Caveat 6.10.20
Ep 32 | 6.10.20

Cybersecurity at the global, national, and state levels.

Transcript

Katie Fry Hester: It's not just the programmers and the coders that have a role in cybersecurity. It's going to touch every single part of our state's economy going forward.

Dave Bittner: Hello, everyone, and welcome to "Caveat," the CyberWire's law and policy podcast. I'm Dave Bittner. And joining me is my co-host Ben Yelin from the University of Maryland Center for Health and Homeland Security. Hello, Ben. 

Ben Yelin: Hi, Dave. 

Dave Bittner: On this week's show, I've got the story of a class-action privacy suit targeting Google. Ben takes a look at surveillance in a time of protests and unrest. And later in the show, Ben's interview with Maryland state Senator Katie Fry Hester. 

Dave Bittner: While this show covers legal topics and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney. 

Dave Bittner: All right, Ben, let's jump in with our stories here this week. Why don't you start things off for us? 

Ben Yelin: Sure. So we like to keep current with what's going on in the world. And, obviously, for the past week or so, we've been dealing with protests and unrest related to the George Floyd incident in Minneapolis. There have been protests in cities all across the country. And this Washington Post article I stumbled upon talks about the prevalence of surveillance methods during protests to be used both by law enforcement and by the protesters themselves. 

Ben Yelin: So from the perspective of protesters and activists, technology brings many tangible benefits. First and foremost, the incident itself - we only found out about it because somebody recorded it with a smartphone. And it's an extremely effective organizing tool, using social media to get people to show up to organized peaceful protests. But it also - technology in general presents these pitfalls for protesters as it relates to surveillance, and that's what this article gets at. So not only do you have to deal with sort of external forms of surveillance - those are security cameras outside of stores, facial recognition software, this article talks about Clearview AI and other facial recognition, Ring devices on the doorbells of homes and businesses - but you have to think about surveillance related to your own personal device, so whether that is location tracking or law enforcement gleaning information from social media posts. Maybe they'll use those social media posts for scraping, you know, using the facial recognition to identify people in a protest photo for the possible prosecution of crimes. Or, you know, maybe the law enforcement will just use it for tactical purposes so that, you know, they know where a protest is going, where the next threat is headed. 

Ben Yelin: I think, you know, what's important for protesters to know is the way the world is now, somebody is always watching. And this article talked to several protesters who are, I think, appropriately aware of that fact and have tried to take some measures to conceal their privacy. One that protects you against facial recognition, ironically, is face masks, which many people are wearing anyway because of the COVID epidemic. 

Dave Bittner: Right. 

Ben Yelin: So, you know, that's an interesting coincidence that we're dealing with both of these crises at the same time. But as it comes to one's own device, you know, there are a number of measures that privacy groups recommend - putting your phone on airplane mode to disable location tracking. In order to avoid having metadata collected on photos and videos that you take, at least for photos, you can use screenshots, not the photos themselves. So there are, you know, countermeasures you can take against this pervasive surveillance state. Obviously, you and I both know that it takes a certain savvy and knowledge of the technology itself and a certain awareness of how pervasive surveillance is to, you know, know that you should protect yourself. And so I think as a result, you know, a lot of protesters might be surprised at how much the government and the rest of us are watching. 

Dave Bittner: Yeah, it's interesting to me on a number of levels, one of which is you actually have law enforcement - I've seen from some of the local police organizations, but also the FBI - saying, please send us footage. So if you - if there's someone that you think is instigating violence or something like that, please send us footage, which is interesting, again, on a number of levels because that assumes a certain level of trust in law enforcement, which I think is, at the moment... 

Ben Yelin: Yeah, not at its peak right now. 

Dave Bittner: That's a good way to say it. I was going to say fraying a bit. But, you know, do you trust your local police? Do you trust the FBI? Who's acting in good faith here? So I think that's interesting. 

Ben Yelin: Yeah. That's a great question. One frankly hilarious anecdote in this article - and I know it's a very serious subject, but we always need a chance to chuckle - is the Dallas Police Department put out a notice on its social media accounts saying, please send us your videos if you see anything suspicious. We can help identify, you know, people who are doing looting, et cetera. And they got an influx of people dancing to K-pop, which was, you know... 

Dave Bittner: Right. 

Ben Yelin: ...Just people pranking them, so they had to delete that tweet. And obviously, that did not prove to be a successful tactic. 

