Caveat 8.18.21
Ep 90 | 8.18.21

Getting tough with the adversary.


Jamil Jaffer: Discipline matters, and punching back and being tough matters. And this administration, you know, has the kind of people who understand how to do that - Paul Nakasone, Jen Easterly, Rob Joyce, Chris Inglis. These people know how to get tough with the adversary. We've got to free them up to do it.

Dave Bittner: Hello, everyone, and welcome to "Caveat," the CyberWire's privacy, surveillance, law and policy podcast. I'm Dave Bittner, and joining me is my co-host, Ben Yelin from the University of Maryland Center for Health and Homeland Security. Hello, Ben. 

Ben Yelin: Hello, Dave. 

Dave Bittner: On this week's show, Ben looks at legislation aiming to better protect youngsters online. I share an outline from the folks at Lawfare for more responsible offensive cybersecurity. And later in the show, my conversation with Jamil Jaffer from IronNet Cybersecurity. We're going to be discussing some of the key takeaways from President Biden's executive order on cybersecurity. 

Dave Bittner: While this show covers legal topics and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney. 

Dave Bittner: All right, Ben. We've got some good stories to share this week. Why don't you start things off for us? 

Ben Yelin: So my story comes from The Washington Post - "New Bill Would Update Decades-Old Law Governing Children's Privacy Online and (ph) Protection for Teens." It's about a piece of legislation that was introduced in the House of Representatives that would update the Children's Online Privacy Protection Act, or COPPA, which is a good acronym, with a new piece of legislation. This bill would be entitled, Protecting the Information of Our Vulnerable Children and Youth Act. Not recognizing the acronym here unless you make the PR in protecting... 

Dave Bittner: Privacy - yeah. Kids... 

Ben Yelin: Then it would be... 

Dave Bittner: They're calling it the kids' PRIVCY (ph) Act, yeah. 

Ben Yelin: It's pretty good. 

Dave Bittner: (Laughter). 

Ben Yelin: It's a bit of a stretch because you'd have to include the P and R in protecting. 

Dave Bittner: Start having a leaderboard on these acronyms so we can have a rating system. 

Ben Yelin: There's got to be a job in the Congressional Research Service of... 

Dave Bittner: Right. 

Ben Yelin: ...The person who makes the acronyms. 

Dave Bittner: Right. 

Ben Yelin: And let's just say that's my dream job. 

Dave Bittner: There you go. There you go (laughter). 

Ben Yelin: And if anybody listening wants to hire me for that job, I'm certainly... 

Dave Bittner: Just quick aside - early on in my career, I did some contract work for the U.S. Postal Service where they had some video communication stuff. And there was - I was talking to a guy who was just enamored with one of his colleagues who was the most gifted person in the U.S. Postal Service when it came to drawing out ZIP codes. 

Ben Yelin: Ah, yes. 

Dave Bittner: Ah, this guy - boy, he can just - he can... 

Ben Yelin: Talk about a specialized skill. Yeah. 

Dave Bittner: He can draw. He can map out a ZIP code like nobody else. And I just think about, you know, one person, as you say, in Congress whose job it is to - you can throw anything at them, and they can come up with a good acronym. At any rate, I digress. Your story this week, Ben (laughter). 

Ben Yelin: We digress. So this new legislation would expand COPPA to include teenagers under 18. The current law only applies to people under the age of 13, and the rules would also apply to every site that children and teens use. We have this problem now where the rules intending to protect online privacy for children don't apply to sites where people under 13 are not allowed. That includes the major social media sites, like Instagram and Facebook. 

Dave Bittner: Right. 

Ben Yelin: I don't know if you're aware, Dave, but let's just say those rules aren't exactly meticulously followed. 

Dave Bittner: (Laughter) Yes. 

Ben Yelin: There are a lot of people 12 and under who do go on Facebook and Instagram, aren't truthful in, you know, filling out information when they're setting up an account. And the justification of this law is that those individuals deserve the protection of the law, as well, especially if we're admitting that they're going to be on these websites. 

Dave Bittner: OK. 

Ben Yelin: And the companies themselves admit that children younger than 13 are using their services. 

Dave Bittner: OK. 

Ben Yelin: And they're simply just lying so they can have, you know, fun Facebook and Instagram interactions. 

Dave Bittner: Right. 

Ben Yelin: So the bill would direct the FTC to set up a new division to focus on youth privacy and marketing and would allow the agency to pursue punitive damages against some of these big companies, like the Googles of the world, if they try to target advertising to young children and if they try to collect data for the purposes of advertising on children younger than 18 in this bill. 

