Salt Typhoon, Encryption and Protecting Against Cybersecurity Threats
Ken Miller [00:00:09]:
Welcome to From the Crows' Nest, a podcast on Electromagnetic Spectrum Operations, or EMSO. I'm your host, Ken Miller, Director of Advocacy and Outreach for the Association of Old Crows. You can follow me on LinkedIn or you can email me directly at host@fromthecrowsnest.org. Thanks for listening. In late 2024, it was revealed that a major cyber attack dubbed Salt Typhoon affected US telecom networks and compromised consumers' sensitive information. The FBI and the Cybersecurity and Infrastructure Security Agency indicated that Salt Typhoon was likely a state-sponsored attack from hackers within China. In the aftermath, there have been calls for better use of encrypted tech communications to ensure that data, even if collected in a future attack, remains unreadable. Cyber attacks like Salt Typhoon are nothing new. They happen almost every day, whether they are state-sponsored, the work of non-state actors, or from any number of independent hacker groups around the world.
Ken Miller [00:01:09]:
These cyber attacks often require the use of RF signals via the Internet, wireless communications, Wi-Fi and Bluetooth for delivery, and thus fall under the broader Electromagnetic Spectrum Operations discussion. However, consumers using end to end encryption also poses challenges for law enforcement agencies around the world. In fact, earlier this year the United Kingdom released a policy entitled the Technical Capability Notice of Investigatory Powers Act, TCN, to encourage tech companies like Apple and Google to provide access to encrypted data. Certainly, cybersecurity and more broadly cyber operations is one of the most complex technical and policy issues facing government and society today, here in the US and abroad. To help us understand the technical issues raised by the Salt Typhoon attack and responses like the UK's TCN law and how we need to approach encryption and security protections, I am pleased to have with me Susan Landau, professor of Cyber Security and Policy at Tufts University. Professor Landau has a distinguished career spanning more than 30 years. She was formerly the Bridge professor of Cybersecurity and Policy at the Fletcher School of Law and Diplomacy and the School of Engineering at Tufts University. In this role, she initiated and directed a Master's program in Cybersecurity and Public Policy, which was run jointly between the two Tufts University schools.
Ken Miller [00:02:29]:
She also has held positions as professor of Cybersecurity Policy at Worcester Polytechnic Institute, Senior Staff Privacy Analyst at Google, and Senior Staff Engineer and Distinguished Engineer at Sun Microsystems. She holds a PhD in applied mathematics from MIT, a master's from Cornell University, and a Bachelor's from Princeton University. And with that, Professor Susan Landau, welcome to From the Crows' Nest. It's great to have you on the show. Thanks for joining me.
Susan Landau [00:02:56]:
It's great to be here. Thanks very much.
Ken Miller [00:02:59]:
All right, so we have a lot to cover today. This is an issue that, you know, we have not covered recently on here and From the Crows' Nest and so and probably need to cover it a lot more in, in week in episodes to come. So I really appreciate you kind of being the, the, the introductory voice to, to our cybersecurity episodes here on the horizon. I thought it would be good to kind of start from the beginning, though, because, you know, as we talk about cybersecurity, there's a lot of terms that are thrown around that I think a lot of people either don't understand fully or they kind of confuse with other various terms in this policy space, including things like, you know, metadata and communication, security, encryption, malware, so forth. So I just want to kind of get started and get your take on in this technical area. What are some of the terms that we need to really understand thoroughly because they play such an important role in how we develop policy and response?
Susan Landau [00:03:55]:
Sure. Thanks for asking me that. So let me start with metadata, which is the simplest thing. Back when we used telephones that didn't move, that was the communications data that said which line connected with which line, at what time, for how long. And it was something the telephone company used for billing. It also used for things like predicting future services and so on. When we began to move around with phones, that is when we got mobile phones, it became a lot more interesting data. And in fact, the first Snowden disclosure that happened in 2013 was the call metadata records.
Susan Landau [00:04:33]:
Now, the White House at the time, President Obama at the time said, look, don't worry about the collection we're doing, which was bulk collection of all domestic call records. Don't worry about it. We're not collecting content. We're only collecting who's calling whom, when. We're only collecting the metadata. The public didn't buy it. And the reason the public didn't buy it is because they were pretty smart about it. They understood. They figured out that where you are, and your phone reveals where you are.
