Adam Segal: The Chinese are still not yet kind of creating new-to-the-world innovations that create whole new industries.
Dave Bittner: Hello, everyone, and welcome to "Caveat," the CyberWire's law and policy podcast. I'm Dave Bittner. And joining me is my co-host Ben Yelin from the University of Maryland Center for Health and Homeland Security. Hello, Ben.
Ben Yelin: Hi, Dave.
Dave Bittner: On this week's show, I describe how law enforcement may be using a new technique to access suspects' iPhones, Ben takes a look at a Senate vote that may signal surveillance reform and, later in the show, my conversation with Adam Segal, senior fellow at the Council on Foreign Relations on tech and cyber competition with China. While this show covers legal topics and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney.
Dave Bittner: And now a few words from our sponsors at KnowBe4. You know compliance isn't the same thing as security, right? How many times have we all heard that? It's true, too. Having checked the legal and regulatory boxes won't necessarily keep the bad actors out. They're out-of-the-check-box kinds of thinkers. But what about compliance itself? You've heard of legal exposure and regulatory risk. And trust us, friend; they're not pretty. So again, what about compliance? We'll hear more on this from KnowBe4 later in the show. It's not a trick question, either.
Dave Bittner: All right, Ben. Let's kick things off with some stories this week. Why don't you start for us here? What do you have?
Ben Yelin: Sure. So we had some rare legislating going on in the United States Senate last week related to electronic surveillance. And it was actually a very eventful day of votes on amendments. In the previous episode, we talked about how the Senate is considering reauthorizing portions of the USA Patriot Act. And we talked about specifically what they're reauthorizing, which is a number of provisions, including parts of Section 215, which talks about the ability to collect tangible things without a warrant. And we'll get to why that's important in the context of what the Senate did last week.
Ben Yelin: So there were a couple of amendment votes from privacy advocates that were supported by privacy organizations like the ACLU and the Electronic Frontier Foundation, EPIC and others. One of them passed, which was actually a surprise to surveillance advocates. It was a huge victory for surveillance advocates. And one of them failed by a single vote. And I'll go into both of them in a little bit of detail.
Ben Yelin: So the one that passed - we'll start with the good news - is the Leahy-Lee Amendment, and that empowers court-appointed advocates - so these so-called amici friends of the court - to be present at a much greater share of Foreign Intelligence Surveillance Court proceedings. The current law states that you can only have these advocates present at cases that present novel issues that the court has not yet considered. You know, the problem with FISA hearings in general is they're generally not adversarial. So you only have the government trying to justify why it wants to spy on somebody without somebody representing the person who is going to be surveilled. So the current law, which was part of the USA Freedom Act passed in 2015, allows a privacy advocate only in those limited circumstances. This amendment would broaden that universe. So privacy advocates, attorneys, would be able to be present in cases involving significant First Amendment concerns, new technologies, requests to approve surveillance programs - so requests on a programmatic level - sensitive matters involving political, religious or journalistic activities. And I'm getting this - I will cite the Brennan Center, who put together a really good summary of these amendments.
Ben Yelin: So this is really a profound change in how the FISA court is going to operate. And the amendment got wide bipartisan support. This now expands the universe to where I would say a majority of hearings in front of the FISA court are going to now be adversarial for the first time ever. You're going to have people representing the privacy interests of individuals subject to surveillance.
Ben Yelin: I really think this only is possible due to the kind of moment of political time that we're in. We have some Republicans and most Democrats who are generally suspicious of the surveillance state and have fought for a long time for FISA reform. And one of those is Senator Lee, who is a co-sponsor of this amendment, a Republican. And then we have other Republican members who are still angry at what happened with the FISA proceedings related to Carter Page and the Russia investigation. And so they're also amenable to reforming this process. So we're just kind of at this unique period where both sides are amenable to this type of radical change.
Dave Bittner: Everybody has something to be upset about.
Ben Yelin: Exactly, exactly.
Dave Bittner: (Laughter) Right.
Ben Yelin: And the amendment passed 77-19, which is, you know, it's a rarity in the Senate for something remotely controversial like that.
Ben Yelin: So now to the bad news from the perspective of privacy advocates is this Wyden-Daines amendment. That amendment would require warrants for web browsing and search history, and I know we talked a little bit about this on the podcast last week.
Dave Bittner: Right, right.
