In this episode, host Gwyneth Shaw talks with UC Berkeley Law Professor Chris Jay Hoofnagle, whose latest book, Cybersecurity in Context: Technology, Policy, and Law, was published last fall. Hoofnagle and his co-author, LSU computer science and engineering Professor Golden G. Richard, wrote the book to accompany courses on this important topic, but also worked to make it accessible to students and teachers in any discipline. The textbook includes a set of hands-on exercises on self-contained virtual machines for Linux, Windows, and Mac so readers can experience how cybersecurity works in practice.
Hoofnagle, who came to UC Berkeley Law in 2006, is also a faculty co-director of the school’s Berkeley Center for Law & Technology, a faculty advisor to the Berkeley Center for Consumer Law & Economic Justice, and an elected member of the American Law Institute. He is of counsel to Gunderson Dettmer LLP and a longtime advisor to companies in cyber intelligence. He’s the author of dozens of articles and two other books, Law and Policy for the Quantum Age and Federal Trade Commission Privacy Law and Policy.
Hoofnagle has been teaching a course on cybersecurity for several years and also teaches Torts. This spring, he’s teaching Computer Programming for Lawyers.
About:
“Berkeley Law Voices Carry” is a podcast hosted by Gwyneth Shaw about how the school’s faculty, students, and staff are making an impact — in California, across the country, and around the world — through pathbreaking scholarship, hands-on legal training, and advocacy.
Production by Yellow Armadillo Studios.
Episode Transcript
[MUSIC PLAYING] GWYNETH SHAW: Hi listeners. I’m Gwyneth Shaw, and this is Berkeley Law Voices Carry, a podcast about how our faculty, students and staff are making an impact through pathbreaking scholarship, hands-on legal training, and advocacy. In this episode, I’m joined by UC Berkeley Law professor Chris Jay Hoofnagle, whose latest book, Cybersecurity in Context, was published last fall.
Hoofnagle and his co-author, LSU computer science and engineering professor Golden G. Richard, wrote the book to accompany courses on this important topic, but also worked to make it accessible to students and teachers in any discipline. The textbook includes a set of hands-on exercises on self-contained virtual machines for Linux, Windows, and Mac so students can experience how cybersecurity works in practice.
Hoofnagle, who came to UC Berkeley Law in 2006, is also a faculty co-director of the school’s Berkeley Center for Law and Technology and an elected member of the American Law Institute. He is of counsel to Gunderson Dettmer LLP, and a longtime advisor to companies in cyber intelligence. He’s the author of dozens of articles and two other books, Law and Policy for the Quantum Age and Federal Trade Commission Privacy Law and Policy. Hoofnagle has been teaching a course on cybersecurity for several years and also teaches Torts. This spring, he’s teaching Computer Programming for Lawyers. Thanks so much for joining me, Chris.
CHRIS JAY HOOFNAGLE: Thank you for having me.
GWYNETH SHAW: Let’s start with Cybersecurity in Context. Why did you and Professor Richard write this book?
CHRIS JAY HOOFNAGLE: Cybersecurity is a growing field. There are literally millions of unfilled jobs that are high paying, high skilled, and intellectually interesting. Programs are blossoming all over the country to fill those jobs, and yet we still do not have a textbook that synthesizes all the different domains of cybersecurity. So Golden and I worked together to create a work that aggregates the different disciplines of cyber and presents it in a way that a student can pick it up and make sense of it.
Now, it might seem kind of obvious, but I’ll tell you from teaching this course for years, law students are flummoxed when I assign them an article from economics or even from international relations. They don’t understand the disciplinary assumptions of those other fields. So what our textbook does is introduce all those ideas and tell the student:
A political scientist looks at this problem a little bit differently than a lawyer. Similarly, an economist looks at it in this other way. So what we’ve tried to do is synthesize these different views, so the field can be open to anyone, and so actors in the field can understand each other.
GWYNETH SHAW: As you mentioned, this book tackles cybersecurity from the technical angle as well as law and policy angles. What are some of the other benefits of taking such a broad approach?
CHRIS JAY HOOFNAGLE: Clients need advisors who can think beyond the legal lens. And so I can give a legal analysis of, let’s say, a security incident or a security breach, but that could be quite problematic if it doesn’t also consider the larger international relations, law enforcement, even national security issues that could be bound up in a security breach.