Susan Landau [00:05:02]:
Where you are can tell an awful lot about what you're doing. Do you go to the church every Thursday evening at 6:30, but you never go on Sundays? Well, Alcoholics Anonymous has its meetings 6 Thursday, on Thursdays. Do you go straight home after work every, every day, but one Friday you go to the bar and you're there for hours and you don't go to work on Monday? Does that mean you've been laid off? There are all sorts of things one can discern from call metadata.
Ken Miller [00:05:28]:
And I would imagine with the metadata that is captured, it's not just a one point in time call collection. It's, it's over a period of time from your phone. And so they can, and using, I would imagine, AI machine deep learning that, that can run through a lot of scenarios to kind of create a picture based on some of that like basic information. They can almost create a picture of your habits and, and locations and, and so forth.
Susan Landau [00:05:55]:
I don't even think you need fancy AI to do that actually. And what we've hap... what's happened is in the 60s we digitized the records, in the 90s we started storing them digitally in ways that made it easy to search. And by the 2000s it was extremely easy to search. So figuring out, for example, getting the evidence for who had bombed the World Trade Center in 1993, it was very easy for the prosecutor to do those searches and discover, oh, these two people called each other and then one went out to buy this type of bomb material and then they spoke again and he got a different type of bomb material and so on. That's the sort of thing that in the 1970s or 80s would have been close to impossible to do.
Ken Miller [00:06:39]:
Now, I mean it's almost the layers of just, I guess not protection, but the layers of. With today's communications you don't, you're not necessarily privy to that kind of direct communication, that direct data. It's even anonymous users in gaming situations and other. There's other layers of, I want to say protection, but I don't want to get those terms confused.
Susan Landau [00:07:02]:
Layers of... The phone company is the one that collects the metadata. It's available to the government under subpoena. Location information needs a search warrant if it's seven days or more. And I think that law enforcement is being careful in getting search warrants even if it's fewer than seven days. But it's also sometimes available for sale and private sector collects it too. That's one piece of it. That metadata was very useful in the early 2000s for tracking down terrorists. When you had an organization like Al Qaeda, which was very much a corporate level or corporate style organization with a head and people lieutenants underneath and so on and so forth.
Susan Landau [00:07:43]:
The metadata was very revelatory of the organization. When you go to something like ISIS, it's less so. So that's metadata. One of the things that the NSA, the National Security Agency knew already in the late 1990s, early 2000s is that encryption... as encryption, and I'll describe encryption in a moment, but as encryption became more popular and more, more easily available, encryption was making it hard to listen to content. But metadata would tell them a lot of what they needed to know. So now we get to encryption. Encryption is the technique for making the content of something unreadable.
Susan Landau [00:08:22]:
That is, if somebody listens in unless they know the key. So there's both an algorithm. The algorithm could be something as simple as a Caesar shift, where you move the alphabet just a few letters and there's the key, how much you move the alphabet. Or it could be a substitution cipher, which is more interesting. Maybe the letter A goes to Q and the letter B goes to T, and so on and so forth. And that's harder to break, but not, but far from impossible. What we had in the late 1990s is that codes that were very hard to break, encryption methods that were very hard to break, became available not just to technologically advanced nations, but to nations that were less skilled. And one of these techniques is a good method for doing end to end encryption.
Susan Landau [00:09:06]:
So end to end encryption means that if you and I communicate, anybody who's listening in, in the middle can't understand anything. The communication is only understandable at my end and at your end. And what happened in the mid-1970s was a method to exchange the key in a way that we could do it over a public network like the Internet, over an insecure public network like the Internet, but exchange the key between you and me, so that even if somebody watched that method of exchange, they still didn't really know the key. And that meant that you and I, never having communicated before, could all of a sudden communicate together securely. And that was part of the reason that the NSA became more interested in the metadata than the content, is because other nations had adopted this end to end encryption method.
Ken Miller [00:09:57]:
So where does the end, the, the end to end encryption capability exist today, particularly in the US because it's, it's everywhere. All, all phones have it.
