In this special episode of the CAFE Insider podcast, former Acting U.S. Deputy Attorney General John Carlin interviews Chris Inglis, while Preet and Joyce are out. Inglis recently served as the first U.S. National Cyber Director, in which role he advised President Biden on cybersecurity issues and helped develop a national cyber strategy. Before that, Inglis served as Deputy Director of the National Security Agency. In this excerpt from the interview, Inglis discusses the risks artificial intelligence poses for national security, including:
– The “black box problem” of AI algorithms;
– The use of AI in cyberattacks;
– The AI arms race among the United States, China, and Russia; and
– The potential use of generative AI to spread misinformation ahead of the 2024 election.
In the full interview, Inglis breaks down the job of the National Cyber Director and the Biden administration's cyber strategy.
Stay informed. For analysis of the most important legal and political issues of our time, become a member of CAFE Insider for one month for $1.00: www.cafe.com/insider. You'll get access to full episodes of the podcast, and other exclusive benefits. This podcast is brought to you by CAFE Studios and Vox Media Podcast Network. Check out other CAFE podcasts: Now & Then, Up Against The Mob. Learn more about your ad choices. Visit podcastchoices.com/adchoices
You've seen it in the headlines, and maybe you've felt it in your own life: over the last few years, cyber attacks have become more frequent and more damaging. They can also vary widely in nature, ranging from minor nuisances to national security crises. Is there anything we can do to secure ourselves – as individuals, and as a society – from these attacks? Is there any way to get ahead of the problem, given the dizzying speed of change in our digital technology? According to our two guests on this episode of Trending Globally, to answer these questions, you need to ask some much deeper questions about the role of technology in society and the relationship between governments, businesses, and individuals. Congressman Jim Langevin represented Rhode Island in the House of Representatives from 2001 until 2023. Chris Inglis served as cyber director for the Biden Administration from 2021 until this past February and as deputy director of the NSA from 2006 until 2014. In this episode, you'll hear from Chris and Jim about the future of cybersecurity, and why it's so much more than just a technological problem. This spring, Jim Langevin is leading a study group at the Watson Institute for International and Public Affairs on the issue of cybersecurity. He recently brought Chris Inglis to campus to discuss their work together, including helping to create the Biden Administration's National Cyber Strategy, which was released in March of this year.
Read a summary of the Biden Administration's National Cyber Strategy
Learn more about the Cyber Solarium Commission
Learn more about other podcasts from the Watson Institute
Transcript coming soon to our website
Kemba Walden recently took over from Chris Inglis as Acting National Cyber Director in the White House. She had been Principal Deputy Assistant National Cyber Director after serving in multiple cybersecurity positions in government and in the private sector. David Kris, Lawfare contributor and former Assistant Attorney General for the National Security Division, and Bryan Cunningham, Lawfare contributor and Executive Director of the University of California, Irvine's Cybersecurity Policy & Research Institute, sat down with Kemba to talk about the challenges and opportunities of her new role, the recently released U.S. National Cyber Strategy and the significant policy changes it announces, threats to our national and economic security from China, and a fairly long discussion of music theory.
Support this show http://supporter.acast.com/lawfare. Hosted on Acast. See acast.com/privacy for more information.
This episode of the Cyberlaw Podcast opens with a look at some genuinely weird behavior by the Bing AI chatbot – dark fantasies, professions of love, and lies on top of lies – plus the factual error that wrecked the rollout of Google's AI search bot. Chinny Sharma and Nick Weaver explain how we ended up with AI that is better at BS'ing than at accurately conveying facts. This leads me to propose a scheme to ensure that China's autocracy never gets its AI capabilities off the ground. One thing that AI is creepily good at is faking people's voices. I try out ElevenLabs' technology in the first advertisement ever to run on the Cyberlaw Podcast. The upcoming fight over renewing section 702 of FISA has focused Congressional attention on FBI searches of 702 data, Jim Dempsey reports. That leads us to the latest compliance assessment on agencies' handling of 702 data. Chinny wonders whether the only way to save 702 will be to cut off the FBI's access – at great cost to our unified approach to terrorism intelligence. I complain that the compliance data is older than dirt. Jim and I come together around the need to provide more safeguards against political bias in the intelligence community. Nick brings us up to date on cyber issues in Ukraine, as summarized in a good Google report. He puzzles over Starlink's effort to keep providing service to Ukraine without assisting offensive military operations. Chinny does a victory lap over reports that the (still not released) national cyber strategy will recommend imposing liability on the companies that distribute tech products – a recommendation she made in a paper released last year. I cannot quite understand why Google thinks this is good for Google. Nick introduces us to modern reputation management. It involves a lot of fake news and bogus legal complaints. The Digital Millennium Copyright Act and European Union (EU) and California privacy law are the censor's favorite tools. 
What is remarkable to my mind is that a business taking so much legal risk charges so little. Jim and Chinny bring us up to date on the charm offensive being waged in Washington by TikTok's CEO and the broader debate over China's access to the personal data of Americans, including health data. Jim cites a recent Duke study, which I complain is not clear about when the data being sold is individual and when it is aggregated. Nick reminds us all that aggregate data is often easy to individualize. Finally, we make quick work of a few more stories: This week's oral argument in Gonzalez v. Google is a big deal, but we will cover it in detail once the Justices have chewed it over. If you want to know why conservatives think the whole “disinformation” scare is a scam to suppress conservative speech, look no further than the scandal over the State Department's funding of a non-governmental organization (NGO) devoted to cutting off ad revenue for “risky” purveyors of “disinformation” like Reason (presumably including the Volokh Conspiracy), Real Clear Politics, the N.Y. Post, and the Washington Examiner – all outlets that can only look like disinformation to the most biased judge. The National Endowment for Democracy has already cut off funding, but Microsoft's ad agency still seems to be boycotting these conservative outlets. EU Lawmakers are refusing to endorse the latest EU-U.S. data deal. But it is all virtue signaling. Leaving Twitter over Elon Musk's ownership turns out to be about as popular as leaving the U.S. over Trump's presidency. Chris Inglis has finished his tour of duty as national cyber director. And the Federal Trade Commission's humiliation over its effort to block Meta's acquisition of Within is complete. Meta closed the deal last week. Download 443rd Episode (mp3) You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. 
Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.
Chris Inglis has had an illustrious career in the defense of this country, serving as an Air Force general, deputy director of the National Security Agency, and most recently as the first National Cyber Director in the White House. Chris stepped down from his position last week, and he sat down for his first interview as a private citizen with David Kris, Lawfare contributor and former assistant attorney general for the National Security Division, and Bryan Cunningham, Lawfare contributor and executive director of the University of California, Irvine's Cybersecurity Policy & Research Institute. They talked about a wide range of cyber topics, including the newly minted National Cyber Strategy, protection of critical infrastructure, cyber insurance, competition in the international front, and more.
Support this show http://supporter.acast.com/lawfare. Hosted on Acast. See acast.com/privacy for more information.
On this week's Cyber Report, sponsored by Fortress Information Security, Mark Montgomery, a retired US Navy rear admiral who is the senior director of the Center on Cyber and Technology Innovation at the Foundation for the Defense of Democracies and a Cyber Solarium 2.0 executive director, discusses the outlook for cyber funding as a fractious Congress reconvenes, the impact of a possible year-long continuing resolution on cyber contractors and new starts, why America's cyber forces should be patterned after the US Special Operations Command, a look ahead to the Biden administration's National Cyber Strategy that is to be released over the coming weeks, the legacy of Chris Inglis as he prepares to step down from his tenure as the first National Cyber Director, and issues to watch over the coming year with Defense & Aerospace Report Editor Vago Muradian.
LastPass admits to severe data breach, encrypted password vaults stolen
Chris Inglis to resign as national cyber director
Comcast Xfinity accounts hacked in widespread 2FA bypass attacks
Thanks to our episode sponsor, Tines. Wondering how the world's leading security teams are figuring out how to do more with less? The answer is Tines! Tines is a hyper-flexible automation platform loved by customers like Okta, Canva, Kayak, and Coinbase. Tines enables security teams to focus on what matters most by taking care of the grunt work! Learn more at Tines.com.
For the stories behind the headlines, head to CISOseries.com.
The FBI warns of malicious advertising. A new gang makes an unwelcome appearance in the holiday season. Ukraine will receive more Starlink terminals after all. Cyber phases of the hybrid war: a view from Kyiv–the bears and their adjuncts are opportunistic agents of chaos. Caleb Barlow thinks boards of directors need to up their cyber security game. Our guest is AJ Nash from ZeroFox with a look at legislative restrictions on TikTok. And reports say that US National Cyber Director Chris Inglis is preparing to retire. We wish him the best of luck. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/244
Selected reading.
Cyber Criminals Impersonating Brands Using Search Engine Advertisement Services to Defraud Users (FBI)
A sophisticated fraud ring is waging war on commerce, using rapidly changing tactics (Signifyd)
Ukraine to Get Thousands More Starlink Antennas, Minister Says (Bloomberg)
Ukraine's Cyber Units Aim to Retain Staff, Keep Services Stable as War Enters Year Two (Wall Street Journal)
Top Biden cybersecurity adviser to step down (CNN)
Chris Inglis to resign as national cyber director (CyberScoop)
First-ever national cyber director Chris Inglis set to retire in coming months: sources (Axios)
White House cyber adviser to resign (The Hill)
Chris Inglis, Biden's top cyber adviser, plans to leave government in coming months (POLITICO)
White House Cyber Director Chris Inglis to Step Down (Bank Info Security)
Our anchors begin today's show with Bedrock Capital Founder Geoff Lewis sharing his outlook for how to play the current volatility, and Cowen Managing Director offers his top picks in semiconductors. Then, Platformer News Founder Casey Newton discusses content moderation on Twitter, and BNP Paribas Asset Management Chief Market Strategist Daniel Morris weighs in on the potential for a major tech rally. Next, CNBC's Eamon Javers sits down for an interview with White House Cyber Czar Chris Inglis, and CNBC's Frank Holland covers the turbulence hitting cloud stocks. Later, CNBC's Steve Kovach reports on iPhone demand heading into the holiday season.
The White House is reviewing how agencies work with critical infrastructure companies on cybersecurity. The new national cyber director's office is leading the study. Federal News Network's Justin Doubleday has the story.
Much of this episode is devoted to how modern networks and media are influencing what has become a major shooting war between Russia and Ukraine. Dmitri Alperovitch gives a sweeping overview. Ukraine and its president, Volodymyr Zelenskyy, clearly won the initial stages of the war in cyberspace, turning broad Western sympathy into a deeper commitment with short videos from downtown Kyiv at a time when Zelenskyy was expected to be racing for the border. The narrative of determined Ukrainian resistance and hapless Russian arrogance was set in cement by the end of the week, and Zelenskyy's ability to casually dial in to EU ministers' meetings (and just as casually say that this might be the last time the ministers saw him alive) changed official Europe's view of the conflict permanently. Putin's failure to seize Ukraine's capital and telecom facilities in the first day of the fight may mean a long, grinding conflict. Russia is doing its best to control the narrative on Russian networks by throttling Facebook, Twitter and other Western media. And it's essentially telling those companies that they need to distribute pro-Russian media in the West if they want a future in Russia. Dmitri believes that that's not a price Silicon Valley will pay for access to a country where every other bank and company is already off-limits due to Western sanctions. Jane Bambauer weighs in with the details of Russia's narrative-control efforts—and their failure. And what about the cyberattacks that press coverage led us to expect in this conflict between two technically capable adversaries? Nate Jones and Dmitri agree that, while network wiping and ransomware have occurred, their impact on the battle has not been obvious. Russia seems not to have sent its A-team to take down any of Ukraine's critical infrastructure. 
Meanwhile, as Western nations pledge more weapons and more sanctions, Russian cyber reprisals have been scarce, perhaps because Western counter-reprisals are clearly being held in reserve. All that said, and despite unprecedented financial sanctions and export control measures, initiative in the conflict remains with Putin, and none of the panel is looking forward to finding out how Putin will react to Russia's early humiliations in cyberspace and on the battlefield. In other tech news, the EU has not exactly turned over a new leaf when it comes to milking national security for competitive advantage over U.S. industry. Nate and Jane unpack the proposed European Data Act, best described as an effort to write a General Data Protection Regulation (GDPR) for non-personal data. And, as always, as a European effort to regulate a European tech industry into existence. Nate and I dig into a Foreign Affairs op-ed by Chris Inglis, the Biden administration's National Cyber Director. It calls for a new Cyber Social Contract between government and industry. I CTRL-F for “regulation” and don't find the word, likely thanks to White House copy editors, but the op-ed clearly thinks that more regulation is the key to ensuring public-private cooperation. Jane reprises a story from the estimable “Rest of World” tech site. It turns out that corrupt and abusive companies and governments have better tools for controlling their image than Vladimir Putin—all thanks to the European Parliament and the U.S. Congress, which approved GDPR and the Digital Millennium Copyright Act respectively. These turn out to be great tools for suppressing stories that make third-world big shots uncomfortable. I remind the audience once again that Privacy mainly Protects the Privileged and the Powerful. In closing, Jane and I catch up on the IRS's latest position on face recognition—and the wrongheadedness of the NGOs campaigning against the technology. 
Download the 396th Episode (mp3) You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.
An interesting proposal appeared this week in an article penned by Chris Inglis, US National Cyber Director, and Harry Krejsa. In it, a suggestion is made for a new cyber social contract to help build trust and security with the public. We discuss this story and more in this week's Rundown. For show notes, please visit: https://gestaltit.com/
Adam Segal, Ira A. Lipman chair in emerging technologies and national security and director of the Digital and Cyberspace Policy Program at CFR, leads a conversation on cyberspace and U.S.-China relations. FASKIANOS: Welcome to the first session of the Winter/Spring 2022 CFR Academic Webinar Series. I'm Irina Faskianos, vice president of the National Program and Outreach here at CFR. Today's discussion is on the record, and the video and transcript will be available on our website, CFR.org/academic. As always, CFR takes no institutional positions on matters of policy. We are delighted to have Adam Segal with us to discuss cyberspace and U.S.-China relations. Adam Segal is CFR's Ira A. Lipman chair in emerging technologies and national security and director of the Council's Digital and Cyberspace Policy program. Previously, he served as an arms control analyst for the China Project at the Union of Concerned Scientists. He has been a visiting scholar at Stanford University's Hoover Institution, MIT's Center for International Studies, the Shanghai Academy of Social Sciences, and Tsinghua University in Beijing. And he's taught courses at Vassar College and Columbia University. Dr. Segal currently writes for the CFR blog, Net Politics—you should all sign up for those alerts, if you haven't already. And he is the author several books, including his latest, The Hacked World Order: How Nations Fight, Trade, Maneuver, and Manipulate in the Digital Age. So, Adam, thanks very much for being with us. We can begin with a very broad brush at cyberspace, the role cyberspace plays in U.S.-China relations, and have you make a few comments on the salient points. And then we'll open it up to the group for questions. SEGAL: Great. Irina, thanks very much. And thanks, everyone, for joining us this afternoon. I'm looking forward to the questions and the discussion. So broadly, I'm going to argue that the U.S. 
and China have the most far-reaching competition in cyberspace of any countries. And that competition goes all the way from the chip level to the rules of the road. So global governance all the way down the to the chips that we have in all of our phones. Coincidentally, and nicely timed, last week the Washington Post did a survey of their network of cyber experts about who was the greater threat to the United States, China or Russia. And it was actually almost exactly evenly split—forty to thirty-nine. But I, not surprisingly, fell into the China school. And my thinking is caught very nicely by a quote from Rob Joyce, who's a director at the National Security Agency, that Russia is like a hurricane while China is like climate change. So Russia causes sudden, kind of unpredictable damage. But China represents a long-term strategic threat. When we think about cyberspace, I think it's good to think about why it matters to both sides. And on the Chinese side, I think there are four primary concerns. The first is domestic stability, right? So China is worried that the outside internet will influence domestic stability and regime legitimacy. And so that's why it's built an incredibly sophisticated system for controlling information inside of China that relies both on technology, and intermediate liability, and other types of regulation. China is worried about technological dependence on other players, in particular the U.S., for semiconductors, network equipment, and other technologies. And they see cybersecurity as a way of reducing that technology. China has legitimate cybersecurity concerns like every other country. They're worried about attacks on their networks. And the Snowden revelations from the—Edward Snowden, the former NSA contractor—show that the U.S. has significant cyber capabilities, and it has attacked and exploited vulnerabilities inside of China. 
And while the Chinese might have used to think that they were less vulnerable to cyberattacks given the shape of the Chinese network in the past, I think that probably changed around 2014-2015, especially as the Chinese economy has become increasingly dependent on ecommerce and digital technology. It's now—GDP is about a third dependent on digital technology. So they're worried about the same types of attacks the United States is worried about. And then, fourth and finally, China does not want the United States to be able to kind of define the rules of the road globally on cyber, create containing alliances around digital or cyber issues, and wants to constrain the ability of the U.S. to freely maneuver in cyberspace. Those are China's views. The U.S. has stated that it's working for a free, open, global, and interoperable internet, or an interoperable cyberspace. But when it looks at China, it has a number of specific concerns. The first is Chinese cyber operations, in particular Chinese espionage, and in particular from that Chinese industrial espionage, right? So the Chinese are known for being the most prolific operators, stealing intellectual property. But they're also hacking into political networks, going after think tanks, hacking activists—Uighur activists, Tibetan activists, Taiwanese independence activists. We know they're entering into networks to prepare the battlefield, right, so to map critical infrastructure in case there is a kinetic conflict with the United States—perhaps in the South China Sea or over the Taiwan Strait—and they want to be able to deter the U.S., or perhaps cause destructive attacks on the U.S. homeland, or U.S. bases in South Korea, or Japan. The U.S. is also extremely concerned about the global expansion of Chinese tech firms and Chinese platforms, for the collection of data, right? The U.S. exploited the globalization of U.S. tech firms. Again, that was something that we learned from the Snowden documents, that the U.S. 
both had legal and extralegal measures to be able to get data from users all around the world because of their knowledge of and relationship to U.S. tech firms. And there's no reason to believe that the Chinese will not do the same. Now, we hear a lot about, you know, Huawei and the national intelligence law in China that seems to require Chinese companies to turn over data. But it would be very hard to believe that the Chinese would not want to do the same thing that the U.S. has done, which is exploit these tech platforms. And then finally, there is increasingly a framing of this debate as one over values or ideology, right? That democracies use cybertechnologies or digital technologies in a different way than China does. China's promoting digital authoritarianism, that has to do about control of information as well as surveillance. And the U.S. has really pushed back and said, you know, democracies have to describe how we're going to use these technologies. Now, the competition has played itself out both domestically and internationally. The Chinese have been incredibly active domestically. Xi Jinping declared that cybersecurity was national security. He took control of a small leadership group that became a separate commission. The Cyberspace Administration of China was established and given lots of powers on regulating cybersecurity. We had a creation of three important laws—the cybersecurity law, the data security law, and the private—personal information protection law. We see China pushing very hard on specific technologies they think are going to be important for this competition, especially AI and quantum. And we see China pushing diplomatically, partly through the idea of what's called cyber-sovereignty. 
So not the idea that internet is free and open and should be somewhat free from government regulation, but instead that cyberspace, like every other space, is going to be regulated, and that states should be free to do it as they see fit, as fits their own political and social characteristics, and they should not be criticized by other states. They promoted this view through U.N. organizations in particular. And they've been working with the Russians to have a kind of treaty on information and communication technologies that would include not only cybersecurity, but their concerns about content and the free flow of information. The U.S. right now is essentially continuing a policy that was started under the Trump administration. So part of that is to try and stop the flow of technology to Chinese firms, and in particular to handicap and damage Huawei, the Chinese telecom supplier, to put pressure on friends to not use Huawei. But the most important thing it did was put Huawei on an entity list, which cut it off from semiconductors, most importantly from Taiwan Semiconductor, which has really hurt the Huawei of products. The U.S. tried to come to an agreement about—with China about what types of espionage are considered legitimate. And not surprisingly, the U.S. said there was good hacking and bad hacking. And the good hacking is the type of hacking that the U.S. tends to do, and the bad hacking is the type of hacking that the Chinese tend to do. So, basically the argument was, well, all states were going to conduct political and military espionage, but industrial espionage should be beyond the pale. Or if you put it—you can think of it as the way President Obama put it, you can hack into my iPhone to get secrets about what I'm discussing with my Cabinet, but you can't hack into Apple to get the secrets about how iPhones are made to give to Huawei. 
There was an agreement formed in 2015, where both sides said they weren't going to engage in industrial espionage—cyber industrial espionage. For about a year and a half, that agreement seemed to hold. And then it—and then it fell apart. The Chinese are engaged in that activity again. And as a result, the U.S. has once again started indicting Chinese hackers, trying to create—enforce that norm through indictments and naming and shaming. The U.S. probably also—although I have no evidence of it—has engaged in disrupting Chinese hackers. So we know under the Trump administration, Cyber Command moved to a more forward-leaning posture, called defending forward or persistent engagement. We've heard about some of those operations against Russian or Iranian actors. John Bolton, before he left the NSC, suggested they were getting used against Chinese cyberhackers as well. So what comes next? And it's often hard, if not impossible, to end cyber talks on a positive note, but I will try. So I think from a U.S. perspective, clearly the kind of tech pressure, not only of Huawei but on a broader range of companies, is going to continue. The Biden administration has shown no signal that it is going to roll any of that back. And it's actually expanded it, to more companies working on quantum and other technologies. The Biden administration has worked much more actively than the Trump administration on building alliances around cybersecurity. So in particular, the tech and trade competition group with the Europeans and the quad, with Australia, India, and Japan all have discussions on cybersecurity norms. So how do you actually start imposing them? Now, where you would hope that the U.S. and China would start talking to each other, again, is where I hope the Biden administration can eventually get to. So there were some very brief discussions in the Obama administration. The Trump administration had one round of talks, but those were not particularly useful. 
The Chinese were very unwilling to bring people from the People's Liberation Army to actually kind of talk about operations, and generally were in denial about that they had any cyber forces. But you want both sides really to start talking more about where the threshold for the use of force might be in a cyberattack, right? So if you think about—most of what we've seen, as I said, is spying. And so that is kind of the—is below the threshold for use of force or an armed attack, the thing that generally triggers kinetic escalation. But there's no general understanding of where that threshold might be. And in particular, during a crisis, let's say, in the Strait or in the South China Sea, you want to have some kind of clarity about where that line might be. Now, I don't think we're ever going to get a very clear picture, because both sides are going to want to be able to kind of skate as close to it as possible, but we would certainly want to have a conversation with the Chinese about how we might signal that. Can we have hotlines to discuss those kind of thresholds? Also, we want to make sure that both sides aren't targeting each other's nuclear command and control systems, right, with cyberattacks, because that would make any crisis even worse. There's some debate about whether the Chinese command and control systems are integrated with civilian systems. So things that the U.S. might go after could then perhaps spill over into the Chinese nuclear system, which would be very risky. So you want to have some talks about that. And then finally, you probably want to talk—because the Chinese open-source writing seems to suggest that they are not as concerned about escalation in cyber as we are. There's been a lot of debate in the U.S. about if escalation is a risk in cyber. But the Chinese don't actually seem to think it's much of a risk. And so it would be very useful to have some discussions on that point as well. 
I'll stop there, Irina, and I'm looking forward to the questions.

FASKIANOS: Thank you, Adam. That was great analysis and overview and specifics. So we're going to go first to Babak Salimitari, an undergrad student at the University of California, Irvine. So please be sure to unmute yourself.

Q: I did. Can you guys hear me?

SEGAL: Yeah.

Q: Thank you for doing this. I had a question on the Beijing Olympics that are coming up. Recently they told the athletes to use, like, burner phones because the health apps are for spying, or they've got, like, security concerns. What specific concerns do they have regarding those apps, and what do they do?

SEGAL: So I think the concerns are both specific and broad. I think there was a concern that one of the apps that all of the athletes had to download had significant security vulnerabilities. So I think that was a study done by Citizen Lab at the University of Toronto. And it basically said, look, this is a very unsafe app and, as you said, allowed access to health data and other private information, and anyone could probably fairly easily hack that. So, you know, if you're an athlete or anyone else, you don't want that private information being exposed to or handled by others. Then there's, I think, the broader concern is that probably anybody who connects to a network in China, that's going to be unsafe. And so, you know, because everyone is using wi-fi in the Chinese Olympics, and those systems are going to be monitored, those—your data is not going to be safe. You know, I'm not all that concerned for most athletes. You know, there's probably not a lot of reason why Chinese intelligence or police are interested in them. But there are probably athletes who are concerned, for example, about Xinjiang and the treatment of the Uighurs, or, you know, maybe Tibetan activists or other things, and maybe have somewhere in the back of their minds some idea about making statements or making statements when they get back to the U.S. 
or safer places. And for those people, definitely I would be worried about the risk of surveillance and perhaps using that data for other types of harassment.

FASKIANOS: I'm going to take the written question from Denis Simon, who received two upvotes. And Denis is senior advisor to the president for China affairs and professor of China business and technology. When you say “they” with respect to Chinese cyber activity, who is “they”? To what extent are there rogue groups and ultranationalists as well as criminals involved?

SEGAL: Yes. Denis will send me a nasty email if I don't mention that Denis was my professor. We're not going to go how many years ago, but when I was at Fletcher. So, and Denis was one of the first people I took—was the first person I took a class on Chinese technology. So, you know, and then I ended up here. So I think, “they.” So it depends what type of attacks we're talking about. On the espionage side, cyber espionage side, what we've generally seen is that a lot of that was moved from the PLA to the Ministry of State Security. The most recent indictments include some actors that seem to be criminal or at least front organizations. So some technology organizations. We do know that there are, you know, individual hackers in China who will contract their services out. There were in the '90s a lot of nationalist hacktivist groups, but those have pretty much dissipated except inside of China. So we do see a lot of nationalist trolls and others going after people inside of China, journalists and others, for offending China or other types of violations. So “they” is kind of a whole range of actors depending upon the types of attack we're talking about.

FASKIANOS: Thank you. So our next question we're going to take from Terron Adlam, who is an undergraduate student at the University of Delaware. And if you can unmute yourself.

Q: Can you hear me now?

FASKIANOS: Yes.

Q: Hi. Good evening. Yes. 
So I was wondering, do you think there will be a time where we have net neutrality? Like, we have a peace agreement amongst every nation? Because I feel like, honestly, if Russia, U.S., Mexico, any other country out there that have a problem with each other, this would be, like, there's rules of war. You don't biohazard attack another country. Do you think—(audio break)—or otherwise?

SEGAL: So I think it's very hard to imagine a world where there's no cyber activity. So there are discussions about can you limit the types of conflict in cyberspace, though the U.N. primarily. And they have started to define some of the rules of the road that are very similar to other international law applying to armed conflict. So the U.S.' position is essentially that international law applies in cyberspace, and things like the International Humanitarian Law apply in cyberspace. And you can have things like, you know, neutrality, and proportionality, and distinction. But they're hard to think about in cyber, but we can—that's what we should be doing. The Chinese and Russians have often argued we need a different type of treaty, that cyber is different. But given how valuable it seems, at least on the espionage side so far, I don't think it's very likely we'll ever get an agreement where we have no activity in cyberspace. We might get something that says, you know, certain types of targets should be off limits. You shouldn't go after a hospital, or you shouldn't go after, you know, health data, things like that. But not a, you know, world peace kind of treaty.

FASKIANOS: Thank you. So I'm going to take the next question from David Woodside at Fordham University. Three upvotes. What role does North Korea play in U.S.-China cyber discussions? Can China act outside of cybersecurity agreements through its North Korean ally?

SEGAL: Yeah. I think, you know, like many things with North Korea, the Chinese probably have a great deal of visibility. 
They have a few levers that they really don't like using, but not a huge number. So, in particular, if you remember when North Korea hacked Sony and because of the—you know, the movie from Seth Rogen and Franco about the North Korean leader—those hackers seemed to be located in northern China, in Shenyang. So there was some sense that the Chinese probably could have, you know, controlled that. Since then, we have seen a migration of North Korean operators out of kind of north China. They now operate out of India, and Malaysia, and some other places. Also, Russia helped build another cable to North Korea, so the North Koreans are not as dependent on China. I think it's very unlikely that the Chinese would kind of use North Korean proxies. I think the trust is very low of North Korean operators that they would, you know, have China's interest in mind or that they might not overstep, that they would bring a great deal of kind of blowback to China there. So there's been very little kind of—I would say kind of looking the other way earlier in much of North Korea's actions. These days, I think probably less.

FASKIANOS: Thank you. I'm going to take the next question from Joan Kaufman at Harvard University. And if you can unmute yourself.

Q: Yes. Thank you very much. I'm also with the Schwarzman Scholars program, the academic director. And I wanted to ask a follow up on your point about internet sovereignty. And, you know, the larger global governance bodies and mechanisms for, you know, internet governance and, you know, China's role therein. I know China's taken a much more muscular stance on, you know, the sovereignty issue, and justification for firewalls. So there's a lot—there are a lot of countries that are sort of in the me too, you know, movement behind that, who do want to restrict the internet. So I just—could you give us a little update on what's the status of that, versus, like, the Net Mundial people, who call for the total openness of the internet. 
And where is China in that space? How much influence does it have? And is it really—do you think the rules of the road are going to change in any significant way as a result of that?

SEGAL: Yeah. So, you know, I think in some ways actually China has been less vocal about the phrase “cyber sovereignty.” The Wuzhen Internet Conference, which is kind of—China developed as a separate platform for promoting its ideas—you don't see the phrase used as much, although the Chinese are still interjecting it, as we mentioned, in lots of kind of U.N. documents and other ideas. I think partly they don't—they don't promote as much because they don't have to, because the idea of cyber sovereignty is now pretty widely accepted. And I don't think it's because of Chinese actions. I think it's because there is widespread distrust and dissatisfaction with the internet that, you know, spans all types of regime types, right? Just look at any country, including the United States. We're having a debate about how free and open the internet should be, what role firms should play in content moderation, should the government be allowed to take things down? You know, we've seen lots of countries passing fake news or online content moderation laws. There's a lot of concern about data localization that countries are doing because of purported economic or law enforcement reasons. So I don't think the Chinese really have to push cyber sovereignty that much because it is very attractive to lots of countries for specific reasons. Now, there is still, I think, a lot of engagement China has with other countries around what we would call cyber sovereignty, because China—countries know that, you know, China both has the experience with it, and will help pay for it. So certainly around the Belt and Road Initiative and other developing economies we do see, you know, the Chinese doing training of people on media management, or online management. 
There was this story just last week about, you know, Cambodia's internet looking more like the Chinese internet. We know Vietnam copied part of their cybersecurity law from the Chinese law. A story maybe two years ago about Huawei helping in Zambia and Zimbabwe, if I remember correctly, in surveilling opposition members. So I think China, you know, still remains a big force around it. I think the idea still is cyber sovereignty. I just don't think we see the phrase anymore. And I think there's lots of demand pulls. Not China pushing it on other countries, I think lots of countries have decided, yeah, of course we're going to regulate the internet.

FASKIANOS: Thank you. Next question, from Ken Mayers, senior adjunct professor of history and political science at St. Francis College. Following up on Denis Simon's question, to what extent do Chinese state actors and U.S. state actors share concerns about asymmetric threats to cybersecurity? Is there common ground for discussion? And I'm going to—actually, I'll stop there, because—

SEGAL: All right. So I'm going to interpret asymmetric threats meaning kind of cyber threats from other actors, meaning kind of nonstate or terrorist actors, or criminal actors. So I think there could be a shared interest. It's very hard to operationalize. Probably about six or seven years ago I wrote a piece with a Chinese scholar that said, yes, of course we have a shared interest in preventing the proliferation of these weapons to terrorist actors and nonstate actors. But then it was very hard to figure out how you would share that information without exposing yourself to other types of attacks, or perhaps empowering your potential adversary. On cyber—for example, on ransomware, you would actually expect there could be some shared interest, since the Chinese have been victims of a fair number of Russian ransomware attacks. But given the close relationship between Putin and Xi these days, it's hard to imagine that the U.S. 
and China are going to gang up on Russia on ransomware. So, again, I think there could be, it's just very hard to operationalize.

FASKIANOS: Great. Thank you. So just to follow on from Skyler Duggan, who is an undergraduate at the University of Waterloo. Likewise, to these questions, how do we differentiate individual criminal groups from the state? And how can we be sure this isn't China just trying to abdicate—or, one party, he doesn't specify, trying to abdicate the responsibility?

SEGAL: Yeah, I think—because there's—one of the challenges faced by the U.S. and other liberal democracies is that we tend to primarily keep a fairly tight legal control over the cyber operations. They tend to be, you know, intelligence operations or military operations. So Title 10 or Title 50. There's kind of a whole set of legal norms around it. The U.S. does not rely on proxy actors. And other, you know, liberal democracies tend not to. And U.S. adversaries in this space tend to do so. We know Iran does. We know Russia does. We know China does, although less than the others. Now according to this discussion group that I mentioned before at the U.N., the group of—what's called the group of government experts, one of the norms that all the actors agreed upon was the norm of state responsibility, which is a common one in international law, that you are responsible for whatever happens in your territory. So using proxies should not, you know, be able to give you an out. You shouldn't be able to say, well, it's happening from our territory, we just—you know, we don't know who they are and we can't control them. But, you know, in operation that norm is being fairly widely ignored. Now, the other problem, of course, is the—is how do you actually decide who the actor is, the attribution problem, right? So here, you know, a lot of people are basically saying, well, we have to rely on the U.S. or the U.K. 
or others to say, well, you know, we say it's these actors, and how do we know—how do we know for sure? Now, attribution is not as hard as we once thought it was going to be. When I first, you know, started doing the research for the book that Irina mentioned, attribution was considered, you know, a pretty big challenge. But now, you know, there's a fairly high expectation that the U.S. will be able to eventually identify who's behind an attack. Now, it may take some time. And we may not be able to completely identify who ordered the attack, which is, you know, as you mentioned, the problem with the proxies. But it's not—it's also not completely reliant on digital clearances. It's not just the code or the language of the keyboard. All those things can be manipulated, don't necessarily give you proof. Lots of time the U.S. is pulling in other intelligence—like, human intelligence, signals intelligence, other types of gathering. So, you know, part of it is how much do we believe the attribution, and then how much of it is—you know, what can you do with it afterwards? And, you know, I don't think the proxy problem is going to go away.

FASKIANOS: Great. So I'm going next to Tim Hofmockel's question. It's gotten seven upvotes. He's a graduate student at Georgetown University. To flip Denis Simon's question: Who should the “we” be? To what extent should the U.S. intelligence community and the Department of Defense cooperate on offensive cyber operations? And how would we signal our intentions in a crisis given the overlap in authorities between the intelligence community and DOD?

SEGAL: Yeah. I mean, so right now NSA and Cyber Command are dual hatted, meaning that one person is in charge of both of them, General Nakasone. So to some extent that could theoretically help deconflict between kind of intelligence gathering, offensive operations, and kind of signaling to the Chinese. But it's unclear. 
It's very—signaling in cyber so far seems to be kind of developing and unknown. That seems to be one of the big theories between the U.S. taking these more kinds of operations and, in fact, kind of bringing the fight to the Chinese is a very kind of sociological understanding of deterrence is that over time both sides will kind of understand where those red lines are by engaging and seeing where they're acting. You know, others have talked about could you create some kind of watermark on the actual attack or vulnerability, so that the—you know, you might discover some type of malware in your system and there'd be like a little, you know, NFT, maybe, of sorts, that says, you know, the U.S. government was here. We're warning you not to do this thing. You know, a lot of these have, you know, kind of technical problems. But the question of signaling I think is really hard, and that's part of the reason why, you know, I think these discussions are so important, that at least we have a sense that we're talking about the same types of things, and the same general set of tools. But I think probably through cyber signaling is going to be really hard. It's going to be mostly other types of signaling.

FASKIANOS: Next question from Maryalice Mazzara. She's the director of educational programs at the State University of New York's Office of Global Affairs. How can people who are working with China and have a very positive relationship with China balance the issues of cybersecurity with the work we are doing? Are there some positive approaches we can take with our Chinese colleagues in addressing these concerns?

SEGAL: Good question, Ali. How are you? So I guess it's very—so I do think there are forward-looking things that we can talk about. You know, several of the questions have asked, are there shared interests here? And I do think there are shared interests. You know, we mentioned the proliferation one. We mentioned the nonstate actors. 
You know, there is a lot of language in the most recent statement from the Chinese government about—you know, that the internet should be democratic and open. I don't think they mean it in the same way that we do, but we can, I think, certainly use that language to have discussions about it and hope push to those sides. But I think it is hard because it is—you know, partly because government choices, right? The U.S. government chooses to attribute lots of attacks to China and be very public about it. Chinese for the most part don't attribute attacks, and don't—they talk about the U.S. as being the biggest threat in cyberspace, and call the U.S. The Matrix and the most, you know, damaging force in cyberspace. But for the most part, don't call out specific actors. So they kind of view it—the Chinese side is often in a kind of defensive crouch, basically saying, you know, who are you to judge us, and you guys are hypocrites, and everything else. So I think there are lots of reasons that make it hard. I think probably the way to do it is to try to look forward to these shared interests and this idea that we all benefitted immensely from a global internet. We now have different views of how open that internet should be. But I think we still want to maintain—the most remarkable thing about it is that we can, you know, still communicate with people around the world, we can still learn from people around the world, we can still draw information, most information, from around the world. And we want to, you know, keep that, which is a—which is—you know, not to use a Chinese phrase—but is a win-win for everybody.

FASKIANOS: Great. I see a raised hand from Austin Oaks. And I can't get my roster up fast enough, so, Austin, if you can unmute and identify yourself.

Q: So I'm Austin Oaks. And I come from the University of Wisconsin at Whitewater. And I used to live in Guangdong province in China. And I used to go visit Hong Kong and Macau, more Hong Kong, very often. 
And Hong Kong has this very free internet, which China doesn't particularly like. Macau tends to be more submissive to Beijing rather than Hong Kong does. But Chinese government has kind of started to put in people in the Hong Kong government to kind of sway the government into Beijing's orbit more. So then how—so what is China doing in the cyberspace world for both of its separate administrative regions? Because one is a lot easier to control than the other.

SEGAL: Yeah. So I think the idea of Hong Kong's internet being independent and free is—it's pretty much ending, right? So the national security law covers Hong Kong and allows the government to increasingly censor and filter and arrest people for what they are posting. We saw pressure on U.S. companies to hand over data of some users. A lot of the U.S. companies say they're going to move their headquarters or personnel out of Hong Kong because of those concerns. So, you know, it certainly is more open than the mainland is, but I think long-term trends are clearly pretty negative for Hong Kong. I expect Macau is the same direction, but as you mentioned, you know, the politics of Macau is just so much different from Hong Kong that it's less of a concern for the Chinese.

FASKIANOS: Thank you. I'm going to take the next written question from Robert Harrison, a law student at Washburn University School of Law. My understanding is that there have been significant thefts of American small and medium-size business intellectual property by Chinese-based actors. This theft/transfer of knowledge may reduce the competitive edge from the original property holder. Are there any current efforts to curb IP thefts? Any ongoing analysis of the Belt and Road Initiative to evaluate the use of IP acquired by theft?

SEGAL: Yeah. So, you know, as I mentioned, the U.S. tried to reach this agreement with China on the IP theft challenge. China held to it for about a year, and then essentially kind of went back to it. 
It's been very hard to quantify the actual impact of what the theft has been. You know, there are numbers thrown around, a certain percent of GDP, or 250 billion (dollars) a year. There is what's called the IP Commission, which is run out of the National Bureau of Asia Research that has been updating its report. But it's very hard because, you know, a lot of the knowledge and data that's stolen is tacit knowledge. Or, you know, is actual blueprints or IP, but they don't have the tacit knowledge. So you can have the blueprints, but it's then hard to turn from that to an actual product. And it's hard in the civilian space to kind of track lots of products that seem stolen from U.S. products, as opposed to—on the military side you can look at, oh, here's the Chinese stealth jet. It looks a lot like the U.S. stealth jet. Now, this could be physics. It could be intellectual property theft. But it's harder on the commercial side to kind of put a number on it and see what the impact is. Although clearly, it's had an impact. We do know that Chinese operators, you know, go after other targets other than the U.S., right? So they certainly go—are active in Europe. We've seen them in Southeast Asia. Most of that is probably political espionage, not as much industrial espionage. Although, there has been—has been some. I don't know of any specific cases where we can point to anything along the Belt and Road Initiative that, you know, seems in and of itself the outcome of IP theft.

FASKIANOS: I'm going to take a written question from Caroline Wagner, who is the Milton and Roslyn Wolf chair in international affairs at Ohio State University. Chinese actors seem to have incredibly pervasive links to track online discussions critical of China. Are these mostly bots, or are there human actors behind them?

SEGAL: So I'm going to interpret that to mean for the net outside of China. So, yes. I think what we're learning is there's several things going on. Part of it is bots. 
So they have, you know, a number of bots that are triggered by certain phrases. Some of it is human, but increasingly probably a lot of it is machine learning. So there was a story maybe last month in the Post, if I remember it correctly, about, you know, Chinese analytical software data companies offering their services to local Ministry of State Security to basically kind of scrape and monitor U.S. platforms. And that is primarily going to be done through, you know, machine learning, and maybe a little human operations as well.

FASKIANOS: Thank you. And this is a bit of a follow-on, and then I'll go to more. William Weeks, who is an undergraduate at Arizona State University asks: What role does unsupervised machine learning play in China's cyberspace strategy?

SEGAL: Yeah, it's a good question. I don't have a lot of details. You know, like everybody else there, they are going to start using it on defense. It is a big push on what's called military-civil fusion. You know, we know that they are trying to pull in from the private sector on AI, both for the defense and the offense side. But right now, all I can give you is kind of general speculation about how actors think about offense and defense with ML and AI. Not a lot of specifics from the Chinese here.

FASKIANOS: Thank you. OK, Morton Holbrook, who's at Kentucky Wesleyan College.

Q: Yes. Following up on your comment about Hong Kong, about U.S. companies reconsidering their presence due to internet controls, what about U.S. companies in China and Beijing and Shanghai? Do you see a similar trend there regarding internet controls, or regarding IPR theft?

SEGAL: I think, you know, almost all firms that have been in China, this has been a constant issue for them. So it's not particularly new. I think almost all of them have, you know, made decisions both about how to protect their intellectual property theft—intellectual property from theft, and how to maintain connections to the outside, to make them harder. 
You know, VPNs were fairly widely used. Now they're more tightly regulated. We know that the Chinese actually can attack VPNs. So I think, you know, those issues have been constant irritants. I think, you know, COVID and the lack of travel, the worry about getting kind of caught up in nationalist backlashes online to, you know, Xinjiang issues or if you refer to Taiwan incorrectly, those are probably higher concerns right now than these kind of more constant concerns about cyber and IP.

FASKIANOS: Thank you. Anson Wang, who's an undergraduate at the University of Waterloo. We have three upvotes. Is China considered the major threat to the U.S. hegemony because China is actively trying to replace the U.S. as the new global hegemon? Or simply because China is on a trajectory to get there, with or without their active intention in involving other countries' internal politics, the same way that the U.S. does?

SEGAL: Yeah. So I think this is a—you know, a larger question about what China wants in the world. And do we—you know, do we think it has a plan or ideology of replacing the U.S.? And does it want—or, would it be happy even with regional dominance? Does it just want to block U.S. interest and others? It's a big debate. You know, lots of people have contrasting views on where they think China is coming. I'll just use the cyber example. And I think here, you know, the Chinese started with wanting to block the U.S., and prevent the U.S. from criticizing China, and protect itself. I don't think it had any desire to reshape the global internet. But I think that's changed. I think under Xi Jinping they really want to change the definitions of what people think the state should do in this space. I think they want to change the shape of the internet. I don't think they want to spread their model to every country, but if you want to build their model they're certainly welcome to help you.
And they don't mind pushing, perhaps highlighting, in some cases exploiting the weaknesses they see in the U.S. as well.

FASKIANOS: OK. Thank you. I'm going to go to Helen You, who's a student at NYU. It appears that governments are reluctant to restrict their cyber capabilities because they fundamentally do not want to limit their own freedom to launch cyberattacks. As a result, countries fail to follow voluntary norms on what is permissible in cyberspace. To what extent are industry standards influencing international cybersecurity norms? And what incentives would need to be in place to move these conversations forward?

SEGAL: Yeah, that's a great point. I mean, I think that's one of the reasons why we haven't seen a lot of progress, is because states don't have a lot of reason to stop doing it. The costs are low, and the benefits seem to be high. Now, I understand your question in two separate ways. One, there is a kind of private attempt to push these norms, and basically arguing that states are going too slow. Part of that was promoted by Microsoft, the company, right? So it promoted the idea of what they were calling the Digital Geneva Convention, and then they have been involved in what's now known as the Paris Accords that define some of these rules, that the U.S. just signed onto, and some other states have signed onto. But again, the norms are pretty vague, and haven't seemed to have that much effect. There's a thing called the cybersecurity—Global Cybersecurity Stability Commission that the Dutch government helped fund but was mainly through think tanks and academics. It also has a list of norms. So there is a kind of norm entrepreneurship going on. And those ideas are slowly kind of bubbling out there. But you need to see changes in the state to get there. That's when we know that norms matter. And that we really haven't seen.
On the—there is a lot of work, of course, going on, on the standards of cybersecurity, and what companies should do, how they should be defined. And that happens both domestically and internationally. And of course, the companies are very involved in that. And, you know, that is much further, right? Because that has to do about regulation inside of markets, although there's still, you know, a fair amount of difference between the U.S. and EU and other close economies about how those standards should be defined, who should do the defining, how they should be implemented.

FASKIANOS: Thank you. I'm going to group two questions, from Dr. Mursel Dogrul of the Turkish National Defense University: In a most recent article we focused on the blockchain literature expansion of superpowers. In terms of publications and citations, China clearly outperformed the United States and Russia. Do you believe the technological advancement will have an impact on the cybersecurity race? And Michael Trevett—I don't have an affiliation—wanted you to speak a little bit more about the cyber triangle with Russia. How are China and Russia coordinating and cooperating?

SEGAL: Yeah. So the first question, you know, clearly, as I have briefly mentioned in my opening comments, that the Chinese are pushing very hard on the technologies they think are going to be critical to the—to the future competition in this space—blockchain, quantum, AI. The Chinese have made a lot of advances on quantum communication and quantum key distribution. Probably behind the U.S. on quantum computing, but it's hard to say for sure. And blockchain is a space the Chinese have developed some usages and are rolling some test cases out on the security side and the internet platforming side. On the China-Russia question, so closer cooperation. Most of it has been around cyber sovereignty, and the ideas of kind of global governance of cyberspace.
The Chinese were, you know, pretty helpful at the beginning stages, when Russia started using more technological means to censor and control the Russian internet. So helping kind of build some of the—or, export some of the technologies used in the China great firewall, that the Russians could help develop. Russia is pretty much all-in with Huawei on 5G. And so a lot of cooperation there. Although, the Russians are also worried about, you know, Chinese espionage from Russian technology and other secrets. They did sign a nonaggression cyber pact between the two, but both sides continue to hack each other and steal each other's secrets. And have not seen any evidence of cooperation on the operations side, on intelligence. With them doing more and more military exercises together, I would suspect we would perhaps start seeing some suggestion that they were coordinating on the military side in cyber. But the last time I looked, I didn't really see any—I did not see any analysis of that.

FASKIANOS: Thank you. Next question from Jeffrey Rosensweig, who is the director of the program for business and public policy at Emory University.

Q: Adam, I wonder if you could fit India in here anywhere you would like to? Because I think it'll be the other great economy of the future.

SEGAL: Yeah. So India's a—you know, a really interesting actor in this space, right? So, you know, India basically thinks that it has two major cyber threats—Pakistan, and China being the other. China, you know, was reportedly behind some of the blackouts in Mumbai after the border clash. I am somewhat skeptical about reporting, but it's certainly a possibility, and there's no reason to doubt the Chinese have been mapping critical infrastructure there. India pushed back on TikTok and ByteDance. You know, also concerns about data control and other things. There is a long history of kind of going back and forth on Huawei.
The intelligence agency has not really wanted to use, but others wanting to help, you know, bridge the digital divide and build out pretty quickly. India right now is talking about its own type of 5G. But from a U.S. perspective, you know, I think the most important thing—and this is often how India comes up—is that, you know, we want India to be an amplifier, promoter of a lot of these norms on cyber governance, because it is a, you know, developing, multiethnic, multiparty democracy. And so we want it just not to be the U.S.' voice. Now, India's a pretty complicated, difficult messenger for those things these days, right? India leads the world in internet shutdowns, and we've seen a lot of harassment of opposition leaders and other people who are opposed to Modi. So it's not going to be easy. But I think the U.S. for a long time has hoped that we could forge a greater understanding on the cyber side with India.

FASKIANOS: Great. I'm going to take the next question from Michael O'Hara, who is a professor at the U.S. Naval War College. And I'm going to shorten it. He asks about China's fourteenth five-year plan, from 2021 to 2025. It includes a section titled "Accelerate digitalization-based development and construct a digital China." Do you see their five-year plan as a useful way for thinking about Chinese future in cyberspace?

SEGAL: Yes. So we're on the same page, the digital plan came out two or three weeks ago. It was just translated. Yeah, I mean, the plan is useful. Like, all Chinese plans are useful in the sense that it certainly gives us clear thinking about the direction that China wants to go, and the importance it puts on a topic. You know, the implementation and bureaucratic obstacles and all those other things are going to play a role. But as I mentioned, I think, you know, the Chinese economy is becoming increasingly digitalized.
And in particular, they want to digitize, you know, more and more of the manufacturing sector and transportation, mining, other sectors that are traditionally not, you know, thought of as being digital, but the Chinese really want to move into that space. Now, from a cybersecurity perspective, that, you know, raises a whole range of new vulnerabilities and security issues. And so I think that's going to be very high on their thinking. And just today I tweeted a story that they held a meeting on thinking about cybersecurity in the metaverse. So, you know, they're looking forward, and cybersecurity is going to be a very high concern of people.

FASKIANOS: Well, we couldn't have the Naval Academy without the U.S. Air Force Academy. So, Chris Miller, you wrote your question, but you've also raised your hand. So I'm going to ask to have you articulate it yourself.

Q: Well, actually, I changed questions, Irina. Adam, thank you.

FASKIANOS: Oh, OK. (Laughs.) But still, the Air Force Academy.

Q: So two quick questions. I'll combine them. One is: I'm curious how you see the new cyber director—national cyber director's role changing this dynamic, if it at all, or changing the parts of it on our side of the Pacific that we care about. And second of all, curious how you see China viewing the Taiwanese infrastructure that they probably desire, whether or not they eventually take it by force or by persuasion.

SEGAL: Yeah. So I don't think the NCD changes the dynamic very much. You know, I think there's lots of—you know, everyone is watching to see how the NCD and the National Security Council, and CISA, the Cybersecurity Infrastructure and Security Agency, work out the responsibilities among the three of them, which will have an impact, you know, of making us more secure. And, you know, Chris Inglis, the head of the NCD has given lots of talks about how they're going to manage and work together. And I think we're beginning to see some signs of that.
But I think that's probably the most direct impact it'll have on the dynamic. Your second question, you know, I think primarily is about, you know, Taiwan Semiconductor. And, you know, do the Chinese eventually decide, well, chips are so important, and the U.S. is working so hard to cut us off, that, you know, for all the other reasons that we might want to see Taiwan, you know, that one is going to get moved up? You know, I think it's a possibility. I think it's a very low possibility. I do think we don't know what the red lines are on the tech war, right? You know, there's been talk about cutting off SMIC, the Shanghai manufacturer of integrated circuits, which is also a very important company to the Chinese. Would that push the Chinese to do more aggressive or assertive things in this space? You know, what is it that we do in that space that eventually pulls them out? But I think it's very hard—(audio break)—that they could capture TSMC in a shape that would be useful. Am I breaking up?

FASKIANOS: Just a little bit, but it was fine. We have you now.

SEGAL: Yeah. That you could capture TSMC in a shape that would be useful, right? I mean, there was that piece, I think, that was written by an Army person, maybe in Parameters, that, you know, the U.S. and Taiwan's plan should be basically just to—you know, to sabotage TSMC in case there's any invasion, and make that clear that that's what it's going to do. But even without that risk, you're still dealing—you know, any damage and then, flight of people outside of Taiwan, because the Taiwanese engineers are really important. So it would be very high risk, I think, that they could capture it and then use it.

FASKIANOS: Thank you. Well, I am sorry that we couldn't get to all the questions, but this has been a great conversation. Adam Segal, thank you very much for being with us. You know, you're such a great resource.
I'm going to task you after this, there was a question from Andrew Moore at the University of Kansas about other resources and books that you would suggest to learn more about China and cybersecurity. So I'm going to get—come to you after this for a few suggestions, which we will send out to the group along with the link to this video and the transcript. So, Andrew, we will get back to you and share with everybody else. And so, again, you can follow Dr. Segal on Twitter at @adschina. Is that correct, Adam?

SEGAL: That's right.

FASKIANOS: OK. And also sign up for—to receive blog alerts for Net Politics you can go to CFR.org for that. Our next webinar will be on Wednesday, February 9, at 1:00 p.m. Eastern Time. And we're excited to have Patrick Dennis Duddy, director of the Center for Latin American and Caribbean Studies at Duke, to talk about democracy in Latin America. So thank you for being with us. You can follow us on Twitter at @CFR_Academic. Visit CFR.org, foreignaffairs.com and ThinkGlobalHealth.org for new research and analysis on other global issues. And again, Adam, thank you very much for being with us. We appreciate it.

SEGAL: My pleasure.

FASKIANOS: Take care.

FASKIANOS: Welcome to the first session of the Winter/Spring 2022 CFR Academic Webinar Series. I'm Irina Faskianos, vice president of the National Program and Outreach here at CFR. Today's discussion is on the record, and the video and transcript will be available on our website, CFR.org/academic. As always, CFR takes no institutional positions on matters of policy. We are delighted to have Adam Segal with us to discuss cyberspace and U.S.-China relations. Adam Segal is CFR's Ira A. Lipman chair in emerging technologies and national security and director of the Council's Digital and Cyberspace Policy program. Previously, he served as an arms control analyst for the China Project at the Union of Concerned Scientists.
He has been a visiting scholar at Stanford University's Hoover Institution, MIT's Center for International Studies, the Shanghai Academy of Social Sciences, and Tsinghua University in Beijing. And he's taught courses at Vassar College and Columbia University. Dr. Segal currently writes for the CFR blog, Net Politics—you should all sign up for those alerts, if you haven't already. And he is the author of several books, including his latest, The Hacked World Order: How Nations Fight, Trade, Maneuver, and Manipulate in the Digital Age. So, Adam, thanks very much for being with us. We can begin with a very broad brush at cyberspace, the role cyberspace plays in U.S.-China relations, and have you make a few comments on the salient points. And then we'll open it up to the group for questions.

SEGAL: Great. Irina, thanks very much. And thanks, everyone, for joining us this afternoon. I'm looking forward to the questions and the discussion. So broadly, I'm going to argue that the U.S. and China have the most far-reaching competition in cyberspace of any countries. And that competition goes all the way from the chip level to the rules of the road. So global governance all the way down to the chips that we have in all of our phones. Coincidentally, and nicely timed, last week the Washington Post did a survey of their network of cyber experts about who was the greater threat to the United States, China or Russia. And it was actually almost exactly evenly split—forty to thirty-nine. But I, not surprisingly, fell into the China school. And my thinking is caught very nicely by a quote from Rob Joyce, who's a director at the National Security Agency, that Russia is like a hurricane while China is like climate change. So Russia causes sudden, kind of unpredictable damage. But China represents a long-term strategic threat. When we think about cyberspace, I think it's good to think about why it matters to both sides. And on the Chinese side, I think there are four primary concerns.
The first is domestic stability, right? So China is worried that the outside internet will influence domestic stability and regime legitimacy. And so that's why it's built an incredibly sophisticated system for controlling information inside of China that relies both on technology, and intermediary liability, and other types of regulation. China is worried about technological dependence on other players, in particular the U.S., for semiconductors, network equipment, and other technologies. And they see cybersecurity as a way of reducing that technology. China has legitimate cybersecurity concerns like every other country. They're worried about attacks on their networks. And the Snowden revelations from the—Edward Snowden, the former NSA contractor—show that the U.S. has significant cyber capabilities, and it has attacked and exploited vulnerabilities inside of China. And while the Chinese might have used to think that they were less vulnerable to cyberattacks given the shape of the Chinese network in the past, I think that probably changed around 2014-2015, especially as the Chinese economy has become increasingly dependent on ecommerce and digital technology. It's now—GDP is about a third dependent on digital technology. So they're worried about the same types of attacks the United States is worried about. And then, fourth and finally, China does not want the United States to be able to kind of define the rules of the road globally on cyber, create containing alliances around digital or cyber issues, and wants to constrain the ability of the U.S. to freely maneuver in cyberspace.

Those are China's views. The U.S. has stated that it's working for a free, open, global, and interoperable internet, or an interoperable cyberspace. But when it looks at China, it has a number of specific concerns. The first is Chinese cyber operations, in particular Chinese espionage, and in particular from that Chinese industrial espionage, right?
So the Chinese are known for being the most prolific operators, stealing intellectual property. But they're also hacking into political networks, going after think tanks, hacking activists—Uighur activists, Tibetan activists, Taiwanese independence activists. We know they're entering into networks to prepare the battlefield, right, so to map critical infrastructure in case there is a kinetic conflict with the United States—perhaps in the South China Sea or over the Taiwan Strait—and they want to be able to deter the U.S., or perhaps cause destructive attacks on the U.S. homeland, or U.S. bases in South Korea, or Japan. The U.S. is also extremely concerned about the global expansion of Chinese tech firms and Chinese platforms, for the collection of data, right? The U.S. exploited the globalization of U.S. tech firms. Again, that was something that we learned from the Snowden documents, that the U.S. both had legal and extralegal measures to be able to get data from users all around the world because of their knowledge of and relationship to U.S. tech firms. And there's no reason to believe that the Chinese will not do the same. Now, we hear a lot about, you know, Huawei and the national intelligence law in China that seems to require Chinese companies to turn over data. But it would be very hard to believe that the Chinese would not want to do the same thing that the U.S. has done, which is exploit these tech platforms. And then finally, there is increasingly a framing of this debate as one over values or ideology, right? That democracies use cybertechnologies or digital technologies in a different way than China does. China's promoting digital authoritarianism, that has to do about control of information as well as surveillance. And the U.S. has really pushed back and said, you know, democracies have to describe how we're going to use these technologies.

Now, the competition has played itself out both domestically and internationally.
The Chinese have been incredibly active domestically. Xi Jinping declared that cybersecurity was national security. He took control of a small leadership group that became a separate commission. The Cyberspace Administration of China was established and given lots of powers on regulating cybersecurity. We had a creation of three important laws—the cybersecurity law, the data security law, and the private—personal information protection law. We see China pushing very hard on specific technologies they think are going to be important for this competition, especially AI and quantum. And we see China pushing diplomatically, partly through the idea of what's called cyber-sovereignty. So not the idea that internet is free and open and should be somewhat free from government regulation, but instead that cyberspace, like every other space, is going to be regulated, and that states should be free to do it as they see fit, as fits their own political and social characteristics, and they should not be criticized by other states. They promoted this view through U.N. organizations in particular. And they've been working with the Russians to have a kind of treaty on information and communication technologies that would include not only cybersecurity, but their concerns about content and the free flow of information.

The U.S. right now is essentially continuing a policy that was started under the Trump administration. So part of that is to try and stop the flow of technology to Chinese firms, and in particular to handicap and damage Huawei, the Chinese telecom supplier, to put pressure on friends to not use Huawei. But the most important thing it did was put Huawei on an entity list, which cut it off from semiconductors, most importantly from Taiwan Semiconductor, which has really hurt the Huawei of products. The U.S. tried to come to an agreement about—with China about what types of espionage are considered legitimate. And not surprisingly, the U.S.
said there was good hacking and bad hacking. And the good hacking is the type of hacking that the U.S. tends to do, and the bad hacking is the type of hacking that the Chinese tend to do. So, basically the argument was, well, all states were going to conduct political and military espionage, but industrial espionage should be beyond the pale. Or if you put it—you can think of it as the way President Obama put it, you can hack into my iPhone to get secrets about what I'm discussing with my Cabinet, but you can't hack into Apple to get the secrets about how iPhones are made to give to Huawei. There was an agreement formed in 2015, where both sides said they weren't going to engage in industrial espionage—cyber industrial espionage. For about a year and a half, that agreement seemed to hold. And then it—and then it fell apart. The Chinese are engaged in that activity again. And as a result, the U.S. has once again started indicting Chinese hackers, trying to create—enforce that norm through indictments and naming and shaming. The U.S. probably also—although I have no evidence of it—has engaged in disrupting Chinese hackers. So we know under the Trump administration Cyber Command moved to a more forward-leaning posture, called defending forward or persistent engagement. We've heard about some of those operations against Russian or Iranian actors. John Bolton, before he left the NSC, suggested they were getting used against Chinese cyberhackers as well.

So what comes next? And it's often hard, if not impossible, to end cyber talks on a positive note, but I will try. So I think from a U.S. perspective, clearly the kind of tech pressure, not only of Huawei but on a broader range of companies, is going to continue. The Biden administration has shown no signal that it is going to roll any of that back. And it's actually expanded it, to more companies working on quantum and other technologies.
The Biden administration has worked much more actively than the Trump administration on building alliances around cybersecurity. So in particular, the tech and trade competition group with the Europeans and the quad, with Australia, India, and Japan all have discussions on cybersecurity norms. So how do you actually start imposing them? Now, where you would hope that the U.S. and China would start talking to each other, again, is where I hope the Biden administration can eventually get to. So there were some very brief discussions in the Obama administration. The Trump administration had one round of talks, but those were not particularly useful. The Chinese were very unwilling to bring people from the People's Liberation Army to actually kind of talk about operations, and generally were in denial that they had any cyber forces. But you want both sides really
The Federal Trade Commission's (FTC) other foot, I argue, is lodged firmly in its mouth. Tatyana Bolton defends the agency, which released what can only be described as a regulatory blog post in response to the log4j vulnerability, invoking the $700 million in fines imposed on Equifax to threatening "to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j." She stresses that this is the best way to get companies to patch quickly and notes that only "reasonable steps" are required. I think we'll hear that a lot from the FTC, now that it turns out that fixing the Log4j mess is going to require a lot more than regulatory flexing. Especially, since the FTC's blog post seems to pull back from its tough-guy pose when talking about the open source maintainers who actually have to do much of the patch generation; unlike the companies it threatened with wrath, the FTC understands that open source coders "don't always have adequate resources and personnel," something the FTC "will consider as we work to address the root issues that endanger user security."

Speaking of fallible regulators, Glenn Gerstell gives us a tour of China's tech regulatory landscape, and the remarkable decline in the fortunes of consumer tech firms in that country, as the New York Times covered in detail last week. Is that good news for Silicon Valley or U.S. competitiveness? Sadly, probably not, I conclude.

Mark MacCarthy explains why the proposal to marry cryptocurrency to Signal is causing angst among Signal's supporters about the end-to-end encrypted service's "regulatory attack surface."

Glenn covers the latest story about security risks and telecom gear from China.

Mark and I dig into the growing enthusiasm for regulating big Silicon Valley companies as gatekeepers. The Germans are about to apply that approach to Google. And the South Koreans are doing the same to Apple and its app store payment policies.
Tatyana notes the press coverage about possible tensions between two talented and strong cybersecurity officials in the White House: Anne Neuberger and Chris Inglis. I put Glenn on the spot about claims that Anne has "a particular tendency to clash with lawyers." That would only make me love her more, but Glenn (who, as the National Security Agency's top lawyer, worked with her for years) absolves her of the charge.

Mark and I handicap the probability that the plaintiff will succeed in a highly charged lawsuit against Facebook/Meta Platforms for bringing together the boogaloo conspirators who killed a federal protective officer. It's a long shot, but if "negligent design" turns out to create liability for software and algorithms, Signal will have an even greater attack surface than its fans are worried about.

Glenn explains the charges brought in China against Walmart for breaches of cybersecurity laws (hint: it's mostly not breaches of cybersecurity laws). Speaking of surprises that aren't surprises, Glenn also covers the announcement by Lloyd's of London that cyber insurance won't cover cyberattacks attributable to nation-states.

Finally, I devote a few minutes to rant about the Justice Department's decision to expand charges against Joe Sullivan, Uber's former chief information security officer, for his role in payment of "bug bounties" to hackers who looked more like crooks than bounty hunters. More than a year after charging Sullivan with obstruction of justice, the department piled on new charges of wire fraud for failing to tell Uber's drivers about the breach. Glenn and I both question the decision to do this without any new facts to base the charges on. And I point out that the result of exposing breach response into wire fraud charges will (or should be) fatal to the FBI's desire to be called in while companies are dealing with breaches.
If the company delays notice to the public for longer than the government thinks proper, wire fraud charges start to hang heavy in the air. If so, why would any general counsel want to have an FBI agent sitting in the room for the debate about when notice to customers is required?

Download the 389th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.
The Federal Trade Commission's (FTC) other foot, I argue, is lodged firmly in its mouth. Tatyana Bolton defends the agency, which released what can only be described as a regulatory blog post in response to the log4j vulnerability, invoking the $700 million in fines imposed on Equifax to threatening “to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j.” She stresses that this is the best way to get companies to patch quickly and notes that only “reasonable steps” are required. I think we'll hear that a lot from the FTC, now that it turns out that fixing the Log4j mess is going to require a lot more that regulatory flexing. Especially, since the FTC's blog post seems to pull back from its tough-guy pose when talking about the open source maintainers who actually have to do much of the patch generation; unlike the companies it threatened with wrath, the FTC understands that open source coders “don't always have adequate resources and personnel,” something the FTC “will consider as we work to address the root issues that endanger user security.” Speaking of fallible regulators, Glenn Gerstell gives us a tour of China's tech regulatory landscape, and the remarkable decline in the fortunes of consumer tech firms in that country, as the New York Times covered in detail last week. Is that good news for Silicon Valley or U.S. competitiveness? Sadly, probably not, I conclude. Mark MacCarthy explains why the proposal to marry cryptocurrency to Signal is causing angst among Signal's supporters about the end-to-end encrypted service's ”regulatory attack surface.” Glenn covers the latest story about security risks and telecom gear from China. Mark and I dig into the growing enthusiasm for regulating big Silicon Valley companies as gatekeepers. The Germans are about to apply that approach to Google. And the South Koreans are doing the same to Apple and its app store payment policies. 
Tatyana notes the press coverage about possible tensions between two talented and strong cybersecurity officials in the White House: Anne Neuberger and Chris Inglis. I put Glenn on the spot about claims that Anne has “a particular tendency to clash with lawyers.” That would only make me love her more, but Glenn (who, as the National Security Agency's top lawyer, worked with her for years) absolves her of the charge. Mark and I handicap the probability that the plaintiff will succeed in a highly charged lawsuit against Facebook/Meta Platforms for bringing together the boogaloo conspirators who killed a federal protective officer. It's a long shot, but if “negligent design” turns out to create liability for software and algorithms, Signal will have an even greater attack surface than its fans are worried about. Glenn explains the charges brought in China against Walmart for breaches of cybersecurity laws (hint: it's mostly not breaches of cybersecurity laws). Speaking of surprises that aren't surprises, Glenn also covers the announcement by Lloyd's of London that cyber insurance won't cover cyberattacks attributable to nation-states. Finally, I devote a few minutes to rant about the Justice Department's decision to expand charges against Joe Sullivan, Uber's former chief information security officer, for his role in payment of “bug bounties” to hackers who looked more like crooks than bounty hunters. More than a year after charging Sullivan with obstruction of justice, the department piled on new charges of wire fraud for failing to tell Uber's drivers about the breach. Glenn and I both question the decision to do this without any new facts to base the charges on. And I point out that the result of exposing breach response to wire fraud charges will be (or should be) fatal to the FBI's desire to be called in while companies are dealing with breaches.
If the company delays notice to the public for longer than the government thinks proper, wire fraud charges start to hang heavy in the air. If so, why would any general counsel want to have an FBI agent sitting in the room for the debate about when notice to customers is required? Download the 389th Episode (mp3) You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.
In this episode of Intelligence Matters, host Michael Morell speaks with the country's first National Cyber Director, Chris Inglis, about his office's mandate, its mission, and the top cyber threats facing the U.S. today. Inglis and Morell discuss the prevalence of ransomware and why countries like Russia and China might tolerate the presence of criminal hackers on their soil. Inglis also details why deterrence in cyberspace is difficult, and how the U.S. government is engaging the private sector to bolster cyber defenses. This episode was produced in partnership with the Michael V. Hayden Center for Intelligence, Policy, and International Security at George Mason University's Schar School of Policy and Government.
In this week's Reagan Forum podcast we go back one month to September 9, 2021 for our virtual program entitled, Digital Defense and Deterrence: America's Cybersecurity Posture. The program featured America's first National Cyber Director, Chris Inglis, and Dave Levy of Amazon Web Services as they focused on the future of U.S. cyber defenses across the national security interagency. The program also covered recent congressional policy interventions (including creating the National Cyber Director position), the Biden Administration's approach to cyber, the importance of a unified cyber strategy, and how private sector partners can bolster U.S. cyber readiness.
Could Using the Right Multi-Factor Authentication Save You? I had a good friend who, this week, had his life's work stolen from him. Yeah. And you know what caused it? It was his password. Now, you know what you're supposed to be doing? I'm going to tell you exactly what to do right now. Let's get right down to the whole problem with passwords. I'm going to tell you a little bit about my friend this week. He has been building a business for maybe going on 10 years now, and this business relies on advertising. Most companies do so in some way; we need to have new customers. There's always some attrition. Some customers go away. So how do we keep them? We do what we can. How do we get new customers? For him, it was advertising, primarily on Facebook. He did some Google ads as well, but Facebook is really where he was focused. So how did he do all of that? Here's the bottom line: if you are going to be advertising on Facebook, you have to have an advertising account. The same thing's true for Google. And then, on that account, you tie in either your bank account or your credit card. I recommend a credit card so that those transactions can be backed up. And on top of all of that now, of course, you have to use a pixel. So the way the tracking works is there are pixels on websites; I've talked about those already. And the bottom line with the pixels: those are also cookies; really, the pixels are used to set a cookie so that Facebook knows what sites you've gone to. So he uses those. I use those. In fact, if you go to my website, I have a Facebook pixel that gets set. And the reason for all of that is so that we know who'd be interested in something on the site. So I know that there are many people interested in this page or that page. And so I could, I have not ever, but I could now do some advertising. I could send ads to you so that if you were looking at something particular, you'd see ads related to that, which I've always said is the right way to go.
If I'm looking to buy a pickup truck, I love to see ads for different pickup trucks, but if I don't want a car or truck, I don't want to see the ads. It isn't like TV, where it sometimes seems every other ad is about a car or a pickup truck. It drives me crazy because it's a waste of their money advertising to me. After all, I don't want those things. And it's not only just annoying and money-wasting; there are better ways to do targeting. And that's what the whole online thing is. Anyways, I told you about that because he had set up this pixel years ago. Basically, the Facebook pixel gets to know you, all of the people who like you that might've bought from you, because you can have that pixel track people through your site, your purchase site; they know what you purchase in the shopping cart, et cetera. And you can identify these people over on Facebook in their ads because they abandoned the cart, or whatever it is you want to do there. So there's just a whole ton of stuff that you can do for these people. And it's so bad. It is so valuable. It takes years to build up that account, years to put that pixel in place. And our friend here, he had done precisely that. Then he found that his account had been compromised. And that is a terrible thing in this case because the bad guy used his account to place ads. So now there are really two or three problems here. We'll talk about one of them. Why was the bad guy going after him? He has been running ads on Facebook for a long time. So as far as Facebook is concerned, his account is credible. All of the ads he runs don't have to be reviewed by a human being. They can go up almost immediately. He doesn't have to wait days for some of these things to go up. So our bad guy can get an account like his that has years' worth of advertising credibility and now start advertising things that are not correct. So there again is part of the value of having one of these older accounts for advertising.
And so the bad guy did that: used his credibility. And then secondly, he used 25 grand worth of my friend's money to run ads. Also, of course, very bad, very bad. So I sat down with him. In fact, it was this last week, and I was out on a trip, just a vacation trip. It was absolutely fantastic. I never just do vacation. It's always business plus work whenever I do anything like this, but I was on a trip last week. And so my eldest son, who works closely with me, and he's also part of the FBI InfraGard program, so I had him reach out to my friend, and he helped him out, and they talked back and forth. So here's the problem that he has. And I'm trying to figure out a perfect way to solve this. And I haven't figured that out yet. And if you guys have an idea, because you are the best and brightest, you really are, so go ahead and drop me an email at me@craigpeterson.com if you have a good way around this particular problem, which is: he has this Facebook ad account and many other accounts, including his website hosting account, email account, et cetera. And he has people who manage his ads for him, who operate his website for him, who put up some promotions, advertising, and everything else. So these are third parties. This is what we generically call a supply chain risk: people who are not him have access to his stuff, his private property. And how does he do it, or how did he do it? He went ahead and gave them access by giving them accounts or passwords. How well were they guarding their passwords and their accounts? So the first thing I had my friend do was go to haveibeenpwned.com. I had him put in his email address, the one he uses the most, and it showed up in five different hacks, data dumps. So these are five various sites where he had used that same email address in this case. And he found out that in those five cases, the bad guys got his passwords and personal information. All bad. And he went ahead and cleaned it up.
So I said put in the password, because Have I Been Pwned also lets you check your password, just to see if it has been used by someone else and then stolen. So there are billions of passwords in this database. It's incredible, all of these known passwords. So he put in his password, and no, it had not been stolen, but the problem is, how about the people that were managing his ads on Facebook and managing his Facebook ad account? Were the usernames, which are typically the email addresses, and the passwords kept securely? That's the supply chain thing I'm talking about, and that's where I'd love to get help for him from you guys, me@craigpeterson.com, if you think you have a good answer. What we've been doing, and our advice to him, was use 1Password. That's the only one to use. I don't trust LastPass anymore, after their last big hack where they got hacked. 1Password, the digit one, Password. Go ahead and set it up. And in a business scenario, you can have multiple vaults. So have a vault that's just for people that are dealing with your Facebook ad account; maybe have another vault for people who are posting for you on Facebook. Or better yet, when it comes to Facebook, go ahead and have an intermediary that is trusted, like If This Then That, or there are a few of them out there, that can see that you put the post up on the website and automatically post it on Facebook. So you don't have to give all of these people your passwords, but again, it's up to you. You've got to figure out if that makes sense to you. Those are the types of things that I think you can do. And that is what we do as well. Now, one of the beauties of using 1Password like that, where you're not sharing all of your passwords to everything, you're sharing the minimum amount of login information that you possibly can share, is that if they leave your employ, all you have to do is remove their access to the appropriate vault or vaults, or maybe all of your vaults.
And this is what I've done with people that worked for me in the US and people who work for me overseas, and there have been a lot of them, and it has worked quite well for me. So with 1Password, we can enforce password integrity. We can make sure the passwords aren't stolen. 1Password ties automatically into Have I Been Pwned: if a password has been exposed, if it's been stolen online, it's a great way to go. Now I've got an offer for you guys who are listening. I have a special report that I've sold before on passwords, and it goes through and talks about 1Password. It talks about LastPass, which I'm no longer really recommending, but gives some comparisons and how you can use these things. Make sure you go and email me right now. Me, me@craigpeterson.com. That's ME at Craig Peterson dot com, and just ask me for the password special report, and I'll be glad to get that on off to you. There is a lot of good detail in there, and it helps you, whether you're a home user or a business. So the next step in your security is multi-factor authentication. There's an interesting study out saying that about 75% of people say that they've used it for work or for business, but the hard numbers, I don't think they agree. One of the things that you have to do is use good passwords. And the best way to do that is to use a password manager. I was talking about a friend of mine who had been hacked this last week; his account was hacked. His Facebook ad account was hacked. We asked him if we could reach out to the FBI, and he said, sure. So we checked with the FBI, and they're looking to turn this into a case, a real case, because they've never seen this type of thing, the hijacking of an advertising account. Who hijacked it? And why did they hijack it? Was this in preparation maybe for playing around with manipulating our next election cycle coming up? There could be a lot of things that they're planning on doing, and taking over my friend's account would be a great way to have done it.
So maybe they're going to do other things here. And our friends at the FBI are looking into it. How now do you also keep your data safe? Easily, simply. When we're talking about these types of accounts, the thing to look at is known as two-factor authentication or multi-factor authentication. You see, my friend, if he had been using multi-factor authentication, would not have been vulnerable. Even if the bad guys had his username, email address and his password, they still would not be able to log in without having that little six-digit code. That's the best way to do multi-factor authentication. When we're talking about this code, whether it's four or 5, 6, 8 digits long, we should not be using our cell phones to receive those. At least not as text messages; those have a problem because our phone numbers can be stolen from us, and they are stolen from us. So if we're a real target, in other words, they're going after you, Joe Smith, and they know you have some $2 million in your account, so they're going after you, while they can, in most cases, take control of your phone. Now you might not know it, and it doesn't have to be hacked. All they have to do is have the phone company move your phone number to a new phone. Once. So that means one of the things you need to do is contact your telephone vendor, whoever it is who's providing you that service. That's a company like Verizon, Sprint, T-Mobile, AT&T, one of those companies that are giving you cell service. You have to contact them and set up a password. So that if they have a phone call coming in, and that phone call can be faked so it looks like it's coming from your phone, even if there was a phone call coming in, whether it's coming from your phone or not, they have to get that password or passcode that you gave them. And once they have that passcode, now, that's great, but if you don't have that in there and they're targeting you specifically, then you're in trouble.
So for many of us, really, it may not make a huge difference. But I would do it anyways. I have done it with every one of my cell phone carriers now for a couple of decades: set up a password. So the next step is this multi-factor authentication. If I'm not supposed to get it via text message to my phone, how do I get it? There are a couple of apps out there. There's a free one called Google Authenticator. And Google Authenticator runs on your phone. And once it's there on your phone and you are setting it up on a website, so Facebook, for instance, your bank, most websites out there, the bigger ones, all you have to do is say, I want to set up multi-factor authentication, and then it'll ask you, okay, so how do you want to do it? And you can say, I want an app, and they will display a QR code. That's one of those square codes with a bunch of little lines inside of it. You've seen QR codes before; they've become very common. And you take your phone with the Google Authenticator app and take a picture of that little QR code on the screen, and now it will start syncing up so that every 30 seconds Google Authenticator on your phone will change that number. So when you need to log back into that website, it's going to ask you for the code. You just pull up Google Authenticator and there's the code. So that's the free way to do it. And not necessarily the easiest way to. Again, going back to 1Password. I use this thing exclusively. It is phenomenal for keeping my passwords, keeping them all straight, in an encrypted vault, actually in multiple encrypted vaults, so that I can share some of them. Some of them are just strictly private, but it also has that same authenticator functionality built right into it. Microsoft has its own authenticator, but you can tell Microsoft that you want to use the standard authenticator. Of course, Microsoft has to do everything differently. But you can tell it.
And I do tell it, I want to use a regular authenticator app, not Microsoft Authenticator. By the way, that's why I advise you: don't use the Microsoft Authenticator, just use one authenticator for all of the sites, and then Microsoft will give you that same QR code. And then you can take that picture and you're off and running. Next time you log in, it asks you for the code, and instead of texting it to your phone, smart or otherwise, it will not; that will require you to open up your authenticator. So for me, for instance, when I'm logging into a website, it comes up and asks for the username, asks for the password. Both of those are filled out automatically by 1Password for me. And then it asks for that code, that identification code, and 1Password automatically puts it into my paste buffer, copy-paste buffer, and I just paste it in and they've got the code. So I don't have to remember the codes. I don't remember passwords. I don't have to remember usernames or email addresses. 1Password remembers them all for me. Plus it'll remember notes and other things. So you can tell, I really like 1Password. We use it with all of our clients. That's what we have for them. And it does meet even a lot of these DoD requirements on top of it. Depending again on how much security you need, we will use Duo, D-U-O, and it also has this authenticator functionality, and we will also use YubiKeys. These are those hardware keys. Duo can provide you with hardware tokens. Those are those little tokens that can go onto your key ring that show a changing six-digit number every 30 seconds. And that's the same number that would be there in your smartphone app, your 1Password or Google Authenticator smartphone app. Hopefully, I didn't confuse you too much. I think most of the reason we're not using the security we should is because we're not sure how to, and we don't know what we're going to be. And I can see that being a big problem.
So if you have questions about any of this, if you would like a copy of my password security special report, just send an email to me, me@craigpeterson.com. That's me, M-E at craigpeterson.com. That's S-O-N dot com. I'll be glad to send it to you. Also, if you sign up for my newsletter there on my website at craigpeterson.com, you are going to get a whole little series of the special reports to help you out, get you going. And then every week I send out a little bit of training and all of my articles for the week. It's usually six to 10 articles that I consider to be important so that you know what's going on in the cybersecurity world, so you can deal with it for yourself, for your family, for your business. craigpeterson.com. According to researchers, 32% of teen girls said that when they felt bad about their bodies, Instagram made them feel worse. And you know what? Facebook knew and knows Instagram is toxic for teen girls. There's a great article that came out in the Wall Street Journal. And I'm going to read just a little bit here from some of the quotes first. "When I went on Instagram, all I saw were images of chiseled bodies, perfect abs and women doing 100 burpees in 10 minutes," said Ms., now 18, who lives in Western Virginia. Amazing, isn't it? The one that I opened with now: 32% of teen girls said that when they felt bad about their bodies, Instagram made them feel worse. So that is studies again; that looks like, yeah, these were researchers inside Instagram, and they said this in a March 2020 slide presentation that was posted to Facebook's internal message board that was reviewed by the Wall Street Journal, quote, "comparisons on Instagram can change how young women view and describe themselves." Apparently, for the past three years, Facebook has been conducting studies into how Instagram is affecting its millions of young users. Now, for those of you who don't know what Instagram is, it allows these users to create little stories, to have
pictures, videos of things that they're doing, and it's a lifestyle type thing. You might've heard, of course, of how this, I don't know what it is, kidnapping, murder plot, this young couple, and the body I think was found up in Wyoming. I'm trying to remember, but of her, and it's, yeah, there it is. It was in Wyoming. And I'm looking it up right now, Gabby Petito. That's who it is. She was what they called a micro influencer. And I know a lot of people who, you know, that's what they want to be. There's a young lady that stayed with us for a few months. She had no other place to live. And so we invited her in here, and we've got some interesting stories to tell about that experience. And it's a little sad, but anyhow, she got back up on her feet, and then she decided she was going to become an influencer. And what an influencer is, is someone that has a lot of followers. And of course, a lot means different numbers. You get these massive influencers that have tens of millions of people that quote, follow, unquote, them. And of course, just think of the Kardashians; they're famous for being famous, nothing else. They have subsequently done some pretty amazing things. At least a few of them have. We've got one of those daughters who now was the first, earliest billionaire, I think it was, ever, youngest. So they have accomplished some amazing things after the fact, but they got started by just becoming famous by posting on these social media sites. So you get a micro-influencer, like Gabby Petito, who is out there posting things and pictures. And you look at all of these pictures and, oh my gosh, they're up at this national park. Oh, isn't she so cute? Oh, look at her boyfriend. They look so good together, and people fall for that image, right? It's just like Photoshopping these pictures of models, changing them. There've been some real complaints about those over the years. So Instagram sets these kids up with these pictures of people that are just totally unrealistic.
One of the slides from a 2019 presentation says, quote, "We make body," excuse me, "We make body image issues worse for one in three teenage girls." "Teens blame Instagram for increases in the rate of anxiety and depression," said another slide. "This reaction was unprompted and consistent across groups." Among teens, this is according to the Wall Street Journal, who reported suicidal thoughts, 13% of British users and 6% of American users traced the desire to kill themselves to Instagram. Again, according to one of these presentations. Isn't this just absolutely amazing? And you might've heard it discussed a little bit. I saw some articles about it, obviously in the news; the Wall Street Journal had it, but this is a $100 billion company, Instagram. That's what their annual revenues are. More than 40% of Instagram users are 22 years old and younger. And about 22 million teens log into Instagram in the US each day, compared with 5 million that log into Facebook. The younger users have been declining on Facebook; the population there is getting older and older on Facebook. On average, teens in the US spend 50% more time on Instagram than they do on Facebook. And also TikTok, by the way; TikTok has now surpassed YouTube in some of these metrics. Quote, "Instagram is well-positioned to resonate and win with young people," said a researcher's slide posted internally inside Facebook. Another post said there is a path to growth if Instagram can continue their trajectory. Amazing. So Facebook's public face has really tried to downplay all of these negative effects that the Instagram app has on teens, particularly girls, and hasn't made its research public or available to academics or lawmakers who have asked for it. Quote, "The research that we've seen is that using social apps to connect with other people can have positive mental health benefits," said Mark Zuckerberg. He's the CEO, of course, of Facebook. Now this was 2021,
in March, at a congressional hearing, where he was asked about children and mental health. So you see how he really lawyered the words: that they can have positive mental health benefits, but Facebook's own internal research seems to show that they know it has a profound negative effect on a large percentage of their users. Instagram head Adam Mosseri told reporters in May of this year that research he had seen suggests the app's effect on teens' wellbeing is likely, quote, "quite small." So what the Wall Street Journal seems to be pointing out here is that Facebook is not giving us the truth on any of this stuff. It's really sad. We've got to be careful. Now, apparently Mr. Mosseri also said that he's been pushing very hard for Facebook to really take their responsibilities more broadly. He says they're proud of this research. I'm just summarizing this before we run out of time here, but it shows, the documents, internal documents on Facebook, show that they are having a major impact on teen mental health, political discourse, and even human trafficking. This internal research offers an unparalleled picture, Courtney told the Wall Street Journal, of how Facebook is acutely aware that the products and systems central to its business success routinely fail. Great article. I've got it in this week's newsletter. You can just open it up and click through on the link to the Wall Street Journal. They have a paywall, and I hate to use paywalled articles, but this one's well worth it. And they do give you some free articles every month. So if you're not on that newsletter, you can sign up right now. craigpeterson.com. You'll get the next one. If you miss a link today, if you want the special report on passwords, et cetera, just email me directly. Give me a few days to respond. But me, me@craigpeterson.com. That's me, M-E at craigpeterson.com. We've all worked from home from time to time.
At least if we're somehow in the information, IT, industry. I want to talk right now about why you need a personal laptop, even if the business is providing you with a laptop. Laptops are something that was designed to be personal, but many of us are using them as our main computer. I know I often am using my laptop; for a couple of my kids and my wife, it's really their main computer, even though they all have other computers that they could potentially be using. Laptops are just handy, and you have them with you; you can take them with you. We've got workstations set up that are kind of workstations, if you will, where there are three screens set up, and they're all hooked up into one central screen controller that then has a USB-C connection that goes right into your laptop. So you can be sitting there with four screens on your Mac laptop, on your Mac Pro, if you need four screens; it's really handy. No question. Many of us have a laptop for home and a laptop for business. And many of us also look at it and say, oh wow, this is a great laptop I got from work. It's much better than my home laptop. And you start to use the business laptop for work at home. Okay. That's what it's for. Right. But then we start to use that business laptop for personal stuff. That's where the problems start. We've seen surveys out there that have shown that half of workers are using work-issued devices for personal tasks. They might be doing it at home; they might be doing it at the office. Things like personal messages, shopping online, social media, reading the news. So the prospect of using your work laptop as your only laptop, not just for work, but also for maybe watching some movies, group chat and messaging, reading fan fiction, paying bills, emailing family or friends, it just seems... It's so tempting. It's just natural. I'm on it. I'm on it all day long. Why wouldn't I just use it?
And this is particularly true for people who are working from home, but we have to be careful with that. It's really something that you shouldn't be doing, for a couple of reasons. One: that laptop, that's a business laptop, is the property of the business. It's just like walking home with boxes full of pencils and paper back in the old days; it is not yours to use for personal use. We also have to assume, since it is the company's laptop, that hopefully it's been secured. Hopefully they have it set up so it's going through a special VPN at the office, and it's going through special filters, maybe Snort filters or something else, that's doing some deeper inspection on what's coming through your laptop. Well, there are also likely, on that laptop, tools that are monitoring your device. Things like key loggers, biometric tracking, geolocation software, software that tracks your web browser and social media behavior, screenshot, snapshot software; maybe even your cam is being used to keep track of you. I know a number of the websites that I've used in the past to hire temporary workers; those workers have to agree to have you monitor what they're doing. These hourly workers, it'll take screenshots of their screen, unbeknownst to them, pictures from the cameras at random intervals, again, unbeknownst to them; it'll track what they're doing. And so I can now go in and say, okay, well he billed me five hours for doing this. And I look at his screen and guess what? He wasn't doing that for all of those five hours that he just billed me. Well, the same thing could be true for your company, even if you're not paid by the hour. Right now, we're looking at stats that show over half of the businesses that are providing laptops for the employees to use, more than half of them are using monitoring software. And through this whole lockdown, the usage of these different types of monitoring systems has grown. Now, there's some of the programs you're using.
You might be VPNing in; you might be using Slack or G Suite Enterprise, all good little pieces of software. They can monitor that, obviously, but it goes all the way through to the business. And using your Slack access, as paid for by the business, is also idiotic to do things like send messages to your buddies, set up drinks after work, complain to other people about someone else in the business, your boss or otherwise. Your IT people at the business can see all of that. They can see what you're doing with Slack. Even if you have a separate personal account, it's still more likely that you'll end up mixing them up if you're logged into both on the same computer. So the bottom line is, if you are on a work computer, whether it's a laptop or something else, you can reasonably assume that IT can see everything. That's not all. They own it. Okay. And they have to do some of this stuff to protect themselves. We put software on laptops for companies not to spy on employees. That's none of our business, but we put software on computers for employees to make sure they stay safe. Think of what happens when your computer, your laptop, whatever it might be, connects to the company's network. Now that can be through a VPN. It can be because you take your laptop home or on the road when you're traveling, and you bring it back into the office. If that computer is infected somehow, now you've brought that infection into the office. And that's how a lot of the malware works. It goes from computer to computer. So once they get in that front door, whether it's through a website, an email that you clicked on, or a computer that you're bringing into the office, they can start to move around. Now it's not just your activity. And this is an interesting article from The Verge by Monica Chin.
It's not just your activity that they can see on your laptop, but in many cases they're also able to look at anything you're downloading, any of your photographs or videos that you might have synced up from your smartphone. Loading these types of things, your text messages, onto your work device for safekeeping, or just because it's your primary device, might seem harmless, right? Because you're just going to remove them before you hand it in. But some companies, such as Apple, won't allow you to wipe your device before handing it in, regardless of how personal the contents are. And that makes sense too, because many times an employee leaves and they don't give the company all of the information that they have and that they're obliged to give back to their employer: things that they've been working on, customer information, et cetera. So, man alive, there are plenty of other devices out there. Hopefully, if you leave your company with plenty of notice, moving a bunch of things off your work device in the last few days might raise some eyebrows at the company. And I'm saying hopefully because they should notice that sort of thing, because it could be malicious activity. It could be an insider risk that maybe they're not even aware of. There's so much that could go wrong here. So, bottom line: don't use the work laptop for home. So what should you use? You know, my personal recommendation almost always is to get a Mac. They are safer to use, and the patches that they get are usually not destructive. You know, sometimes you can install a patch for Windows and now your machine just won't work anymore. Right? You've had that happen. I know every last one of us out there who has tried to install Microsoft patches for a while has had that happen to them. All of a sudden the patch has completely messed up your computer and you are so out of luck; it's ridiculous, right? So don't, you know, hopefully don't do that, but I like the Macs because they are basically safer than Windows.
And also because the patches just work on them; Apple tends to get them out in plenty of time to try and protect us. The next level, if you can't afford an Apple (and Apple laptops really are not expensive when you consider how long they last and the quality of the components; they are not expensive at all), but if you can't afford that, the next thing I would look at is getting a Chromebook. There are a lot of companies that make Chromebooks. Chrome OS is an operating system from Google. It's similar to Android. Google keeps the Chromebooks up to date. They patch them quite regularly and make sure that there isn't nastiness going on. You just have some of the same issues Android has: patches might take a while to get to you, because they have to go through the vendor that made the Chromebook. You might have a Chromebook from Samsung, for instance; it's not Google's, even though it's called a Google Chromebook. Now, Chromebooks rely heavily on the cloud services that Google provides, but they can also run just locally. So with a Chromebook (and you can get them for as little as 150 bucks, but remember, you get what you pay for, or for as much as I've seen them in the $2,000 price range with fancy GPUs, local storage and other things), at 150 bucks it could be well worth it for you. It lets you do the regular word processing. Just think of what you can do with Google Docs, spreadsheets; all of those types of things are built into it. You can cruise the web, obviously, using Google Chrome on your Chromebook, and send and receive email, which is what most people do. That's really kind of all most people do at home. So consider that as well. I also like iPads. They are quite safe again, but they tend to be more expensive, and they can do pretty much everything. And now with Android support built right into Google Chromebooks, you can even run Android apps. So there you go. Keep safe and be safe out there, right? Have a hack-free life.
Make sure you get my newsletter: craigpeterson.com/subscribe. The national cyber director, Chris Inglis, said that we need cyber bullets, that cyber bullets are part of the war on hacks. And it makes sense on one level. But when you get into the reality, it's a much different story. I had an interesting email this week from a listener. Actually, he sent it about two weeks ago, and I finally was able to get to it this week and responded. And he was pointing out how there are some things that I talk about on the show and that I put into my newsletter that are really good, and (I'm paraphrasing here) are theoretical to so many people. There are some things that you can figure out pretty easily yourself, some things you can do yourself, and other things that are just difficult to do still. And a lot of that has to do with the websites you go to in order to maintain your passwords. And he was complaining specifically about Bank of America and how you can, according to what he has found here in the real world, come up with a password, a 20-character-long password that is going to keep everything nice and safe, and it tends to be generated, you're using 1Password, and great. So you set your password up in your Bank of America account, and then you try and log in later, and it doesn't work. Because it lets you put in 20-character passwords when you're creating it, yeah, but the login screen only takes the first 16. So of course they don't match. You see, it's things like that that really are pushing us back, holding us back (but I'd say pushing us back) from being secure as a country. There just aren't enough people paying enough attention to make sure this cybersecurity, even the basic stuff like passwords and two-factor authentication, is being done properly.
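The sign-up versus login mismatch he describes, as an added example that is not code from the show or from Bank of America: a constructed Python account store where the sign-up form accepts 20 characters but the login field silently keeps the first 16, beside a login path that applies the same limit on both sides. The class and function names (`Accounts`, `check_policy_consistency`) and the 16/20 limits as constants are my assumptions.

```python
# Added example (not code from the show): a constructed account store that
# reproduces the sign-up/login mismatch described above. The sign-up form
# accepts up to SIGNUP_MAX characters; the buggy login path silently keeps
# only the first LOGIN_FIELD_MAX before hashing, so a 20-character password
# set at sign-up can never log in. The fixed path applies one limit on both
# sides and rejects, rather than trims, anything longer.
import hashlib
import hmac
import secrets

SIGNUP_MAX = 20       # limit enforced by the account-creation form (assumed)
LOGIN_FIELD_MAX = 16  # limit silently applied by the buggy login field (assumed)

PBKDF2_ITERATIONS = 50_000
_DUMMY_SALT = bytes(16)


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the password exactly as the user typed it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS)


class Accounts:
    """Minimal user store: username -> (salt, password hash)."""

    def __init__(self) -> None:
        self._store = {}

    def register(self, user: str, password: str) -> None:
        if not 1 <= len(password) <= SIGNUP_MAX:
            raise ValueError(f"password must be 1..{SIGNUP_MAX} characters")
        salt = secrets.token_bytes(16)
        self._store[user] = (salt, _hash(password, salt))

    def _verify(self, user: str, password: str) -> bool:
        record = self._store.get(user)
        if record is None:
            _hash(password, _DUMMY_SALT)   # keep timing similar for unknown users
            return False
        salt, stored = record
        return hmac.compare_digest(stored, _hash(password, salt))

    def login_truncating(self, user: str, password: str) -> bool:
        """Buggy login: the field keeps only the first 16 characters, so the
        hash never matches what sign-up stored for a longer password."""
        return self._verify(user, password[:LOGIN_FIELD_MAX])

    def login_consistent(self, user: str, password: str) -> bool:
        """Fixed login: same limit as sign-up, and over-long input is rejected
        outright instead of being silently shortened."""
        if len(password) > SIGNUP_MAX:
            return False
        return self._verify(user, password)


def check_policy_consistency(login) -> bool:
    """Pre-release check: create a throwaway account with a maximum-length
    password and confirm the given login path accepts it. Returns True when
    sign-up and login agree on the password they hash."""
    accounts = Accounts()
    # Constructed probe: 20 distinct characters, so any truncation changes it.
    probe = "".join(chr(ord("a") + i) for i in range(SIGNUP_MAX))
    accounts.register("probe-user", probe)
    return login(accounts, "probe-user", probe)


if __name__ == "__main__":
    print("truncating login consistent:", check_policy_consistency(Accounts.login_truncating))
    print("fixed login consistent:     ", check_policy_consistency(Accounts.login_consistent))
```

The check is the kind of thing a site's own release tests should cover: any password the sign-up form accepts must be accepted unchanged by the login form.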
So one of the things I wanted to make sure you guys were aware of is that I need to know when you're having these problems, because what I want to do is put together some trainings to show you exactly how to do it. Because on some websites, he was saying, it's pretty hard to use 1Password. He's paying for it, but it's kind of difficult for him, and I think in some ways there's a lack of understanding. Then it can be difficult to spend a bunch of time trying to watch some training videos for some of the software. And so I want to hear when you're having problems, so I can do what I did for him this week and spend a little time, write some stuff up; and I even am reaching out to some of these website people, like Bank of America, who are really messing up cybersecurity for people who are trying to do the right thing, and writing them and saying, Hey, listen, I'm part of the FBI InfraGard program. I'm a member of it. I pay a lot of attention to cybersecurity. Heck, I ran the training for the FBI InfraGard program for a couple of years, and there are some real things lacking in the login, anyway, in this one particular case, of the cybersecurity. But I don't know all of this stuff. I'm not using all of these things, and I have a disadvantage compared to you guys, and that is that I've been doing this for so long I've forgotten what it's like to not know it. Does that make sense? So if you have something that I've talked about on the show, that's appeared in my newsletter, and you're having some confusion over it, let me know. Just email me: me@craigpeterson.com. What he did is he just hit reply to my newsletter. And of course that goes to me, at me@craigpeterson.com, and it tracks it so I know I need to reply, so I can sit down and go through and answer people's questions. I sent out a lot of copies of my password special report to people; you guys had requested it. Specifically, some of the people out there had requested a little bit of help.
And I had sent out an email to most of the people that I could identify as being business people. I sent out a little thing saying, Hey, listen, if you could use a half hour of my help, let me know, myself or my team. And then, again, you can just send me an email. So I answered a lot of those questions this week. And in fact, that's how I come up with much of what I cover here on the show. You guys ask the questions, and that's how I know that it's a real problem. If I understand it, that's one thing. But for the people who don't do cybersecurity as their primary job or as a strategy, I get it. I can get why you guys are confused. So make sure you get my weekly newsletter, so you can find out about all of the trainings, the free stuff, the paid courses, and more. It's easy. Just go to craigpeterson.com/subscribe. That's Craig Peterson, P-E-T-E-R-S-O-N, craigpeterson.com/subscribe. And I'm more than glad to add you to that list. And there are now thousands of people on that list who get my email pretty much every week. If you miss it one week, it's probably because I just got too busy, but I put out all my show notes, I put in a little bit of training notes, all of it. The US government is supposedly getting ready to fire what they're calling cyber bullets in response to these significant hacking attacks. This is what they're calling a comprehensive strategy to dissuade adversaries. And this is all from the national cyber security director, Chris Inglis. This is from an article on americanmilitarynews.com by Chris Strohm that was out this week. And of course I included that in my newsletter this week as well, coming out today or tomorrow; depends on how this all goes, right, with the weekend. I've got to help a buddy out today. But President Joe Biden has been really talking about how we use cyber weapons to retaliate. For instance, he gave a list of industries that Russia should not be attacking, as though Putin himself is running all of these hacks that come out of Russia.
Yeah, certainly there are some that are part of their military, but there are many of them that are just bad guys trying to make some money; we should feel sorry for them. So Biden gives him this list and says, Hey, listen, if you attack any of these various industries, or actually portions of our economy, we are going to retaliate. We have seen the US retaliate under President Trump, and the retaliation, of course: he did all kinds of economic stuff to stop it, much of which has been reversed by President Biden's administration, but he also attacked them directly and shut down some power systems there in the Moscow area, which I thought was really kind of cool. So kudos to President Trump for doing that, and to President Biden now for saying, Hey, we are going to attack back. Of course, the biggest question is: what would we be attacking? How would we be attacking it? And for what reason? For instance, the Red Chinese went after our Office of Personnel Management, OPM, records and got them all back in 2015. So they now know everything about everybody that had a secret security clearance or took a paycheck from the federal government. All of those records, they got their hands on them, and got them on all of the records, a lot. So Inglis was in front of, let's see here, the, yeah, he was a former director of the National Security Agency. He's the first to hold this Senate-confirmed position at the White House, this national cyber director position. And he says there is a sense that we can perhaps fire some cyber bullets and shoot our way out of this, Inglis said at the conference. It was hosted, by the way, by the National Security Agency and a nonprofit group. He said that will be useful in certain circumstances: if you had a clear shot at a cyber aggressor and I can take them offline, I would advise that we do so, as long as the collateral effects are acceptable. Yeah.
What we have done here under President Biden's administration is we have shut down some people who were operating illegally; we have shut down some cyber actors that were attacking us. So we've been doing that, but it isn't exactly, wow, we just saw a muzzle flash over there, and so we are returning fire to the area of that muzzle flash, because, as I've said many times before, we just don't know where in fact that bullet is coming from. It makes it a lot more difficult. Inglis went on to say there's a larger set of initiatives that have to be undertaken; not one of those elements is going to be sufficient to take this out. Let's see here: the US should make clear to Russia and other adversaries what kinds of attacks would prompt a response, which is what President Biden did when he was talking, of course, with President Putin over there. Red lines are both good and bad. Red lines are clear and crisp, although I've got to say many of our administrations haven't really done anything about them. There was the red line in the sand in Syria; President Obama didn't do anything when they stepped over that red line. So, yeah. And then with what we just finished doing in Afghanistan, where we drew a red line and said we're going to protect all of you who helped us, and then we not only abandoned them, but we abandoned Americans behind there. I think a lot of people aren't going to believe us. So here's the last statement here. And again, this is from an article in American Military News from our cyber chief: the government's actions aren't always going to be broadcast. In some cases, it's not helpful to broadcast those for all of mankind to see. Another one: we are doing some things behind the scenes. And I have certainly seen some of the results of those over the last few years. Stick around. You're listening to Craig Peterson, online at craigpeterson.com. You've got a smartphone, and there are some new versions out, right? New hardware, new software, Android, iOS.
How long should you keep that device? How long can you stay safe with that older device? Apple has now done something different, something they've never done before. One of the reasons that Apple equipment tends to be safer than almost anything else out there is that they have what's known as a closed ecosystem. There are arguments in both directions here on whether that's safer or not. But the real advantage when it comes to cybersecurity is there are only so many versions of the iPhone out there. What are we at now, a couple of dozen versions of the hardware platform? That makes it easier for Apple to be able to support older versions of the software and multiple pieces of hardware, much easier than for, let's say, Microsoft Windows, which doesn't even have a single platform, or Android, where there are hundreds of hardware platforms out there and tens of thousands of versions of the hardware, because one model of phone can contain many changes, different types of hardware to talk to the cell towers or the screen, you name it. So it's very hard to keep up. Android has for quite a while now supported three versions of their operating system. Of course, we're talking about Google, but the Android operating system. So they support the current release of Android and the previous release, two previous releases in fact, of Android. Now, that is frankly a pretty good thing to know, but there's over a billion Android devices out there that are no longer supported by security updates. We've got Android 10, 9 and 8 that are fairly supported right now. We're actually up to Android 12. So here's how it works. If you've got Android version 10 out, if that's the main one, then you can continue to run 8 and 9 and get updates, security updates. But then here's the problem, everybody: those security updates are coming out of Google, but that does not mean that they are making it all the way to you. So there you go.
It's one thing for Google to provide updates, but if you can't get them because your phone manufacturer is not supporting them, you've got trouble. Samsung is probably the best company, other than maybe Google and the Google Pixel phone; Samsung's the best company to go to if you want some longer-term support. Many of these other companies just don't provide support past the current version. So keep that in mind as well. Android 12 was the 12th major version of Android, announced by Google in February 2021, and it is starting to roll out. Android 11 is the one that was out in February of last year; at least, it was announced then. And they're coming out, they're getting pushed out. So basically Google is saying the current version plus two prior versions. And that usually gives you about a four or maybe even a five-year window. So if you're on an Android device from a major manufacturer, particularly Samsung on the Android side, your device is going to be good for at least four years, maybe five years. And by the way, you don't necessarily have to upgrade the OS. You could be continuing to run an older release. So, as I mentioned earlier, if version 11 is the current one that's out there being supported, which it is, right (12 is early still), then with version 11 that means two prior versions still get security updates. You don't get feature updates, you don't get the new stuff, but you get security updates. So with Android 11 the current one, that means 10 and 9 get security updates. So you're not being forced to do an upgrade. Most people don't upgrade their phones from an older major release to a newer major release. In other words, they don't try and go from Android 8 to Android 11, because, in fact, most of the time the hardware manufacturer doesn't support it. That's why there's over a billion Android devices out there right now that cannot get security updates. So have a look at your phone and your vendor.
See what you're running. You probably want to do an update, because most phones cannot get any support on the older versions. On the Apple side, things are a lot different with Apple iOS, which is the operating system used on the iPhone and the iPad. Apple has always forced you to move to the next major version. Now, they only force you to do that if they support the hardware. And I've got to say kudos to them: they're still supporting the iPhone 6S, which came out quite a while ago. The iPhone 6S is something that my wife has been using and that I had as well. In fact, she got my old iPhone 6S, but that's a six-year-old phone; it came out in September of 2015. So it is still getting security updates, and will probably continue to get them. Not only is it getting security updates, this six-year-old iPhone 6S is getting the latest iOS operating system. It's getting iOS 15. Isn't that just amazing? Yeah, exactly. And so not just security updates, like you might get from some of the other vendors out there, the Android vendors. So Apple keeps their arms around you for quite a while. Here's what's changed now with Apple and iOS: for the first time ever in the iOS world, Apple is not forcing you to upgrade. So you're not being forced to upgrade to iOS 15. You can continue to run iOS 14. And that's how Apple's gotten around the security patches in the past, because what happens is you get the updates and it installs them. Basically, there's no reason for you not to upgrade your phone, and so you do. So Apple never had to worry about releasing some of these fixes for really old versions of iOS, although they have done that from time to time. On the macOS side, Apple has done a couple of good things there, where they always have supported basically three releases, what Google's doing with Android. So you now have a new feature, if you will, with iOS. Here's a PSA for everyone, a public service announcement: you don't have to take the iOS 15 upgrade. Now, I did.
I put it on my iPhone and I seem to have some sort of a problem with Messages, where it's telling people that my phone has notifications turned off, which it does not. So I haven't figured that one out yet. I'll have to look into that a little bit more. But this is nice, because that means you're not going to have to upgrade your iPhone to iOS 15. You'll still get security updates for iOS 14, something Apple's never done before. We'll see if they continue this. We will see if they match Google going back three releases in Android. It's just never been done before over on the iOS side. So good news for them. Also, of course, in the Windows world and the Mac world, you really should upgrade the operating system as much as you can. Windows 11, though, man, Windows 11. And I said this in my newsletter, I warned you guys: it's going to be a nightmare for many people. You are not going to be able to do an automatic upgrade unless you have the newest of hardware with the highest end of features. craigpeterson.com. One of the very big ransomware operations is back online, and now we have some inside information from one of the contractors working for this ransomware organization, and oh yeah, there's an FBI tie too. This organization, ransomware gang, almost a business, whatever you might want to describe them as, is known as REvil. They have a few other names, but that's the really big one. And they are basically the 800-pound gorilla in the ransomware business. You might be using cloud services right now. Maybe you use Microsoft's email service, their Microsoft 360, I think, is what they call it now, and use it for email and various other things. Pretty handy. It's mostly in the cloud, not on computers you own or operate or have to maintain. I think that makes some sense too, but here's the bottom line: it's software as a service right now. salesforce.com, software as a service; Oracle has their accounting stuff; QuickBooks Online, all software as a service.
It isn't just those legitimate businesses that I just mentioned that are using the cloud, that are providing software as a service, where you're paying monthly or however frequently and you're getting this software as a service. That's what that means. Typically it means it's in the cloud and you don't have any real control over it. That's what this ransomware gang has been doing, this gang known as REvil. They all appear to be in Russia. And there's some interesting stuff that's come out. A transcript was released of an interview with one of their contractors. Now, the original interview was in Russian, so I read through a translation of the Russian. I have no idea how good it is, but it is being quoted by a banking insider magazine that you might be familiar with, BankInfoSecurity. That's one of the places that I follow. And there's a few interesting things that he talked about that I want to get into. But these are the people who have been behind things like the Colonial Pipeline attack and some of the other very large attacks. The way they work, their business model, is: you can license their software, their ransomware software, and you go after a business or a government agency, whatever it might be; you get that ransomware software inside. And the REvil gang will take a percentage of the money that you bring in in ransom. Now, how is that for an interesting business model, right? Taking something that the rest of the world has been using, and then taking that model and putting it into the illegal side of the world. For three weeks, during this whole REvil ransomware attack this summer, it turns out that the FBI secretly withheld the key that could have been used to decrypt data and computers that REvil had infected with ransomware, and it looks like it could be up to maybe 1,500 networks. Now, those are networks, not just computers. That includes networks run by hospitals, schools and businesses, including critical infrastructure businesses.
The way the FBI got their hands on this decryption key is by penetrating the REvil gang's servers. So they got into it, they were able to grab the keys, and then the FBI waited before they did anything with it. See, what they were trying to do is catch the people behind REvil. And so they didn't want to release information, get information out there to the press, that might tip off those bad guys over there in Russia, and then shut down their operations. But as you might know, because I mentioned it here before, the REvil gang went offline on July 13th, before the FBI could really track them down. And then the FBI didn't release the key until July 21st. And then I think it was Malwarebytes that released a decryption tool, so if you had been hacked by the gang, you could decrypt. Now, remember, it isn't REvil itself that's doing most of the ransomware hacking, if you will, or placement; it's small guys. And that's why some people, including this contractor that apparently worked for the REvil gang itself, say people think that it's the Russian government, that it's Putin, that's doing this. He said, in fact, it's not; it's small guys. And people like me are getting four or five hours of sleep a night, because we're working so hard trying to make the whole of this work, come up with the new software approaches. We have to provide, quote, tech support, unquote, to our affiliates, as well as tech support to the people who have had their computers and their data ransomed. So it's a real interesting mix. Absolutely interesting mix. Now, Christopher Wray here a couple of weeks ago, he's the FBI director, told Congress that, quote, we make these decisions as a group, not unilaterally. According to the FBI, and working with other government agencies, these are complex decisions designed to create maximum impact, and that takes time in going against adversaries, where we have to marshal resources not just around the country, but all over the world.
So this Russian-based gang first appeared in 2019; they've been around, they've been extorting large amounts of money from businesses for a very long time. One of the interesting things, I think, about all of this is that this REvil gang has their software as a service, and they provide it to, quote, affiliates, unquote, that go ahead and then install the software, get you to install it on your computers, in order to ransom you. A double whammy ransom you: there are now reports out there that there's a secret back door in the ransomware's code that allows REvil to go around their affiliates and steal the proceeds. How's that for hilarious? You've got a bad guy who goes in and gets the software from REvil, pays them a commission, and then REvil apparently has been jumping in on these customer support chats. In other words, you just got nailed, and because you got nailed with ransomware, you have to go to a chat room. And so you go in there and you're getting customer support on how to buy Bitcoin and how to transfer it to their wallet. And apparently REvil is getting right in the middle and is extorting money from these people directly, instead of having the affiliates do it. Pretty amazing. So here's part of this interview. It was aired on the Russian news outlet Lenta.ru and was translated by, yeah, Flashpoint. Here are the guys that got the full transcript of the interview. He says: in the normal world, I was called a contractor, doing some tasks for many ransomware collectives that journalists considered to be famous. Money is stolen or extorted with my hands, but I'm not ashamed of it. I do. And again, this goes into the thinking of many of these bad guys: that Americans are all rich and they don't deserve what they have. He said, let's put it this way, this is a very time-consuming job. And if you've earned enough, then you can quit the game. But chronic fatigue, burnout, deadlines:
All of these words from the life of ordinary office workers are also relevant for malware developers. So there you go. You should feel sorry for these malware developers who are developing software to steal millions from you and shut down our critical infrastructure. Hey, join me online, craigpeterson.com. And if you subscribe to my weekly newsletter right there on the site, I'll send you a few of my special reports. The most popular ones will come to you right there in your email box. craigpeterson.com/subscribe. We all pretty much have some form of insurance, and we're going to talk right now about the types of cyber insurance you may have. Now, this might be through your homeowner's policy or perhaps a rider on a business policy. Many of our homeowner's policies have started coming with cyber insurance. So we're going to talk about that. What is it? Businesses as well are also using cyber insurance, and I'm sure you've heard of insurance basically called LifeLock, and what that's all about. So let's kind of start. When we have a breach in a business, usually what happens is information about our customers is stolen. Look at some of the biggest breaches in history, where we had hundreds of millions of our personal records stolen. The Equifax breach is an example of a huge breach where we had all kinds of personal information that was stolen by the bad guys. Now, some of this information gets stale pretty quickly, but of course other parts of it, like our address, our social security number, are probably not going to change for years, if ever. No, of course, our social security number will never change. The Social Security Administration just doesn't reissue them for very many reasons at all. And they do not reissue a social security number that was stolen online, because just about everybody's has been. So what does a company like LifeLock do? They keep an eye on your credit report for you. And they're looking at what's going on, new accounts that are opened.
They look at various other things, just related to that. And they, at that point, say, wait a minute, something weird is happening. Now, my credit cards, for instance: I have a credit card where, if, let's say, I buy two of the same thing, one after the other, and they're both the same price, that credit card company pops a message right up on my phone saying, Hey, did you just buy two of these $15 things from so-and-so? And I can say yes or no. If I'm out on the road and I am purchasing gas, the credit card can pop up on my phone, and it does, and say, Hey, were you just trying to buy gas at this gas station? Because what'll happen is you use the credit card at the pump, and the pump says it was denied, and then up it pops, and yeah, okay, no, that was me. And they say, okay, we'll try the transaction, okay, and we'll approve it next time. And that's all automated. And that has nothing to do with LifeLock. LifeLock is there to more or less detect that something happened, and if something happened and it was a bad guy and basically your identity was stolen, so they might be trying to buy a Ferrari in your name, or maybe a ten-year-old Ford Focus, whatever it might be, they will help you try and clean it up. That's what they do. So that's why it's cheap. And I don't know that it's terribly useful to you. If you're really concerned, go ahead and do that, but do keep an eye on your credit report. I do as well. My bank has free credit reporting for me; my credit card, same thing, free credit reporting that lets me know everything that's going on. So that's an easy way to tell what's up. And there are different types of cyber insurance beyond this sort of thing, beyond the LifeLocks of the world. And many of us just get our cyber insurance through our homeowner's policy. It's a little rider. And businesses can buy cyber insurance as well. We have cyber insurance that's underwritten by Lloyd's of London, and we provide a $500,000 or million-dollar policy to our clients.
As well, because that's what we do: cybersecurity, right? So the idea is, if one of our clients gets hit, we have some insurance to back us up, but of course we go a lot further. It's almost like LifeLock, where if you do get hit by ransomware or something else, we will help you get back in business. We'll help restore your data. We'll help you by providing the information you need in order to do press releases, which agencies you need to contact, which of your customers you need to contact. And we've got scripts for all of that, so you can send it all out and just take care of it. So the idea is you don't want ransomware, so you hire us. We are extremely likely to keep ransomware out of your systems. And on top of that, if you are hit with ransomware, we restore everything. LifeLock does not do that. Obviously, they'll only do stuff after the fact, and the cyber insurance you buy from an insurance agency is much the same. And there's a huge caveat with these policies that we're buying for our businesses and for our homes, and that is: they have a checklist at the insurance companies. Did you do this and this? And if you did, then they might pay out; if you did not, they may not pay out. In fact, payouts on cyber insurance policies are not known, because, bottom line, they really don't pay out. Okay? I'm looking at some numbers right now about paying ransoms and everything else. You may or may not; you've got to have a look at it. Many of these policies are never paid out by the cyber insurance coverers. They're usually just regular insurance companies, but it's a special rider. And what they do is they say, Hey, listen, you did not follow the rules, so we're not going to pay out. And there are many cases. If you go online and do a search, just use DuckDuckGo and search for "cyber insurance payout lawsuits"; I'm doing that right now, and it'll come up and show: Oh, okay, does it cover lawsuits? Why are liability claims so costly? Yeah, exactly.
A 2% payout is talked about here. "I'm invoicing," the most common cyber insurance claim denial. Yeah, it goes on and on. There are a lot. "Act of war clause could nix cyber insurance payouts." That's another big one that they've tried to use. So the cyber insurance company will say, "Hey, that was China attacking you, therefore it was an act of." And you can bet if there is a big hack, they will use that. Think of what happens with the hurricanes coming onshore. How much do they push back on payouts? Especially with the real big one; it would bankrupt them. So we've got to be very careful. There are some different types of cyber insurance policies, which have different types of coverages. You've got the first-party loss. So that's covering you and your loss, your first-party expenses, third-party liability. Each one of those has specific parameters, so sub-limit, retention and others. First-party losses usually include the loss of revenue due to business interruption. First-party expenses would include all of the services and resources that you needed to use to recover from an attack, like forensic or system-rebuilding services. The third-party liabilities may cover expenses and legal fees related to potential damage caused by the incident to third parties like partners, customers, or employees whose sensitive information may have been compromised. So read them carefully. Be very careful. There are next-generation cyber insurance policies that are going even further and make these types of services available prior to any incident, to reduce exposures and prevent incidents in the first place. Now, we don't provide insurance. We are not an insurance company, but that's basically what we're trying to do here: not become an insurance company, but make sure the businesses have the right services so that the likelihood of anything happening is extremely low.
And then following up after the fact. It's different, obviously, than insurers and insurance. The Guardian's Jessica Crispin had a great article a couple of weeks ago that I've been hanging on to, and it's talking about this tattleware that's been incorporated into the computers we're using at home. Now, we're specifically talking about employers that are putting this software on computers that belong to the companies. A lot of businesses are worried: if workers are at home, or where we can't see them, how do we know that they're actually working, not watching Netflix or something else? They have, of course, come up with software that can reassure your boss. It does things like take snapshots of what you're doing, record your keystrokes, grab photos from your camera. There's a new program called Sneek, which makes your webcam take a photo of you about once a minute and makes it available to the supervisor to prove you're not away from your desk. There's no warning in advance; it just takes that photograph, catches you doing pretty much anything. It can be absolutely anything. It's the type of thing you'd expect the National Security Agency to do. So there are some good reasons for this lack of trust, because sometimes employees have not been doi
After a rash of high profile cyber attacks earlier this year, the Biden administration launched a full court press to reform federal cybersecurity. Congress is also considering new cyber requirements for private companies. During a hearing yesterday, the Senate Homeland Security and Governmental Affairs Committee got the chance to press senior administration officials on the actions they're taking right now to defend U.S. networks. Federal News Network's Justin Doubleday attended the hearing.
Many if not most workers began working from home in March of 2020, and while the numbers have shifted since, a significant portion are still doing at least some remote work. But according to a survey, neither the remote workers nor their company IT staff are too happy about the cybersecurity of it all.

For our featured topic this episode, we dive into the HP Wolf Rebellions & Rejections Report, which outlines security frustrations and outright rebellious behavior from work-from-homers, some misses on the cyber training front from employers, and some perceived scapegoating of IT staff.

In the cyber news world, we discuss identity theft of condo collapse victims, a major DDoS attack in Russia, the new National Cyber Director, and an Apple iOS patch to counteract zero-click spyware. Here are the stories:

Florida 'cyber grave robbers' charged with condo collapse ID theft
https://www.reuters.com/world/us/three-charged-with-stealing-identities-florida-condo-collapse-victims-2021-09-08/

Yandex Pummeled by Potent Meris DDoS Botnet
https://threatpost.com/yandex-meris-botnet/169368/

Chris Inglis scopes out cyber turf
https://fcw.com/articles/2021/09/09/inglis-cyber-director-turf.aspx

Cyber arms dealer exploits new iPhone software vulnerability, affecting most versions, say researchers
https://www.reuters.com/technology/cyber-arms-dealer-exploits-new-apple-iphone-software-vulnerability-affects-most-2021-09-13/

Get info on all things network security through our blog, https://firewalls.com/blog. And please do reach out, as we want to hear from you. Suggest an episode topic, ask a question, or just say hi in a review, or by emailing podcast@firewalls.com. New episodes are normally released every other Wednesday, so subscribe/follow to ensure you get the latest first - and again, please rate and review. Thanks for listening!
Cybersecurity, NSA, and Working Mom

In this episode of The Outspoken Podcast, host Shana Cosgrove talks to Teresa Shea, Vice President of Cyber Offense and Defense Experts (CODEX) for Raytheon Intelligence and Space. Teresa talks about her 34 years with the NSA and her experience being surrounded by talented and motivated individuals. We also hear about her family and what childcare was like for her and her husband as working parents. Teresa also gives her two cents on priorities, promotions, and team building.

QUOTES
"It's going to take us a long time to recover from [the pandemic]. As women, we just need to help each other. We need to be aware, and empathetic, and when these women are ready to come back to the work force, open the door, help them get in." – Teresa Shea [04:58]
"I'm a proponent of constant defense. I don't believe we're going to get to a hundred percent secure networks anytime soon. I am a believer in you just constantly have to defend. Build in resiliency." – Teresa Shea [14:04]
"Behavior is critically important. Behave in the way you want others to emulate. You want to create that culture that thrives in that kind of environment." – Teresa Shea [42:25]

TIMESTAMPS
[00:04] Intro
[02:36] Meet Teresa Shea
[03:12] Priorities
[05:16] Teresa's Kids and Grandkids
[07:13] Teresa's Position at Raytheon
[08:48] Offense Vs. Defense
[17:05] Growing Up and Family
[24:00] Nyla Technology Solutions
[24:34] Working and College as a Woman
[29:07] Electrical Engineering and Teresa's Husband
[30:42] Childcare
[32:24] Working and Appearance
[35:26] Work at the NSA
[38:52] Women in Cybersecurity and Speaking Up
[41:30] Advice on Promotions and Team-Building
[45:13] Being a Working Mom
[50:35] Wrap-Up Questions
[54:40] Outro

RESOURCES
http://gatech.edu/ (Georgia Tech)
https://www.nsa.gov/ (NSA)
https://www.iqt.org/ (In-Q-Tel)
https://www.raytheonintelligenceandspace.com/ (Raytheon Intelligence & Space)
https://georgewbush.com/ (George W. Bush)
https://barackobama.com/ (Barack Obama)
https://military.wikia.org/wiki/National_Intelligence_Distinguished_Service_Medal (National Intelligence Distinguished Service Medal)
https://www.osssociety.org/award.html (William J. Donovan Award ®)
https://www.defense.gov/Explore/News/Article/Article/603608/dod-civilian-awards-recognize-distinguished-service/ (Distinguished Civilian Service Award)
https://www.hiltonhead.com/ (Hilton Head)
https://www.navy.mil/ (U.S. Navy)
https://www.simplefileupload.com/ (Simple File Upload)
https://softwaresocial.dev/about (Software Social Podcast)
https://www.cdc.gov/ (CDC)
https://www.georgiasouthern.edu/ (Georgia Southern)
https://www.purdue.edu/ (Purdue University)
https://www.usna.edu/CyberCenter/People/Biographies/Inglis.php (Chris Inglis)
https://www.linkedin.com/in/jen-easterly-225380123/ (Jen Easterly)
https://www.linkedin.com/in/anne-neuberger-13b4491b/ (Anne Neuberger)
https://www.dhs.gov/ (DHS)
https://www.npr.org/2017/09/30/548666129/from-dinner-parties-to-spy-rings-the-woman-who-smashed-codes-bursts-with-detail#:~:text=Technology-,From%20Dinner%20Parties%20To%20Spy%20Rings%2C%20'The%20Woman%20Who%20Smashed,fascinating%20woman%20in%20perilous%20times. ("The Woman Who Smashed Codes") by Jason Fagone
https://www.amazon.com/Wolves-Door-Americas-Greatest-Female/dp/159921072X ("The Wolves at the Door") by Judith Pearson

RELEVANT LINKS
https://www.linkedin.com/in/teresa-shea-244594113/ (Teresa Shea) on LinkedIn
https://nylatechnologysolutions.com/ (Nyla Technology Solutions)

I'd love to hear from you -- your feedback is important to me and I read all of it. If you enjoyed the podcast, please give us 5 stars and I'll be sure to thank you via email. If not, let me know what you think we should do differently. Don't forget to hit "subscribe" so you'll receive notifications about guest interviews and other topics that drop every Tuesday. Live well, Shana
Cybersecurity is increasingly becoming synonymous with national security. As we become more connected, integrate technology into our infrastructure, and work to ensure our supply chains are secure, leaders in federal government and industry discuss working toward securing our nation at the Aug. 19 CyberScape event series, kicked off by a fireside chat keynote with Chris Inglis.
The White House's National Cyber Director, Chris Inglis, says federal agencies need more authoritative data on the threats they face. Inglis is advising Congress to establish a Bureau of Cyber Statistics within the Homeland Security Department. Its purpose would be to get a big picture look at cyber threats. The bipartisan Cyberspace Solarium Commission first recommended creating this bureau, and now members are introducing measures to make the bureau a reality. Federal News Network's Jory Heckman has more.
Dmitri Alperovitch sat down with Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Technology, to discuss the Biden administration's cybersecurity strategy. The conversation was originally recorded at a Silverado Policy Accelerator event on June 29, 2021. They discussed the latest executive order that the president signed on cybersecurity, the administration's strategy to combat ransomware and the division of responsibilities between Neuberger's office at the National Security Council and the newly created National Cyber Director office to be led by Chris Inglis. They also got into the strategy for securing our semiconductor supply chain. Support this show http://supporter.acast.com/lawfare. See acast.com/privacy for privacy and opt-out information.
In today's Federal Newscast, Senator Rick Scott (R-Fla.) is placing a hold on confirming Jen Easterly as the director of the Cybersecurity and Infrastructure Security Agency.
Chris Inglis confirmed as top White House Cyber Advisor; Putin praises Biden as 'meticulous'; European security experts wonder how U.S.-Russia summit will affect Russian espionage in Europe. Here are the stories shaping global security that you may miss in your mainstream news feed.
Host, Elisabeth Braw, speaks with Chris Inglis, nominee for the United States' first-ever National Cyber Director, about cyber aggression, how to create systems to encourage "good behavior" online, and how the private sector should be part of the solution.
They used to say that a conservative was a liberal who'd been mugged. Today's version is that a conservative who's comfortable with business regulation is a conservative who's been muzzled by Silicon Valley. David Kris kicks off this topic by introducing Justice Thomas's opinion in a case over Trump's authority to block users he didn't like. The case was made thoroughly moot by both the election and Twitter's blocking of Trump, but Justice Thomas wrote separately to muse on the ways in which Twitter's authority to block users could be regulated by treating the company as a common carrier or public accommodation. David sees a trend among conservative jurists to embrace limits on Big Social's authority to suppress speech. I recount my experience being muzzled by LinkedIn, which would not let me link to a new Daily Mail story about the Hunter Biden laptop and say, “The social media giants that won't let you say the 2020 election was rigged are the people who did their best to rig it: The Hunter Biden laptop was genuine and scandalous according to the Daily Mail.” To my mind, this is Big Social protecting its own business interests by suppressing a story that could convince people that the industry has too much power over our national dialogue and our elections. (I mocked LinkedIn by posting 5 variants of my original post, all making the same point in slightly different ways. You can see this on my LinkedIn account result.) But my view that we should not let five or six Silicon Valley owners take over our national dialogue is challenged by Jamil Jaffer, a friend and conservative who is appalled at my deviation from Republican antiregulatory orthodoxy and first amendment doctrine. It's a great conservative catfight that mirrors the much greater catfight now under way in the Republican party. 
Elsewhere in the news roundup, Jordan Schneider and David dig into the claims that China has built advanced weapons systems with the help of American chip designers and Taiwanese fabs. The accusation has led the Biden administration to slap export controls on several Chinese firms. Whether this will work without more aggressive U.S. controls on, say, foreign fabs serving those firms is open to question. More to the point, it raises questions about long-term U.S. industrial policy. David notes that one answer, the bipartisan “Endless Frontier Act,” is gaining some momentum. (I understand the motivation but question the execution.) We also touch on the sad story of Intel's recent missteps, and the opportunity that industrial policy has created for GlobalFoundries' IPO. Meanwhile Jamil takes on AdTech espionage, while U.S. senators ask Digital-Ad auctioneers to name foreign clients amid national-security concerns. We all weigh in on the administration's cyber picks, announced over the weekend. The unanimous judgment is that Chris Inglis, Jen Easterly and Rob Silvers are good picks—and, remarkably, ended up in the right jobs. In shorter hits, David and I ponder Twitch's unusual decision to start punishing people online for misdeeds offline—misdeeds that Twitch will investigate itself. Neither of us is comfortable with the decision, including the effort to do privately what we pay cops and courts to do publicly, but there is more justification for the policy in some cases (think child sexual abuse) than might be apparent at first glance. I tell the story of the Italian authorities identifying and arresting someone trying to hire a hitman using cryptocurrency and the dark web.
As far as I know, successful cryptocurrency hitmen remain as rare as unicorns. David suggests that I should be glad not to live in Singapore, where the penalty for information the establishment doesn't like is a criminal libel judgment that I'd be forced to crowdfund like Singapore's government critics. I note that American sites like GoFundMe and Patreon have already imposed ideological screens that mean I wouldn't be able to crowdfund my defense against Big Social. And, for This Week in Data Breaches, I note the new tactic of ransomware gangs trying to pressure their victims to pay by threatening the victims' customers with doxxing, plus the remarkable phenomenon of half-billion-user data troves that the source companies say are not really the result of network breaches and so not disclosable.
In today's Federal Newscast, President Joe Biden announces his picks for a slew of leadership roles.
Today's Headlines and the latest #cybernews from the desk of the #CISO:
Financial industry preps for proposal that would require 36-hour breach notification
White House to nominate NSA veterans Chris Inglis, Jen Easterly
Joker malware infects over 500,000 Huawei Android devices
Iran Used Fake Instagram Accounts to Try to Nab Israelis
US Blacklists 7 Chinese Supercomputer Entities

The Practitioner Brief is sponsored by:
KnowBe4: https://info.knowbe4.com/phishing-security-test-cyberhub
Whistic: www.whistic.com/cyberhub
Attivo Networks: www.attivonetworks.com

**** Find James Azar, Host of CyberHub Podcast, CISO Talk, Goodbye Privacy, Tech Town Square, Other Side of Cyber and CISOs Secrets
James on Linkedin: https://www.linkedin.com/in/james-azar-a1655316/
James on Parler: @realjamesazar
Telegram: CyberHub Podcast

****** Sign up for our newsletter with the best of CyberHub Podcast delivered to your inbox once a month: http://bit.ly/cyberhubengage-newsletter

****** Website: https://www.cyberhubpodcast.com
Youtube: https://www.youtube.com/channel/UCPoU8iZfKFIsJ1gk0UrvGFw
Facebook: https://www.facebook.com/CyberHubpodcast/
Linkedin: https://www.linkedin.com/company/cyberhubpodcast/
Twitter: https://twitter.com/cyberhubpodcast
Instagram: https://www.instagram.com/cyberhubpodcast
Listen here: https://linktr.ee/cyberhubpodcast

The Hub of the Infosec Community. Our mission is to provide substantive and quality content that's more than headlines or sales pitches. We want to be a valuable source to assist those cybersecurity practitioners in their mission to keep their organizations secure.
The White House is filling two key cybersecurity roles at the National Security Council and the Cybersecurity and Infrastructure Security Agency. These two are among the most prominent technology leadership positions that needed to be filled by the Biden administration. In his weekly feature, the Reporter's Notebook, Federal News Network Executive Editor Jason Miller wrote about these nominations in some detail. He joined Federal Drive with Tom Temin for more.