Ben Yelin: I think the impetus of this bill is that the previous law is sort of outdated. And it's outdated because it doesn't recognize the reality that people younger than 13 are using these social media sites, and it also doesn't recognize that, you know, people in the 13- to 18-year-old age range are still vulnerable. There still should be some level of protection for their privacy. They are not as able as adults to make decisions about protecting their own information, so they deserve the protection of the law. 

Ben Yelin: And this bill is supported by a bunch of advocacy organizations that have the mission of protecting kids online. They talked about Fairplay, Center for Digital Democracy, Common Sense Media, et cetera. 

Ben Yelin: I think the tech companies have seen that the writing is on the wall for this. You know, they've created special applications for the use of children under the age of 13 where they aren't collecting data and they aren't, you know, developing targeted advertising - so for example, Facebook Messenger Kids, YouTube Kids, both of which are items that my kids or my oldest kid, unfortunately, uses. But they are geared for kids. 

Dave Bittner: Right. 

Ben Yelin: And they are set up in a way that you don't see the type of mass data collection that they engage in for adults. You know, I think the reason we would need a law is that these policies don't go far enough. You know, there was a hearing in Congress this past March with a bunch of Silicon Valley executives where members of Congress were talking about these instances where child safety and privacy had been violated. And, you know, they talked about recognizing the reality that kids under 13 are on these social media sites and do merit protection. 

Ben Yelin: There's a similar bill that's been proposed in the Senate on a bipartisan basis by Senator Markey of Massachusetts and Cassidy of Louisiana. That law would do something similar to the law being proposed in the House. So I think that you are going to see a concentrated effort to try and change regulations to better protect young people in this country. 

Dave Bittner: Yeah. It's just interesting. I guess my initial reaction to this - of course, I'm all for limiting the amount of tracking that these big social media companies can use. I wonder how effective something like this will be because it seems like they always find a workaround or a way to do it anyway. 

Dave Bittner: But I also wonder, as someone who has a teenager and has had another teenager who's now no longer a teenager, how - I don't know how much of a problem I have with somebody putting an ad for sneakers in front of my 16-year-old. I guess it's the hyper targeting that we are taking issue with here and the collection of data about them to be able to place those ads. 

Ben Yelin: Yeah, I think that's a large part of it and the fact that, you know, you can't really get - you can get meaningful consent from adults at least theoretically... 

Dave Bittner: Right. 

Ben Yelin: ...To have this information collected. And you can't really get that from people who are minors just because they're not as capable of making an informed decision. And, you know, most of the decisions we have to make to protect our personal privacy are opt-out decisions, meaning you actually have to actively go into an application and say, you know, don't track my interactions. Don't collect my data for advertising purposes. And people who are underage are just less able to make those kinds of decisions. 

Ben Yelin: But, I mean, I agree with you on principle that, like - is it that much of a concern that there is targeted advertisements to, you know, people aged 13 through 18? It's not the biggest problem in the world to me, but I can understand why you would want to expand the protection of this previous legislation. You know, I think you're recognizing that people who are 16 and 17 are still largely kids. 

Dave Bittner: Right. 

Ben Yelin: You recognize that in areas of the law. And, you know, you're doing more than just changing the age range here. You know, you are setting up a division of the FTC to actively engage in an effort to root out the exploitation of youth in a bunch of different circumstances. 

Dave Bittner: Yeah. 

Ben Yelin: So, you know, it's more than just a technical change to the age limit. It's also a broader policy to try and root out privacy violations. 

Dave Bittner: And I suppose, I mean, this also relies on the teenagers themselves being honest when they create their accounts. And I have - you know, I mean... 

Ben Yelin: Teenagers are well-known for being honest. 

Dave Bittner: Right. Well, I'm just thinking of, you know, the young teenage boy or girl who finds themselves at the entrance to some sort of porn site that says, are you 18? Yes. Yes, I am. Yes, I am totally 18. 

Ben Yelin: Yeah. 

Dave Bittner: And let me - and that's all it takes, right? So I suppose, you know, without any sort of age verification, which the social media companies have resisted strongly... 

Ben Yelin: Right, and understandably. I mean... 

Dave Bittner: Yeah. 

Ben Yelin: You want as many people as possible. Yeah. 

Dave Bittner: I mean, it's a burden. But, yeah, I guess I can understand the impulse of a teenager to want to act older than they are, right? 

Ben Yelin: Yes. 