Dave Bittner: Yeah, people overloading that system. A couple other things that come to mind here - you know, there's the ubiquity of police officers having their own body cameras. But we saw that over in Louisville, the police chief was fired after none of his police officers who were involved in a fatal shooting had their cameras activated, which is interesting from a surveillance and camera point of view. 

Ben Yelin: Yeah, absolutely. So, you know, usually it's part of a policy or a police union contract that you're required to turn on your body camera in certain circumstances. And in Louisville, that policy was violated, and there was an incident over the past several days during the protests where an individual was shot and killed. And now there is, you know, no known surveillance footage of the incident. And, you know, Louisville had already been under the microscope because of the Breonna Taylor incident several months ago. I think more and more people are sort of becoming aware of that story as there have been protests across the country. And so I think the time was ripe for the police chief to be fired. 

Ben Yelin: But, you know, the broader point is body cameras, you know, because we have so many law enforcement officers in the streets, that's just another opportunity for the government and its agents to, you know, have its eyes and ears on what's going on in the protests. It's not each individual, distinct surveillance method that's necessarily going to, you know, lead to somebody's prosecution, but it's the combination of tools that we have. It's cellphone tracking. It's the use of metadata from, you know, real-time photos and social media posts combined with security cameras. You know, we know in Baltimore City we have aerial surveillance technology from an unmanned plane. Combine that with people using Ring devices on their homes and businesses, and it's just very difficult for protesters to have any sort of expectation that their actions are going to be private or are not going to be concealed. And I think that's going to have an effect on - you know, once more protesters become aware of this, I think it might change the nature of protests themselves. And that can have both positive and negative effects. 

Dave Bittner: Well, the other thing that it makes me think of is there was that case captured from video by bystanders of someone who was breaking windows at an auto parts store who many people speculated was an instigator, you know, someone who was there just to stir things up and cause trouble. And that individual was not only dressed head-to-toe in black and wearing a mask and a hood but was carrying an umbrella in order to shield himself from security cameras, which are, you know, often looking down from a high angle, so someone who had the surveillance cameras in mind and was taking active measures to hide himself from them. 

Ben Yelin: Yeah. And, you know, I think we're going to see more of that once people discover these surveillance methods. Now, when we talk about things like cell site location tracking, it's going to be a little bit harder to conceal oneself. But there are going to be some people who are going to be knowledgeable enough to use those protective measures. And because of the entrepreneurship of tech companies and the creativity of protesters and agitators themselves, people do have the ability to conceal themselves both in person and electronically. So it's just kind of this race against one another between law enforcement and protesters. 

Ben Yelin: I still think, you know, just anecdotally, it does not seem like most protesters are acting as if they're aware of this type of pervasive surveillance. You know, I've just been looking at photos to see how many people are wearing masks. And hearteningly, because of the pandemic, I think a lot of individuals are, but certainly not everyone. But, you know, then you see things like the ubiquity of social media posts. So even if it's not you yourself tweeting a video, it's perhaps a person protesting next to you who's going to catch you committing an illegal act that's going to subject you to prosecution. So it's just - it's one of those instances where there really is always somebody watching. And that can have positive effects because we can prosecute actual crimes. Unlike this AutoZone person, most people isn't going to be concealing themselves head-to-toe with an umbrella. 

Dave Bittner: Right. 

Ben Yelin: So that's good. But then there are negative effects. It could have a chilling effect on people's First Amendment right to free speech and protesting. If police are suspicious of somebody because they were saying something incendiary on a social media post, that might lead to greater surveillance of that individual even though that person was only exercising their First Amendment rights, and I think that's certainly a cause for concern. 

Dave Bittner: Yeah. All right. Well, it's a - it's an interesting story. We'll have a link to it in the show notes. My story this week has to do with a lawsuit aimed at Google. This is from The New York Times. The title of the article is "Suit Claims Google's Tracking Violates Federal Wiretap Law." It's written by Daisuke Wakabayashi. And I love in the intro here they call it a novel complaint, which is always fun to put in front of you, Ben (laughter). 

Ben Yelin: Yeah. That perks my ears up. It's like... 

Dave Bittner: Right (laughter). 

Ben Yelin: I'm like a dog, you know, hearing that the dog food can has been opened. And I'm like, oh. 