Ben Yelin: The way Section 215 works is it allows law enforcement to collect tangible things, and that has been interpreted to mean metadata of electronic communications. And the government can collect that without a warrant. What this amendment sought to do would be to prohibit internet search history and web browsing records from being considered tangible things under the law. Therefore, if this amendment had passed, the government would've had to have obtained a warrant to get internet browsing history. If the bill as it currently stands gets signed into law, this amendment will not be included, and therefore, it is possible that the collection of tangible things could include internet search history and web browsing records, which I think is very disturbing to most people just because that's about, you know, the most private information that's available for us. We're very sensitive about our browsing history.
Ben Yelin: So a little legislative nerding around here - and I'll be brief about this - the amendment needed 60 votes to pass because of the arcane (ph) rule of the Senate. It got 59. There were several senators who were absent for a variety of reasons, largely related to the COVID epidemic, and a few of them said after the vote that they would have supported the amendment had they been present. So this leaves us in a very interesting place. It seems as if a sufficient supermajority of the Senate would have approved this amendment, but they did not.
Ben Yelin: The bill - the underlying bill passed the Senate. Now it goes back to the House. I think it's incumbent upon the House and the Democratic majority therein to say, we're not going to accept this bill until the Senate reconsiders the Wyden-Daines amendment. And the House might ping-pong the bill back to the Senate with a version of the bill that includes this amendment or a close facsimile thereof. So I would suspect that we might see privacy advocates in the House of Representatives play some hardball here, and that creates a certain level of intrigue. I will also note for you political junkies out there, one of the senators that missed this crucial amendment vote is a guy by the name of Bernard Sanders, independent from the state of Vermont.
Dave Bittner: That name rings a bell.
Ben Yelin: Yeah, it might. It might, yeah.
Dave Bittner: (Laughter) Well, help me understand - because when this went down last week, what I saw on Twitter was just an avalanche of people saying that this means that they can, you know, look through our browsing history. And I guess that there was some confusion or some misunderstanding that I hope you can clarify for us of does this actually change anything? In other words, do they already have this ability, and this just allows them to continue the ability that they already had? And I guess the other bit of confusion, which you just clarified, is whether or not this was something immediately going into effect. Like, this is going to ping-pong around for a while.
Ben Yelin: I think it could ping-pong around for a while. We'll see what the House of Representatives does.
Dave Bittner: Yeah.
Ben Yelin: The House has a mixed history in, you know, accepting whatever sausage the Senate puts together. So we'll see what happens in these circumstances.
Ben Yelin: The law right now is silent on the issue of collecting internet browsing and search history. What this amendment would have done would be to end that silence and say, these types of records do not count as tangible things. The way the law is now is it's up to a court in an individual circumstance to interpret the term tangible things to figure out whether that includes internet browsing data. And courts have come to varying conclusions on that question.
Ben Yelin: The problematic part of this from a privacy perspective is most people whose internet browsing records have been searched under Section 215 would have no idea that their browsing records had been searched and thus would never be able to challenge the search in a court of law. The only way they could have done that is if they were criminally prosecuted. And in that case, they would be able to raise the collection of these records as part of their defense.
Ben Yelin: We don't really have reliable data on exactly what the National Security Agency and other law enforcement agencies are currently doing related to the collection of internet browsing data. And so that's why this language was so important. It would've - this amendment would've declared once and for all that those types of records do not qualify as tangible things. If you want them, you need to go get a warrant, presumably from a federal court or the FISA court. And that's obviously a much more difficult process for law enforcement than what the standard is now, which is just a reasonable suspicion that these records would be relevant to an ongoing investigation, which is a pretty low standard. I mean, a lot of things might be relevant to an ongoing investigation.
Ben Yelin: So I would say if you are an advocate on this issue on the pro-privacy side, the best thing for you to do right now would be to call your member of the House of Representatives and tell them that you will only accept a Patriot Act extension that includes a version of the Wyden-Daines amendment. It was a bipartisan amendment. It got votes from both Republicans and Democrats, and that would be the best way to ensure that this prohibition is put into the final version of the law. But until then, we are in sit-and-wait mode.
Dave Bittner: All right. Well, as with so many things that we discuss here, time will tell, right (laughter)?
Ben Yelin: Stay tuned. Yeah.
Dave Bittner: (Laughter) Absolutely.
Ben Yelin: Next week on "Caveat," yeah.
Dave Bittner: (Laughter) Right, exactly.