Dave Bittner: I think we've all been there. And so if there's no penalty for being found out about lying about your age on Facebook or Instagram or wherever, I mean, they're going to do that. 

Ben Yelin: Right. I agree with you. I'll also point out I unfortunately have watched a good deal of YouTube Kids. The algorithm itself almost replaces the need for tracked advertising. 

Dave Bittner: Really? 

Ben Yelin: And, you know, maybe this is getting a little personal. But, like, you start on cartoons. The algorithm will lead you to unboxing videos. 

Dave Bittner: Oh. 

Ben Yelin: That means kids discover new toys that they want to buy. 

Dave Bittner: (Laughter) Right, right, right. 

Ben Yelin: So let's just say things have their way - the system is set up in a way that, you know, your kids' interests will be enhanced and developed by the algorithms in place. 

Dave Bittner: Yeah. 

Ben Yelin: That's my personal opinion. 

Dave Bittner: Yeah. 

Ben Yelin: I'm not alleging that, you know, YouTube Kids is doing that for any nefarious reason. 

Dave Bittner: Right, right. 

Ben Yelin: That's just an observation. 

Dave Bittner: Well, look. I mean, my generation grew up watching Saturday morning cartoons that were basically ads for sugary cereals and action figures. So - and we turned out just fine (laughter). 

Ben Yelin: Did you, though? I don't know. 

Dave Bittner: Yeah, that's true. We really didn't. 


Dave Bittner: All right. Well, interesting story for sure - we'll have a link to that in the show notes. 

Dave Bittner: My story this week comes from the Lawfare blog, the folks over at Lawfare. This is titled "Responsible Cyber Offense," and it's written by Perri Adams, Dave Aitel, George Perkovich and J.D. Work. And, really, what these folks are doing here is attempting to outline, I suppose, some rules of the road when it comes to offensive cyber operations, defining what that is and how you should go about that. 

Dave Bittner: I think most of us - when we think of offensive cyber operations, we think of nation-states engaging in them. And it's sort of the military analog in the cyber domain... 

Ben Yelin: Right. 

Dave Bittner: ...Where you're actually reaching out and you're doing damage. You're not - this isn't just espionage. This isn't secretly breaking into someone's system to gather information, to listen in, to find out what they're doing. This is reaching out, making your way into a system and then trying to hurt it, to erase data or corrupt data or so on and so forth. 

Dave Bittner: Obviously, this is problematic if, for example, a private company starts to do this sort of thing. And it is currently prohibited that private companies do this sort of thing for... 

Ben Yelin: Yep. 

Dave Bittner: I think the reasons are obvious. In the same way that, you know, if my neighbor comes and - I don't know - you know, steals my favorite lawn ornament off my lawn, I can't go over and burn down his house, right? 

Ben Yelin: As much as you'd want to, no. 

Dave Bittner: (Laughter) Right. Right. 

Ben Yelin: The law does not allow for that. 

Dave Bittner: No, you have - you know, you think you have to - you can't take the law into your own hands. And basically, that's what... 

Ben Yelin: Even in Florida. 

Dave Bittner: Even in Florida - and that's what offensive cyber operations could end up being, particularly when in the hands of private individuals. 

Dave Bittner: So what this article does is they outline some of the elements that they consider to be responsible offensive behavior - things like testing your tools before using them, avoiding indiscriminate targeting, prohibiting targets throughout the operational life cycle, constraining automation, because things can spin out of control, to preventing criminal and third-party access to backdoors and responsible operation, design, engineering and oversight. I think these are pretty basic, straightforward things here. 

Dave Bittner: I'm curious on your take on this, Ben. I mean, the - I suppose, first of all, the need for an article like this. And then what do you think of the things that they've outlined here? 

Ben Yelin: I think it's a really interesting article, and I understand the need. I mean, the analog, as you say, is conventional warfare, and we do have rules of engagement that have been negotiated in international treaties. I mean, that's what the Geneva Convention is. I think the idea here being presented in that paper is that we have to adopt some of those principles (inaudible) than it is to just have standard rules of engagement for actual war and combat for a number of reasons. 

Ben Yelin: One is that it seems like the most hostile nation-states are loath to admit that they're behind some of the most prominent cyberattacks, and they're willing to, you know, have nonstate actors be forward-facing and take the blame for the attacks. 

Dave Bittner: Right. 

Ben Yelin: And they're trying to disclaim responsibility. And I don't know why they would ever have incentive not to do that, you know, unless we escalate our own cyber-espionage and bring them to the table with our own offensive actions. And that would sort of violate what we're trying to get across in this entire effort anyway and trying to minimize the damage of cyber incidents and not, you know, escalate into an all-out cyber war. So, you know, that's one problem. 