Dave Bittner: Right, exactly. So what these folks are after - they've got a class-action lawsuit, and they're claiming that Google has violated federal wiretap laws. And basically, it seems to me like what it comes down to - correct me if I'm wrong here, Ben - is that it's not just that Google allows advertisers and others to track people's activities online. It's that they continue to do so even after people make attempts to stop them. 

Ben Yelin: So there's something called Incognito mode, which is sometimes used for not nefarious purposes. Sometimes it's used to get around paywalls. But, you know, when you go into Incognito mode, you get a little warning saying, we're not tracking your cookies. We're not doing X, Y and Z. But this will not protect you in the following ways. And one thing Google warns you about is it won't stop websites from collecting information about individuals. It also says something like, this doesn't protect you from the people behind you. Good life advice. 

Dave Bittner: (Laughter). 

Ben Yelin: Thank you, Chrome Incognito browser. 

Dave Bittner: (Laughter) Right. 

Ben Yelin: So that's the nature of this dispute. What these plaintiffs are claiming in this class-action lawsuit is that Google is misrepresenting Incognito mode. They're representing to the consumer that the consumer's web browsing will not be tracked. What Google says is that's not correct; we've given our users fair warning of exactly what is going to be tracked. The lawsuit claims that Google doesn't mention in those warnings in the Incognito browser that other tracking tools are used that, you know, are not as public. So, for example, Google can track users by collecting information on their IP address. They can collect some browser and device information. And so that would go beyond the warning that's indicated in Incognito browser. 

Dave Bittner: What do you make of this? Coming at them from this direction, is there anything here? 

Ben Yelin: I really have my doubts. So they're using something called the Federal Wiretap Act, which prohibits any entity from illegally intercepting communications. And there are exceptions to that as it relates to law enforcement activities and the like. Knowing what I know, that seems to be a stretch. I've never heard of the Federal Wiretap Act being used for something like this. It just seems so far outside the realm of what I think we would expect for a cause of action related to Incognito browsing. And one of the main statements on behalf of the plaintiffs is that they have a reasonable expectation that their browsing habits are going to remain private. And I think if I were a judge in this case or even if I were Google, you know, I would say that the warning that shows up when you open an Incognito browser should pierce any idea that a person has a reasonable expectation of privacy in that information being tracked. 

Ben Yelin: Now, perhaps this will lead to Google having to be more specific about their warnings in the Chrome browser as it relates to Incognito browsing. And maybe that, you know, is the goal of the lawsuit. If they decide to settle, they might, you know, pay a limited amount of compensatory damages and say, we'll now include, you know, a warning about collecting IP addresses. But I have a hard time seeing this lawsuit being successful just because the use of the Wiretap Act is really novel in these circumstances. 

Dave Bittner: Does the Wiretap Act even apply to online communications? I mean, my - correct me if I'm wrong here. My sense is that that is mostly about telephones, right? 

Ben Yelin: It originally was about telephones. It has been applied in case law over the past 30 or 40 years to electronic communications. So those would certainly qualify. As far as I'm concerned, I don't know if it's ever involved, you know, either Big Tech companies or users, you know, using these platforms for their own searches. You know, most federal wiretap acts are illegal wiretapping on behalf of the government that violates constitutional rights or a private party illegally collecting information. And states like California, where this took place, there are two-party consent laws where both parties have to consent for information to be shared in that context. That's part of the cause of action here. I've never, you know, heard that apply to an entity like Google, which is a search engine and a platform. And it just seems like it would really, as you said at the beginning, require a novel interpretation... 

Dave Bittner: Right. 

Ben Yelin: ...That we've never really seen with the Federal Wiretap Act. 

Dave Bittner: All right. Well, it's an interesting one. Again, we'll have a link to the story from The New York Times in our show notes. Ben, it is time to move on to our Listener on the Line. 

(SOUNDBITE OF DIALING PHONE) 

Dave Bittner: Our Listener on the Line this week comes from a listener named Patrick (ph). He sent us this note. It reads like this. 

