Podcasts
Caveat
Ep 285
Caveat 11.6.25
Ep 285 | 11.6.25

Face to face with controversy.

Show Notes
Transcript

[ Music ]

Dave Bittner: Hello, everyone, and welcome to "Caveat," N2K CyberWire's privacy, surveillance, law, and policy podcast. I'm Dave Bittner, and joining me is my co-host, Ben Yelin, from the University of Maryland Center for Cyber Health and Hazard Strategies. Hey there, Ben.

 

Ben Yelin: Hello, Dave.

 

Dave Bittner: On today's show, Ben talks about a couple of instances of AI companies reining in their chat bots. I've got the story of ICE's controversial facial recognition operations. And later in the show, my conversation with Dr. Sasha O'Connell, Senior Director for Cybersecurity Programs at Aspen Digital and former FBI Chief Policy Advisor for Science and Technology. While this show covers legal topics and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney. [ Music ] All right, Ben, we've got some interesting topics to cover here. You want to kick things off for us?

 

Ben Yelin: Sure, so I have a couple of stories that are kind of on the same theme, and it's something that I've been interested in a lot recently, which is regulation of chat bots. We've seen these horror stories of these AI chat bots giving terrible advice, driving people to commit self-harm, various other types of abuse. I know this is something that state legislatures across the country have looked at, putting guardrails around these chat bots, particularly as it relates to kids. There's a bipartisan proposal in Congress to do the same thing, to restrict access to AI chat bots for kids who are using chat bots for companionship, for therapy in a way that could be potentially dangerous. So I was very interested to see -- I'll go first to this New York Times story about Character.ai barring children under 18 from using its chat bots. So I don't know if you dabbled around in Character.ai?

 

Dave Bittner: No, no, I don't know. I'm -- I've heard of it, but I have not played with that one.

 

Ben Yelin: So basically, you can create different characters and just like engage in various everyday interactions. And prior to this announcement, kids could do so as well, or at least there was no age-verification process. So kids could be involved in some very inappropriate things, like semi-sexual relationships, obviously nothing physical through your computer.

 

Dave Bittner: Right.

 

Ben Yelin: But relationships, etc., with a chat bot or even companionship of a friend who's giving terrible advice, somebody that they've relied on or, again, talking about things like therapy. So the company has decided that it will ban users under 18 from engaging in open-ended conversations, starting later this month. Starting immediately, there's going to be a two-hour limitation on kids using this service. So they're kind of instituting this policy gradually. I think the decision comes from a couple of lawsuits, one we talked about on this podcast, the death of 14-year-old Sewell Setzer in Florida, who had extensive interactions with a chat bot and ended up taking his own life. And then there was another similar case as well, for a young girl named Juliana Peralta. Starting today, as I said, that you're gonna have that two-hour daily limit. Starting November 25, minors will be able to read past conversations, but they cannot engage in new chats. There will be alternative features for under 18 users, so you can still in kind of a very walled environment create videos, stories, and streams with AI characters. And then they're going to institute an AI safety lab to try to establish proper safeguards. It's kind of an open question how they're going to do age verification, so they claim it will be a behavioral analysis with social media data, which doesn't seem like a 100% foolproof system, if you ask me.

 

Dave Bittner: Nothing is foolproof for a talented fool.

 

Ben Yelin: Right, exactly. I mean, I could have -- I could have pulled off behaviorally acting like an adult at 16, don't you think?

 

Dave Bittner: Yeah, and you're still doing it today.

 

Ben Yelin: I think they want to avoid what some states are requiring, like uploading your ID. They don't want to be one of those companies. So I think that's their best method for now. They've not previously required any type of age verification during sign-up. So this will be something that's new for new users. So that's one story. And then I think kind of on the same theme, we got news from Ars Technica that Google removed the Gemma model from AI Studio. This all seemingly stemmed from a complaint by a Republican senator named Marsha Blackburn, who has a resourceful staff. And the staff asked Gemma, which is Google's AI chatbot, has the senator ever committed sexual assault? And they hallucinated an entire story about the senator committing sexual assault, which never happened.

 

Dave Bittner: Wow, wow.

