The Cyberlaw Podcast: NSO on the Hot Seat

Stewart Baker
Tuesday, November 9, 2021, 10:58 AM

Published by The Lawfare Institute
in Cooperation With

We’re joined for this episode by Scott Shapiro, long-time listener and first-time panelist, not to mention our first philosopher. He breaks down the Biden administration sanctions on four offensive cyber firms, most notably the Israeli company, NSO. Imposing Commerce Department “entity list” sanctions on companies from friendly countries for human rights abuses is a departure from historical practice, and exactly how it will work out remains uncertain. The sanctions are not a death penalty for companies like NSO, we conclude, since U.S. companies can still buy their services even if they can’t sell NSO anything more sophisticated than toilet paper.

The Pentagon is a bastion of top-down cybersecurity regulation. In theory, that’s what the Cybersecurity Maturity Model Certification program was all about—comprehensive and mandatory cybersecurity regulation for defense contractors. But as Nate Jones describes it, the Department of Defense’s effort to actually put the regulations in place are a cautionary tale. The Pentagon has revamped and delayed its standards again. The new proposal may well be more workable and less bureaucratic than the last, but it also pushes the day of reckoning for contractors years into the future.

Jamil Jaffer thinks the good guys may have won another battle with ransomware gangs, but it’s probably too soon to tell. On the heels of REvil claiming to be out of business,  DarkMatter is making similar noises. But we won’t know for sure until the gangs have gone quiet for more than a couple of months.

Decoupling is still proceeding apace, as Yahoo surprises us all by announcing that it’s pulling out of China. (I’d forgotten they were still in.) 

Jamil and Nate note that GitHub is the last big Western web company left in China. And even for GitHub, the ice appears to be cracking under its feet. 

Scott takes us deep into jurisprudential philosophy in covering the ACLU’s threepeated loss as it argued a first amendment right to read classified FISA court opinions. It may be a first for our podcast to reference Marbury v. Madison, and it’s certainly a first to raise questions about whether it was correctly decided! Jamil also gives us a quick assessment of what Justice Gorsuch’s willingness to take the case tells us about his future role in national security cases.

Nate and I give the backs of our hand to legislative proposals to expand from “Five Eyes” to ‘Nine. I make the argument that we’re really down to Three.

Clearview AI took a beating down under for breaching Australians' privacy law. Nate is short on sympathy. He thinks a more responsible set of actors might have prevented the toxification of face recognition. I argue that the toxification came first, and the dearth of big respectable face recognition firms came later. As witness Facebook being driven from the market by a $650m award under the Illinois Biometric Privacy Act.

In quick hits:

  • For old time’s sake, Nate and I clash over lefty efforts to define a lack of enthusiasm for climate-based regulation as “digital hate.”
  • Jamil and I offer qualified endorsements of the State Department’s new cyber bureau.
  • I namecheck podcast regular Paul Rosenzweig and others for a thoughtful report on Chinese platforms in the United States. 
  • I see some good news for cybersecurity in the Cybersecurity and Infrastructure Security Agency’s latest Binding Operational Directive mandating that federal agencies we know are being exploited right now. I note that the directive is addressed to federal agencies to quickly patch vulnerabilities but aimed quite deliberately at private owners of critical infrastructure. Don’t say you weren’t warned!

Download the 382nd Episode (mp3) 

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Stewart A. Baker is a partner in the Washington office of Steptoe & Johnson LLP. He returned to the firm following 3½ years at the Department of Homeland Security as its first Assistant Secretary for Policy. He earlier served as general counsel of the National Security Agency.

Subscribe to Lawfare