Dave Bittner: (Reading) How does one legally determine membership in a group? That is, it's easy to tell who - say, a Girl Scout or a member of an American Legion post or a member of a swim club. It's harder but still possible to identify members of loosely affiliated groups. That is, it's possible to tell who's an Orioles fan. It's even possible to say with some degree of clarity who has various affinities - like communist sympathizer, anti-Semite and so on - by reading what they write or listening to what they say. But groups like Anonymous seem to land in none of these stools. They don't have lists of members, but they seem more organized than Orioles fans or communist sympathizers. So two questions. First, even under the famously loose American defamation laws, when are you in the clear for calling someone a thug, a goon or a white supremacist, since truth is an absolute defense against an allegation of slander? And second, what does it take to establish that someone is a member of a criminal conspiracy? 

Dave Bittner: Lots to unpack here, Ben. 

Ben Yelin: Yeah, it's really an excellent set of questions. I'll say that for both Orioles fans and communist sympathizers, it's been a tough 30 or so years. 

(LAUGHTER) 

Ben Yelin: But that's besides the point. I'll actually start with the second question here. So how do you establish that somebody is a member of a criminal conspiracy? In this country, we generally have these racketeering statutes. The most famous is the federal RICO statute, and that basically says that you can be convicted of a crime even if you didn't commit it yourself if you are part of a larger criminal conspiracy, even if you were not part of planning that conspiracy, if you're part of a criminal organization. And this was designed to go after organized crime. 

Ben Yelin: You know, you'd have your "Godfather" instances, where you'd have, you know, the higher-ups demanding that people who have just joined an organized crime organization go out and commit crimes. And it wouldn't be fair to just have those lower-rung individuals convicted on those crimes without holding, you know, the bosses, the mob bosses, accountable. So at least according to the RICO statute, you kind of have to establish a bunch of different things in order for there to be a conspiracy charge or a racketeering charge. You have to establish that some sort of organized group exists. That organized group could be a legal entity. It doesn't have to be a legal entity. It could be, you know, any nonlegal organization, an underground organization. So Anonymous would certainly qualify on those grounds. 

Ben Yelin: But the other prong that I think is perhaps problematic is that there has to be a pattern of racketeering activity. So this organization has to have previously engaged in criminal acts. The statutory period for measuring this is usually about 10 years. There's somewhat of a disincentive here from law enforcement's perspective 'cause you kind of have to wait for a racketeering organization to commit crimes before you can really go after them using RICO statutes. 

Dave Bittner: So is that famously why you see, you know, on TV that they have a big bulletin board with strings all over, you know, different pictures and printouts and things that they've taken all this time to establish their case? 

Ben Yelin: Yeah, absolutely. Because if you can enrapture all of the members of a conspiracy, you could theoretically charge the entire criminal organization, even if just one individual committed a crime. And it's a great tool for prosecutors because they can prosecute this organization and its members without figuring out who exactly was the ringleader for this particular event. So in terms of the question asked here, you know, I'm not familiar enough with Anonymous to know whether they've committed those predicate acts to establish themselves as this type of criminal organization. And so I think that would be the determining factor in the case. 

Ben Yelin: As to the first question, our defamation laws are relatively loose. The defamation laws are different as they relate to public and private figures. Generally, defamation suits from private individuals are more likely to be successful because defamation against public figures is largely governed by The New York Times v. Sullivan case, which says that you can only prove defamation if the defaming individual or institution showed actual malice, so that they knew that what they were saying was false or they showed reckless disregard for the truth. So it is hard, especially when we're talking about public figures, to sustain a defamation suit. And the rationale there is, you know, we want to have a very broad public debate. And if people are subject to lawsuits for, you know, defaming public figures, that cuts against that robust debate. 

Ben Yelin: In terms of calling an individual a thug, a goon or a white supremacist, you know, that could potentially be a defamation. You'd have to show that not only was the information completely false - as this user says, truth is an absolute defense to a defamation lawsuit - but you'd also have to show that you suffered some sort of material loss of reputation, and that can be sometimes more difficult to establish. White supremacist, thug and goon aren't specific enough charges that it would be hard to disprove that somebody wasn't a thug or a goon. If I accused you of being a member of the Ku Klux Klan, you as a private individual might have a very reasonable cause of action against me for defamation 'cause that's easily falsifiable. 

Dave Bittner: I see. 

Ben Yelin: You've never taken any action to indicate that you're part of that organization. 

Dave Bittner: Right. 

Ben Yelin: But just sort of vaguer insults - it would just be much harder to establish. And that's why, you know, we don't see - despite many threats we see from public figures, it's very difficult for these defamation lawsuits to succeed unless there's that sort of more specific falsifiable charge. 