Now, one of the best examples that illustrates this comes from a movie studio here in the United States that made a movie that depicted the assassination of North Korean leader Kim Jong Un. Now, that was a security breach. The movie company experienced a security breach. But if you analyzed that breach only from a legal perspective, you’d miss out on all the game theory, you’d miss out on all the important elements that were necessary to understand what the North Koreans did, what they wanted, and how to solve it.
So this is a field where lawyers have an important role to play. But to be effective as a lawyer, one has to have a view that incorporates different lenses. And a lot of it is game theory, some of it is technology, some of it is now international relations and understanding that companies today no longer operate in a “world is flat” environment; they have to deal with the spikiness that is being imposed upon them from different regimes around the world.
GWYNETH SHAW: Obviously, new security threats are popping up all the time, as you said. And here we are in late January, and I think we’re going to see some more interesting things happening over the next few months and years. How does this book offer a framework for thinking about cybersecurity as these issues continue to evolve? Does that framework hold up, even as the technology changes? Even as you mentioned, some of the other facets of the problem might change?
CHRIS JAY HOOFNAGLE: Absolutely. One of the things Golden Richard and I are trying to impart is the idea that security has method. So oftentimes when people talk about privacy and security, what is triggering them is a feeling of creepiness or the like. What we argue is there is a way to evaluate security claims and claims of responsive policy.
And some of it is straightforward cost-benefit analysis, but it’s also informed by issues such as whether a security intervention, let’s say airport security, enables opportunism and guile; whether people have rights when they’re subjected to the security measure; whether the people who operate the security measure have the proper incentives to reduce costs or push those costs on to people to absorb; and so on.
So we provide a series of questions the student can reason through to think about many different security issues, to figure out whether they’re necessary, whether they are misaligned, and whether they’re maladaptive, whether they become, in essence, power grabs rather than the type of security we need to have society and community.
GWYNETH SHAW: That’s interesting. And of course, we have many examples in the past few decades of situations where security became a catchword for imposing on some of those rights. And surely we see that with cybersecurity, too.
CHRIS JAY HOOFNAGLE: Absolutely. And we discuss this in the textbook a great deal. A lot of what’s happening in security is one party simply transferring risk to another. So the risk doesn’t go away; it’s just who holds the risk. So our framework helps you precisely identify what people’s claims are, whether those claims are efficacious. Who holds the risk? Is it just a risk transfer? Does the situation enable the other party to get lazy or just have the wrong incentives? We have to think through all these factors.
I am a big believer in bringing cost-benefit analysis to security. Currently, when we think about things like airport security, when we think about that balance sheet, what goes into that balance sheet are things like the salaries of TSA employees. What’s not on that balance sheet is your time and the value of your time. And we have to start to get very hard-nosed about these types of issues. Otherwise, the security will expand uneconomically and perhaps unfairly.
GWYNETH SHAW: Sure. I’m thinking about, for example, LastPass, which is a password keeper, getting itself hacked and becoming a situation where I was a client of LastPass and I’ve now gone back to the– I just change all my passwords every day because I now don’t trust the company that was promising to take that burden away from me. And it is a frustrating thing for the average person.
CHRIS JAY HOOFNAGLE: The game theory of security is to focus on companies that claim to be secure. That is absolutely– if you’re an attacker, it makes sense to attack companies that are claiming, give us all your passwords because you can trust us, and so on. So we’ve created these honeypots of huge aggregations of personal information, and this is part of the security problem.
But interestingly, part of the security problem is actually a privacy problem. We’ve allowed companies to scoop up all this personal data and keep it for years, and years, and years. We see this with the telecom companies, for instance, and that just creates wild incentives for nation state adversaries to break into those companies. So no matter how good your personal security is, if the security at your telecom provider is not great, all your phone calls are in their coffers.
GWYNETH SHAW: Is there a way for customers to understand better what the companies they’re trusting are doing? So I’m thinking about Apple, for example, or like you said, telecom providers. Is that visible at all to customers?
CHRIS JAY HOOFNAGLE: On some level, it is. And there is good security advice out there. The problem with security advice is that it often doesn’t give you trade-offs. You’ll get a very long list: do these hundreds of things. And it’s like, no, wait a minute. I am a person who lives in this world and has a spouse and children, and I can’t do hundreds of things. I can do three, so tell me what those three things are.
