Podcasts
Caveat
Ep 52
Caveat 10.28.20
Ep 52 | 10.28.20

The tools have changed, but the tactics have remained basically the same.

Show Notes
Transcript

Morgan Wright: Social media is an advanced form of social engineering.

Dave Bittner: Hello, and welcome to "Caveat," the CyberWire's law and policy podcast. I'm Dave Bittner. And joining me is my co-host Ben Yelin from the University of Maryland Center for Health and Homeland Security. Hello, Ben. 

Ben Yelin: Hello, Dave. 

Dave Bittner: On this week's show, I have a story about the U.S. Department of Justice bringing antitrust charges against Google. Ben looks at the increased use of phone-cracking tools by law enforcement. And later in the show, my conversation with Morgan Wright - he's chief security advisor at SentinelOne. He's a former senior law enforcement adviser for the 2012 Republican National Convention and senior adviser in the U.S. State Department Anti-Terrorism Assistance Program. 

Dave Bittner: While this show covers legal topics and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney. 

Dave Bittner: All right, Ben, let's jump in with some stories here. What do you have for us this week? 

Ben Yelin: So mine comes from The New York Times by Jack Nicas in the technology section, one of those stories that was sent to me by my dad three hours before recording. So... 

Dave Bittner: (Laughter). 

Ben Yelin: ...Little shout out to him, always looking out for the interests of our podcast. 

Dave Bittner: (Laughter) Right. 

Ben Yelin: And the title of the article is "The Police Can Probably Break Into Your iPhone." So there was this group, this nonprofit research organization called Upturn in Washington, D.C., that did a study on the extent of access that law enforcement has to our smartphone devices. And they found that 2,000 law enforcement agencies across all 50 states now have tools to get into locked, encrypted phones and extract their data. And they did this research using available public records. So this is largely what we know about on the surface. And this is just more - I think more extensive than most people believe in terms of law enforcement getting access to our encrypted devices. 

Ben Yelin: What's ironic about all of this to me is that there have been these major legal battles, dating back to the Apple v. FBI when it came to San Bernardino and a couple of other instances where the tech companies have had these standoffs with law enforcement, saying we're not going to break our own encryption in order to grant you access to this device. You know, we promote the security interests of our users. And law enforcement makes a big show about how, you know, you're protecting terrorists and murderers, et cetera. 

Dave Bittner: Mmm hmm. 

Ben Yelin: If you take this article to be true - which I do - none of that really matters because law enforcement already has these advanced tools to break into these encrypted devices. And while getting into an encrypted smartphone requires a warrant, in most cases, if you have a good suspicion that there's going to be evidence of a crime or terrorism or something else on a device, you're going to be able to obtain it. So I think this is just pretty eye-opening because we now see the extent to which law enforcement across the country - it's not just the big police departments - are getting access to this technology. 

Dave Bittner: Yeah. And one of the things that struck me in this story was that, as you say, it's not just the big police departments with the big, high-profile cases. This article outlines some cases where, like - I don't know - there was a couple of guys had a disagreement over $70 at a McDonald's. And (laughter) law enforcement was unlocking their phone to find information. So... 

Ben Yelin: Well, Question 1 is, how would you spend $70 at McDonald's? That, I really want to know. 

Dave Bittner: (Laughter) Well, you know - so just really hungry, I guess. 

Ben Yelin: Yeah, 35 happy meals. 

Dave Bittner: Those fries are delicious, Ben (laughter). 

Ben Yelin: They are. They are the best of the fast-food fries. 

Dave Bittner: So we're talking about small-town police forces that have invested in these tools and are using them routinely. 

Ben Yelin: Yeah. And so one thing that this article kind of opened my eyes up to is, if the local police departments don't have the resources to get into these devices themselves, they are all part of a network with some of these big companies that decrypt iPhones and other devices. Like, Cellebrite and Grayshift are the two that they mentioned here. The more prominent police departments can buy flagship tools that cost a lot of money, but it allows them to exploit some of the security flaws on these devices themselves. The smaller police departments can, on an ad hoc basis, send these devices to their state or federal partners and largely get the same result. So even if it's prohibitively expensive for small law enforcement agencies to buy these tools in bulk, they can still use them. 

Ben Yelin: So really, nobody is safe, you know, across the country in all 50 states from having their iPhones searched, even if they have the most recent security patches, et cetera. These companies are very good at exploiting security flaws in smartphones. And law enforcement agencies across the country in the aggregate have the type of resources, and it's worth it to them to exploit those weaknesses. 

Dave Bittner: Let me put you on the spot here 'cause I'm going to make a point here. How many digits is your security code on your mobile device, Ben? 