Dave Bittner: Now, getting back to the criminal conspiracies and so forth, where does this align with this notion of guilt by association? 

Ben Yelin: I mean, this is literal guilt by association. That's how our criminal conspiracy statutes and the common law works. 

Dave Bittner: Right. 

Ben Yelin: And, you know, it's purposeful in that respect. The criminal act is joining the group itself, being a member of a group and having committed predicate acts as part of that group. Once you've joined that group, then you are criminally liable for that group's action. Now, there's some gray area. You know, maybe you incidentally went to one meeting, but, you know, you're not normally part of the organized crime unit. But for all intents and purposes, it is the overt act of joining a criminal organization that subjects you to criminal liability for no matter what that organization does. Whether that's fair or not is certainly an open question. 

Ben Yelin: But it does try at least to disincentivize people from joining criminal organizations - gangs, you know, the Mafia, et cetera - because unless you have - you know, unless you are the proverbial gang leader, you might not know what crimes your co-conspirators in your criminal organization are going to commit, and you could be potentially liable for those - criminally liable for those crimes. So it really is guilt by association. You know, it has to meet a certain number of elements to qualify under the RICO statute, but it is almost by definition guilt by association. 

Dave Bittner: Yeah. Interesting, interesting. All right. Well, thanks to our listener for sending in that thoughtful question. That was a good one. And we would like to hear from you. We have a call-in number. It's 410-618-3720. You can also email us your question. You can send it to caveat@thecyberwire.com. And we would love to hear your question and share it on the air. 

Ben Yelin: Dave, in the words of Michael Scott, oh, how the turntables. I... 

Dave Bittner: (Laughter). 

Ben Yelin: I did the interview this week. 

Dave Bittner: Yes. 

Ben Yelin: My conversation is with a Maryland state senator, Katie Fry Hester, who represents Howard County in the state of Maryland. We discuss the major cybersecurity policies that were under consideration in the last session of the General Assembly in Maryland and the future of cyber policy in general in the states. 

Katie Fry Hester: My background is in agricultural and biological engineering. And when I got to Annapolis, then-Senate President Mike Miller asked me first to serve on our Judicial Proceedings Committee, which is a standing committee. And then second, he said, I'd also like you to co-chair the Joint Committee on Cybersecurity, IT and Biotechnology. And so this committee has been around for a long time. I don't know how those three - I mean, cybersecurity and IT kind of go together. I don't know how the biotechnology got added in. 

Ben Yelin: Yeah. 

Katie Fry Hester: But, you know, as a female engineer, I was absolutely thrilled to step up and join that committee. And that's actually when my interest in cybersecurity started was, you know, Day 1 in the Senate. And, you know, I didn't really have much of a background since then. But then following, you know, that and the huge attack we saw on Baltimore, it just seemed like it wasn't an area that really needed attention. And so I dove in with both feet. 

Ben Yelin: Absolutely, yeah. And as having been in Baltimore for our ransomware attack, it certainly interrupted our life, although not compared to what we're going through now, I suppose. Given that cybersecurity is such a national issue in scope just because networks are so interconnected, why do you see it as something that's important to tackle at the state level? 

Katie Fry Hester: Well, I think it's important to tackle at the global, the national and the state level. And obviously, they all need to work together. I think it was earlier this spring, the federal government's bipartisan U.S. Cyberspace Solarium Commission issued its final 182-page report. And in that, they said, you know, the U.S. government isn't currently designed to act with the speed and agility necessary to defend the country in cyberspace. And they just really, you know, came out and said, you know, we've got to address this. And at the federal level, they're looking at reaching down at the state level. And I think at the state level, you know, first and foremost, protecting our state agencies is our No. 1 job. But then after that, it's how do we be more organized and push down to our local county governments and our local school systems? I mean, the bottom line is we are so interconnected right now. I mean, I can't imagine going through this pandemic without, you know, an IT system, right? 

Ben Yelin: (Laughter) Yeah. 

Katie Fry Hester: And if it falls apart, our basic everything from, you know, the way our logistics for food work... 

Ben Yelin: Sure. 

Katie Fry Hester: ...To our online education to our health care systems... 

Ben Yelin: Our critical infrastructure, yeah. 

Katie Fry Hester: Yeah. It all falls apart without good IT that's secure. 