Ben Yelin: And then, you know, so many cybercrimes are not really traceable to a single nation-state. You know, luckily for some of the major cyberattacks that we've had over the past several months - SolarWinds and the Microsoft Exchange incident - we have been able to trace them at least to the country of origin. That's not always going to be the case. 

Dave Bittner: Right. 

Ben Yelin: And sometimes we're going to get things wrong. I just don't think it's as well-situated for the type of diplomatic agreement that conventional warfare is. So I guess my position is that I admire the effort. I think it's a worthy goal, but I'm just very skeptical that we're going to get to the point where we have these sort of standardized rules of engagement for cyber-espionage... 

Dave Bittner: Yeah. 

Ben Yelin: ...And offensive cyber operations. And I guess I'll be happy when I see it. 

Dave Bittner: Yeah. You know, just earlier this week, I was speaking with an expert on Russian relations, you know, in the cyber realm, and they made the point that one of the challenges here is that Russia still denies that they even have any offensive cybercapabilities. 

Ben Yelin: What, us? Oh, yeah. 

Dave Bittner: Yeah, exactly. Exactly. So how do you proceed from there? If your adversary's position is, we don't even have those capabilities, then how do you negotiate the limitations on them if that's your point of departure for your conversation? 

Ben Yelin: Yeah, I mean, I also think that it could represent kind of an outdated view on diplomacy in general. I mean, we used to have a series of superpowers in the world. It was easy to get everybody at the table, even if they were our adversaries. You know, there were reasons where we could have diplomatic agreements - for example, during the Cold War with the Soviet Union. 

Dave Bittner: Right. 

Ben Yelin: Because they were well-organized. You know, they were - you're less able with the technology available at the time to hide your true intentions, to funnel your operations through somebody else. And, you know, you had mutually assured destruction. So you had some sort of incentive to try to negotiate. 

Dave Bittner: Right. 

Ben Yelin: Even going outside the cyber realm, when we're talking about the last 20 years, like, the war on terrorism has been about non-nation-states who, you know, aren't the type of groups or organizations that are going to engage in international diplomacy. And we've had to react to those threats not through diplomacy, but, for better or worse, through, you know, our own offensive operations. 

Dave Bittner: Right. 

Ben Yelin: So even in the non-cyber world, I'm wondering if this type of approach might just not realistically address the threats that exist right now, even though I wish it did. I'm just not sure that it does. 

Dave Bittner: Yeah. Yeah. Well, it's an interesting article. Definitely worth a read. Again, it's over on the Lawfare blog. It's titled "Responsible Cyber Offense," and we'll have a link to that in the show notes. 

Dave Bittner: If you have a question for us, we would love to hear from you. You can email us at 

Dave Bittner: Ben, I recently had the pleasure of speaking with Jamil Jaffer. He is from IronNet Cybersecurity. And we were discussing some of the key takeaways from President Biden's executive order on cybersecurity. Here's my conversation with Jamil Jaffer. 

Jamil Jaffer: Look; I think Biden clearly was going to put together a superstar cyber team, and he's done that. If you look at across the board, whether you start with General Paul Nakasone at Cyber Command and NSA - Rob Joyce is the head of - the cybersecurity director at NSA. You've got Anne Neuberger in the White House. You've got Jen Easterly at CISA, you know, Chris Inglis at national cyber director. I mean, you could not put together a better team of cyber experts - not to mention Jake Sullivan at the top of the National Security Council. I mean, this is really, in a lot of ways, the elite cyber team when it comes to defending the nation in this arena. 

Dave Bittner: And from what we've seen so far from the administration and the amount of attention that they're focusing on cybersecurity, does it fit the bill here? Are you in alignment with how they've handled it so far? 

Jamil Jaffer: Yeah. Look; I mean, they've obviously taken a lot of interest in the issue. You've heard the president talk about it a number of times, whether at press conferences or the like. You've seen two executive orders. You've seen, like I said, these great appointments. 

Jamil Jaffer: I think one of the challenges that they're facing, to be candid with you, is, you know, we've seen an onslaught of cyber hacks and cyberattacks against American infrastructure. I like to differentiate between hacks, which are sort of the things I think about when, you know, you go after a system and you try to take out data, remove it and utilize it, surveillance-type stuff, IP theft - right? - versus what I call a cyberattack, where you're actually trying to engage in destroying data, manipulating data, modifying data, taking systems offline. You know, oftentimes, we talk about cyberattacks as being both those things, but that's probably an understatement. 