Ben Yelin: Six. 

Dave Bittner: OK. 

Ben Yelin: What about you? 

Dave Bittner: Mine is eight. And one of the points that they make here - so let's geek out for a minute here because I think it's worth mentioning that we're talking about kind of two different things here. I mean, the encryption on your phone - the technology that is encrypting the data on your phone is extremely strong. In other words, that part ain't being cracked, right? (Laughter). 

Ben Yelin: Right, exactly. 

Dave Bittner: They're using - you know, modern encryption technology, routines, algorithms, that is strong. 

Ben Yelin: Yes. 

Dave Bittner: What they're coming at is your passcode because your passcode is the keys to the kingdom. If you have a four-digit or a six-digit passcode, this article makes the point that a six-digit iPhone passcode takes, on average, about 11 hours to guess. A 10-digit code takes 12 1/2 years. So... 

Ben Yelin: So you're in much better shape than I am here, Dave. 

Dave Bittner: (Laughter) Well, at least a few more hours. 

Ben Yelin: Yeah. 

Dave Bittner: But I think there's an important point here, which is that part of this is in the user's hands. And if you want to secure your phone, use a longer passcode. Use a 10-digit code. Use a 12-digit code. Use a passphrase instead of a numerical code. That increases the security quite a bit. 

Dave Bittner: So there - it's not that there isn't anything that anyone can do. You can slow them down. You can thwart them. In fact, one of the folks who's quoted here - I don't remember who it was - who was speaking in front of Congress was saying that, you know, sometimes, they simply don't have the ability to unlock a device in the amount of time that would make a difference to their case. 

Ben Yelin: Right. So if you have a 10-digit passcode and that's going to take, you know, 10 or so odd years, then it's not worth it to try and (laughter) get the passcode to that device. So yeah, it's true. I mean, it's good in a sense that users do have a backstop here. They can, you know, increase their own security protection in a way that's not going to cost them a lot of money or resources. 

Ben Yelin: The other good news, I would say, from the consumer's perspective, is we have been having a debate in the state legislatures and in Congress about granting law enforcement backdoors to these devices. The latest such proposal, which we've talked about on this podcast, came out this year. One of the arguments I think that could be made against these types of proposals, this legislation, is these companies are already spending, you know, upwards of tens of millions of dollars on tools to decrypt these devices. Why would we want to make it easier for them, as part of a policy, to grant them an extra backdoor to make it more amenable to them to decrypt our phones and get into our devices? At the very least, you should make them sweat it a little bit. 

Ben Yelin: If it's very worth it for them to get access to the device, then it's probably in the best interest of the consumer that they use their own resources, and it's going to be more protective for users in that sense because they have a finite amount of resources. You know, you can't spend tens of millions of dollars to decrypt every single device. You have to make choices. You have to pick your battles. 

Dave Bittner: Right. 

Ben Yelin: And I think that could be a potent argument against some of these backdoor search legislations. Again, that's just conjecture. But, you know, from what our old friend Riana Pfefferkorn said in this article - and a shout out to her, friend of the pod... 

Dave Bittner: (Laughter) Yes. 

Ben Yelin: ...I mean, this has been sort of a backstop for - it's been a safety valve for the encryption debate. We haven't really had to go down the path of deciding once and for all whether we need to set up these proverbial backdoors. So you know, I think that's one perhaps benefit of this article coming out is lawmakers can say, why don't you use these tools that you already have? You can let the market settle the technology. You know, if these companies really want to make it a priority to protect their consumers' private information, let them try and get the market share for that. And then if it's worth it to these local law enforcement agencies to spend finite resources decrypting these devices and it really is a priority, then we have evidence that they can do that. 

Dave Bittner: I'm struck by the image, again, of making your password more complex, of, you know - you see in old movies, you know, comedy movies, someone living in a bad neighborhood, you know, coming up to the front door of their apartment, and there's a whole row of locks on the door. You know, there's half a dozen locks that they have to - and they have to spend a minute unlocking each one. They have, you know, half a dozen different keys to get in that place. And we all think about that, and we laugh. And - but to me, that illustrates that sort of balance between convenience and security, right? Yes, it's convenient to have a four-digit passcode, right? But it's... 

Ben Yelin: Easier to remember, yeah. 

Dave Bittner: Easier to remember, your muscle memory, all that kind of stuff - but it's way more secure to have a 10-digit passcode (laughter). So you got to find, you know, what you think fits your level of risk. But this is, I believe, one of those areas where size matters. 

Ben Yelin: Yeah. I mean, I think that's absolutely right, and it's also one of those rare instances where the ultimate result, coming from this article, is in the hands of individual users. They have the power to protect their devices and to ensure the security of their own private information. 