Ben Yelin: Absolutely. Going forward - I mean, I know you sponsored some legislation this past session. Do you want to talk a little bit about that? And then we can address sort of what you see our priorities for in the intermediate time frame as a state relating to cybersecurity. 

Katie Fry Hester: I had a number of bills that I worked on. In addition to chairing this Joint Committee on Cyber, IT and Biotech, I am also the subcommittee chair on Workforce Development. So my legislation kind of fell into two buckets within cybersecurity. One was on the emergency management side, and the other was on the workforce development side. And if I speak first about emergency cybersecurity, Senate Bill 1036 would've established the Cybersecurity Coordination Operations Office within the Maryland Emergency Management Agency. And basically, that office would have been dedicated to performing, you know, the outreach to the localities between our state CISO and our localities to connect them with the proper resources for preparedness and response. And I think having this connection and these kind of boots on the ground and the forethought for a local IT person to go through MEMA in case of an attack, you know, really will save time, save resources and help us get everything that we need to prepare in place. So this bill passed the Senate unanimously. Delegate Michael Jackson, who is my co-chair on the joint committee - you know, I introduced the bill late, and his version got stuck in Rules - totally not his fault. But because we didn't have the bill moving at the same speed in the House, when the Senate Bill 1036 moved over to the House, it had one hearing in House Government Operations, and then we only had two days left. 

Ben Yelin: Right, because the session was shortened due to the pandemic. 

Katie Fry Hester: Yeah. If we had those extra three weeks, I think it would've passed the House unanimously as well. So... 

Ben Yelin: Yeah. 

Katie Fry Hester: ...Definitely, you know, a shame, but going to bring it back next session. 

Ben Yelin: Fantastic. And then the other side you were talking about. 

Katie Fry Hester: Yeah, so workforce development. We have - I was just trying to find recent statistics. But, you know, across the United States, it's something like we'll have 3.5 million open jobs by 2021. 

Ben Yelin: Wow. 

Katie Fry Hester: And my goal - I mean, when I was looking at this, I always said that we've got a number of jobs unfilled right now, you know, state, local jobs, but also private sector jobs. I had set a vision for our group having, you know, 25,000 filled jobs by the year 2025 in Maryland, which would've been, you know, both filled our vacancies and also added new jobs. But basically, I had a few different pieces of legislation. Senate Bill 895 was an expansion of the Maryland Technology Internship Program. And basically, this is an existing program, but this would have allowed state agencies to take those interns, work with them and have their full costs covered by the state government, so that the agency having to match it at 50%. 

Ben Yelin: Oh, yeah. 

Katie Fry Hester: And that would have been great because it would've given the interns vast experience working with state agencies and also provided that kind of internship-to-career pipeline to get more folks employed in cybersecurity at the state level. I also had the state IT Hiring Act of 2020, SB724. And this really looks at, you know, how the state is procuring these professionals. And it would've required the secretary of DoIT and the secretary of the Department of Budget and Management to basically rewrite state IT job descriptions so they're more geared towards classification and qualifications as opposed to degree requirements. 

Ben Yelin: Which makes a lot of sense just because we're looking for particular skills and not necessarily for particular degrees. And I know workforce issues probably at the beginning of the session feel a little different than they did at the end of the session now that we know we're probably looking at a major economic contraction, where it seems like, at least, cybersecurity might be one of the few fields that's still actually going to be hiring over the next couple of years as a lot of us move to do our work remotely. 

Katie Fry Hester: Yeah. It's so hard to predict what's going to happen. We've never seen anything like this. I do know from talking to private sector companies that they are more and more in demand. I mean, you know, early on, when I was, you know, speaking on the Senate floor to get that MEMA Cybersecurity Bill, you know, passed, I said something like, coronavirus clicks are the new, like, kind of bait. 

Ben Yelin: Yeah. 

Katie Fry Hester: We're seeing increased phishing and not only on cyber but also over the phone, hopefully not door-to-door, given social distancing demands. It is - I just - and it breaks my heart that people will... 

Ben Yelin: It does, yeah. 

Katie Fry Hester: ...That people will attack you during a pandemic, right? 

Ben Yelin: Right. Click here for the miracle cure. 

Katie Fry Hester: It's so sad. 