 

Ben Yelin: That had something to do with her security detail. Like they went into great detail on this completely made-up story. So this is a recognition that hallucinations are a big problem. They announced this decision that it was pulling Gemma at least temporarily from the platform. They didn't attribute it directly to the senator's experience, but the timing made it seem like that's exactly the impetus for this decision, and she had written a letter to Google basically demanding an explanation of why the model would fail in this way. And this kind of goes along with what she's been saying and other senators have been saying, congressional hearings about the harms of these chat bots. So I think the common theme here is in the face of impending lawsuits and in the face of state regulations, companies are taking it upon themselves to put guardrails around these chat bots as we're just kind of discovering the full extent of their dangers. I know there is an organization called Common Sense Media, which I know has been doing really interesting work in this space. So I think with their push with state legislation, with congressional hearings, the pressure is now on these companies to take actions on their own, and that's what we're seeing here. So I just found that very interesting.

 

Dave Bittner: Can I be snarky?

 

Ben Yelin: Yes, always.

 

Dave Bittner: My initial reaction, which is admittedly unfair, is that I'm sure these tech companies will do as good a job keeping kids away from these chat bots as they have keeping kids away from online pornography.

 

Ben Yelin: Yeah.

 

Dave Bittner: Right?

 

Ben Yelin: I mean, that's the cynical -- that's the cynical view here, and I think there's a good reason to have it. I mean, the age verification procedures seem kind of haphazard to me. Again, I'm not an expert in this, but just kind of like doing behavioral analysis when we're talking about the difference between a 17-and-a-half-year-old and an 18-and-a-half-year-old seems kind of like an imprecise type of metric.

 

Dave Bittner: Right.

 

Ben Yelin: So there's that and the fact that they are only doing this in response to impending lawsuits, which, again, makes sense, but obviously they're not doing this out of the goodness of their own heart.

 

Dave Bittner: Right.

 

Ben Yelin: They are trying to avoid litigation, but yeah, I mean, I guess doing something is still better than doing nothing --

 

Dave Bittner: Yeah.

 

Ben Yelin: -- if you want to take it a little bit less cynically.

 

Dave Bittner: Well, I guess one company doing this is -- what's to keep a kid from just hopping over to the next platform, to the one next door, right? So I guess my question is if we really want to make a difference here, wouldn't it be better to have some sort of regulatory regime that says all AI platforms must age check and either prohibit or limit what's available to users under 18?

 

Ben Yelin: Yeah, I mean, I think that's the ultimate goal. This is a temporary measure taken by these companies, I think, to improve their own PR, publicity. I mean, they want to thrive in the market going forward. And a lot of people who might be potential users of these chat bots are news consumers and potentially parents. And it's also to come up with a temporary solution while states figure out the best way to institute guardrails around these chat bots, as well as the federal government. I mean, the fact that we have this bipartisan Holly, Josh Hawley from Missouri, the Republican; Blumenthal, Richard Blumenthal from Connecticut, a pretty progressive Democrat, have teamed up on this. So it's something that has legislative momentum. I think this is just a temporary measure while we wait to see what legislators do to solve the problem writ large so it's not just these companies. But sometimes there's a cascading effect. If companies have self-respect, they'll realize like, okay, the bigger players are doing this. We don't want to be the inappropriate alternative for minors.

 

Dave Bittner: I'm sorry, did you just say if companies have self-respect?

 

Ben Yelin: Yeah, man, it's rare that you exceed me in cynicism in an episode.

 

Dave Bittner: Maybe we just caught me in a mood today.

 

Ben Yelin: I'm impressed. I'm frankly impressed at this level of cynicism. I've trained you well.

 

Dave Bittner: Yeah, that's right, you wore me down.

 

Ben Yelin: Exactly. You're the one who's supposed to be saying like, oh, can't they have a good reason for doing this? And I'm the one who's supposed to say no, they cannot.

 

Dave Bittner: Yeah, right, right. Doesn't California have something coming up here? I think, what, beginning of next year they've got some guardrails for AI that are going to be going into effect --

 

Ben Yelin: Yes.

 

Dave Bittner: -- leading the way?

 

Ben Yelin: So California passed a law. It was signed into law by Governor Newsom very recently. It will institute some regulations on chat bots. In talking to folks from Common Sense Media, they ended up opposing this bill because it didn't go far enough. I think they are looking for something that really holds these companies accountable. That would include not just regulation, but a private right of action so that somebody negatively impacted by this could sue the company. And they're advocating for trouble damages, meaning like you could really, really punish these companies for harm done to individuals. You potentially could hold them liable under a theory of products liability, which means it's a -- it's a lower standard when you're talking about product liability to prove that the company was negligent in its product design. So they want all of those things. This bill didn't do that. It's more of a regulatory bill and -- but it is something, and it's going into effect January 1, and I think we'll see what happens with other bills. I know Common Sense media and other organizations are working with legislators here in Maryland. I've been a part of some of those conversations, and I know New York has undertaken an effort to regulate these types of chat bots as well. So there's kind of the nuclear approach, which the companies hate, which is the private right of action, and then there's the less nuclear approach, which is death by a thousand cuts through regulation.