Ben Yelin: It's a little more complicated in this day and age of everybody wearing masks in public because facial recognition, face ID or similar technology is such a useful workaround. But, you know, because when we're in public - and at least to this point - the iPhone does not recognize your face with a mask on. You do have to type in that passcode. And it sure is easier, if you're in a time crunch, for it to only be six digits, especially when you have one kid in each arm... 

Dave Bittner: Yeah (laughter). 

Ben Yelin: ...Speaking from personal experience. 

Dave Bittner: (Laughter) That's right. That's right. 

Ben Yelin: But you do need to balance the convenience with what you'd be giving up in terms of security. And that anecdote that you mentioned here is just really striking, that it's exponential how much more secure you can make your device just by having a, you know, eight to 10-digit passcode. 

Dave Bittner: Yeah, yeah. All right. Well, interesting story for sure. And of course, we'll have a link in the show notes. My story this week is, I'd say - I think it's fair to say, the biggie... 

Ben Yelin: Yes, it is. 

Dave Bittner: ...(Laughter) When it comes to policy. I happen to be also using a story from The New York Times, but pretty much everybody covered this one. And this is about the U.S. accusing Google of illegally protecting a monopoly. So the Department of Justice is coming after Google basically for antitrust, saying that they are an illegal monopoly controlling central parts of the internet. This article in The New York Times is written by Cecilia Kang, David McCabe and Daisuke Wakabayashi. And the upshot here is that the DOJ is accusing Google of using their position in the search engine market, their ability to strike deals with other companies such as Apple for exclusive or preferential placement of their search engine - is an illegal monopoly. What's your take on this, Ben? 

Ben Yelin: So first of all, it's really groundbreaking. I mean, there have been discussions at the federal level about instigating antitrust lawsuits against these big tech companies for years. And finally, we have that high-profile case. You know, and they've been exposed for some of these business practices overseas, particularly in the European Union, where they've had to pay fines. But up until this point, our country has just not pursued this effort for a variety of reasons. So you know, finally, we're going to have this high-profile case. 

Ben Yelin: If you read the complaint, it really details how Google has, in the words of the Department of Justice, gained its grip on distribution. They're paying billions of dollars sometimes to their competitors to become the default search application in web browsers. So, you know, if you pay off Apple to have Google be the default web browser on an iOS device, in some ways, you're giving money to what could potentially be one of your largest competitors, and that will dissuade Apple from developing its own search engine. 

Dave Bittner: Yeah. This article points out that they estimate the Google pays Apple between eight and $12 billion a year - billion with a B - to be the default option on iPhones, iPads and Macs. And that could be 15% to 20% of Apple's profits. 

Ben Yelin: If you think about that, all this kind of happens very cryptically. We don't really notice it. It's not something that's in the news. If you thought about this in any other industry, let's say in the airline industry - all right, not to single out an individual company, but United paid off all of the other airlines to only include their mileage rewards program as part of the benefits. I mean, that would increase their market share. And, you know, there's not much the other companies would do or could do about it because they're receiving billions and billions of dollars. And that's exactly what's happening here. 

Ben Yelin: So these are monopolistic business practices. Google does have about an 88% market share on search engines, which is pretty remarkable. You know, the remaining 12% is divided between Bing, which, you know, has fallen a long way down since it was introduced about 10 years ago, a little bit from Yahoo! and then Go Duck Go (ph), which is a more secure search engine. But to have an 88% market share using these heavy-handed business practices is pretty remarkable. So in some ways, I mean, I think this was a long time coming. 

Ben Yelin: What's frustrating is that this type of litigation will take years to resolve. This is not something where we're going to get adjudication, you know, even in - I would say if we got any sort of decision in the next two years, I would be greatly surprised. We're going to have dueling motions. Google has already obviously argued that these business practices don't violate the Sherman Act, which is our major federal antitrust law, saying that our laws against monopolies were not designed to stifle innovation; they were designed to curtail unfair business practices. And in Google's view, nothing that they're doing is unfair. 

Ben Yelin: You know, another interesting aspect of this to me is that for various reasons, there's bipartisan support for this type of action by the Department of Justice. People on the left and Democrats largely ideologically want to break up big companies. They want to prevent individual corporations from having too much power and too large of a market share. But recently, Republicans have been big critics of big tech, too, largely because they see some of these platforms discriminating against conservative viewpoints. They want to open up the market so that competing search engines can enter and, in their view, be more amenable to conservative points of view. So we do have sort of a rare bipartisan consensus on the importance of going after some of these big Silicon Valley companies. And that's really a unique moment in history here. 