Dave Bittner: All right, well, my story this week comes from NBC News, and it's titled "iPhone Spyware Lets Police Log Suspects' Passcodes When Cracking Doesn't Work." This is written by Olivia Solon. And so this story outlines a bit of software made by a company called Grayshift, and that's a company that makes iPhone-cracking devices for law enforcement. And the bottom line here is that it seems as though Grayshift has the capability to take a phone - let's say, Ben, I get arrested, and the police - I know. It's hard to imagine.
Ben Yelin: What did you do, Dave? What did you do?
Dave Bittner: Well, it's a dark, dark history there. But let's put that aside for the moment.
Ben Yelin: We'll say it was a crime of passion.
Dave Bittner: There you go. Absolutely. So - and the key to the case is on my iPhone. And I say to the coppers, you know, go pound sand. I'm not turning this over to you. I'm not unlocking it for you. So they take my phone. They plug it into this device by Grayshift, a gadget called GrayKey. And allegedly, this puts a bit of software on my phone - even though my phone is not unlocked, it puts a bit of software on my phone that allows them to log my passcode next time I log into the phone. So the police then come back to me. They hand me my phone and they say, hey, good news. We're going easy on you. We're going to let you call your lawyer, or we're going to let you call your wife or your best friend or...
Ben Yelin: Such trickery by these law enforcement agents.
Dave Bittner: We're going to let you call that scumbag Ben Yelin, your two-bit lawyer, right (laughter)? And you're not laughing very much at that joke, Ben. I don't understand (laughter).
Ben Yelin: Yeah, I'm more of a 1-bit lawyer, so yeah.
Dave Bittner: OK, very good. So they hand me my phone back. I unlock my phone, make my phone call, do whatever I need to do, lock my phone again, give it back to them. And unbeknownst to me, my passcode has been logged on the phone, which they can then go plug back into their device, get my passcode, unlock my phone and game over.
Ben Yelin: This is something else.
Dave Bittner: Now (laughter)...
Ben Yelin: Yeah.
Dave Bittner: ...Let's unpack what is going on here 'cause there's a lot of elements to this. First of all, what is your take on this?
Ben Yelin: So, I mean, it was kind of astounding to read. The company Grayshift basically says, you know, what you would expect in their official statement once this information was released, saying, well, you know, we have all sorts of tools available to law enforcement agencies to catch the bad guys, but we have a lot of safeguards in place to make sure that the software is not abused in any way. I just am very skeptical of something like this, you know, I think partly because it's so devious. First of all...
Dave Bittner: Is it legal?
Ben Yelin: I think it is.
Dave Bittner: Is it legal for the police to be devious?
Ben Yelin: Yes.
Dave Bittner: OK.
Ben Yelin: That's why I think this is ultimately legal. You know, let's talk about a context not involving an electronic device. The police catch you. You're put into a holding cell. And they really have free rein to try and get you to confess to a crime. And they might do things like, you know, say, hey, your buddy in the room next to you just ratted on you. The only way we're going to go easy on you is if you admit to the crime. And since your buddy ratted on you, you might as well just admit to the crime since, you know, it's a foregone conclusion anyway. The police are free to just lie about that stuff. They do it all the time. It's part of normal police work, and it's why people, if they are arrested and booked, should invoke their right to an attorney, so that they don't fall for these tricks. You know, most people don't have the wherewithal, the capacity, the institutional knowledge to ask for an attorney.
Ben Yelin: This seems to me to be the exact same type of trickery because I don't think we're invoking any Fifth Amendment self-incrimination issues because a person doesn't have any idea that they would be incriminating themselves. The person who's given their phone just thinks that they're unlocking it for some other purpose, for their own purpose, you know? The police might say, you can call your attorney, as you said. They might say, make your one phone call to your friend or relative who can bail you out or something like that.
Dave Bittner: Right.
Ben Yelin: Or they can just say, here's your phone. You're free to surf Facebook while we, you know, do some of the paperwork. And they'll be forced to unlock their phone, and that'll be logged. So to me, it's not really a self-incrimination issue. It's kind of a law enforcement trickery issue, which for the most part is legal.
Dave Bittner: Are they subject to the Computer Fraud and Abuse Act?
Ben Yelin: So that's a complicated question because the Computer Fraud and Abuse Act is about unauthorized access to devices. And, you know, I think one of the general exceptions is law enforcement. And if this is a legal law enforcement tactic, it's not going to be prohibited by the Computer Fraud and Abuse Act. But this hasn't been tested in court, so we don't know for sure. My tendency is that, you know, in other areas of the Computer Fraud and Abuse Act, law enforcement does have more discretion than your average hacker out there in terms of facing prosecution under that act. So I wouldn't anticipate problems with the Computer Fraud and Abuse Act, although it is possible.