 

Dave Bittner: What do you make of the right of private action in cases like this?

 

Ben Yelin: I mean, it's something that's critically important so that the victims actually get compensated for the harm done. Obviously, in many circumstances, you can't fully compensate the victims. If your loved one has taken their own life, there is no proper level of compensation for that, but the best you can do is to provide significant damages so that, in the interest of fairness, the wrongdoer is actually paying the victim. And that doesn't exist in regulation. If you are just seeking an injunction to get the company to stop doing something, that doesn't make the victim whole, if that makes sense?

 

Dave Bittner: Yeah.

 

Ben Yelin: Only through at least the threat of that private right of action can you actually get that money from the alleged perpetrator to the victim, and that's why advocates, I think, have been so adamant about including this private right of action.

 

Dave Bittner: What about any sort of criminal charges? I'm thinking of a, you know, let's just say, hypothetically, a therapist was malicious and, you know, headed in for a kid and talked them into suicide as an avenue, and the kid follows that, presumably, that therapist out of -- with using malice --

 

Ben Yelin: Right.

 

Dave Bittner: -- could have criminal charges brought against them. Is that a, at all, a possibility when we talk about these tech companies?

 

Ben Yelin: I think it's definitely under consideration. It gets much harder because it's easy to figure out in a civil case how to take money away from these companies. It's harder to figure out who you're going to actually arrest. And that's why using a regulatory system for something like this is much easier. I guess you could arrest the CEO. It's just something that's not really the proper remedy in these types of circumstances where it's this very diffuse, large company and the chat bots been trained by a number of different people, not just the company's leadership, but also other individuals in the company who have developed the algorithm, and then the algorithm kind of helps develop itself in a lot of ways.

 

Dave Bittner: Yeah.

 

Ben Yelin: So it's just hard to properly assign criminal liability, whereas civil liability, it's just like this company did it. They have a certain amount of assets, and we are going to take some of those assets.

 

Dave Bittner: Yeah, I guess you got to make it hurt, though, right? There's just so many things.

 

Ben Yelin: Yeah, I mean, and that's why they're interested in what's called treble damages, which is basically triple the amount of compensatory damages. So regular damages, you try and put the victim back in the same position he or she would have been in, absent the negligent behavior. So when you triple that, then you can -- you're really starting to talk about real money here.

 

Dave Bittner: Right.

 

Ben Yelin: Because even just without treble damages, it could be a significant amount of compensatory damages if there is a wrongful death of somebody's family member. And then when you triple that, that could absolutely have an impact on these companies, and that would, at least, in theory, give them incentive to put up stronger guardrails.

 

Dave Bittner: So you mentioned that you've been involved with conversations dealing with these sorts of things. Is your sense that this is an area that legislators want to focus on?

 

Ben Yelin: I think so. I mean, I think this is the next frontier in AI regulation, particularly when you have these horror stories that have really galvanized legislators, and you're dealing with human beings and these legislators who have kids. And just in talking to people I know who do this stuff for a living, I mean, I think that's had an emotional impact on them. I feel like a lot of people feel like they're losing their kids to screens, and this is kind of downstream from that, that, as a parent, you feel like you lose influence if your child is getting advice from this very human-sounding chat bot. And so I think this is something that legislators are very interested in for that reason.

 

Dave Bittner: Yeah, that's fascinating. All right, well, we'll keep an eye on it. I mean, this is, as I say, rapidly developing story and an area, so we'll have some links to those stories in the show notes. We're going to take a quick break here. We will be right back after this message from our sponsor. [ Music ] And we're back. Ben, my story, this week, this comes from the folks over at 404 Media who are always doing the hard work when it comes to these sorts of privacy stories. This is about a system that ICE has put in place, Immigration and Customs Enforcement, that is a facial recognition system where imagine you or I or somebody else is walking down the street, and we cross paths with an ICE person, and the ICE person says, stop, I need to scan your face to see who you are and whether or not you are a citizen and entitled to be here. According to this report from 404 Media and the internal documents they got from DHS, you are not allowed to opt out of a facial scan.

