March 2023 Global Tech Policy Bulletin: From Bank Nightmares to a Spyware Scandal in Greece

Hello, and welcome back to Citizen Tech, InformationWeek’s monthly global policy update. It’s March, and we’re looking at the following:

Tech Finance on the Brink

Bankers have passed sleepless nights all month, between the fall of Silicon Valley Bank, the near fall of Crédit Suisse, and First Republic’s $30 billion life support from the Treasury, JP Morgan Chase, and 10 other major banks.

Citizen Tech is less interested in these fraught negotiations than in the fate of Silicon Valley Bank (SVB), the 16th largest in the United States and one of the most important investors in tech startups. On March 7, SVB made a shocking announcement: it was taking emergency measures to stay solvent, including the sale of $21 billion in liquid assets, per the New York Times. They had long depended on government bonds, which depreciated with recent higher interest rates but kept their bank’s money tied up, and their biggest clients began closing their accounts and looking for a bank with a healthier liquidity. Investors began dumping their shares as quickly as they could. Moody’s downgraded the tailspinning bank, and by the end of the week the Federal Deposit Insurance Corporation (FDIC) had announced it would be taking SVB’s deposits into its own hands, to reassure investors that their deposits, at least, were safe.

NPR spoke to a number of tech startups the following week, asking their stories. All of them had long depended on SVB; several of them feared not being able to pay their employees or make wire transfers as the bank crashed. One startup CEO found himself in line at the Santa Clara SVB branch with nobody behind the counter. Eventually he was told that his assets were frozen -- a nightmare for any small business owner, but worse for someone who works in the volatile tech sector.

Although perhaps the sector itself needs a bit of self-reflection -- the tech sector, that is. (Everyone knows self-reflection is a rare virtue in the banking sector.) Were it not so “clubby and herd-following,” as Kevin Roose of the Times called the tech industry, the run on SVB might have been avoided, or at least slower and more easily managed.

The political fallout of this month’s banking scare will become clearer in the coming months. For now, lawmaker reactions have split more or less along the same lines as the reaction to Biden’s Chips Act: support from the center, dissent from the wings. On the left, Sen. Bernie Sanders (D-VT) thundered about “vulture capitalists” and working people, pointing out the irony of SVB’s CEO Gregory Becker, a longtime advocate for banking deregulation, leaping into the arms of the Fed’s regulatory regime when it served him. On the right, Republican presidential hopeful Nikki Haley called the bailout “socialism for the rich.”

TikTok on the Hill

Nikki Haley’s Twitter feed may be a good starting point for discussing the other major tech story in Washington this month, the appearance of ByteDance CEO Shou Chew before Congress amid talks of banning his flagship video app, TikTok. Haley has tweeted over and over that such a ban is necessary for national security. (“Cringey app anyways,” she added.)

This is by no means an exclusively Republican sentiment. New Jersey Democrat Frank Pallone, ranking member of the House Energy and Commerce Committee who summoned Chew, railed against this “tool used by a foreign adversary to violate Americans’ privacy and to undermine our national security.”

TikTok’s questionable access to user data and use for espionage has become a perennial theme in Citizen Tech, but the stakes rose this month. The White House demanded that ByteDance, the company that owns TikTok, divest itself of Chinese shareholders, which would theoretically weaken its bond with the Chinese government. If they didn’t, the White House threatened, the United States would outlaw the app. ByteDance only smiled at the threat. For one thing, President Trump had failed when he tried to ban TikTok in 2020. For another, there are 150 million app users in the US. In Brussels, ByteDance’s European representatives told POLITICO they had a “clear understanding” between European lawmakers, which would keep TikTok legal in the EU. The firm is whistling in the dark, to some extent: the European Commission has already banned TikTok from its work devices and unrest is bubbling in Strasbourg.

From the witness table in Washington’s Rayburn building, Chew stressed his bonafides, including his honorable service in the army of Singapore, his degree from Harvard Business, and his beginnings as a humble content creator. After a litany of gentle platitudes about “discovery, creation, and creation,” Chew made four promises to the Committee: that safety for TikTok’s youngest users was a top priority; that all US user data was and would be firewalled from foreign access; that no government would be permitted to interfere with TikTok users’ freedom of expression; and that ByteDance would remain transparent with all third-party monitors.

