makes it different. But maybe that's what's so objectionable, that there are only two serviceable app stores and if these app stores are very prone to government pressure today it's ICE Block, but you know what about other applications that imply political rights or free speech rights?
Dave Bittner: Sure.
Ben Yelin: And again this was not -- you look at something like TikTok which Congress duly passed a law saying that unless there was divestment TikTok had to be removed from the app stores. That was an act by Congress signed into law by the president. So that is a little bit different. There's still free speech implications because Congress cannot usurp constitutional rights. But here that didn't even happen. We're just talking about White House pressure and coercion which again that is within their purview to put that pressure on the companies. I just think if the companies want -- like Apple want to sell themselves as bastions of free speech and democracy even though they've certainly tripped up at points in the past, I would have expected a little bit more resistance here. That's all.
Dave Bittner: Yeah. I think I don't disagree with what you're saying. I think, you know, folks who had that impression of Apple have in the past few months had their hearts broken by, you know, Tim Cook delivering a golden statue, a golden award, to our president.
Ben Yelin: There is an antitrust angle here too because like people like me and you who strongly disagreed with Tim Cook's actions in theory we could be like, "All right. I'm getting rid of all of my Apple products." And I'm going to go --
Dave Bittner: Let's not be hasty, Ben. Let's not be hasty.
Ben Yelin: Yeah. I mean that's just not going to happen. There just aren't sufficient alternatives out there.
Dave Bittner: Right.
Ben Yelin: So yeah. I just I don't really know what an equitable solution would be here.
Dave Bittner: Let me ask you this. Suppose Waze or Google maps or Apple maps added some granularity to their police reporting. In other words, rather than just saying, "Police reported ahead" what if they had a subcategory that said "Federal police reported ahead," "State police reported ahead." Right? Like it seems to me like you could get what you're after here with a subtle feature bump on some of these apps without overtly saying --
Ben Yelin: Saying it's with ICE.
Dave Bittner: Yeah.
Ben Yelin: It would be the Bureau of Alcohol, Tobacco, and Firearms. You never know.
Dave Bittner: Right. Exactly.
Ben Yelin: Yeah. I mean --
Dave Bittner: It could be somebody out checking for fishing licenses. Right?
Ben Yelin: Exactly. Oh no. Not the Fish and Wildlife Service. They're on to me.
Dave Bittner: Yeah. Yeah.
Ben Yelin: Yeah. I think that's certainly an option. I still think like the administration could come back and say, "We know the intention here is to target ICE officials and they still face safety threats." So you might be trying to hide that intention through the way your app is structured, but we know what your intention is. But yeah. I mean that could be an interesting work around.
Dave Bittner: Do you think the safety argument holds water?
Ben Yelin: I think it's a legitimate argument. I guess ICE is under the microscope right now which I understand. There's a lot of people who are angry at ICE who might be prone to commit acts of violence against ICE agents. That is completely understandable. But at various points in the past you could have said the same thing about state and local law enforcement. Like there have been periods of great distrust between citizenry and state and local law enforcement and yet Apple allowed applications to identify where cops were on the road when people were driving. So I think the same dangers are present there, but the apps were not removed from the app store. So it's just a matter of consistency. And it's fine to not be consistent because these are different circumstances and you don't want to get on the bad side of an administration who could destroy you with tariffs. But I think they kind of have to sit back and admit that and we all have to be disabused of our notion that Apple is going to stand up for civil liberties.
Dave Bittner: Yeah. I also think it fails to acknowledge the power mismatch between the ICE agents and let's just let's say protesters in that the ICE agents are armed wearing body armor, most often masked, so they're anonymous, they're the ones with the tear gas. Right? They have -- it's not -- it's not a fair fight. So this notion that ICE agents walking around in their camouflage with their weapons and their masks are in grave danger from citizens in my mind is at the very least overstated. But I'll admit I'm probably -- well, I admit I'm totally biased when it comes to --
Ben Yelin: Yeah. And there have been instances. They mentioned one in the article we're going to put in our show notes. There have been instances of violence against ICE agents in Dallas, for example. That is certainly a risk. They are under the microscope. But also there's a fine line because there is a constitutional right to protest ICE and its agents and the administration's policies. And then the question is are you just trying to protect them from violence or are you worried that they won't be able to fulfill their immigration policy goals which is a separate question entirely. And is it Apple's responsibility to concern themselves with effectuating the administration's immigration enforcement goals? That's a different question entirely. Like they're saying it's about officer safety which is legitimate, but --
Dave Bittner: It makes it harder for them to do their jobs when people have -- are tipped off that they could be on their way to your neighborhood.