Almost no one is willing to do that. And part of the reason is that good security advice changes with time. So one of the most secure decisions anyone can make is to look carefully at the ecosystem that they’re operating in. Some people are operating in so-and-so ecosystems, some are operating in others. There are some ecosystems that are just more secure than others.
But ultimately, I would quibble with this idea that it’s trust. It’s actually just reliance. As sophisticated as Google or Facebook or Apple is, in a sense I cannot trust them because there is no reciprocal relationship. I don’t know who they are, they don’t owe me anything. That doesn’t– that’s not what builds trust. It is reliance and that’s where we are right now, we just have to rely on these companies.
GWYNETH SHAW: All right. Well, now I’m depressed. So let’s get back to the book. One of the really interesting things about it is these exercises and these virtual machines for doing those exercises. How does that work, and what’s the benefit for students, especially students who aren’t coming into a course using this book with a background in computer science or something like that?
CHRIS JAY HOOFNAGLE: We teach students how to use the command line, we expose them to real hacker tools, so they get to use the tools that are used by attackers to do things like architect social media attacks, architect social engineering attacks, spy on networks, and so on. One of the big takeaways from this is that it’s become easier than ever to spy, to engage in computer attacks, and so on.
Many of these tools are automated, and so one does not need a deep background in programming to pick up these tools and start to cause problems. So we have the student experiment with these tools in a virtual machine, which cannot damage their computer and is a legal use. That is, it is perfectly legal to test these tools in this container environment.
So we want students to see what it is that attackers are doing, to see the tools that are used, because those tools help you understand attacker motivation and attacker limits. And one of the parts of cybersecurity is to understand defense. You have to know something about offense. And that’s what all those technical exercises are about.
GWYNETH SHAW: You use the story of Odysseus and his famous problem-solving moxie as a way to explain coding security problems. What do his story and other classical themes tell us about the challenges we face today? It’s one of the most interesting parts of the book, I think.
CHRIS JAY HOOFNAGLE: So the background idea is that computers are insecure and modern general-purpose computers cannot be made secure. Despite that fundamental problem, most attackers are still attacking using tricks, using clever strategies that cause the user to reveal their password or to reveal their information.
And one of the classical themes that Golden Richard and I are trying to impress upon people is that there’s nothing new about this. There’s, in fact, nothing new about misinformation, disinformation. It’s as old as the classics. You can read about it and see it in Julius Caesar. You can read about it in Lucian, the first-century thinker, and what we want the students to understand is there is no rubric when your adversary is a trickster. The trickster is playing a different game.
We want students to think like Odysseus, to think about someone who knows that there are rules, but they can be broken or circumvented, and that mindset is the type of mindset that we have to be able to anticipate and defend against in cybersecurity.
I think what’s interesting about the classical themes is it’s not just Odysseus. There are trickster characters throughout the Iliad and Odyssey. Achilles is a trickster. Helen, Penelope, Athena all have different tricks and win with that mentality. So this is nothing new. And it’s also a call to students that there is no rule book, if you will. You’ve got to be willing to deal with people who attack in unanticipated and very clever ways.
GWYNETH SHAW: I guess there’s a reason why we use the term Trojan Horse for some attacks as well. It gets to that point. You’re teaching Computer Programming for Lawyers this semester and have taught it repeatedly. Why should law students learn some basic programming? I come out of the journalism world, and the joke is always “learn to code,” which is probably good advice, but why should law students do this? What’s the benefit to them?
CHRIS JAY HOOFNAGLE: The tools we use as lawyers, typically Microsoft Word, as majestic and as wonderful as it is, are low efficiency tools. And when you’re a lawyer who’s doing big cases, let’s say you have a case involving depositions of hundreds of witnesses, or even just 20 witnesses, it’s a mistake to organize that type of work in our typical tools.
We should be thinking about that work from a database perspective, we should be using– even moving from Microsoft Word to Microsoft Excel is a big step up in sophistication. But what I’ve found is that most lawyers are still stuck in this world where they’re creating individual documents, and they’re in effect recreating the same work over and over in a very inefficient way.
So the programming mindset helps students understand that they can organize information differently, and they can think about problems from the lens of complexity theory. And when you have those tools, you can begin to see what can be ethically automated versus those things that need individual attention and the eyes of the lawyer.