Susan Landau [00:10:08]:
You go to a web page and you see HTTPS, that's end to end encrypted between you and the server. Which is why when you go to a new website and you decide to order 10 T-shirts or a washing machine or whatever it is you choose to order, your credit card number is secured. Um, it's, it's used everywhere. You use it multiple times a day.
Ken Miller [00:10:29]:
So how has then the cybersecurity threat been changing in recent years in terms of complexity? Because if, if everyone's using end to end encryption, it would seem harder to maybe find the information you're looking for? Or is that not the purpose of a lot of these cyber hackers? It's just to kind of throw it out there and disrupt in some way?
Susan Landau [00:10:46]:
Well, there are many different kinds of cyber attacks, and they've changed over the decades as, as the attackers have grown more sophisticated and the protections have grown better. And it's a cat and mouse game. So the fact is that many people use very poor passwords. Many people don't use second factor authentication. So I have my phone with me all the time, not because I like to be reachable all the time, but because anytime I want to access anything, I need a second factor, and it's typically on my phone. But many people don't use that. Many organizations fail to securely protect the data that they're storing, which is why you have all sorts of problems with the data breaches. Or a user at one of those organizations clicks on a link in a piece of email, and the link takes them to a page that's corrupted, and then the corruption goes into their machine.
Susan Landau [00:11:38]:
And then once the bad guys are in their machine, they find all sorts of other things that they can get at. So there are multiple different ways that there are vulnerabilities.
Ken Miller [00:11:48]:
How has... Could you talk a little bit about how the private sector, Apple, Google, some of the technology companies, telecom companies, work with the government to kind of balance the privacy versus national security? Or is there, is that kind of the, the main challenge that's facing policy today?
Susan Landau [00:12:08]:
I wouldn't say that they work with the government, they certainly talk with the government, but their responsibility, Apple's, Google's, Meta's, and so on, is to their stockholders, and therefore it's to their customers, because without their customers, there isn't any profit. And there isn't... And their stockholders aren't very happy. So they will talk with law enforcement. They will work with law enforcement under a court order, and they will tell law enforcement about what they're developing. They'll tell national security about what they're developing, although sometimes they keep it under wraps for a while because they know there will be objections. But they work and develop things on their own. So in 2006, when Apple invented the iPhone, there you have this small device that's very expensive, and all this theft started.
Susan Landau [00:12:54]:
You know, somebody would be sitting on a subway reading their, their mail on their iPhone, and someone would grab the phone just before the subway doors closed and take off with it. So Apple introduced Find My iPhone, Android followed with the same tech capability. Then identity theft happened, and identity theft means you get information about a user and you don't just have their credit card, but in fact you take out driver's licenses and so on. That's a far more complex thing for somebody to handle. And they were using data off of phones, so Apple and then Android began protecting the data on the phones. These were things that law enforcement, at least in the US, in the UK and Europe, was not overly happy with because in particular it made investigations much more difficult.
Ken Miller [00:13:42]:
So you recently testified before the House Judiciary Committee and I want to get to that testimony a little bit about the under it was a hearing on the Foreign Influence on Americans Data through the Cloud Act. I want to get to that a little bit in just a little bit. But before we do, by way of background again, so can we talk a little bit about Salt Typhoon, the cyber attack. So what was Salt Typhoon and what vulnerabilities did it exploit?
Susan Landau [00:14:12]:
Sure. So going back to the mid-1990s, the FBI was very concerned about the move to digital telephony and wanted to be sure that it would continue to be able to wiretap because the technology it was using was, was very much stuck in the era of a wireline phone. And, and so it got Congress to pass the Communications Assistance for Law Enforcement Act, which is a law that says all digitally, digital switching systems have to be built wiretap enabled. So if you stop and think about security for a moment, you're now saying any switching technology has to be built with a wiretap capability in. It sounds sort of crazy if you're thinking security. And indeed, a number of technologists at the time said it was crazy. The Electronic Frontier Foundation said it was crazy. The scientist, the visiting scientist at the Federal Communications Commission, Dave Farber, said this does not make sense.