Ben Yelin: You know, the other thing I'll mention here is the lack of transparency is crucially important. This is another instance where this information was shared secretly. It was leaked to a media source. This is not something that was announced by the company publicly. So the general public isn't aware that these tools exist. So there is really a lack of transparency, which leads to a lack of accountability. When you are voting for your county sheriff, you're not aware that they're using or that they're willing to use these types of devices, and I think that's particularly problematic.
Ben Yelin: My interpretation is that it is legal. It's possibly unethical. It is a sort of below-the-belt police tactic. But I do think it's something that would probably be upheld in a court of law.
Dave Bittner: Do you suppose this could be something that could become a routine part of giving someone their Miranda rights? It's fair game that you need to be informed about this kind of stuff, or is this too much on the edge?
Ben Yelin: I think this is something we could see as a normal law enforcement tactic. You know, usually, it just takes a couple of police departments across the country to figure out that this is an effective tool to gain access to somebody's iPhone. Now, the check against this power is going to be Apple. The manufacturer of the iPhone is going to try to come up with a security patch. You know, this is a vulnerability that has been identified with the device.
Ben Yelin: As the article mentions, there is sort of this cat-and-mouse game between companies like Grayshift and Apple. Apple will create the device, will create the software; Grayshift will find a vulnerability. Based on that vulnerability, they'll try and make a sales pitch to law enforcement, saying we can help you because we found this vulnerability in the device. And Apple, because it wants to represent itself as protecting its user privacy and the integrity of the data stored on these devices, will say we're going to come up with a security patch. And then the cycle continues. So I think the best chance to stop something like this is going to be in the private sector. It's whether Apple can out-innovate companies that are friendly to law enforcement, like the one identified here.
Dave Bittner: All right. Well, it's an interesting development. We'll have a link to that story in the show notes, as usual. It is time to move on to our Listener on the Line.
(SOUNDBITE OF DIALING PHONE)
Dave Bittner: Our Listener on the Line this week comes from a listener named Mark (ph). He writes in and asks, how are health clinic sign-in sheets not a violation of HIPAA? Well, Ben, I checked in with Donna Grindle. She is the host of the "Help Me With HIPAA" podcast. She's a former guest on our show. She is also delightful (laughter).
Ben Yelin: She is delightful. She's wonderful.
Dave Bittner: She really is. And so it's a treat to have her back. She was kind enough to share her expertise and answer Mark's question. Here's Donna Grindle.
Donna Grindle: Hi, Dave. I got your question about why aren't sign-in sheets at a health clinic a HIPAA violation. It's actually built into the HIPAA privacy rule how to handle these kinds of issues. When you sign in at the front desk or your name's called for an appointment, even, it's considered an incidental disclosure under HIPAA. That means very little information would be disclosed, and only for the purpose of bringing patients in and out of the office, and only to the individuals who happen to be paying attention at the same time that you're there.
Donna Grindle: It's up to the offices to make sure, though, that they only disclose as little information as possible. Every group can implement what they feel is best for their environment and their patients, and that's why you'll see it done differently. As long as you are signing in with basic information and not information like, it's Donna Grindle seeing Dr. Cardin (ph) for a problem with an ingrown toenail at 4:30 - it should simply be, Donna Grindle, 4:30, maybe Dr. Cardin. And it's the same with calling out my name. It should just be Ms. Grindle or Donna - whatever, but bare minimum information, and then you're covered under HIPAA. If the office isn't following the minimum necessary requirements, then it could be a HIPAA violation, but most groups handle this appropriately. Hope that covers it for you. Stay safe.
Dave Bittner: All right. So first of all, thanks to Donna for coming back on our show. Do check out her podcast, the "Help Me With HIPAA" podcast. Not only do you learn about HIPAA, but you get to spend more time listening to Donna, which is a treat, right (laughter)? So what do you make of this, Ben?
Ben Yelin: First of all, yeah, again, thanks to Donna, again, for answering this question, coming back on our humble podcast. Yeah, I mean, she is the expert here. I think she's absolutely right about this. This is an incidental revelation of personal data. It's so minimal just because it's somebody's name, it's somebody signing in. There's no other information attached to it. There's no context for anybody else that's in the waiting room that it's something that's allowed under HIPAA regulations. And, you know, I think it makes sense. If HIPAA was broad enough to encompass sign-in sheets, it would just make the process of medical care far too cumbersome, and that's not the purpose of HIPAA. HIPAA was not created to make the entire process of receiving medical care absolutely miserable for patients.