 

Ben Yelin: So if you opt out, basically, you're just detained and arrested?

 

Dave Bittner: I assume so.

 

Ben Yelin: Yeah.

 

Dave Bittner: I don't know if they hold you down and scan your face, but --

 

Ben Yelin: Give me your face! Give me your face! Yeah.

 

Dave Bittner: I'm speculating, but, you know, given the -- what we've seen with interactions ICE has had with citizens on the street, it wouldn't surprise me. Of course, no small irony that ICE covered -- most ICE officials cover their own faces.

 

Ben Yelin: It sure is an irony.

 

Dave Bittner: Right, right? So this app is called Mobile Fortify. It was developed by Customs and Border Protection. They shared it with ICE. It's used by field agents to verify identity and immigration status. And the way this works is they take your photo on an ICE mobile device. That image is checked against the Custom and Border Protection traveler verification service, which they say has a database of about 200 million faces, and then it returns details like name, date of birth, nationality, your alien number, and any deportation orders. The ICE agents can also capture fingerprints and your GPS location data from the encounter, and they say that they can collect biometric data from anybody, not just non-citizens because the agents don't know if you're a citizen before they scan.

 

Ben Yelin: Right, by definition, I mean, and that's where the implications become clear and probably less politically palatable to the administration. I think the administration knows that they are at least strongly believes they have a mandate for internal immigration enforcement. But if this starts happening to US citizens, especially those that have been profiled for various reasons, then it starts to impact the constitutional rights of US persons, which is an entirely different ball game.

 

Dave Bittner: Right, so I want to get to the constitutional elements of this in a second, but we've talked here many times when it comes to facial recognition that facial recognition software is conspicuously bad at dealing with people of color.

 

Ben Yelin: Yes.

 

Dave Bittner: And that's who we're talking about here. So we have technology that objectively is -- functions less well with the very people that the -- that ICE is most likely to be going after with this, so that's problematic.

 

Ben Yelin: It sure is, and it's all -- I know we're supposed to be putting off the constitutional issues, but it's just worth mentioning that in one of the ICE cases that's made it up to the Supreme Court, Justice Kavanaugh, in a concurrence, said that race could be used as a factor for immigration enforcement and kind of a common sense if we're trying to deport people who've largely come from Central and, I guess, parts of South America, then at least as an initial matter, race is an acceptable reason to establish suspicion. So we're already kind of tilting the scales in that direction and then by using facial recognition, we are further tilting the scales because, as you've said, we have just, you know, now, decades of proof that facial recognition is not good at differentiating faces between individuals of color, and you can understand what the implications of that are. People could be falsely detained and falsely deported. And it seems, based on this article, correct me if I'm wrong, that they are treating a recognized face as definitive, so --

 

Dave Bittner: Yeah, yeah. That's ultimate -- I was, yeah, that's terrifying to me.

 

Ben Yelin: Sorry, I cut ahead of you there.

 

Dave Bittner: No, no, no you -- no, no, it's good. So they spoke -- the folks from 404 Media spoke with Congressman Benny Thompson, who is a Democrat from Mississippi. According to him, ICE treats a biometric match from this app as definitive, overriding documents such as birth certificates. So you're walking down the street. You're minding your own business. You cross paths with ICE. They scan. You have your birth certificate, your passport, your ID, saying you are a US citizen. If this app says, no, you're not, then it's handcuffs.

 

Ben Yelin: Yeah, I guess the thinking is that all of those other documents can be forged, and you can't forge your own face. We don't know that that's the reasoning because this article claims that DHS did not respond to them in terms of questions for comment. But I think that's probably the rationale that like the most sure you can be is through the use of biometric data.

 

Dave Bittner: We know that's not true.

 

Ben Yelin: And we know that's not true. Like if we knew that biometric data was perfect --

 

Dave Bittner: Right.

 

Ben Yelin: -- then maybe that would be a reasonable solution. But if you have robust physical IDs, like something like Real ID, which is supposed to be secure enough that you can use it to fly on airplanes --

 

Dave Bittner: Yeah.

 

Ben Yelin: -- why is that not acceptable for documentation purposes so that a person like they can at the airport can opt out of facial recognition?

 

Dave Bittner: Right.

 

Ben Yelin: At the airport, it might make your life a little bit more inconvenient. You might have to wait in a separate line, but you do have that as a meaningful option in a way that I just don't think you do in these circumstances.