Dave Bittner: Yeah, one of the things that this article points out to that point that this is going to be a long slog - they say, this lawsuit is likely to outlast the Trump administration, and that includes the possibility of Trump having a second term. They point out that when - big case against Microsoft back in the '90s. They went after them; it took about a decade. 

Ben Yelin: Oh, yeah. And I could certainly see the same time frame here. Not only is - does Google have a vested interest in this, but some of the other tech companies that have a large market share in their domain, like the Facebooks and Apples of the world, are going to be looking at this with great interest. And their lobbyists are going to get involved. Everybody's going to have their eyes on this case because it's the first time we've gone after a Silicon Valley company, you know, at least in the last decade or so. 

Ben Yelin: So, I mean, because of the scope of it and the amount of interest you're going to see in the industry and, you know, just the level of jockeying between the Department of Justice attorneys and attorneys for Google and other tech companies, yeah, this is going to last a while. So this is sort of the opening salvo. 

Ben Yelin: I will mention, you know, there's another interesting political element in this - that Attorney General Barr was discouraged by some of his deputies from bringing this case prior to the election. He decided to do so anyway. You know, this is certainly better than bringing a politically motivated case to bear three or four weeks before the election. But I do think that's something important to keep in context here, for whatever it's worth. 

Dave Bittner: What about this notion that our antitrust laws are not up to the task of dealing with modern tech companies? I mean, could that put the DOJ at a disadvantage here of, you know, having one hand tied behind their back? 

Ben Yelin: To a certain extent, yes. I mean, just because we don't have a lot of precedent cases and it's just easier - because of the way modern technology works, it's more efficient to use some of these monopolistic business practices to buy off competition. You know, so much of these purchases, for example, are automated, which is something that you didn't see a hundred years ago with the Sherman Act, where you had more public records of these types of transactions. So you know, I think there is something to that. But the general principles are still the same. And I think with the amount of resources the Department of Justice is willing to devote to this investigation - and we know that they've already devoted several years' worth of personnel and taxpayer dollars in conducting an investigation - I think they at least believe that they have the legal tools to successfully adjudicate this case. 

Ben Yelin: These cases are particularly hard because companies like Google will always argue that the only reason consumers are able to enjoy the features that you love on our search engine is because we're able to innovate. We are able to be aggressive in our business practices to bring you the best product. 

Dave Bittner: Right. 

Ben Yelin: And that can be a compelling argument. I think what the government would say, what the Department of Justice would say is, as a result of this lawsuit, we're not asking you to break up Google in its entirety. We're asking for a declaration that you're going to cease some of these more destructive business practices. And I think that could limit the scope of the case in a way that the government could have an easier time in a federal court. 

Dave Bittner: Well, this is Episode 52 of "Caveat." We'll be having our wrap up of this case in Episode 552 (laughter) 10 years from now. 

Ben Yelin: I hope we're still doing this in 10 years. Our hair will be a lot grayer and our voices a little more scraggly. But I anticipate that we'll... 

Dave Bittner: Right. We'll be complaining - yeah, complaining about your teenage kids wanting to borrow the car, right? (Laughter). 

Ben Yelin: ...Yeah, exactly. Exactly. And hopefully we'll be looking, you know, back fondly on this COVID era as having been long gone. 

Dave Bittner: Right, right. 

Ben Yelin: But I anticipate we will still be talking about this case, so we should make this a long-running segment. 

Dave Bittner: Yeah. All right. Well, it's big news for sure. 

Dave Bittner: We would love to hear from you. We have a call-in number. It's 4106183720. You can also send us an email. It's caveat@thecyberwire.com. 

Dave Bittner: Ben, I recently had a really interesting conversation with Morgan Wright. He is the chief security advisor at SentinelOne. He is a former senior law enforcement adviser for the 2012 Republican National Convention and a senior adviser in the U.S. State Department Anti-Terrorism Assistance Program. So this guy has some interesting (laughter) experience that he brings to bear. We had a really interesting conversation. So here's my talk with Morgan Wright. 

Morgan Wright: It's almost one of those things, if we go back and really see where this started, this started in 1917 - but - when the - Russia stood up the Cheka, which was the first true intelligence organization. But kind of fast-forward to today - yeah. I actually - I used to write for The Hill. I was an opinion contributor on national security, cybersecurity and intelligence. And one of my former editors sent me this link, said, hey, did you see this? So I went and took a look at it. Well, immediately, No. 1, I was suspicious because it was from Russia. No. 2, I was suspicious because it was making grandiose claims. Hey, these voter databases had been hacked. And I had not seen any corroboration in the news media. And I went to the Michigan site, the Iowa site, the states where they said the databases had been hacked and had seen no information from there. 