Susan Landau [00:15:10]:
But the law passed and it took a while for it to be implemented. And the arguments about it's crazy were you're creating an insecurity in the telephone switching network. It got more complicated by the 2000s because as people started using voice over IP, that is voice communications over the Internet, you had to interface the Internet, which is an insecure network, with a telephone network, the public switched telephone network, which is ostensibly secure. But when you do that interconnection, all sorts of problems resulted, that is security problems. So the Chinese hackers broke in sometime in the last year or two to the telephone network and they accessed all sorts of things. They were able to access text messages over the phone network because those aren't encrypted. They were able to access apparently some voice messages. Some of these were senior members of the Trump campaign, senior members of the Harris campaign.
Susan Landau [00:16:08]:
They were also able to access the database of wiretap targets. And that came about because of the Communications Assistance for Law Enforcement Act, which by its architecture centralized those databases more than had been previously done under the old form of wiretapping. What that meant is the Chinese then knew, the Chinese government then knew which of their spies we had found out and which ones we hadn't. They found out not only those, they found out which Russian spies, which Iranian spies, which North Korean spies. And of course they could give that information to other governments. I like to analyze, I would say that this is a Kim Philby type of catastrophe for the US.
Ken Miller [00:16:55]:
What were some of the countermeasures or corrective steps that were taken immediately or since that time to protect against future attacks? Was there anything that was done directly or immediately to kind of patch that vulnerability? Or is that still, that discussion still ongoing?
Susan Landau [00:17:13]:
There are some patches that have gone on in, in fixing the original way that the Chinese got in. The Chinese hackers were quite careful and they did not leave many signs of what they're doing. But the other thing is that four of the Five Eyes, so Australia, Canada, New Zealand and the United States put out guidance about how to strengthen, harden communication systems. And one of the striking things they did was recommend the use of end to end encryption wherever possible. And that's striking for a number of reasons, including the fact that the FBI was one of the signatories or agreeers to this set of guidance. Even though the FBI itself has been fighting the use of end to end encryption for at least three decades now. The FBI on its own web pages talks about responsible encryption. Responsible encryption means that the keys are accessible in some way to law enforcement or the content is in some way accessible to law enforcement.
Susan Landau [00:18:10]:
But did agree to the Four Eyes... it's not called officially the Four Eyes, but it's Four Eyes guidance on how to protect, strengthen, harden US communications and communications in the other three nations.
Ken Miller [00:18:24]:
You mentioned four of the Five Eyes signed onto this, leaving out the UK, and then in the opening I mentioned they had the TCN guidance or law that was passed, and it was the Technical Capability Notice of Investigatory Powers Act, TCN, that seemed to be sort of their own step in response to this. How did that play into this conversation with the other measures that were taken?
Susan Landau [00:18:50]:
The TCN was actually nothing to do with this. It's been around since the last decade and it is actually contrary to everything in the guidance. The TCN is a requirement that comp... if the UK government requests a service provider to provide unencrypted content, the service provider must do that. And furthermore, the service provider is not allowed to make public that it has been served such a notice. So Apple got served that notice sometime within, sometime earlier than last fall. It wasn't able to say so, but a story broke in the Wall Street Journal that this had happened. What this means is that Apple is required to provide unencrypted content of anybody that the UK requests, regardless of whether they're in the UK or somewhere else.
Susan Landau [00:19:45]:
And so what this means is essentially you can't do end to end encryption because end to end encryption makes that impossible. Apple's response was a careful, very measured step. Apple did a very careful, measured response. One of the services that Apple provides is something called Advanced Data Protection. Advanced Data Protection allows one to store data in the Apple iCloud in a way that only the user can access the data unencrypted. The way the technology works is the technology is essentially an end to end encrypted message from the user to herself on any device the user owns. And so it temporarily resides in the cloud as if it were transiting the cloud, but it's actually staying there a while. And what the TCN notice required is that that no longer be used in the UK.
Susan Landau [00:20:44]:
Actually, it'd be no longer used anywhere in the world. What Apple did is said, okay, we will not make this technology available in the UK. And what's more, we will remove that capability from users who are currently using it in the UK. They haven't satisfied the British requirement. Sorry, the United Kingdom's requirement. Because the UK's requirement is that if the UK were investigating somebody who was committing crimes that affected the UK, but the person was in Hong Kong or Tajikistan, the UK would want the ability to get at their data, and that person would not be in the UK. So Apple has only partially, very partially complied and the case is still going on in the UK.