But committee chair Cathy McMorris Rodgers (R-WA) spoke for many in the room in her caustic opening remarks. “TikTok collects nearly every data point imaginable, from people’s location, to what they type and copy, who they talk to, biometric data, and more,” she said. “Your platform should be banned. I expect today you’ll say anything to avoid this outcome.”

War Bulletin No. 14

Here is one of the strangest tales to come out of either the Ukrainian War or the ongoing TikTok drama: Your teenage niece’s favorite is not only driving American lawmakers to distraction, and not only spying on journalists, but inadvertently hurting the Ukrainian war effort.

A Norwegian aerospace defense manufacturer, Nammo, supplies artillery shells to the Ukrainian Ministry of Defense. Demand is high: according to the Guardian, the Ukrainians fire as many as 7,000 a day. Demand is so high, in fact, that Nammo needs to expand one of its main factories just to keep up.

It can’t, however. There isn’t enough electricity, because the regional TikTok data center is taking it all up. Nammo’s CEO groused that “our future growth is challenged by the storage of cat videos,” which is, perversely, the funniest summation of 2023 yet uttered. The irony is that TikTok is following the instructions of EU lawmakers by storing European data in Europe. (Norway is not an EU member but is covered by GDPR.) As the Guardian points out, this is also part of a larger story about the cost of data centers, which has risen to 3.2% of Europe’s energy demand and will likely keep rising.

In Athens: A ‘Predator’ Does Not Rest

Last summer, the Greek government found itself embroiled in a domestic spy scandal that led to -- almost no consequences at all, apart from embarrassment. After months of inquiry, the center-right Mitsotakis government more or less admitted to having lured opposition leader Nikos Androulakis, MEP, into downloading Predator spyware on his mobile. Predator is a mysterious bug; its origins are far from clear. A Greek company, Intellexa, tried to sell the Ukrainian military a Predator suite in 2021. (The leaked pitch is worth reading, if only for the cold-blooded marketing: a magazine of 100 extra infections, for instance, goes for €900.) Gizmodo, on the other hand, holds that Predator is the flagship malware of a sinister, secretive company called Cytrox, just over the border in Northern Macedonia -- outside the European Union and theoretically unbeholden to its regulators. Cytrox specializes in surveillance technology. According to Citizen Lab, Cytrox and Intellexa’s self-declared “alliance” amounts to membership in a kind of underground, European spyware cartel.

Whoever is ultimately behind Predator, Mitsotakis’ security arm seems to have used it with abandon, bugging a long list of opposition targets, including journalists. By October, however, the case seemed to have fizzled out. Mitsotakis’ chief of staff and national intelligence chief both resigned. The government claimed not to know anything about anything, wrote up a report on the affair, and never got around to publishing it. That seemed to be that.

But the scandal roared back to life this month when the New York Times revealed that a Greek-American trust and safety manager for Meta, one Artemis Seaford, had been infected with Predator -- by the Greek national intelligence service, directly --  as early as 2021. Seaford was an on the ground cybersecurity specialist for the tech behemoth, frequently working with Greek and EU regulators. It isn’t clear why she was targeted. Was the Greek government using Facebook or Instagram as a platform for spying? Was it trying to cover up traces of electoral disinformation? Or was this a more banal question of contracts and regulation?

Don’t expect answers from the Greek government. “The Greek authorities and security services have at no time acquired or used the Predator surveillance software,” their spokesman told the Times. “To suggest otherwise is wrong.”

In Brussels: Europe Needs Metal

The European Commission is pushing for a new approach to critical metals and other raw materials, for use in “renewable energy, digital, space and [defense] technologies.” The European Critical Raw Materials Act mandates that 90% of critical materials, like lithium -- for which demand is set to increase 12-fold in the next seven years -- come from outside the EU (a problem the US also faces). The plan will, in theory, not only diversify Europe’s supply chains but mandate recycling of rare earth metals: up to 15% of the EU’s critical raw material supply should be recycled by an unspecified date.

There is a foreign policy aspect to this as well. The commission’s fact sheet does not need to mention China to make it clear that Europe’s mineral sovereignty will come at Beijing’s expense. There’s a lot of talk about close cooperation with the WTO and OECD, as well as suggested “win-win” partnerships with friendly countries: Chile and Australia receive mention. The world’s foremost supplier of technology’s raw material does not.