Morgan Wright: But by then the damage was done because it was picked up by Newsweek, and the article was repeated from a Russian business journal, so it was given some credibility because it was amplified through a U.S. publication. And it required CISA out of DHS and the state of Michigan itself to respond to these claims to say, no, that hasn't happened. So I mean, that's originally how I became aware of it. But immediately, I was suspicious. Why? - because it had a Russian source during an election season. 

Dave Bittner: What are the overall implications here? When something like this takes off the way this did, what's the effect? 

Morgan Wright: I just finished watching "The Social Dilemma," the documentary on the social media companies. And one piece of research out of there just really struck me. And it was an - piece of MIT research that said fake news on Twitter traveled six times faster than factual or accurate news. So it kind of validates that old saying, which Mark Twain said - and, you know, there's some origin stories to that - but, you know, the lie can make it halfway around the world before the truth can even get a chance to lace up its boots. 

Dave Bittner: Right. 

Morgan Wright: So the impact was, we've already anchored the perception in people's mind that the voter database was hacked, that you can't trust the results, that your personally identifiable information has been exposed. So once that's anchored in the mind, it takes a lot because there's a perception bias. So they have this bias that, no, any other information is designed to disinform me after this anchoring information. So it becomes very hard then to you - I mean, you can't put the toothpaste back in the tube. Once it's out, it's out. 

Dave Bittner: You know, it seems to me that, over the past couple of decades or so - perhaps more - that there's been kind of a distillation of adversaries' ability to take advantage of these sorts of campaigns. Like, they understand what makes us tick - right? - as Americans and have really become good at this sort of thing. I mean, is that an accurate perception in your view? 

Morgan Wright: It's an accurate perception, but I would actually extend it back even farther to say is that a lot of people don't remember in 1996, the FBI ran an investigation out of FBI headquarters against the Embassy of China for the $250,000 donation that Johnny Chung gave to the Democratic National Committee. So there has been influence and money. Russia has been doing this for a long time. But to put it into perspective, if you go back and you read the biographies of the previous directors of central intelligence, the head of CIA, there are many episodes in there and anecdotes they will tell you of where United States itself spent money to stop the spread of communism. And one of those things was they spent a million dollars to conduct what they called a spoiling operation to influence the outcome of election. And so it really gets into, there are things that are done to influence and things that are done to interfere. And influencing elections has always been a national security objective of, you know, just pretty much any country out there. 

Dave Bittner: Yeah. I think that's a really good point because, particularly as we find ourselves in this situation leading up to our own election, I don't think it gets a lot of emphasis that, I suppose - I mean, this is a regular part of international relations and espionage. 

Morgan Wright: It is. I've got several friends - in fact, one of my friends punched out of the CIA after 30 years. He was last - assignment was chief of station in Moscow. And there are some - I used to do some work in the Anti-Terrorism Assistance Program with the State Department, so I was over in places like Pakistan and Turkey. And I will tell you - I mean, anything that you can do to influence the behavior, which is what we do - you know, we want to - for example, we're trying to influence the behavior of Iran right now to get them to become part of the global community, which is, you know, very tough. So there are things that are done to influence them, things that are done to interfere, such as Stuxnet, you know, and Flame. But at the end of the day, exactly what you're talking about - this is something that has been going on for so long. The - what's happened is the tools have changed, but the tactics have remained basically the same for the last 30, 40, 50 years. 

Dave Bittner: And how has social media contributed to this? Is this an amplification method? I mean, where do we find ourselves with that? 

Morgan Wright: Social media is influence on steroids. I mean, you now have the ability - give you a quick example. One of the ways the Russians used to spread a rumor - and they did this to position the CIA and the United States in a bad light - was they wrote a letter. They forged a letter and basically got a obscure Italian newspaper to publish this. And then it took a while, but then it got out. It grew a life of its own. So after several weeks, you know, now we're dealing with this fallout. 

Morgan Wright: You can now accomplish the same thing with fewer people in minutes, you know, a couple hours. Remember the Internet Research Agency, the quote - which - it's - trust me, it's at the direction of the Russian government. Nothing happens in Russia without Vladimir's approval, comrade. They - look at the influence they had on the 2016 election with just, you know, less than 100 people and spending, I think - what did they say? - two hundred, $300,000, maybe, on ads and stuff. It's the ability to - everybody's got a smartphone. Everybody's got some kind of a smart device. And the ability to identify and divide is - to your point, it's been amplified by orders of magnitude compared to what we were doing 10 years ago. 