Jamil Jaffer: And they have faced an onslaught of both, right? We saw the SolarStorm attacks against American infrastructure towards the end of last year as they began to take office. We saw the Microsoft Exchange hacks by the Chinese. The SolarStorm was the Russians. We've seen now a series of ransomware attacks, including attacks where systems were compromised and made nonfunctional for a period of time against critical infrastructure - Colonial Pipeline, key, you know, providers, JBS, the meat supplier, you know, supply chain attacks through Kaseya, the cybersecurity provider. 

Jamil Jaffer: So we've seen a lot going on, and the Biden administration has really gone out of their way to be forward-leaning about it. I mean, the president raised it with Vladimir Putin at their summit recently. But let's also be candid. We haven't seen a big neckdown in attacks. The attacks and the hacks have continued, if not sped up and gotten more problematic. 

Jamil Jaffer: And so I think the administration is working on it. But have they hit success yet? I think they would tell you they're still struggling to find that key thing that will deter these hacks and these attacks and be an effective response. 

Dave Bittner: What do you suppose they have at their disposal? What are the dials they can turn in terms of international diplomacy to make a difference there? 

Jamil Jaffer: That's a great - it's a great question. I think there are three primary things they can do. One is on the defensive side, right? So, you know, we've talked for a long time - and you heard the Cyberspace Solarium Commission last year in March during the middle of COVID come out with a report saying, you know, we defend in this country and, frankly, with our allies in too much of an individualized way. Each individual company, each individual government agency is going up against the Russians, the Chinese, the Iranians, the North Koreans. It's not effective. 

Jamil Jaffer: We've got to defend collectively. We've got to bring government agencies together. We got to bring private industry companies together, industries together, industry with the government and, frankly, our government with allied governments to really defend the nation and defend our allies in cyberspace. We don't do that. And the Cyberspace Solarium Commission talked about that piece of defensive side, which really is critical. So that's one thing they could do on the defensive side is really create a collective and collaborative defense capability. 

Jamil Jaffer: On the more offensive side, obviously, you could take the fight more to the enemy, to our adversaries. We've heard, allegedly, that the U.S. government has punched back potentially in the cyber realm, but we haven't seen it done publicly, right? And we haven't seen a real offensive capability leveraged against our enemies and cost extracted from them. And so I think you've got to do that, you know, if you want to deter people, and you've got to do it in a public way if you're going to deter others. 

Jamil Jaffer: And then finally, you know, I think the third way that the administration can have an effect is international norms - right? - working with our allies and those who agree with us to create standards of behavior in cyberspace that we can then press upon our adversaries. 

Jamil Jaffer: Now, of course, the challenge there - you've seen some great work on that space. You saw the recent statements just this past week from the EU, from NATO, from the United States. But the challenge there is, you know, talk is cheap, right? Words are good and norms are good when you put them on paper, but they only work if you enforce them and you use that offensive capability to extract costs when norms aren't met. 

Jamil Jaffer: And so, you know, we've got to do more on that front. I think there's more work to be done on the offensive side and on the defensive side to really create this collective and collaborative defense capability. So if we brought those three things together, I think the administration, which is thinking about all of these things and actively discussing them, you know, could have some real success. 

Dave Bittner: You know, as you and I are recording this, just recently, the White House put out a memorandum on protecting industrial control systems. And one of the things that that memorandum pointed out was that, you know, next steps could include Congress taking it to the next level of actually, you know, putting together legislation. It strikes me that cybersecurity remains one of the few things where it seems as though there is true, good-faith bipartisan support. 

Dave Bittner: First of all, do you think that's so? And is that going to make an easier path for this White House to move things forward with cyber? 

Jamil Jaffer: I think so. I mean, I think that both parties recognize the challenges we face in this arena. You know, we saw President Bush back a long time ago create the National Cyber Security Initiative, and so that was the beginning of this. The Obama administration did a lot in this space. The Trump administration definitely got more aggressive in the cyber domain. And the Biden administration has continued that effort. And Congress at times has taken action. You saw in 2015 the creation of the Cyber Information Sharing Act. That was a good move. That was legislation that I worked on back in 2011 when I was - when I worked for the chairman of the House Intelligence Committee, Chairman Mike Rogers. 