 

Dave Bittner: Yeah. They also point out that any photos or fingerprints that are taken by the app, including those of US citizens, are stored for 15 years --

 

Ben Yelin: Great.

 

Dave Bittner: -- regardless of whether you're found on a hot list or not. They just -- they hang onto it.

 

Ben Yelin: And that matters, because if somebody is arrested, they check it against existing databases for facial recognition, so you've already kind of implicated yourself.

 

Dave Bittner: So let's dig into the constitutional quandary here.

 

Ben Yelin: Sure.

 

Dave Bittner: What -- where are we possibly crossing paths with the Constitution?

 

Ben Yelin: So, I mean, I guess there's a question of whether this is a search in the meaning of the Fourth Amendment. You don't have a reasonable expectation of privacy when you are on a public thoroughfare. But I think when that was developed as a doctrine, there wasn't an expectation that we could just scan people's faces. Like the expectation was if somebody recognizes you in public, that's not a constitutional search. Like if a cop recognizes you, but now we don't -- we were just doing it at a scale that was not in any way contemplated. Assuming this is a search for constitutional purposes, which, again, is not a safe assumption, then you would look at whether this is an unreasonable search. And I think what the government would say is our interest in removing undocumented immigrants from this country is important enough for national security purposes that it can justify an invasion of privacy in a way that we're doing here. And government has won in many cases making that argument. I mean, I think if courts are properly convinced that the interest is strong enough and that the incidental burden on privacy is weak enough, then they're willing to defer to the government's judgment here. So I certainly don't think this is a slam dunk Fourth Amendment case for a potential defendant. First of all, we'd have to get somebody who has standing. So somebody would have to be falsely detained and resourceful enough to get an attorney to, you know, take their case and move it through the court system. So we have to do that first and then I, just with current jurisprudence, I don't see how this is a per se Fourth Amendment violation, which, in and of itself is a problem. I think that's a moral and policy problem in some ways more than it is a constitutional problem, despite the fact that I think it violates the spirit of the Fourth Amendment.

 

Dave Bittner: So if a US citizen is walking down the street and crosses paths with a law enforcement officer, what is within the officer's right to stop that citizen, detain that citizen, scan that citizen?

 

Ben Yelin: According to DHS policy, which has not been enjoined by any court, there is no right. They can just do it. And I guess they can compel you to do it with force, given that they are a form of law enforcement. So they could potentially hold you down and put the camera in front of your face to scan it. At least, that's the implication from this policy without it being reviewed by a court, and that's how it's been interpreted by the Department of Homeland Security. So you really don't have any constitutional rights that are at least are being enforced right now.

 

Dave Bittner: Yeah.

 

Ben Yelin: I think it's possible that if somebody politely refused, then that person, if ICE was still suspicious, could be detained, pending adjudication of the claim, but we've seen ICE detain up a lot of people who are US citizens over the past several months, just as part of this very broad operation to do a version of mass deportations. So in that way, it doesn't really change things that much. It's just a tool that'll make these types of arrests easier when ICE can deploy it at scale.

 

Dave Bittner: And suppose this did make its way to the Supreme Court? And again, you know, stringing together hypotheticals, suppose it made it to the Supreme Court and the Supreme Court said, no, you can't do this? How would that affect ICE's ability to do their business? Could the Supreme Court just say, hey, facial recognition is off the table?

 

Ben Yelin: What they'd probably say is that since it is a Fourth Amendment violation, then a person probably has the ability to opt out of it, would be my guess. And then if people were aware of the possibility of opting out, presumably more people would opt out, and it wouldn't be as effective of a tool. That's kind of the theory, though. That's just not really how it works in real life.

 

Dave Bittner: Yeah.

 

Ben Yelin: Like we've seen that with other prophylactic measures that the court has imposed upon law enforcement. But when you actually get into the situation, it's like, all right, the guy with the gun is asking me to do this and is threatening me, so I'm just going to do it.

 

Dave Bittner: Right, and through the use of force can make it a really bad day for me if I resist.

 

Ben Yelin: Right, especially if you're sure that you are a US person, you think that you can be exonerated. I guess not really exonerated, but cleared.

 

Dave Bittner: Proof of -- proof -- prove your innocence.

 

Ben Yelin: Prove your innocence of actually being a US person.

 

Dave Bittner: Right, right.

 

Ben Yelin: But, yeah, I mean, I don't -- I don't think this is something that, even with a court remedy, is going to go away overnight. I mean, I just think this is such a priority of the administration that they are willing to pull out all the stops, and they will say, not incorrectly, that this is their mandate, that this is what they ran on, and they are going to pursue policies to effectuate that mandate.