Morgan Wright: In 2012, for example, I was the senior law enforcement adviser for the Republican National Convention. There wasn't any of this going on. We were more worried about what we called black flag and other protesters. So we were using advanced technology to do surveillance, to monitor people. But the idea of anything online at that time and social media campaigns - there might be a few people tweeting and the apps like Livestream and Ustream, where you could stream things from the street. That was about it. So you fast-forward to 2016 and now 2020 - yeah, absolutely, this is amplified. I mean, it's like a hockey stick. If this were a company and you were investing in it, you'd be at the right point because that curve just, you know - it hit that inflection point, and it went up. And if you're involved in interfering and influencing elections, this is the time to be involved. 

Dave Bittner: We find ourselves with this peculiar situation of the president of the United States, who seems deferential - who is deferential to Vladimir Putin. Someone pointed out to me in the past couple weeks that President Trump has a nickname for pretty much every world leader except for Putin. It seems to me as though this plays right into their hands to have this - you know, it's that old movie trope. You know, the call's coming from inside the house. 

Morgan Wright: Yeah. I remember a couple of those movies - Clint Eastwood, you know, and some other ones. You know, one of the things I've tried assiduously to do - and do try faithfully is - 'cause I do a lot of stuff for the media. I've done stuff for national news. I mean, you name all the major networks, I've been on them at one time or another. I've tried to stay away from politics. I say I do ones and zeros, not R's and D's. But you do have to look at the policy implications of what's being done. And I don't know that - he may not have a nickname for Putin. I don't know that he has a nickname for President Xi of China, either. I know that he - we all used to have a nickname for Mahmoud Ahmadinejad, and it was Mahmoud I'm-A-Nutjob when he was running. 

Morgan Wright: Hey, look. I grew up in Iran. My first foreign language I spoke was Farsi. My dad was military, was over there during the days of the Shah. So I've seen what happens to a country, you know, over time. We've seen what happens to the Arab Spring. We've seen what happens in Egypt. So I don't know internally, from a political standpoint, what kind of import to give that. But I can tell you what is said, what is done gets used by our adversaries in influence campaigns. It gets used in social media. It gets used - for example, the big things that's going on right now with TikTok and WeChat, you know, these things are used as propaganda and as counterprogramming for anything that the United States might choose to do from a policy standpoint. 

Dave Bittner: Is there a way back from this? Are there examples throughout history of nations who find themselves divided in the way that we find ourselves divided right now and are dealing with so much disinformation? You know, the - I would dare say that the fabric of our nation is fraying. Is there a pathway towards reunification? 

Morgan Wright: It's interesting. Right - when we started, we talked about where I'm at. I'm in Northern Virginia, and if you look around here, there are many battlefields. My daughter and future son-in-law, they live up by Little Antietam Creek, not too far from Gettysburg. We look at Bull Run, you know, the Battle of Manassas. So we look at what happens to a nation that gets torn apart. You know, at some point, it was. United States was torn apart. It took years of reconciliation and rebuilding to bring us back. Now, does that mean that there's going to be a civil war? Don't know, hope not. 

Morgan Wright: You know, I'm former law enforcement. I keep track with a lot of my friends. I see a lot of the things that are happening. There are definitely those things, and social media can be that spark because - here's a great example. In India - and I've been over to India several times for a, you know, variety of reasons. One of the last times was in Andhra Pradesh Province, working with what they call the Greyhounds. It's a antiterrorism unit, and they do what's called direct action. They go out in the jungles, and they hunt the Maoists and the Naxalites. And one of their biggest challenges right now is dealing with false information that has caused several people to be killed by mobs because it was said that these are predators, these are child abusers. And now people that - normally whose mission is to defend against terrorism and direct action by adversaries, now they have to take those resources and point them back towards stopping the spread of disinformation. Why? Because it's resulting in the death of people. 

Morgan Wright: So - you know, I wish I had a good answer for that. I tell you what I think it's going to take, though. And I've testified before Congress a couple times on the safety and security of big systems like healthcare.gov. I am not a fan of government regulation, but it normally takes three stages. First there's litigation, then there's regulation, then there's legislation. So you know, Facebook, Google, all of them are being sued. They're being sued in different countries, the - you know, the EU. So - but at some point, I think we're going to have to come to grips to say there is needs to be a role for government in the management of information about people that, if used, can be used to influence them, can be used to modify their behavior, can be used to get them to take a set of actions that they normally wouldn't. It - basically, it's how do you legislate against social engineering? And social media is an advanced form of social engineering. 