Ben Yelin: And all of a sudden, yeah, they've gained access to your system and - yeah. So how should I put this delicately? There are a lot of politicians who might not be as literate in cybersecurity issues as you are, either due to just age or lack of experience in discussing these issues. How do you try and make cybersecurity policy accessible to legislators, stakeholders that are just - that just don't really know the language? 

Katie Fry Hester: That is a really good question. I have tried to focus on the cost of the damage. 

Ben Yelin: Right. 

Katie Fry Hester: So, like, in Baltimore City, that cost - I've seen estimates upwards of $18 million. And if we could've saved that money by making sure we had certain patches in place, you know, I think everybody - whether they understand cybersecurity issues or not, they understand the state budget. 

Ben Yelin: Right. 

Katie Fry Hester: And furthermore, I mean, you just look at the technical deficit and the legacy systems that we have. I mean, I saw the call from the governor of New Jersey asking for programmers and - was it COBOL? 

Ben Yelin: Mmm hmm. 

Katie Fry Hester: And, I mean, the fact that I have 10 to 15 phone calls, emails a day about unemployment insurance. And, you know, our Department of Labor is doing an amazing job staffing up, but this - I mean, we could've avoided this if our IT systems were up to snuff. 

Ben Yelin: Yeah. And from what I know, it sounds like that system is something that's a little bit outdated. I'm not - I'm certainly not an expert in that. I just - it's something I've kind of heard through the pipeline. So, yeah, I mean, that's super interesting in these confusing times. Where do you see the long-term cybersecurity issues at the state level? Like, what are your goals five to 10 years down the line, your vision for how our state can be a leader in cybersecurity policy? 

Katie Fry Hester: Well, first and foremost, you know, I think that we truly are already, you know, a leader. We've got so much that we're doing here because of our links to the federal government. You know, you look at both on the private sector and the defense side. I think what we need to do is to really almost think of Maryland as the cybersecurity Silicon Valley of the East Coast. 

Ben Yelin: Yeah. 

Katie Fry Hester: And make sure - you know, when our Workforce Development committee met, it was amazing how much was already going on. But tying the pieces together for maximum efficiency to scale up - like, we have great cybersecurity demands because we have so many cybersecurity companies here. 

Ben Yelin: Right. 

Katie Fry Hester: And so it's just making sure that, you know, all the right incentives are in the right place, that we are tapping into every single student and letting people know that it's not just the programmers and the coders that have a role in cybersecurity. It's going to touch every single part of our state's economy going forward. I'd really come back to, in terms of the workforce, you know, us, you know, trying to achieve these 25,000 jobs by the year 2025. 

Katie Fry Hester: And then in terms of, you know, security, just being a model for how Maryland can, you know, implement best practice from the federal government to the state government to the local government so that we are all playing by the same songbook and kind of ready to go. And I think - once again, I think that we have an amazing array of folks here who are... 

Ben Yelin: We're uniquely situated in this state. 

Katie Fry Hester: We are, but we need to invest in it. 

Ben Yelin: Yeah. 

Katie Fry Hester: I mean, and I really hope that one of the things this pandemic shows us is how important it is to invest in our cybersecurity, our personnel delivering cybersecurity and our - upgrading our state legacy systems. 

Ben Yelin: Right. 

Katie Fry Hester: We are working on kind of borrowed time with these systems. And it's not sexy for politicians to ad for upgrading the unemployment system. 

Ben Yelin: Never is, yup. 

Katie Fry Hester: (Laughter). 

Ben Yelin: No one - yeah, no one would ever, you know, use that in a political ad (laughter). Or, you know, it would never be the item that, you know, you'd have a press conference at for - you know, at Lawyers Mall in Annapolis. But it's just one of those issues that's crucially important. Well, this has been fantastic, by the way. Thank you very much. I want to just kind of give you an opportunity. Is there anything else you'd want to say to a bunch of people who are interested in cybersecurity policy, especially young people? Are there particular voices that are influential to you in making decisions in terms of which legislation to co-sponsor, sort of the gurus that you rely on, you know, in your own decision-making process that are good for other people to know about? Just kind of want to leave that open for you. 

Katie Fry Hester: I would just like to give a shoutout to the vice chair of the Education, Health and Environment Committee, Senator Cheryl Kagan. She has been amazing on 911 and a key partner on all these cybersecurity issues. She truly gets it, and I love working with her in the Senate. And my co-chair, Delegate Michael Jackson, he has been just an amazing advocate in the House. And ironically, he's also - in addition to my co-chair, he's also on the 911 committee. We had a webinar - I guess it was last week - with author Liza Mundy, who wrote "Code Girls," which is about the story of the women during World War II who stepped up to fill these coding jobs when the men went off to war. 

