Tuesday, April 14, 2020

What the Cyberspace Solarium report means for the private sector

By Stewart Baker - April 14, 2020 at 10:30AM

The Cyberspace Solarium Commission's report was released into the teeth of the COVID-19 crisis and hasn't attracted the press it probably deserves. But the commissioners include four sitting Congressmen who plan to push for adoption of its recommendations. And the Commission is going to be producing more material – and probably more press attention – over the coming weeks. In this episode, I interview Sen. Angus King, co-chair of the Commission, and Dr. Samantha Ravich, one of the commissioners.

We focus almost exclusively on what the Commission's recommendations mean for the private sector. The Commission has proposed a remarkably broad range of cybersecurity measures for business. The Commission recommends a new products liability regime for assemblers of final goods (including software) who don't promptly patch vulnerabilities. It proposes two new laws requiring notice not only of personal data breaches but also of other significant cyber incidents. It calls for a federal privacy and security law – without preemption. It updates Sarbanes-Oxley to include cybersecurity principles. And lest you think the Commission is in love with liability, it also proposed tort immunities for critical infrastructure owners operating under government supervision during a crisis. The interviews cover all these proposals, plus the Commission's recommendation of a new role for the Intelligence Community in providing support to critical US companies.

In the news, Nick Weaver and I dig deep into the Google and Apple proposals for tracking COVID-19 infections. I've got a separate post in the works on the topic, but the short version is that I think Google and Apple have dramatically overvalued privacy interests and downgraded the job of actually tracking infections. Nick disagrees, believing that the privacy interests aren't actually conflicting with the tracking goals, but we agree that the app should operate on an opt-out basis, not opt-in.

The Great Decoupling, part 278: It looks as though China Telecom will be getting the boot from US telecom markets, at least if Team Telecom has anything to say about it. And speaking of Team Telecom, Brian Egan tells us that it has a new charter and a new, catchy acronym: CAFPUSTTSS!

Nick and I dig into a Ninth Circuit decision that may be heading for the Supreme Court. It holds that Facebook can be held liable for wiretapping when it gets information from its widely deployed "like" buttons on third-party sites.

Fish gotta swim, birds gotta fly, and the EU gotta regulate tech, coronavirus or no coronavirus. Maury Shenk reports, bemusedly. Matching him bemusement for bemusement, Nick tries to explain a French ruling that Google must pay news outlets to link to their content (and can't stop linking to the outlets).

Maury explains the 5G-coronavirus conspiracy that has Brits burning cellular masts. And Nick explains how to make a "smart" lock spill its secrets, and how to fall foul of the FTC.

And in quick takes, the COVID-19 cyber threat has the US and UK authorities joining hands against cyberattacks, the Australian government is hacking criminals who are exploiting coronavirus, and we get a look at a future in which IoT devices defect to foreign intelligence agencies.

Download the 311th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.


from Reason Magazine Articles