Dave Bittner: Right (laughter).
Ben Yelin: It was to protect confidential patient data. And so I think this is a reasonable interpretation of the law from federal regulators.
Dave Bittner: Yeah. It seems to me - it strikes me as one of those things where, you know, don't let the perfect be the enemy of the good, where there's a lot of good in HIPAA. And, yeah, it's not perfect, but that's OK, you know? It's better to have than not.
Ben Yelin: Yeah, it is. And it's just there's so many other ways in the context of daily life that you could find out somebody's name, for instance, overhearing somebody else talking to them, seeing a person's ID tag hanging off their purse.
Dave Bittner: Right.
Ben Yelin: It is really not that useful a piece of information relative to the kind of information that HIPAA is intended to protect. So personally identifiable information, confidential medical records, medical information, information on somebody's preexisting medical conditions - that's really what HIPAA is designed to protect.
Dave Bittner: I'll note, too, that I've seen, when I've gone to visit different doctors, that a lot of times they will take care with that sign-in sheet. I've seen some where the names are actually on a part of the sign-in sheet that sort of peels away like a sticker so that as people get checked in, their names actually get removed from the sign-in sheet. I've seen some places that will sort of Sharpie out the names as people get checked in so that if I come late in the day, I can't just browse through that sign-in sheet and see the names of all my friends and neighbors who may have been there earlier in the day. So I think, as Donna pointed out, lots of people are taking reasonable steps to just try to do the right thing here.
Ben Yelin: Absolutely. I've heard of some doctors' offices who will now only call patients by their last name. And, I mean, I think there are a number of impetuses for doing that, but protecting patient privacy is one of them. There are a lot of doctors' offices out there. Even though this is not a prohibition under HIPAA, doctors' offices and hospitals can put policies into place that are more rigorous than those required under the law. And hospitals might have the incentive to do so to show to their patients that they take patient privacy very seriously.
Dave Bittner: Well, again, thanks to Donna Grindle for joining us. She is the host of the "Help Me With HIPAA" podcast. Do check that out. And, of course, we want to thank our listener, Mark, for sending in the question. We would love to hear from you. We have a call-in number. It's 410-618-3720. That's 410-618-3720. You can also send us your question at email@example.com.
Dave Bittner: And now back to that question we asked earlier about compliance. You know compliance isn't security, but complying does bring the security all its own. Consider this. We've all heard of GDPR, whether we're in Europe or not. We all know HIPAA, especially if we're involved in health care. Federal contractors know about FedRAMP. And what are they up to in California with the Consumer Privacy Act? You may not be interested in Sacramento, but Sacramento is interested in you. It's a lot to keep track of, no matter how small or how large your organization is. And if you run afoul of the wrong requirement, well, it's not pretty. Regulatory risk can be like being gobbled to pieces by wolves or nibbled to death by ducks. Neither is a good way to go. KnowBe4's KCM platform has a compliance module that addresses in a nicely-automated way the many requirements every organization has to address. And KCM enables you to do it at half the cost in half the time. So don't throw yourselves to the wolves and don't be nibbled to death by ducks. Check out KnowBe4's KCM platform. Go to kb4.com/kcm. Check it out. That's kb4.com/kcm. And we thank KnowBe4 for sponsoring our show.
Dave Bittner: Ben, I recently had the pleasure of speaking with Adam Segal. He is a senior fellow at the Council on Foreign Relations. And we spoke about tech and cyber competition with China. Here's my conversation with Adam Segal.
Adam Segal: We see two large trends, I think. On the U.S. side, a long 30-year decline in federal support for basic research and development, lack of support for universities at the state level, inability to get immigration policy right. And so moving from the predominant power in science and technology to one where there are increasingly regional competitors and the most important one being China.
Adam Segal: And so that is the second large trend, which is that over the last same three decades, the Chinese have really focused on science and technology and the ability to produce their own technology as critical to their national security and economic interests. So while we often refer to China as the factory to the world, you know, the Chinese don't want to be stuck as the factory - polluting, energy intensive, labor intensive - and they want to make sure that they can control the intellectual property and technology standards that they think are critical to competitiveness. And so double-digit increases in spending on R&D over the last two decades and then a number of very high-profile industrial policies, particularly in the areas of AI, semiconductor, quantum and synthetic biology.