Ben Yelin: Right. Yeah. Exactly. Exactly.
Dave Bittner: Yeah. All right. Interesting discussion, and we will have a link to that story in our show notes. We'll be right back after this message from our sponsor. [ Music ] All right, Ben. My story this week comes from the Department of Defense slash War depending on who --
Ben Yelin: To be clear, it's still in statute referred to as the Department of Defense.
Dave Bittner: Right.
Ben Yelin: The administration has given it a secondary nickname of the Department of War. So pick your poison on that one.
Dave Bittner: So, you know, recently Secretary Hegseth brought together the military's leaders, pulled them in from all over the world to have an in person discussion, a talking to. And his emphasis was on this warrior ethos that our military needs to pay more attention to physical fitness and appearance.
Ben Yelin: Do your pull ups, people.
Dave Bittner: Do your pull ups. He pointed out that it was no fun strolling around the Pentagon and seeing fat generals. I will add commentary that I believe it was Churchill who said "I don't need my generals to be able to run 10 miles. I need them to be able to outsmart the enemy." So there is a memo that was just released as we record this from the DOD that is reducing cybersecurity training for DOD personnel. This is a policy shift. They're shifting their resources from cybersecurity training towards this sort of emphasis on physical fitness. Those sorts of things. Critics are pushing back on this and saying "Our military, our government, our society, is under more and more attack from cyber foes than ever." In fact this is the war space right now in a lot of ways. So there's a lot of criticism that we see this shifting in priorities from the DOD. What do you make of this, Ben?
Ben Yelin: Honestly it's kind of a W for Hegseth. I mean I'm half joking. As somebody who's been through so many university based cybersecurity trainings, part of me is like "You lucky people. You don't have to hear, you know, don't open suspicious phishing emails for the 8,000th time."
Dave Bittner: Okay.
Ben Yelin: That was my initial reaction as a lay person. But as somebody who cares about cybersecurity I do think this is not great. Obviously the threats against the Pentagon or the Department of Defense could pose significantly more problems than the threats of a cyber attack against even a big university system which I think augurs for more cybersecurity training instead of less. I'll also note that like most people who work in the Pentagon aren't what Pete Hegseth would refer to as war fighters. Like there are a lot of analyst positions of people who never went to basic training, but -- and probably like me can't actually do one pull up, let alone many pull ups.
Dave Bittner: Right.
Ben Yelin: But they still have extremely important jobs. So why would we take away requirements that those type of people continue the same level of cybersecurity training? I think it's penny-wise, pound-foolish.
Dave Bittner: Yeah. My sense is, and this is my opinion, that this emphasis on appearances is misplaced, that in -- you know, our -- one of the reasons our military is so effective and proportionally compared to other nations around the world, and what is the statistic? I think we spend more than the next six nations combined on our military.
Ben Yelin: Yeah.
Dave Bittner: You know, part of that is the equipment that our soldiers are given, the training that they're given, and I contend that cyber training is part of that, particularly when all of your soldiers have mobile devices. They're carrying their phones and we know this is an avenue to get to them. So this --
Ben Yelin: And they're prone to things like espionage and blackmail. I mean I think you have to have very specialized training that you don't have in other workplaces. And we have seen attacks against branches of our military. There was a recent data breach in the Air Force that has reportedly been tied to Chinese threat actors. So it's not like the threats have gone away. And I just think if you're going to decrease cybersecurity trainings in any realm probably the Department of Defense would be the last one that I'd choose just given their responsibility and the potential harm against our country from cyber intrusions.
Dave Bittner: Yeah. No. All of these cuts to cyber have left me scratching my head. You know, obviously you know I'm -- it is the area that I am most involved with and probably know the most about when it comes to government operations comparatively, but the cuts at CISA and then seeing things like this it's hard for me to imagine how shifting priorities away from cyber in this world makes sense.
Ben Yelin: Yeah. There are elements of short termism here where it's an easy thing to cut because in the absence of a major catalyzing cyber incident most normal people, i.e., not us, aren't thinking about cybersecurity. So it's like a painless way to make cuts. I mean that was true pre 2020 for spending on pandemic preparedness. No one noticed in 2018 when, you know, we drastically reduced our CDC capabilities and pandemic monitors in China, that sort of thing. But when the thing does happen then you realize that it was a mistake to lower your guard.
Dave Bittner: Right.
Ben Yelin: I mean it's just a principle of emergency management.
Dave Bittner: The FEMA cutbacks will hit hard when a hurricane hits.