Dave Bittner: You know, I find myself even, you know, personally - and I consider myself someone who deliberately equipped myself with a good set of tools when I was growing up, you know, to be skeptical, to apply critical thinking, you know, to the things I read and the things that I consume - if I'm honest with myself, I find myself being in the middle of all this and dealing with all this uncertainty. You know, it's hard to know what sources to trust anymore, and so that uncertainty creates stress. That uncertainty creates fatigue. Do you have any any tips, any advice for those of us who are, in good faith, trying to do our best to to keep our head above water here? Any tips you could share? 

Morgan Wright: Sure. Let me take it back, then, to give you an example from my law enforcement days and some training I used to do out at the National Security Agency. I used to teach behavior analysis and behavior analysis interviewing. And so the question is - and it's not like on TV. I'll tell you, Dave. It's not like on TV. You don't come in and you yell and scream at people, you're going to prison unless you admit to this murder. Well, dude, if admit to this murder, I'm going to prison. So what's in it for me, right? 

Dave Bittner: (Laughter) Right. 

Morgan Wright: So - but what you do is you ask them a series of questions. You build anxiety. You get them to the point where the only way for them to deal with the stress, the anxiety is to tell the truth. That is the only release. You don't plant false information. You don't tell them, you know, I know you did it. Just admit to it, and we'll go easy on you. You have to ask questions. You know, what do you think ought to happened to the person who did, in fact, commit this crime? Should they be given a second chance? We taught this. 

Morgan Wright: So here's my point. If I can get a - somebody who has committed first-degree murder to sit across the table from me and tell me the information I need to file a case against them to put them in prison for the rest of their life - and they know that they're giving this information - it is very easy, then, for me to manipulate at scale people to get them to take incremental actions. 

Morgan Wright: And so I think one of the - you know, if I was going to give advice, I would tell people to watch, like, the documentary "The Social Dilemma." I would say if you've got children, you need to absolutely regulate the apps and activity and the screen time that they have because I think what we've missed teaching - when I was in high school, I took debate and forensics, you know? And in college, I took logic and man and values and some philosophy courses. And it was fun, but I didn't realize what kind of impact it would have on me later till I started seeing - I can now look at a post on Facebook, on Twitter and in about a 1 1/2 seconds determine that this thing is, as the Scottish say, (imitating Scottish accent) crap. You know, it's just... 

Dave Bittner: (Laughter). 

Morgan Wright: You know, it's like - I've written back to a few people. I say, OK, great. You've made this allegation that Tom Hanks has said some great quote. Where did you - what's your source? Where'd you get it from? Nobody is doing any due diligence online. And I think to your point, you've got to approach this. I would say, remember the old saying - and I think it was Edgar Allan Poe that came up with this - believe nothing of what you hear and only one half that you see. 

Morgan Wright: We've got to go back to saying - being extremely skeptical. Everybody needs to move to Missouri and start adopting the motto show me. You need to show me. You've posted this; now show me the attribution. Show me the anecdotes. And if you - I would say if you're not willing to do the work to put that post out there to prove your point, then my response is delete. I don't even look at these things anymore. I don't know that I can influence enough people to get this to change. It's got to start with younger children. It's got to start with teenagers. It's got to start - you've got to start teaching this in college. There is no easy answer for this. And anybody who says, well, I have the magic program; just take my training for 30 minutes, and we can solve the ills of the world, is a charlatan and a fraud and a liar. 

Dave Bittner: Yeah. I mean, something I struggle with is self-preservation, you know, through deleting and ignoring and moving on versus trying to do what I suppose I consider my civic duty to try to at least counteract - you know, put the proper information out there, you know, show my sources, you know, those kinds of things. But, boy, it's grueling. 

Morgan Wright: It is a frickin' marathon. Dude, people think this is a sprint, man. 

Dave Bittner: (Laughter). 

Morgan Wright: It's like - you know, I just - I'm a huge Peloton fan. I ride a bike outdoors, too. And I'm a big Tour de France fan, and it just finished up. 

Dave Bittner: Yeah. 

Morgan Wright: And you look at - these guys rode more miles in one month than I ride all year. They're in the mountains. They're on these grades. They just - it's grueling. It's like being in the - it's like getting - finishing the Tour de France, you get one day off. And it's like, eh, hope back into it, mates. We're back for another Tour de France. It is tough. And I think this is what wears people out. This is the mental fatigue that happens. 

Morgan Wright: Jeb Bush actually said it - had a terrific line one time talking about - when he was governor of Florida - and they were talking about all the hurricanes that coming in. And as the more hurricanes they got, there was - I was - we were thinking about moving to Florida at one time - 'cause I loved the Orlando area - I was instructing down there at that time - until they had three hurricanes in a row. And I said, now, being from Kansas and suffering through tornadoes - not interested in hurricanes. He says, we are getting hurricane fatigue. By the time the third hurricane gets there, nobody's doing anything about it. They have just become numb to the fact that this is happening. 