Dave Bittner: And what led to the U.S. cutting back our budgets? Was it the end of the Cold War?
Adam Segal: Part of it is just inability from both Republicans and Democrats to justify government spending on science. Some of it has been, yes, the decline in the Cold War. A lot of the space has been taken up by the private sector. So the private sector investment in R&D has gone up a great deal, but that type of investing is not the same type of investing we saw that the Defense Department and DARPA and others were doing that were kind of blue-sky, long-term investing that really created a whole, you know, new range of technologies - the internet, GPS, touch screens, other things that, you know, we're still kind of milking the innovations to this day.
Dave Bittner: And where do we find ourselves compared to other nations, like China, when it comes to innovation?
Adam Segal: Well, I think we are still the predominant power. I think what we see in China in particular still tends to be what we would think of as incremental innovation or business or process innovation. So there's no doubt that, for example, in FinTech or, for example, if you look at all of the services that are available through WeChat or some of the other mobile platforms in China, that they have really moved ahead of where the United States is in similar social media or other social platforms.
Adam Segal: But the Chinese are still not yet kind of creating new-to-the-world innovations that create whole new industries. There is a big question about will they make the breakthroughs in quantum or AI, and I think here, you know, it's a much closer race. Although the U.S., I think, is still certainly leading in quantum computing, although the Chinese, I think, probably have the lead in quantum communication. And then AI, you know, really, it's the Chinese that are leading in implementation, but the U.S. still has huge strengths in both on the research side and, particularly concerning for the Chinese, on the chip side and computational power.
Dave Bittner: Now, you were the project director for the Council on Foreign Relations' Independent Task Force. In the report they put out, it was "Innovation in National Security: Keeping Our Edge and Defending an Open, Global, Secure and Resilient Internet." Can you give us a little background on this report itself?
Adam Segal: Council Task Force are independent, and we try to bring together a large group of former government officials, entrepreneurs, tech representatives and kind of analysts to kind of address a problem. And this one was brought together by the idea that the U.S. innovation lead was being challenged. It was led by Dr. James Manyika of the McKinsey Global Institute and Will McRaven, the former head of Special Forces.
Adam Segal: So the desire was really to kind of look at where the U.S. was and to try and address some specific policy areas where we thought the U.S. needed to act. We identified four different areas, looking at funding, immigration, STEM kind of pipelines, what a foreign policy of innovation would look like and then, finally, how do you ensure that the technologies flow from the private sector to the defense department and to the people who actually need it to kind of fight wars and keep U.S. military advantages.
Dave Bittner: Well, let's go through those together. Share some of the details with us.
Adam Segal: On the funding side, the simplest one is basically to raise government federal support for R&D back to the historical average, which is about 1.1% of GDP. We're now down to about 0.7%. We also looked at funding for specific R&D centers at universities, $20 billion over five years, probably - to address kind of specific national security or social problems. I mean, we spent a lot of time thinking about 5G, but you could also look at cybersecurity or other areas. And then also some kind of moonshot, again, government-focused research problems on national security or social problems. Of course, this happened before COVID.
Adam Segal: So I think the response that we got to the funding side of things, not surprisingly, when we brought their recommendations to the Hill, was - people that get this or who spend a lot of time focusing on competition with China support this. But then all of their colleagues - we basically heard that this is hard to justify, that they don't really want to hear that they should spend more money. It's hard for congresspeople to go back and, you know, say we're spending more on basic R&D 'cause people don't see the impact on their daily lives. So we tried to prove all the economic justifications for it and to show how widely dispersed the outcomes are.
Adam Segal: I think after COVID, whenever that may be, we could reenergize that and, you know, point to, hopefully, if there is a breakthrough that comes from the National Institute of Health or some other U.S., you know, basic science research as a reason why we should keep doing this. And I think we're going to have to have some leadership and to create kind of a narrative and strategic purpose for it, for the support for it.
Dave Bittner: Yeah, that's interesting. And it makes me wonder, historically, has funding for these sorts of things been reactive? In other words, you know, Sputnik goes up and that gets our attention, or the Soviet Union starts testing nuclear weapons and that gets our attention. Have we relied on those sorts of triggers along the way to kick us into a mode where we're spending money on these sorts of things?
Adam Segal: Yeah, that's exactly right. I mean, everyone's always talking about looking for a Sputnik moment. I think one of the problems we, you know, have and I think people have instead of getting the political support for these ideas is that, you know, the rise of China seems like a much slower Sputnik moment, right? It's been happening over three decades. There's no - so far, has not been one event that, you know, shocks and scares everyone like Sputnik, you know, circling the globe and beaming.