Ben Yelin: Wow. Yeah. 

Katie Fry Hester: And it's kind of like the "Hidden Figures," you know, version... 

Ben Yelin: Right. 

Katie Fry Hester: ...For cybersecurity. These women, like, broke the Japanese and German codes and helped, you know, win World War II. And it was at a time where, you know, women - it was really rare for women to go to college. And some of them who went to college, you know, went there to get married. And so it's a long book (laughter). I'm looking forward to reading it. But we had an amazing number of people join the call. 

Katie Fry Hester: And for all the young people out there, the world is dramatically interconnected. No matter what field you go into, cybersecurity is going to touch you. So don't be afraid to look widely as you plan your career path forward. And if you have any interest in cyber and coding, we have open jobs. And I would love, you know, just - you know, feel free to reach out to me, and I'm happy to mentor some of the especially young women out there. 

Ben Yelin: Fantastic. Well, thank you very much, Senator Hester, for joining us on the "Caveat" podcast. And we look forward to talking with you again soon. And best of luck during this break between sessions. And hopefully, for our next General Assembly session, whenever it might be, we can help push through some of that cybersecurity legislation. So thank you. 

Katie Fry Hester: Thank you, Ben. Stay safe out there. 

Dave Bittner: All right. Well, first of all, Ben, great interview. Well done. Really interesting conversation. 

Ben Yelin: Yeah. First, of course, many thanks to the senator for joining us. I thought her origin story of how she became interested in cybersecurity is just - it's very interesting to me. She was sort of thrust into it. I mean, she had experience in the nonprofit world with consulting, but, you know, she really didn't come with any sort of institutional cybersecurity knowledge. She was put on this committee... 

Dave Bittner: Right. 

Ben Yelin: ...And just sort of took ownership of the issue and is now one of the most knowledgeable cybersecurity experts at our state Legislature, which I just think is really cool. And, you know, she's used that knowledge that she has now to really be an advocate, especially for young women who are interested in the cybersecurity field, which was very promising to hear. 

Ben Yelin: In terms of, you know, where Maryland is as a state in terms of cybersecurity, I think our eyes were opened in 2019 when the city of Baltimore suffered a ransomware attack. I think that might've been the first time that cybersecurity was really on the radar from an emergency management perspective. And so I think we're going to see more efforts of the legislature to tie cybersecurity specifically to the structure of emergency management organizations, having cyber units at the state level and at the local level where you have, you know, people who are well-versed in the topic to be embedded in these offices in case they're needed for an institutional response. So, you know, obviously, that was something that caused a lot of harm in the city of Baltimore, but I think it really did open the eyes of policymakers for the first time. 

Dave Bittner: Yeah. I also thought it was interesting her expressing how seriously she takes her responsibility of communicating these issues to her fellow legislators here at the state level and how she puts it in terms that they can understand. And I hear this all the time over on the CyberWire that when cybersecurity professionals are trying to explain these things to folks on the board of directors, for example, that if you put it in terms of risk, you know, aside from the technology part - stop talking about computers and you put it in terms of risk, well, that's something everybody can understand. And so interesting to hear her speaking about her efforts to do that same sort of translation among her fellow legislators. 

Ben Yelin: Right. It's going to be much more persuasive to say, you know, this ransomware attack happens, the city is going to lose $18 million than to say, here are the origins of the ransomware attack. This is exactly how they, you know, infected the computers, WannaCry, et cetera, et cetera. You know, that's going to be - it's going to be meaningless to people who are just not well-versed in this topic. 

Dave Bittner: Right, right. 

Ben Yelin: So, yeah. I mean, I think that point was very well taken. 

Dave Bittner: All right. Well, our thanks to Maryland state Senator Katie Fry Hester for joining us. And that is our show, and we want to thank all of you for listening. 

Dave Bittner: Our thanks to the University of Maryland Center for Health and Homeland Security for their participation. You can learn more at mdchhs.com. 

Dave Bittner: The "Caveat" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producers are Kelsea Bond and Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Ben Yelin: And I'm Ben Yelin. 

Dave Bittner: Thanks for listening.