Ben Yelin: Totally. Yeah. Totally.
Dave Bittner: That sort of thing.
Ben Yelin: And maybe we have to wait 10 years, but we're still going to feel it.
Dave Bittner: Yeah. No. It's a good point. All right. We will have a link to my story in the show notes and again we would love to hear from you. If there's something you'd like us to consider for the show you can email us. It's caveat@n2k.com. [ Music ] Ben, you recently had the pleasure of speaking with Will Daugherty who was the U.S. head of Norton Rose Fulbright Cybersecurity Practice. You all were discussing the expiration of CISA 2015. I suppose it's worth noting before we go to the interview here that when you recorded this it was still a bit of a question mark as to whether CISA 2015 was going to expire. Is that right?
Ben Yelin: Yes. Yep.
Dave Bittner: And it did.
Ben Yelin: It did. We are about seven days into its expiration.
Dave Bittner: Right.
Ben Yelin: So we don't know at this time if it's going to be resolved as part of a funding agreement that may or may not come some time over the next few weeks since we're also currently in a government shutdown.
Dave Bittner: All right. Well, let's listen in.
Will Daugherty: The Cybersecurity Information Sharing Act has -- is designed to help facilitate the public private sharing of cybersecurity threat indicators and defensive measures among federal agencies and between federal agencies and private entities. Prior to CISA 2015 there was some information sharing that occurred relating to cybersecurity among private entities, but at a very small scale. One of the main reasons of that low degree of sharing of information was largely due to the fact that there was a lot of legal uncertainty surrounding whether or not the information that was shared among private entities and between private entities and the federal government would -- could be used in a variety of ways. So, for example, companies were really hesitant to share information because among their peers because of potential antitrust liability under the Sherman Act so you think of large, you know, energy companies, telecommunications companies, there's strict legal prohibitions on how they work together. And the corporate lawyers were very concerned that by engaging in this threat sharing that could be viewed as an antitrust violation. There were also significant concerns that when you share -- private entities share threat information with the federal government that those would be subject to the Freedom of Information Act type of disclosures. So journalists and the public at large could request access to the information that these private entities were submitting to the federal government. There's also a significant number of privacy laws that a lot of attorneys were concerned that some of these threat indicators could have personal information included within those. So there was a big concern about whether or not they would be subjecting the organization to potential legal liability by inadvertently including that type of personal information when sharing that with the federal government.
So really then Congress' central aim in 2015 was to normalize and de-risk voluntary real time public private sharing of cyber threat indicators or CTIs and defensive measures, DMs, while also putting some privacy and civil liberty guardrails around both government use and private disclosure. And it did this really in three primary ways. So first it required the federal government, namely the DHS, to set up real time intake and distribution process for CTIs and DMs. Secondly it authorized private sector monitoring and defensive measures so that they -- notwithstanding any other law. There were some concerns that being able to monitor your own environment, other environments, employing defensive measures like honeypots, that there could be some legal exposure there.
Ben Yelin: So we've seen CISA 2015 supported by the current administration, the previous administration, a bipartisan coalition of members in both parties in Congress, bicameral support. What is the nature of the opposition? If you were to play devil's advocate, why do people like Rand Paul oppose reauthorizing this legislation? What's kind of the controversial aspect of it?
Will Daugherty: Well, I think there's two sort of viewpoints. One I think there's always been a more privacy and big sort of government intake of individual data that could be used for surveillance or for other types of purposes, you know. And that was really the privacy concerns. Right? So I think the other component is what more specifically you reference Rand Paul. I think there's a perception that the government's obtaining this large amount of data through private entities, through this automated indicator sharing, gives them the ability, gives the government the ability, to potentially monitor and censor speech and other content. So I think that there is a concern that Rand Paul has specifically that this -- that the government won't use the information it receives in order to combat disinformation. Right? It's obviously very heavily in the news right now in where the government has any role in censoring content that organizations produce in the media. So I think that's a big concern that Rand Paul has. In practice do I think that this law really facilitates that? No. I mean these are indicators of compromise. These are defensive measures. So it's hard to see how -- that actually playing out to be utilized by the federal agencies to really use this information to combat disinformation or to hamper down on, you know, first amendment rights. So but that's the overall concern that we're hearing.
Ben Yelin: Is that -- just to understand the history here a little bit, is that why a sunset provision was written into the law? I mean Rand Paul was in Congress in 2015. Why did they have this 10 year sunset provision in the first place?
