The Cyberlaw Podcast Serious threats, unserious responses
It was a week of serious cybersecurity incidents paired with unimpressive responses. As Melanie Teplinsky reminds us, the U.S. government has been agitated for months about China’s apparent strategic decision to hold U.S. infrastructure hostage to cyberattack in a crisis. Now the government has struck back at Volt Typhoon, the Chinese threat actor pursuing that strategy. It claimed recently to have disrupted a Volt Typhoon botnet by taking over a batch of compromised routers. Andrew Adams explains how the takeover was managed through the court system. It was a lot of work, and there is reason to doubt the effectiveness of the effort. The compromised routers can be re-compromised if they are turned off and on again. And the only ones that were fixed by the U.S. seizure are within U.S. jurisdiction, leaving open the possibility of DDOS attacks from abroad. And, really, how vulnerable is our critical infrastructure to DDOS attack? I argue that there’s a serious disconnect between the government’s hair-on-fire talk about Volt Typhoon and its business-as-usual response.
Speaking of cyberstuff we could be overestimating, Taiwan just had an election that China cared a lot about. According to one detailed report, China threw a lot of cyber at Taiwanese voters without making much of an impression. Richard Stiennon and I mix it up over whether China would do better in trying to influence the 2024 outcome here.
While we’re covering humdrum responses to cyberattacks, Melanie explains U.S. sanctions on Iranian military hackers for their hack of U.S. water systems.
For comic relief, Richard lays out the latest drama around the EU AI Act, now being amended in a series of backroom deals and informal promises. I predict that the effort to pile incoherent provisions on top of anti-American protectionism will not end in a GDPR-style triumph for Europe, whose market is now small enough for AI companies to ignore if the regulatory heat is turned up arbitrarily.