Dave Bittner: Right.
Adam Segal: It just beeps over. So it could be that, yes, the COVID crisis does act as a kind of shock to the system that mobilizes support for more support for the funding for R&D.
Dave Bittner: You know, I recall hearing stories about manufacturing capabilities. And I believe it was an executive from Apple who was saying that, you know, even if we wanted to bring some of our manufacturing back to the United States, things that are being done in China, that we simply lack the expertise here because we've been out of that game for many years. Is that a reality as you see it? And how much do things like that present a national security issue and an issue of making it harder to innovate?
Adam Segal: Yeah, I think that is a real problem. There was another study done about two years ago that looked at supply chain issues and manufacturing in particular for the Defense Innovation Base. And as you said, it's not only just a kind of factory capacity issue. There is an expertise issue that a lot of those people that have done precision manufacturing or other advanced manufacturing are getting to a point where they are retiring or, you know, just are aging out of the working population.
Adam Segal: We see that, you know, so much of the innovation that's been happening in Silicon Valley and other tech clusters around the U.S. has been software-focused. It is hard to get money for hardware manufacturing. You know, an investment from a VC for software could, you know, be in the $5 million range. But to do something in hardware, you usually need at least 100 million, if not more, depending upon what type of manufacturing you're doing.
Adam Segal: In the report, we kind of highlight the issue with drones, right? So, you know, the Chinese have close to 90% of the market now. I think the only other competitor is a French manufacturer. On the U.S. side, you know, there was a kind of decision made to focus on the software for drones, but we have a real supply chain issue on that.
Adam Segal: So I think even before COVID, you were seeing a growing debate in the U.S. about, how do we ensure supply chain security? And are there specific sectors that the U.S. either needs to, you know, relocate or create more redundancy from China? And so you saw from Republicans interest in industrial policy, which you never would've seen before. And clearly, you're seeing COVID is really, I think, reinforcing that view that, you know, U.S. dependence for outside suppliers for PPE or reactants for pharmaceuticals - how do we, you know, both kind of decide which of those products we need to manufacture, and then how do we scale that up?
Dave Bittner: What about on the policy side with diplomacy? You know, we hear all these stories about the Chinese, for example, stealing intellectual property and doing it in a very brash kind of way - that that's, you know, a big part of just simply how they seem to operate. What kind of influence can we use to try to slow that down, to say, hey, that's not acceptable in a global ecosystem?
Adam Segal: Yeah. I think we're seeing the second wave of that attempted influence. So, you know, the first wave really happened under President Obama when the U.S. was publicly naming and shaming Chinese actors and then threatened sanctions against high-level Chinese officials and state-owned enterprises. And then you saw in September of 2015, President Obama and President Xi signed an agreement where both sides said they would neither knowingly support or tolerate the cyber-enabled theft of intellectual property.
Adam Segal: And in that first year after that agreement, it seemed to be working. The Chinese signed similar agreements with the British and the Australians and the Canadians. The Group of Seven and the Group of 20 - the G-7 and the G-20 - both issued statements about cyber behavior that, you know, said that states should not steal intellectual property through cyber-enabled theft. And the companies CrowdStrike and FireEye and others all said, yes, we've seen a decline in the number of operations targeting U.S. commercial enterprises, although everyone warned at the time that decline, you know, might be symptomatic of either that they're becoming, you know, more stealth in their operations or we're just not getting - you know, we're just not catching as many.
Adam Segal: And what we seem to see now is that the attacks are back, right? We saw the exposure of the Cloud Hopper campaign against, you know, clouds and other IT services. And so what we're seeing now is a kind of second wave where the U.S. is working with what you would call probably the like-minded - right? - its, you know, intelligence partners, the Five Eyes, the United Kingdom, Canada, Australia and New Zealand, and working on joint attribution of attacks and a new round of indictments. So the U.S. has started indicting hackers for the Ministry of State Security. It indicted PLA hackers for the Equifax hack. And so now they're trying to kind of draw a line in the sand again about this type of theft.
Dave Bittner: Now, from your point of view, how do you go about trying to muster up political will to see some of these proposals put into action?
Adam Segal: Part of the problem, as we were talking about earlier, is this how do you both convey the threat and the benefits? And so, you know, the threat is you have to, I think, strike a balance between a real serious challenge from China. But also, you don't want to paint all of Chinese science and technology progress as a threat to the United States.