Ken Miller [00:21:32]:
So what has been the response by the US government to this? Apple being a US company. Obviously there's a lot of bilateral and multilateral discussions on this topic. What has been our response to that?
Susan Landau [00:21:48]:
Sure, that's an interesting and important question. So as you know, or as has become clear, there have been a lot of debates about end to end encryption over the years in the United States, but now the US government has come out with a statement with the NSA and FBI and so on, all agreeing that end to end encryption is an important security component and should be used wherever possible. So there's been no statement out of the White House, but the hearing that I and my colleagues participated in June had bipartisan support that end to end encryption is important, that the UK response is inappropriate and that the UK response is inappropriate because essentially the UK is legislating what companies in the United States can do and whether companies in the United States can put in security protections that they deem appropriate. So we have this two part piece essentially going on. One, UK is legislating about how US companies develop products, which is inappropriate. And two, the UK Government is saying this piece of security technology that in fact the U.S., Canada, Australia, New Zealand all agree is important in light of Salt Typhoon, that this piece of security technology should not be used.
Susan Landau [00:23:09]:
And so the members of the House Judiciary Committee to a person agreed that the UK response was inappropriate. The question is how the US Government responds. And there are some tools available, including the Cloud Act, but so far we haven't seen any action.
Ken Miller [00:23:26]:
So for our listeners who might want to be interested in going back and taking a closer look at that hearing, because there were some really good witnesses on the panel with you, it was on June 5, it was a Subcommittee on Crime and Federal Government Surveillance of the Committee of the Judiciary in the US House. And it was entitled Foreign Influence on Americans Data through the Cloud Act. And so looking over from this hearing, what are some of the lessons learned from Salt Typhoon and other major cyber events in recent years that kind of informing this Cloud Act, development of the Cloud Act and kind of where we need to be going on that front. You mentioned obviously end to end encryption. I'm sure that there's a lot of, there's some other technical matters that we need to kind of sort out in terms of response.
Susan Landau [00:24:16]:
Right. Well, in general, the US has not been great on cybersecurity. We're a very anti-regulatory nation and neither Congress... Well, Congress, which has the power to do those kinds of regulations in law, the White House has the power to do them, but they can be rolled back. We have not required companies to have strong forms of cybersecurity. It improved some under the Biden administration, but it is not nearly as strong as it should be. With the Cloud Act, and that's a lever that was suggested during the hearing, what the Cloud Act does is, is it a lever against the UK action? The Cloud Act says that if the US signs an agreement with another country, and it signed it with both the UK and Australia, if it signs an agreement with another country, instead of the UK having to go to the Mutual Legal Assistance Treaty to get data from a US company when it's conducting an investigation.
Susan Landau [00:25:16]:
And that's a process that can take up to a year. Once the case has proceeded in the UK to the point of a judge agreeing to getting the evidence, then the UK government can go over to the company immediately. So it only requires one set of courts rather than a whole hoopla to go through. And it's been very beneficial for the UK government because it has gotten a lot of data from the US companies. Not surprising. We're the ones with Meta and Amazon and Google and so on, and Twitter or X. So it's been beneficial. There were some suggestions that came from my colleague Rick Salgado, and one of them was that if a country that has signed the Cloud Act has a mandated technical capability notice, as both Australia and the UK do, then Congress needs to learn and the Attorney General needs to consult with Congress if the country that has signed the Cloud Act tries to actually impose TCN on a US company in order to decide what actions to take.
Susan Landau [00:26:20]:
Another suggestion that Rick made was that just as free speech is a basic American value, cybersecurity should be a basic national interest. Cybersecurity should be a basic national interest and should be factored into whether or not we sign a cloud agreement with another nation. Cloud agreements are subject to review every few years. If the cloud agreement is not working for us, then we should not participate. And currently, the way the UK has been pushing, pressing on Apple is something that appears, at least on the Congressional side, to have strong agreement. This is not beneficial for the United States. So those were concrete suggestions that came out from the hearing last month.