Will Daugherty: Yeah. The sunset provision is -- was deliberately included in order to force periodic oversight and re-calibration of this law as both technology and privacy expectations evolved. And frankly that's -- this is a standard practice for cybersecurity and surveillance types of authorities. And so I think lawmakers recognize that the cyber threat landscape is evolving rapidly. So periodic review would be necessary to assess the law's effectiveness and also to re-calibrate it if it was needed. And again it was also designed to help address some of the privacy concerns by including guardrails so I think that the 10 year sunset allowed them to have a point in time where they can reassess whether or not those guardrails are appropriate, whether they're effective, or whether adjustments need to be made. So, you know, I think now a lot of us are wishing that that sunset provision wasn't included because kind of given where we are and the deadline so near and there doesn't seem to be a clear path for re-authorization. But I think that it made sense to include it at the time, and even there's some -- and we can talk about this later, but there's certainly some areas where I think the industry and the federal government would like to see some improvements to CISA to further facilitate and adjust to some of the changes in the threat landscape that we're seeing particularly around AI usage. We're obviously concerned about quantum computing. So, you know, I think it was rightfully, you know -- needs to be reviewed periodically to ensure that it's current to the latest threat landscape.
Ben Yelin: Before we get into how you think this law should be improved, which I think is critical, I kind of want to think about what happens October 1, 2025 if this law is not renewed. So I kind of think of two different scenarios. There's one where let's say it's attached to a continuing resolution and that's delayed a few days as congressional leaders talk among one another, but it seems likely that it will be extended in a few days. And then the second scenario is there's no path forward and it's not going to be extended. Can you talk about what you would see the reaction being from the private sector under those types of scenarios?
Will Daugherty: Yeah. I think one of the biggest accomplishments of CISA was to give private entities internal and external legal counsel comfort that the organization could share information in real time with the federal government without exposing the organization to significant legal risk. So by -- if CISA is not reauthorized and we lose those legal protections then I think there is a very significant concern that these private entities will no longer share that information with the federal government. I've seen some experts expect the amount of sharing to go down 80 to 90%. Right? Because the decision on whether or not the organizations, each organization, will be sharing this information really gets transferred from the current decision maker which is the CISO to the general counsel's office who will be assessing based upon their legal assessment whether or not the organization should be sharing this information.
Ben Yelin: You never want -- you never want the lawyers to be in charge. Sorry to interrupt. Yeah.
Will Daugherty: It will slow things down. I mean that's the reality of it. Right? And that's the one thing in this landscape that you can't afford. Right? Speed of sharing of information is critical to effective response. Right? And organizations relied heavily -- I mean this law really helped just -- as a catalyst of just increasing organizations' comfort with sharing information not just with the federal government, but with their peers. Right? Although we had information sharing and analytics centers we really saw an explosion of organizations using those to share with their peers in real time important threat information. And I really fear that that will be largely either slowed down or that spigot will be turned off because of those legal concerns.
Ben Yelin: Do you think there's any chance that if there's some -- let's say the law expires and there's some type of catalyzing event, a major cyber incident data breach. Is that the type of thing that you think would lead to a groundswell of support? I mean I hope we never get to that point, but is that something you think about in anticipating what happens when this expires?
Will Daugherty: Yeah. Unfortunately I mean that's how we see a lot of regulatory in Congress move is in response to these large events. Right? So certainly if something like that were to happen that affects particularly a critical infrastructure sector having something that really impacts a broad sector of the U.S. economy would certainly galvanize I think Congress into taking action. I don't think there's a strong opposition overall to CISA. It pretty much has bipartisan support. I think it's caught up right now in a very -- Congress is in a very difficult time of reaching consensus on anything. And certainly I think CISA is really just caught up in this kind of historical moment where it's hard to get Congress to agree on anything, but overall I think there really is bipartisan support. But if we don't have this reauthorized then I'm afraid that we won't have the incentive -- Congress won't have the incentive to subsequently pass similar law if it's not reauthorized soon until we have something that is significant and impacts a lot of organizations and pressure is put back on Congress to do something to help private industries improve their cybersecurity postures.
Ben Yelin: And I think now would be a good time to talk about what some of your reform ideas are if we're looking at extending CISA into the future. How do you think it could be improved?