Jamil Jaffer: And so there's been a lot done in this space. But could there be more? Absolutely. But could there also be bad choices made by Congress and the executive branch in this space? There could be. You know, there's been a lot of talk about the need to regulate in the cyber domain. There's been a lot of talk about the need to impose new requirements. And, you know, I tend to be of the view that one of the challenges we have in the cyber domain is, you know, there's a real lack of information flowing between the government and industry. There's a real lack of collaboration. I think we need to fix that problem first before we try to go after regulation. 

Jamil Jaffer: I mean, look; the government is not particularly good at understanding technology itself internally, much less externally. The idea that, you know, one of our regulatory agencies or one of the regulatory bodies of the government could set smart regulations for cybersecurity and then update them as quickly as needed to keep up with technology seems to me pretty unlikely. And so I think before we reach that regulatory stick, we should really reach for, you know, smart carrots, smart incentives, and really create what the Cyberspace Solarium Commission called for, this collaborative and collective cyberdefense, and see if that works, see if that solves the challenges we see in cybersecurity. 

Jamil Jaffer: People talk about a market failure in cybersecurity. It's not a market failure if the market lacks information, right? That's something you'd fix through more information, more collaboration. Then - and if then there's still a problem in cybersecurity, then we can talk about market failures and the need for regulation, in my view. And then - even then, you've got to be sure, can Congress do it right and update it effectively? And, you know, I mean, that's still to be seen. 

Dave Bittner: You know, my sense is that we've certainly seen more outreach from a lot of the organizations. You know, NSA is being a lot more public and collaborative than I think they've been in the past, even things like seeing folks like Jen Easterly communicating out on social media, like Twitter. You know, I think all of these things are helpful. How do we be sure that they aren't just window dressing? 

Jamil Jaffer: Look; that's a great question. I mean, look; I know Jen Easterly personally. I've known her for years, since she ran the counterterrorism mission management center at NSA. She is a doer; she is not a talker. It's been great that she's been out there publicly on Twitter talking about the work that she's doing, the work - the important work that CISA does. That's an important part of that dialogue with the American public. 

Jamil Jaffer: At the same time, again, you know, it's - action's critical. And so, you know, we've seen executive orders. We've seen some talk within the government about what they're going to do. We've seen some great appointments. But at the end of the day, until our adversaries realize that we are getting fed up and tired of this and we're going to do something about it, then they're going to feel some pain, the way they're making us feel pain, whether that's China through IP theft or Russia through ransomware or, you know, Russian proxy actors through ransomware, frankly. You know, until they feel pain, they're going to keep doing it. They're going to continue to test our boundaries. It's like having a kid, you know? 

Dave Bittner: (Laughter). 

Jamil Jaffer: If you set boundaries for your kid, if you don't enforce them, they learn they can get away with it, and they test your boundaries. And, you know, again, I'm not trying to be dismissive of any of our adversaries. They're very serious and very professional - the Russians, the Chinese, the Iranians and North Koreans. But discipline matters, and punching back and being tough matters. And this administration, you know, has the kind of people who understand how to do that - Paul Nakasone, Jen Easterly, Rob Joyce, Chris Inglis. These people know how to get tough with the adversary. We got to free them up to do it. 

Dave Bittner: All right, Ben, what do you think? 

Ben Yelin: Really interesting interview. I, you know, think the Biden administration has gotten off to a good start on cyber policy. I think their appointments have been well-recognized across the political spectrum, and I think the executive order was relatively well-received. And, you know, I'm just kind of curious to see, as new threats continue to emerge, how the administration and their experienced personnel are going to react. But I thought it was an interesting conversation. 

Dave Bittner: Yeah, yeah. I agree. I think - particularly interesting. I think Jamil rightly points out that, you know, this administration has been putting really well-qualified people in place, and because of that, they've really - they've gone through without much controversy. There's been bipartisan support for the folks that they've been putting in these particular positions. So that's a good sign. 

Ben Yelin: Yeah, I think so, too. I mean, nominating somebody, for example, like Chris Inglis, who has worked in the administrations of both parties, somebody who understands the full range of threats in the cyber realm and, you know, somebody who's worked in the National Security Agency - I just think, you know, they have made some good personnel decisions. I'm encouraged by it, and I hope it pays off for us. 

Dave Bittner: Yeah. All right. Well, our thanks to Jamil Jaffer from IronNet Cybersecurity for joining us. We do appreciate him taking the time. 

Dave Bittner: And that is our show. We want to thank all of you for listening. 

Dave Bittner: The "Caveat" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Ben Yelin: And I'm Ben Yelin. 

Dave Bittner: Thanks for listening.