 

Dave Bittner: Yeah.

 

Ben Yelin: Just watch any Stephen Miller interview. He'll tell you exactly what the philosophy is behind this.

 

Dave Bittner: Well, and they're also saying that this does save them a lot of time and energy to -- this is a powerful tool for determining who people are, whether or not they are who they say they are. And so from a law enforcement point of view, you can see it streamlines the work they have to do. And so why wouldn't they use it?

 

Ben Yelin: Totally.

 

Dave Bittner: Yeah.

 

Ben Yelin: Yeah.

 

Dave Bittner: All right, well, we will have a link to that story in the show notes. Again, if there's something that you would like us to consider for the show, you can email us. It's caveat@n2k.com. [ Music ] Ben, I recently had the pleasure of speaking with Dr. Sasha O'Connell, who is Senior Director for Cybersecurity Programs at Aspen Digital. That's a program of the Aspen Institute. Dr. O'Connell is also a former FBI Chief Policy Advisor for Science and Technology. Here's our conversation. [ Music ] So I would love to start off with a little information about the Aspen Cyber Summit. You all are celebrating 10 years, which is quite a -- quite a milestone. Can you take us through a little bit of the history of the summit itself and what's led you to where you are today?

 

Sasha O'Connell: Sure. So, yes, I've only been at Aspen for just over a year, but I really stand on the shoulders of really great folks who have come before me and built -- and built a really strong foundation and growing program that has been focused on convening leaders in this space for, as you mentioned, just about a decade now. You know, in cyber, we always talk about public-private partnerships being at the core of our ability to address the threat. And at Aspen Cyber, that was sort of the nascent idea is to create that space to make sure that's happening in a trusted environment. And you know, my predecessors here at the program really laid an amazing foundation, and the program has been growing there ever since. You mentioned the summit is one part of that work. We also run a US cyber group and a global cyber group. Those are a mixture of public and private leaders that meet Chatham House, so those private conversations that go on two, three times a year on a cycle, and that creates that opportunity for folks to not only meet each other and discuss issues of the day, build trust, and then do work and projects that spin off of that. And then the summit, as you mentioned, coming up November 18, here in DC, we're super excited. That's the -- our time we really get to open our doors to the public as well and have all those public-private partnerships, all that teamwork that's been built, that great thought leadership. We get to put that on the main stage and include a broader audience in that conversation. Our event has been called the Coachella of the cyber policy world, and we really lean into that moniker. We cover a lot of sort of heady policy cybersecurity ground, but we also try and have a good time.

 

Dave Bittner: Well, you mentioned foundations, and your own background comes from a place in public service as well. Can you tell us a little bit about that?

 

Sasha O'Connell: Sure, so I spent just shy of 15 years at the FBI. I was neither an agent nor an intel analyst. I was kind of the non-traditional, what we called at the -- at the FBI, at the time, MAPA, or Management and Program Analyst. I had an opportunity to work over that 15 years on strategy and policy and performance management a lot of time on a lot of different programs, but I spent the last, really, five, six years at the Bureau focused on the cyber program inside the FBI and then ultimately on interagency policy as it relates to many things, but what came to the top was tech policy and cyber policy.

 

Dave Bittner: I see. Well, let's talk about Aspen Digital and some of the policy priorities that you and your colleagues have there. What is top of mind for you these days?

 

Sasha O'Connell: We just started rolling out a whole series, a special project series, on offensive cyber operations. So the Trump administration has been forward-leaning in this area and expressed an interest in beefing up both capabilities and activities as it relates to going on the offense in cyber. So we picked up that nod, that head nod, and said, okay, what do our -- the folks in our network, both public, a lot of former public sector leaders as well as private sector leaders, civil society, and academics, you know, what advice do folks have? What have they seen in this area? Where do they see this going? So about four weeks ago, we launched this series. So that is one priority for us. Additional priority that does come as a response to the priorities of this administration is the focus on what it means to move responsibility for cyber to the state and local level. So after the administration issued an executive order to this effect back in March, we've done a series of convenings that, then again, have resulted in a series of thought leadership publications we've put out, sort of discussing and interrogating this idea. What does it mean to move responsibility back to the states, if you will? What are best practices there, challenges, and how do we help inform that? So that's just an example of two things we're working on there. Another one that's more kind of, I would say, proactive, coming from our members, there's a lot of work happening now around public education, around cybersecurity and frauds and scams. Here at Aspen Digital, on behalf of Craig Newmark Philanthropies, we lead a public service awareness campaign called Take9, and it's a consumer-focused public service awareness campaign that's really focused on getting folks to see themselves in the effort to address cyber frauds and scams, and the core message is around slowing down, right? We say, in cyber, creating friction in the system. In this context, we're talking about the human in the loop, and asking those humans to literally slow down for nine seconds. That nine seconds, it turns out, science has told us, helps move us from reacting to responding when we get that email, that phishing email, or a deepfake phone call, right, with deepfake voice, for example, all of these sophisticated tools. So that public service and communication around cyber as well as frauds and scams is another priority area for us.