White House Wants Cybersecurity Reboot

On March 2, the White House announced a new, holistic strategy for cybersecurity, the National Cybersecurity Strategy. This strategy, according to the fact sheet, would “secure the full benefits of a safe and secure digital ecosystem for all Americans.” The Colonial Pipeline attack of 2021 seems to be weighing heavily on the administration’s mind, especially given Biden’s commitment to new infrastructure: “Its implementation will protect our investments in rebuilding America’s infrastructure, developing our clean energy sector, and re-shoring America’s technology and manufacturing base.”

One of the most interesting points of the new strategy, besides the call for coherent cybersecurity standards across the private sector and vague, predictable calls for resilience, is the plan’s attention to ransomware, which focuses entirely on prevention and leaves response more or less alone. There is no promise of a coherent, federal protocol for companies under attack. The White House’s report to Congress on cybersecurity, of which the fact sheet is a summary, states that “the Administration strongly discourages the payment of ransoms. At the same time, victims of ransomware -- whether or not they choose to pay a ransom -- should report the incident to law enforcement and other appropriate agencies.”

“Discourages,” “should,” “whether or not” -- an unoriginal and surprisingly laissez-faire approach from an administration otherwise enthusiastic about new regulation and close public-private partnership.

Another important aspect of Biden’s cyber strategy is a new plan for cloud security, which would, unlike his ransomware policy, involve a unified regulatory scheme. So far, cloud providers have been required to implement new user verification protocols. That has a certain logic: the acting national cyber director told POLITICO that the cloud is “too big to fail.” (Between this and the SVB collapse, 2008 seems to be on everyone’s mind.) Expect more regulations in the near future.

Biden to Crypto: Who Needs You?

It’s not a secret that cryptocurrencies and the financial regulators are pulling in opposite directions, but this month SEC commissioner Hester Peirce told an audience of law students that some of the tension could probably be avoided. Peirce, a Republican, said that “Some people in the regulatory world are perfectly fine with having innovation in crypto move away from the United States because they don’t think that there’s anything positive that’s going to come out of it,” according to Blockworks. “I tend to be of a different mindset.”

Her statement comes on the heels of both the aforementioned Cybersecurity Strategy and the Economic Report of the President, given to Congress this month, which has a lot to say about crypto and none of it very flattering. The industry as a whole requires regulatory discipline, the Economic Report goes; thieves, scammers, and tax dodgers enjoy carte blanche. The FTC reported some $80 million lost to crypto scams between 2020 and 2021. Other users are using blockchain technology to illegally inflate share values; the environmental damage caused by the industry is substantial; and worst of all, according to the report, there are better technologies in place than blockchain to protect financial transactions, including tamper resistance and nonrepudiation. The whole crypto industry, in other words, is a pointless incentive to delinquency.

Naturally the industry was not impressed. Galaxy Digital, a prominent industry group, countered that the report misrepresented the industry entirely, portraying a few bad actors as the norm. “One obvious takeaway is that the framing of each section is negative,” their response asserted. “Crypto’s growth has revealed a demand for a faster and more inclusive financial system.” The CEO of the Blockchain Association, Kristin Smith, also shot back that “crypto is here for good, promising a safer and sounder financial system and a consumer-centric internet.”

Recommended Reading: A History of Chips

John Lanchester reviewed a new history of semiconductors, Chris Miller’s Chip War, in the London Review of Books this month. It’s worth a read, partly for its glimpse into the people who made the modern semiconductor: Andy Grove, born András Gróf, escaped the misery of post-war Hungary to join Intel, eventually commanding the company through a successful, self-declared policy of paranoia. The military insights are interesting as well: did you know how important chips were to the US war effort in Vietnam?

But Lanchester’s own conclusions about the direction this prodigious technology is taking are just as interesting. On Biden’s semiconductor policy: “Trump talked a good game about trade war with China, but when it comes to intentionally damaging China’s strategic interest, nothing he did was within a country mile of Biden’s new policy.” On the civilian implications of new technology: “I suspect that will mean, fairly imminently, customer service systems which replace phone-automation hell with chat services that are much better, most of the time, but offer no exit from their closed systems, are incapable of admitting error and won’t let you engage with a human being, ever. So it’ll be a lot better, except when it’s a lot worse.” Read it here.

What to Read Next:

From Terrorists on YouTube to the Chips Act and Its Discontents

From ChatGPT Musings to Tech Diplomacy in India

From Green Energy Investments to Digital Forensics in Ukraine