Adam Segal: I mean, I think, you know, right now, even though relations between the two sides are probably as bad as they've been since the Tiananmen crisis in 1989, we would still be happy that a vaccine for COVID came, even if a Chinese scientist invented it. And we'd want to make sure that, you know, we could cooperate with the Chinese on scaling that up and everything else. But there is, you know, clearly a serious threat to U.S. national security and economic interests. And so that does focus people's mind, and you need to walk that line between how do you frame it?
Adam Segal: I think, again, there has to be a more concrete narrative about the benefits of funding that goes to the National Science Foundation and NIH and other places. And here, you know, traditionally, you would have some leadership from the federal government. You know, in particular, you know, the president would make a speech about his big science goal. You know, under Obama, we had the BRAIN Initiative and new energy sources and things like that. And the Trump administration has done some good work on the AI side, but it has not been as kind of a comprehensive push as you might want to see.
Dave Bittner: All right, Ben. Interesting conversation, huh?
Ben Yelin: Yeah. It was kind of depressing to me, to be honest.
Dave Bittner: (Laughter) Oh, no.
Ben Yelin: The one thing that really stuck out at me is we've lost so much institutional knowledge and manufacturing that it's almost out of the realm of possibility that some of these tech companies could move manufacturing back into the United States. So that was depressing. And then just how hard it is to convince people in the political process to invest in research and development, it sort of reminded me of trying to convince people to take climate change seriously. You know, it's not something that's going to appear in your everyday life sometime in the next week or year. You may not be affected by it. So it's hard, you know, to get people to pay attention to that. People are worried about their own health care, getting food on the table, job security.
Ben Yelin: That's sort of similar to any type of research and development. It's going to have benefits for us in the future, both for our economic well-being, for our national security purposes, but it's very hard for people to conceptualize that just because the research we do now might benefit us, you know, five to 10 years down the road. So, I mean, part of it - you know, it just - the interview reminded me that this is kind of a political messaging problem. How do we convince people to make these types of investments? I don't know if you had the same reaction.
Dave Bittner: Yeah. I mean, it makes me think about how there's a necessity to keep a certain level of military industrial base here stateside (laughter) on...
Ben Yelin: Yes.
Dave Bittner: ...Our own land, you know? And we could talk all day about, you know, dialing in the appropriate amount of that. But still, you know, it doesn't do us any good to have all of our tanks and aircraft carriers built somewhere else because if we - you know, obviously, if we had a problem with the people who are building them...
Ben Yelin: Whoops, yeah.
Dave Bittner: ...That could be trouble. So it makes me wonder if that is something that needs to be a federal effort to keep those capabilities here. Is that a federal investment in the training, in that infrastructure? And then it could help us prevent things from - even the stuff we're seeing these days with all the concerns about Huawei and, you know, having a limited number of manufacturers of 5G infrastructure. And we've got this, I think, legitimate concern with stuff coming in from China for our own national security. And you have to say, well, part of that is because we're not making this stuff here anymore.
Ben Yelin: Absolutely. And, you know, the geopolitical climate that we're entering in, largely due to the pandemic and the political leadership of both countries, is that we are in - we're going to enter a period of more geopolitical conflict with China. Our relationship in the short term, I think, is going to become more adversarial. So, you know, it just increases that need to be self-sufficient to an even greater extent. And, yeah, you've talked about how we apply that logic to other commodities like our defense industry. Even to things like oil production, it's been a talking point of politicians for as long as I can remember. We can't be reliant on these tyrannical foreign governments to obtain oil resources. That's why we have to frack, drill offshore, produce alternative sources of energy, et cetera. And I don't see those same arguments being made for something like 5G technology, and I think it would be nice if somebody did make that argument.
Dave Bittner: All right. Well, our thanks to Adam Segal for joining us. And, of course, we want to thank all of you for listening. That is our show.
Dave Bittner: We want to thank this week's sponsor, KnowBe4. If you go to kb4.com/kcm, you can check out their innovative GRC platform. That's kb4.com/kcm. Request a demo and see how you can get audits done at half the cost in half the time.
Dave Bittner: The "Caveat" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our thanks to the University of Maryland Center for Health and Homeland Security for their participation. You can learn more at mdchhs.com. Our coordinating producers are Kelsea Bond and Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner.
Ben Yelin: And I'm Ben Yelin.
Dave Bittner: Thanks for listening.