 

Dave Bittner: Well, I would love to dig into two of the topics that you mentioned, starting with offensive cyber. I mean, I think it's certainly a hot topic for discussion these days, and a lot of folks are wondering how this could play out. My sense is that people are kind of hanging back and seeing, you know, how is this going to be enabled, right? How are we -- how we're going to be given legal protection and cover to be able to do these sorts of things? What are your insights?

 

Sasha O'Connell: I think that's right. I think we're waiting and seeing a little bit. As you know and your listening audience knows, it's a complicated area where because so much of the critical infrastructure in this country and the data in this country is owned in the private sector, this idea of offensive operations and how, what -- how and what the private sector's role in that should -- can and should be, as you mentioned, liability. These are all open questions, so that's exactly what we've been sort of exploring and exploring different opinions, right? Because opinions do vary in this regard, and I think time will tell where this administration is really headed. There's also a point of view that we shouldn't solely focus on offense. We shouldn't lose track of the basics when it comes to resiliency, right, in cyber and that that is ultimately, you know, a good defense, ultimately being really key to a good offense. Sean Joyce just wrote a really interesting piece that's up on the Aspen Digital website about that as well, right? So while we wait to see where things shake out on this move -- to move to more offensive capability and action -- there's also, you know, the line of thinking that says let's not forget about the fundamentals is a key component as well.

 

Dave Bittner: Yeah. Well, and let's shift then to talk about responsibilities shifting to the states and local municipalities. I mean, I think, well, my take here is that it's left a lot of people scratching their heads that the states might not be ready for this sort of thing.

 

Sasha O'Connell: That too is an open question. I think the key thing when we think about state, local, tribal responsibilities in cyber is that they are -- there's such a wide variety, right? We, most of us, are familiar with the examples of what's happening in New York State, for example, and their leadership in this area. Texas stands out, obviously, too for having a new and innovative model and -- but then there are other states, right, and there are rural communities that may not have those resources to address, for example, you know, their water critical infrastructure, and whose responsibility is that when there aren't the resources at the state and local level? So yes, I think we're leaning heavily into this. There are national organizations, the National Governors Association, for example, and others who are really taking up this mantle and sorting it through. There are best practices, but it's not one-size-fits-all, and you almost need a, you know, small, medium and large is overly simplistic, but we need to think about a variety of models that folks can use. Also, I mentioned we do a lot of work with what we consider a call the Cyber Civil Defense Community, and that's a community largely funded through Craig Newmark Philanthropies, but, you know, beyond his grantees are included in that community as well. They are doing direct service work in this area, be it the creation of volunteers to literally help on the ground at rural water utilities, for example, or the cyber clinics at universities that are helping with workforce development. There are a series and network of organizations. Again, we refer to them as the Cyber Civil Defense Community, largely funded by Craig Newmark Philanthropy and others that are doing this work in the interim while, you know, we sort of sort out government capabilities and resources, be they federal, state, or local.

 

Dave Bittner: What are you seeing these days when it comes to critical infrastructure and the resources that are being put into those defenses?