Ken Miller [00:27:03]:
From the EMSO perspective, I was meeting with some stakeholders last week and we were talking about how in this current global security environment, with electromagnetic spectrum operations, electromagnetic warfare, we often lose sight of the fact that when we talk about security threats overseas, be it in Eastern Europe, Middle East or Asia Pacific region, it's in the American's mind that threat is over there. But because of cyber attacks, cyber operations, really the front lines of the domestic US citizen is just as close to the front lines, because you can know that we are going to see an increase in cyber attacks anytime we do any sort of operation overseas. So it brings us almost just as close to the front lines as many of our war fighters, because there is no distance, geographic distance, when you're talking cyber operations, electromagnetic spectrum operations. So it makes it a huge challenge to kind of get people at home thinking about the threats as they are evolving overseas. You mentioned a very, in your testimony, you said something very interesting. You said, Salt Typhoon exemplifies the security risks of government mandates that, to ease evidence collection by law enforcement, introduce vulnerabilities into the system. And I found that that was kind of a, a key point that you made where a lot of times we take steps at home to help local law enforcement, local state law enforcement, because we're not, we're not thinking globally, maybe global, how it's impacting the, the security environment overseas.
Ken Miller [00:28:44]:
But we take these steps and a lot of times they introduce vulnerabilities that we're not even aware of until it's too late, until they are exploited by potential adversaries or other groups. So could you talk a little bit about that statement in terms of what is your take on the intersection between advanced cyber attack capabilities and techniques, what others can do to us, and our ability or inability to identify, address or identify or address vulnerabilities or steps that we've taken to exacerbate the vulnerabilities moving forward.
Susan Landau [00:29:16]:
So back in the late 1990s, when the NSA opted to move towards metadata, focusing on metadata rather than content, which is not to say that the NSA gave up on content. It's still quite interested in content, but it said, look, we will stop fighting about the use of strong encryption in products going overseas if we get more funding to do network exploitation. And from that point on, you did not hear public testimony from the NSA about encryption as a problem. And in fact, by the 2010s, you began seeing former NSA directors saying quite publicly that end to end encryption was an important security component. We should do it. By contrast, up until Salt Typhoon, the FBI has emphatically, quite emphatically argued against the use of end to end encryption. An exception is Jim Baker, who'd been general counsel of the FBI during the, during the 2010s, in 2019, after we and many others were on a Carnegie Endowment study on encryption policy, said, wrote in Lawfare that the China threat is sufficiently severe, Huawei is sufficiently a problem, that he now believes that end to end encryption should be encouraged rather than fought. So what you have is this.
Susan Landau [00:30:44]:
Essentially I think of the encryption battle as a battle not between privacy versus security, but as a battle between security versus security. That is the security of securing our systems versus and that means having public safety, having security of cyber systems and so on, versus efficiency, effectiveness of law enforcement investigations. Because of course, NSA has already learned how to work when encryption is a problem. Can't get the data all the time. And of course they have a different job than law enforcement. They have to get pictures of a puzzle, whereas law enforcement has to prove things in court. So what we need to do is we need to have law enforcement be able to manage investigations in the 21st century. And there was an interesting report that came out of the inspector general's office of the, of the Department of Justice a couple of weeks ago now that apparently the FBI has not been very good about training its agents about ubiquitous technical surveillance.
Susan Landau [00:31:50]:
That is the capability of adversaries to use stuff like communications, metadata and so on, or CCTVs, closed circuit televisions, to track agents and who they're meeting, and that people had been lost that way. And so when you ask what should we be doing? On the one hand, we want to strengthen law enforcement's technical understanding and capabilities. Right now, FBI agents get 45 minutes of brush up learning on ubiquitous technical surveillance. Everybody at FBI gets 45 minutes every two years. I can't learn how to use one tool properly in 45 minutes. And I'm a techie. So I think we have to train law enforcement how to do investigations in the 21st century. 90% of investigations have a digital component, but it also means training them about how to be careful for themselves.
