The Cyberlaw Podcast: The FTC Jumps Into Log4j Cleanup With One Foot

Stewart Baker
Thursday, January 13, 2022, 9:20 AM

Published by The Lawfare Institute
in Cooperation With

 The Federal Trade Commission’s (FTC) other foot, I argue, is lodged firmly in its mouth. Tatyana Bolton defends the agency, which released what can only be described as a regulatory blog post in response to the log4j vulnerability, invoking the $700 million in fines imposed on Equifax to threatening “to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j.” She stresses that this is the best way to get companies to patch quickly and notes that only “reasonable steps” are required. I think we’ll hear that a lot from the FTC, now that it turns out that fixing the Log4j mess is going to require a lot more that regulatory flexing. Especially, since the FTC’s blog post seems to pull back from its tough-guy pose when talking about the open source maintainers who actually have to do much of the patch generation; unlike the companies it threatened with wrath, the FTC understands that open source coders “don’t always have adequate resources and personnel,” something the FTC “will consider as we work to address the root issues that endanger user security.”

Speaking of fallible regulators, Glenn Gerstell gives us a tour of China’s tech regulatory landscape, and the remarkable decline in the fortunes of consumer tech firms in that country, as the New York Times covered in detail last week. Is that good news for Silicon Valley or U.S. competitiveness? Sadly, probably not, I conclude.

Mark MacCarthy explains why the proposal to marry cryptocurrency to Signal is causing angst among Signal’s supporters about the end-to-end encrypted service’s ”regulatory attack surface.”

Glenn covers the latest story about security risks and telecom gear from China.

Mark and I dig into the growing enthusiasm for regulating big Silicon Valley companies as gatekeepers. The Germans are about to apply that approach to Google. And the South Koreans are doing the same to Apple and its app store payment policies.

Tatyana notes the press coverage about possible tensions between two talented and strong cybersecurity officials in the White House: Anne Neuberger and Chris Inglis. I put Glenn on the spot about claims that Anne has “a particular tendency to clash with lawyers.” That would only make me love her more, but Glenn (who, as the National Security Agency’s top lawyer, worked with her for years) absolves her of the charge.  

Mark and I handicap the probability that the plaintiff will succeed in a highly charged lawsuit against Facebook/Meta Platforms for bringing together the boogaloo conspirators who killed a federal protective officer. It’s a long shot, but if “negligent design” turns out to create liability for software and algorithms, Signal will have an even greater attack surface than its fans are worried about.

Glenn explains the charges brought in China against Walmart for breaches of cybersecurity laws (hint: it’s mostly not breaches of cybersecurity laws). Speaking of surprises that aren’t surprises, Glenn also covers the announcement by Lloyd’s of London that cyber insurance won’t cover cyberattacks attributable to nation-states.

Finally, I devote a few minutes to rant about the Justice Department’s decision to expand charges against Joe Sullivan, Uber’s former chief information security officer, for his role in payment of “bug bounties” to hackers who looked more like crooks than bounty hunters. More than a year after charging Sullivan with obstruction of justice, the department piled on new charges of wire fraud for failing to tell Uber’s drivers about the breach. Glenn and I both question the decision to do this without any new facts to base the charges on. And I point out that the result of exposing breach response into wire fraud charges will (or should be) fatal to the FBI’s desire to be called in while companies are dealing with breaches. If the company delays notice to the public for longer than the government thinks proper, wire fraud charges start to hang heavy in the air. If so, why would any general counsel want to have an FBI agent sitting in the room for the debate about when notice to customers is required? 

Download the 389th Episode (mp3)  

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to [email protected]. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Stewart A. Baker is a partner in the Washington office of Steptoe & Johnson LLP. He returned to the firm following 3½ years at the Department of Homeland Security as its first Assistant Secretary for Policy. He earlier served as general counsel of the National Security Agency.

Subscribe to Lawfare