 

Sasha O'Connell: It's so tricky. I mean, just, personally, this is such a broad area. I have spent the last six months or so really seeking to understand and doing a lot of work when it comes to water critical infrastructure. We know that, you know, nation state actors that China's prepositioned on our water critical infrastructure. And the question is what to do about it, right? It is such a fundamental. We always say hospitals run on water. Military bases run on water. It turns out people run on water too, right? We couldn't have a more fundamental example of something that is core to our security. So working with that Cyber Civil Defense Community, there's some really interesting work going on that also piggybacks on the Cyber Circuit Rider Program, which is a pilot grant program that I believe is -- comes out of EPA and is coordinated through the National Rural Water Association, where they are literally sending out trusted advisors to water entities to help be that last mile and translate. Because even in the case of water, you know, if you have access to sophisticated cyber tools, be they IT or OT, you need that translator, right, that trusted intermediary to help with application, and the Cyber Circuit Rider is a great example of that. Project Franklin, out of the University of Chicago, is a great example of that. The volunteer network that's being coordinated out of the Center for Long-Term Cybersecurity at Berkeley is a key player in that. So water is something front of mind, I know, for many, and it's really fun and inspiring to see this kind of grassroots effort to help sort of fill this gap while we wait for, obviously, a longer-term solution would have to come from Congress.

 

Dave Bittner: All right, and more and more, it seems as though our data centers are dependent on water supply as well.

 

Sasha O'Connell: Exactly. Yup, absolutely, absolutely. And we're not even talking about wastewater, right? There's water and wastewater.

 

Dave Bittner: Right, yeah.

 

Sasha O'Connell: So it's important to consider, for sure.

 

Dave Bittner: Yeah. Well, before I let you go, I'd love to hear about Aspen's Beyond the Beltway Initiative. This is really making a difference out there.

 

Sasha O'Connell: We like to think so. And again, this is, you know, we are in such a spot of privilege to be able to work inside the Beltway with leaders in cyber policy, but we really, I mean, not just because of this effort to move cyber back to the states, but because we know that's where cyber lives in real life, as we say, out past the Beltway, beyond the Beltway. We always keep an eye there. That exact title is used for a special project that is a series of blog posts from our network that is considering these implications as it relates to moving cyber to the states. But again, through the Cyber Civil Defense Network, we have the privilege of working with organizations well beyond the Beltway and making sure, to the extent we can, we are helping with economies of scale, connecting them to private sector entities or other nonprofits who are doing this work in our effort to be that convener, hopefully lifting all boats that really help build the resiliency here in this country, within the Beltway and beyond.

 

Dave Bittner: Yeah. Well, for our listeners who are interested in engagement, what's the best way for them to learn more about Aspen Digital and the potential opportunities?

 

Sasha O'Connell: Well, I would make a huge plug here to join us at the Aspen Cyber Summit, again, coming up November 18 here in DC. All the information about that is online at our website, and there are ticket prices that are all structured. So there's a nonprofit rate, a student rate, and so forth. So all of that information is available online. We do have really active social media that pushes out a lot of information about our events, about our thought leadership, both on LinkedIn and other places as well. So we'd love to hear from folks. Check us out. All our contact information is available online. Please reach out. We're always looking to expand the network and welcome all folks to join. [ Music ]

 

Dave Bittner: Ben, what do you think?

 

Ben Yelin: Well, I like the evangelizing about using -- going beyond the federal government and using state, local, tribal, and territorial governments to effectuate change. That's kind of the -- if I had to distill my career down to one talking point, I think that might be that talking point.

 

Dave Bittner: Right. So she's speaking your language.

 

Ben Yelin: She is speaking my language. In the absence of policy decisions from Washington, I think it's incumbent upon state and local governments to take the lead here, and in many cases, they have, which is encouraging.

 

Dave Bittner: Yeah. Well, our thanks to Dr. Sasha O'Connell for joining us and sharing her broad range of expertise. We do appreciate her taking the time. [ Music ] And that is our show. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to caveat@n2k.com. This episode is produced by Liz Stokes. Our executive producer is Jennifer Eiben. The show is mixed by Tré Hester. Peter Kilpe is our publisher. I'm Dave Bittner.

 

Ben Yelin: And I'm Ben Yelin.

 

Dave Bittner: Thanks for listening. [ Music ]

Caveat
Podcast Info
HOST(S):
Dave Bittner
Ben Yelin
Dave Bittner is a security podcast host and one of the founders at CyberWire. He's a creator, producer, videographer, actor, experimenter, and entrepreneur. He's had a long career in the worlds of television, journalism and media production, and is one of the pioneers of non-linear editing and digital storytelling.
Ben Yelin, JD, is the Program Director for Public Policy & External Affairs at the University of Maryland Center for Cyber Health and Hazard Strategies, where he consults public and private entities on homeland security, cybersecurity and emergency management policy. He is also an adjunct faculty member at the University of Maryland Francis King Carey School of Law, where he teaches courses on electronic surveillance and the Fourth Amendment.
Schedule: Wednesdays
Creator: N2K Networks, Inc.