Will Daugherty: Yeah. I think there's a few areas that this would be a good opportunity to improve CISA. One I think expanding the definitions of cyber threat indicator defensive measure as well as the definition of cybersecurity purpose because those are essential to how the law functions. And liability protections are tied directly to these terms. So if we expand them that would allow companies and government agencies to share a wider range of information, conduct more modern cybersecurity activities without fear of legal repression. So just to give you a few examples, so I think if we updated right now the definitions of cyber threat indicators and defensive measures arguably don't cover types of social engineering attacks that result in business email compromise. That's actually like one of the largest financial losses organizations face is through business email compromises and transfer of funds through those social engineering tactics. Right now the law doesn't clearly encompass those types of threat indicators. So I'd really like to see some broadening of the language of the cybersecurity purpose in the CTIs and DMs to cover a more wide range of types of threats. I think we also need to keep up with the times. We are starting to see threat actors utilize AI in their attacks whether that be through development of new malware code to identify potential exploits of newly released vulnerabilities all the way through actually once they're inside of a victim organization's environment using AI to identify crown jewels for exfiltration, analyzing that data to put a price on what the organization would likely pay and ultimately even using that AI to develop a customized ransom note. So the threats are real. AI is here in terms of threat actors using that. So I'd really like to see CISA be updated to encompass these new AI threats by expanding definitions and making clear that, you know, these types of new threats are going to be civilly protected.
Ben Yelin: And then just in terms of obviously we don't give legal advice, official legal advice, on this show, but just in terms of what your broad message is to the stakeholders that you work with on the expiration of the statute, what's -- what do you -- what's one of the one or two things that you want stakeholders to understand about this process as they seek to kind of figure out how it's going to influence their company or organization?
Will Daugherty: If CISA does not reauthorize I'm advising, you know, clients that we really need to start looking at their existing sharing of threat indicators and the agreements that they have in place. And it's important to realize that CISA actually underpins a lot of federal government partnerships and services that they provide particularly to the critical infrastructure for providing free monitoring of their externally facing endpoints. They've provided a lot of these services. And CISA really underpins those services. And so those types of organizations that are utilizing those types of federal government services we need to take a look. We need to take a step back and look to see whether or not we're comfortable continuing on with these partnerships in light of the loss of these liability protections. So I'm also looking at and advising our clients to talk to their folks in D.C. on the Hill that are on policy making teams to really advocate for the reauthorization of this. Right? I think we need to be planning for the potential loss of this, but at the same time voices are really important. So going on the Hill, speaking to the representatives and trying to get them on board, is really important.
Ben Yelin: And then just as a last thing do you think the regime we've created under CISA is in any way -- is there any way we could replicate it through things like voluntary contractual agreements or like associations of states who come together and shield companies from liability based on information sharing? Or is this something that you could only foresee working with the heavy hand of the federal government?
Will Daugherty: I really don't see a way I mean for anyone other than the federal government to be able to accomplish the goals that CISA 2015 wants. Again the antitrust laws are largely federal. Right? The privacy laws are there's both -- the types of liability protections that CISA affords are really hard to replicate on a state-by-state level. The other concern is that, you know, even if it were state we've seen in both privacy and cybersecurity space it's really hard to get all 50 states on board to -- on anything. Right? Asking the states to all come together and provide a similar type of protections is just unlikely. I think our best shot is at the federal level and I think that while private parties and entities will likely still find ways to share some information it's going to be at a significantly lower scale with a lot more friction of those legal departments getting the -- needing to review everything that's going to be shared prior to that. It's going to really delay things. So I think the federal CISA really was and is the best solution that we have right now. And frankly it's one of the most important cybersecurity regulations that we have. Right? It's one of the most important laws over the past 20 years and so really hope that we can -- Congress can find a way to get this reauthorized. [ Music ]
Dave Bittner: All right. Interesting stuff. What were the main takeaways for you here, Ben?
Ben Yelin: I just think that there's so much private sector appreciation for the role that CISA 2015 has played in information sharing. And I think it's something that the people who know best in the private sector, who've done the type of evaluation on their bottom line that information sharing has done for them, seem to be the ones who are the biggest proponents of this. So that was really interesting. The fact that there is bipartisan support to reenact CISA 2015 with only minor changes, if any, I think just shows its importance and how information sharing is an alternative to coercive regulations that these companies have to comply with. So I thought it was a really interesting interview.
Dave Bittner: Yeah. Absolutely. All right. Again our thanks to Will Daugherty from Norton Rose Fulbright Cybersecurity Practice. We do appreciate him taking the time. [ Music ] And that is "Caveat" brought to you by N2K CyberWire. We'd love to hear from you. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to caveat@n2k.com. This episode is produced by Liz Stokes. Our executive producer is Jennifer Eiben. The show is mixed by Tre Hester. Peter Kilpe is our publisher. I'm Dave Bittner.
Ben Yelin: And I'm Ben Yelin.
Dave Bittner: Thanks for listening. [ Music ]