There are a lot of things we do that can be automated, and there are a lot of things that can’t be automated that nonetheless could be done much faster, at higher quality, with greater consistency, using database models and simple programming concepts.
GWYNETH SHAW: It’s interesting that you mentioned trying to automate some work. Is AI, ChatGPT or its successors, going to be transformative technology for lawyers? You’re already seeing some people talking about this?
CHRIS JAY HOOFNAGLE: It absolutely will be. However, we have to understand the underlying technical basis of the large language models and what they’re good at. They’re good at doing things that can be represented statistically. So they’re good, if you will, at cliché; they’re good at what people expect. They’re not good at very creative tasks that break the rule set. Just as an anecdote, as an experiment, I took my undergraduates’ final papers and I graded them. And then I graded them using ChatGPT.
And interestingly, ChatGPT did a great job, but it assigned a D to the best paper in the class. And the reason why is the student who wrote that sublimely awesome paper thought about the world in such an unexpected way that ChatGPT thought it was mediocre. And so I think that’s something to think about. And when it comes to lawyers, it’s the age-old issue. What we are trying to do as lawyers, we’re trying to say that my client’s situation is not like the typical one. A different rule should apply, a different situation is afoot and so on.
But the LLMs are better at this other thing of figuring out what the general approach should be when it is our job to use our brains to break out of the general approach.
GWYNETH SHAW: The LLM is not the trickster, it’s not the Odysseus of the case. You still need the person with the creative mindset to come up with the novel argument.
CHRIS JAY HOOFNAGLE: That’s absolutely the case. And we don’t need a person with a creative mindset to create 20 different, nearly identical Microsoft Word documents with the deposition questions. That stuff could be done in Excel, and we could use all sorts of automation for these kinds of rote activities. And the problem that we’re going to face, of course, is that law firms base their billing on a lot of rote activities that don’t require higher-level creativity, so this is going to be disruptive, and law firms are going to have to rethink their value proposition.
GWYNETH SHAW: That’s so interesting. Let’s go back to the larger arc of what’s been going on. You’ve been immersed in technology law for almost a quarter century, starting at the Electronic Privacy Information Center. What’s changed and what hasn’t from a privacy and security standpoint? You mentioned earlier that privacy and security are so interlinked. What are some things that have changed and haven’t, and what are some things on the horizon that you’re concerned about or particularly interested in?
CHRIS JAY HOOFNAGLE: That’s such a great question. I started working in privacy almost 25 years ago, when it was a Wild West and when there were people who credibly were saying that the future would have no privacy, that privacy was dead, that we’re entering a transparent society and it’s going to be awesome. That view, I think, has been completely refuted. We’ve had an astonishing amount of legal reform.
So you could think about the progressives, and the liberals more generally, having pushed forward statutory privacy law that regulates almost all businesses in the world from the perspective of the General Data Protection Regulation. And then from the more conservative side, we’ve seen the Supreme Court re-embrace the Fourth Amendment and extend the warrant preference to much more data than I would have guessed 20 years ago.
So we’re seeing it from both sides. Privacy is a value that’s valued both by liberals and by conservatives. And now I think we’re reaching a tipping point where we have to begin to think of whether privacy rules are beginning to impede other public goods like innovation, freedom to choose, and so on. So that’s the big– that’s the way I’ve seen it.
Now, the big exception to all of this, of course, is abortion rights, which are under the privacy penumbra but are rejected by the conservatives. And that’s an area where I think we’re going to see states take over and state legislative cures to fit voters’ preferences. But when it comes to information privacy, we’ve seen this unity between conservatives and liberals that has really ratcheted up the privacy landscape. And it’s manifest in so many ways.
One just example– one palpable example is that you hardly see mugshots anymore. That’s a complete change from 10 years ago, where if you were arrested for the most minor crime, your picture would end up in the newspaper. Now, people are– you rarely see them. It’s only when it’s very serious crimes and so on. So fundamentally, the government and the private sector are beginning to think about privacy differently. And it’s not the world of transparency that was predicted 25 years ago.
GWYNETH SHAW: That’s so interesting that you mentioned that about the mugshots, because I agree that the government choosing a more private option is something that does seem to be taking hold in terms of public records and even just government materials, emails, things like that– again, I come out of the journalism world, where the assumption in a place like California or a place like Florida, where you have strong public information laws, is that these are things you’re going to get your hands on as a journalist really easily.