Morgan Wright: And I think this is what's happened. We've been flooded with so much social media and fake news. The other thing, too - there are people out there sharing information that they truly believe that the information is accurate. 

Dave Bittner: Right. 

Morgan Wright: But later, you find out that it's inaccurate. So you have all of these things. You know, I don't know how to stop it, but I can tell you this. At some point, we need to get smarter people in the government. And I say that deliberately in terms of we've got a lot of people making policy. When I watch the congressional hearings on Facebook and Google, you know, and YouTube and Twitter and stuff, you have people asking questions that have no clue how this technology works. And I'm going, you're the last person I want making policy about this. Let's get - let's make sure our legislators and our politicians, the people who set policy, get educated on exactly what this is so that we can do better at passing the legislation we - I don't want to overregulate. But there's a danger in both overregulation and under regulation. We've got to find that squishy middle somewhere. That pendulum's got to kind of come more into the squishy middle. 

Morgan Wright: And we've got to do a much better job at this then use that as our baseline to improve. But it's the people, it's the politics, you know, and it's the tech companies. They have a big responsibility here to also help get this right, but self-regulation is not the answer. 

Dave Bittner: All right, Ben, what do you think? 

Ben Yelin: That's a really interesting perspective coming from somebody with his experience. I mean, I think it reinforced the dangers of false information on the internet as a result of malicious foreign actors. We saw it play out in the 2016 election. We've seen it play out, so far, to a lesser extent in 2020 - at least above the surface. But, you know, I think from what he said, it helped me realize that we're really just on the precipice of how big of a problem this is going to be. And in his words, it's going to be hard to put the toothpaste back into the tube - because once some misinformation gets out there, it creates these alternative universes where there are groups of people who will actively seek out confirmation of that misinformation. And frankly, I think we've seen that for - you know, with things like the QAnon conspiracy theory. 

Dave Bittner: Yeah. 

Ben Yelin: So it's just really interesting to hear his perspective on that as somebody who's been in this field for a long time and as somebody who said, you know, when he was doing security for the 2012 Republican convention, this wasn't even something on their radar. So it's just - it's very new. 

Dave Bittner: Right. And that's not that long ago. 

Ben Yelin: It really isn't. It really isn't. I looked the same in 2012 as I do now, and I'm sure you did, too. 

Dave Bittner: (Laughter). 

Ben Yelin: So it's not like we were teenagers. 

Dave Bittner: Maybe a little - yeah, maybe a little thinner (laughter). 

Ben Yelin: Yeah, same. 

Dave Bittner: Right, right. Yeah. 

Ben Yelin: But, yeah, I mean, it really was not that long ago. This is such a new developing threat. There's so much, you know, we still don't know about it. I mean, I think our first comprehensive window into it was the section from the Mueller report and the Mueller indictments on Russian disinformation, where we found out how sophisticated these operations were and how, as you said in the interview, you know, they know what our soft spots are. They know how to exploit our political differences. 

Dave Bittner: Yeah. 

Ben Yelin: So this is just something that I'm worried about. It's something that we're going to have to keep our guard up on for a long time, I think. 

Dave Bittner: Yeah. Well, again, our thanks to Morgan Wright for joining us. He's the chief security adviser at SentinelOne. We really do appreciate him taking the time and sharing his thoughts with us and with all of you. 

Dave Bittner: That is our show. We want to thank all of you for listening. The "Caveat" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producers are Kelsea Bond and Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Ben Yelin: And I'm Ben Yelin. 

Dave Bittner: Thanks for listening.

Caveat
Podcast Info
HOST(S):
Dave Bittner
Ben Yelin
Dave Bittner is a security podcast host and one of the founders at CyberWire. He's a creator, producer, videographer, actor, experimenter, and entrepreneur. He's had a long career in the worlds of television, journalism and media production, and is one of the pioneers of non-linear editing and digital storytelling.
Ben Yelin, JD, is the Program Director for Public Policy & External Affairs at the University of Maryland Center for Health and Homeland Security, where he consults public and private entities on homeland security, cybersecurity and emergency management policy. He is also an adjunct faculty member at the University of Maryland Francis King Carey School of Law, where he teaches courses on electronic surveillance and the Fourth Amendment.
Schedule: Wednesdays
Creator: CyberWire, Inc.
ADVERTISEMENT
Cybereason
Cybereason

Cybereason is the champion for today’s cyber defenders providing future-ready attack protection that unifies security from the endpoint, to the enterprise, to everywhere the battle moves. Learn more.