Ken Miller [00:32:43]:
And you know, as you're talking about them, my mind is going, we do a lot of work with stakeholders down in the state of Texas. I know the state of Texas is looking at a statewide, establishing a statewide cybersecurity command, a cyber command for statewide operations, you know, that include anything from critical infrastructure, airports and so forth. And I would imagine that that model is going to be carried on by other states as well, creating that another layer of state law enforcement cooperation that has to kind of get integrated into the federal, state and local conversations that we currently have on this. Just to kind of wrap things up. Then, you know, you started talking a little bit about the, you know, the steps we need to take moving forward. What specifically can we do to improve privacy and help law enforcement and also protect national security? Because those oftentimes seem like three different competing goals. And I, you know, I'd be interested in your take. Is there a way to bring those all together into one?
Susan Landau [00:33:44]:
Privacy, national security and law enforcement are pulling in different directions, although I think privacy and national security are probably pulling more in the same direction than law enforcement is. And that goes back to my comment about bringing law enforcement into the 21st century. So CALEA, the ubiquitous technical surveillance that I mentioned. I was on a committee where a senior member of the FBI said 10 years ago, it's really hard to deal with communications metadata because every service provider has them come in different formats. Well, when I discussed that in front of a class of undergraduate CS majors, they started to laugh because of course, it's an elementary job to change it into one format to deal with. So that was telling me the lack. This is 10 years ago. And one hopes things have changed.
Susan Landau [00:34:34]:
But on the other end, the Inspector General report makes me wonder how much they've changed. One has to understand the threats first. For a long time, we focused on the cybersecurity threats that were coming from Russia and from China, some from Iran, some from North Korea. There's been information security threats that are ramping up, and one only has to look at what's happening in Taiwan, in Japan, and so on to understand how severe they are coming from China. And that has a capability. It's not a technical threat, but it's a threat that comes through technical means of disrupting society in a different way. Once you understand the threats, you can begin to say, okay, what things do we need to do? And I think what we need to do, among other things, is make data a lot less available. Yes, that will make law enforcement's job somewhat more difficult, just like it will make national security's job difficult in one way and easier in another.
Susan Landau [00:35:31]:
There's less to have to protect. But I think understanding the threats much better than we do is the first step. I think that there need to be penalties for poor cybersecurity. I think that the way the bill we had, FISMA, Federal Information Security Management Act, which was a checklist, is the wrong way to go. Red teaming and ensuring that your system is secure against attacks is what you need to do. And all of these different pieces. So there's a piece of learning more. There's a piece about policy and regulation, and there's a piece about that protection, and all of those pieces need to happen.
Ken Miller [00:36:10]:
Is there any effort by Congress to prioritize or modernize the CLOUD Act or to move a bill similar to CLOUD Act forward that would encompass some of these changes? Or is this still more in the discussion phase?
Susan Landau [00:36:25]:
It was a subcommittee of the House Judiciary Committee that met, but Jamie Raskin, who might be the senior member on the minority side, and Jim Jordan, who is the chair, both came. Raskin the whole hearing, Jordan just briefly. Which shows there's interest by the whole committee, the senior members of the committee. It's hard to predict what Congress will do, but I found it very positive that both sides were in full agreement about the UK direction was very poor for US national interests on multiple levels. And that's, that's all I can say. I don't have inside gossip on what the committee is thinking.
Ken Miller [00:37:09]:
No, that's good. And you know, in the EMSO world, you know, we work a lot with Congress and it's a very bipartisan issue. And it is always good when you have an issue that brings both sides together because you, you do kind of, you're able to discuss and sift through some of the, the most helpful recommendations and it doesn't get caught up as quickly in some of the, the politics. So that, that's really good to hear. Susan, I really greatly appreciate you taking time to join. This has been very helpful. As I was reading up on the cyber Salt Typhoon and, and other cyber attacks, it was, it's really alarming to try to figure out where we need to go as a country and as a. In not just us, but our allies as well.
Ken Miller [00:37:50]:
And this has been a really helpful conversation lay out. So I greatly appreciate you taking time to join me here today.
Susan Landau [00:37:54]:
Thank you very much for having me. I really appreciate being here.
Ken Miller [00:37:58]:
Well, that will conclude this episode of From the Crows' Nest. I'd like to thank my guest, Dr. Susan Landau, for joining me. Please take a moment to review, share and subscribe to this podcast. We always enjoy hearing from our listeners, so please take a moment to let us know how we're doing. That's it for today. Thanks for listening.