Is that– do you think these things are tied? As people have pushed for or wanted a more private internet, or realized that once you put a mugshot on the internet you can’t pull it back if a person is not actually charged or convicted– are those things working together to close some of those spaces where you might have had more opportunity to get access to what the government’s doing, for example?
CHRIS JAY HOOFNAGLE: Absolutely. There is a risk that these trends will lead to government privacy. We don’t want to end up in a situation where people can be arrested secretly, and that’s the historic reason why we’ve had open arrest registers and generally open mugshots. So figuring out this reaction, whether it’s an overreaction, is going to be very important.
But I think what many have figured out is that somewhere like 30% of Americans have an arrest record. So that eventually becomes a huge impediment to employment and to economic efficiency. So we have to figure out how to balance out these different competing societal interests. And the other area where I think journalism is suffering is the rise of defamation.
When I went to law school, I was taught that defamation was basically a dying tort, that the First Amendment was going to eat up most of its strength, and it would just be a skeleton of its former self. And defamation has come roaring back, and we’re seeing situations where even public figures are winning cases, people like Cardi B winning cases for defamation despite being a public figure.
That is a really interesting trend, and we have to figure out what the proper balance of those interests is.
GWYNETH SHAW: Very interesting. I’ll ask you one more question about artificial intelligence, just because it is the topic of the moment generally and also in law, I think. What kind of an impact do you think AI and its many applications are going to have on cybersecurity, and what are some examples of things we could watch out for?
CHRIS JAY HOOFNAGLE: That’s a big question. And the first thing I would do– the first thing our textbook asks the student to do is to decompose it and to think about high-level questions– subquestions to that inquiry. One of which is, do we think artificial intelligence, machine learning, will be more offense friendly or defense friendly, and why?
There’s currently a debate about this. On one hand, large language models make offense easier because if I don’t have good English skills, I can use ChatGPT to craft a very convincing attack message. I could use ChatGPT to even write code that might help me with various tasks. On the defensive side, though, what is super interesting is that there is a huge amount of attack information, and in machine learning, the more data you have, the more advantage you have.
So in a world where companies like Cloudflare have an unfathomable amount of information about attacks, they’ll be able to use their machine learning to see attacks way faster than in the past. So just on a fundamental level, one question to think through is, do we think this is offense-dominant or defense-dominant? And in some categories, it’s going to be defense-dominant, and in others it might enable the offense.
GWYNETH SHAW: So my last question for you. You mentioned earlier, most people can’t do hundreds of things to secure their entire online and virtual life, but they might be able to do three. What are a few things that you think the regular person should be doing to keep themselves as secure as possible, understanding your point, which is that we really can’t be completely certain?
CHRIS JAY HOOFNAGLE: Absolutely. It’s a great question. I think what’s very important is to have two different email addresses. One email address is what you use for your banking and your high-risk stuff. You have to have a unique, unguessable password for that email address. And the reason why is that attacks essentially happen through email.
If someone is trying to steal, let’s say, your paycheck or your bank information, what they’re going to do is try to trigger a password reset through your email. So it makes it much harder to make– to do those attacks when you have a secret email account that you don’t use for other purposes, and it does not share a password with other services.
And the other critical thing to do is to turn on multi-factor authentication. It is a real pain. I know it’s a real inconvenience, but you understand that without it, someone who merely knows your password can steal your money. With multi-factor enabled, they have– the attacker has to do a lot more work, and it’s often enough work that it will stop an attacker.
The other wrinkle about that is that text-messaging multi-factor authentication is weak, and it can be attacked. So if I can gain access to someone’s AT&T or T-Mobile account, I can intercept their SMS. And if we’re talking about stealing your life savings, it’s totally worth it. So it makes much more sense to use an application-based multi-factor system like Microsoft Authenticator, Google Authenticator, or Duo. And so that’s what I say: these three steps create big speed bumps that will cause an attacker to move on to someone else.
GWYNETH SHAW: That’s great advice. I’m going to go get myself a new email address right after we stop talking. Well, Chris, thanks so much for joining me. And thank you, listeners. To learn more about Professor Hoofnagle and his work, please check out the show notes, and if you enjoyed this episode, please share it. Be sure to subscribe to Voices Carry wherever you get your podcasts. Until next time, I’m Gwyneth Shaw.
[MUSIC PLAYING]