Mailyn Fidler, NGTC Faculty member and Assistant Professor of Law at Nebraska College of Law, joins Gus Hurwitz to discuss a range of topics centered around international cybersecurity issues. Mailyn and Gus explore the colonial history of various African nations and how that has shaped their approach to technology regulation, the position of Africa in global discussions about technology and cybersecurity, and much more.
Follow Mailyn Fidler on Twitter @mailynfidler
Follow Gus Hurwitz on Twitter @GusHurwitz
Follow Nebraska Governance and Technology Center on Twitter @UNL_NGTC
Links
Infrastructure, Law, and Cyber Stability: An African Case Study by Mailyn Fidler
Nebraska Governance and Technology Center
Mailyn Fidler, NGTC Faculty member and Assistant Professor of Law at Nebraska College of Law, joins Gus Hurwitz to discuss a range of topics centered around international cybersecurity issues. Mailyn and Gus explore the colonial history of various African nations and how that has shaped their approach to technology regulation, the position of Africa in global discussions about technology and cybersecurity, and much more.
Follow Mailyn Fidler on Twitter @mailynfidler
Follow Gus Hurwitz on Twitter @GusHurwitz
Follow Nebraska Governance and Technology Center on Twitter @UNL_NGTC
Links
Infrastructure, Law, and Cyber Stability: An African Case Study by Mailyn Fidler
Nebraska Governance and Technology Center
Disclaimer: This transcript is auto-generated and has not been thoroughly reviewed for completeness or accuracy.
[00:00:00] Gus Herwitz: Welcome to Tech Refactored, a podcast in which we explore the ever changing relationship between technology, society, and the law. I'm your host, Gus Herwitz, the Menard Director of the Nebraska Governance and Technology.
My guest today is Professor Maylin Fidler.
[00:00:28] Mailyn Fidler: I'm and Maylin Fidler, I'm an assistant professor of law here at the University of Nebraska College of Law.
[00:00:33] Gus Herwitz: Professor Fidler's Scholarship focuses on the intersection of criminal law, technology, and speech among other things. She is an expert on the Fourth Amendment and changing technology, and in criminal law, she writes about often overlooked aspects of criminal proceedings, including things like jury nullification, sentence mitigation, and allocution. She is also an expert on international cyber security and cyber crime regulations, and this is what our discussion today is going to focus on.
We're going to cover [00:01:00] a really wide range of issues with Professor Fidler, ranging from the immediate cybersecurity issues that are being discussed in various countries, the history, including the colonial history of various individual African nations and how that has affected their approach to technology regulation, the position of Africa in global discussions about technology and cyber security.
And of course we will also talk about undersea fiber optic cables. It's a fun conversation and we're going to start with some background on how Professor Fidler got into this area of research.
[00:01:40] Gus Herwitz: One of the fascinating things about your work, which, uh, we'll turn to is you'd have focused on the global south. Mm-hmm. and, uh, issues in Africa in particular. So we'll turn to that, but, uh, before we turn to cyber security in Africa, can you. Tell us a little bit about your interest in cyber security and how you approach the field.
[00:01:58] Mailyn Fidler: Sure. Yeah. So I look at [00:02:00] cyber security as another instance of the general problem. Where governments want to control things versus sort of individual liberties. And so that's the, the broad approach I take to cybersecurity.
[00:02:11] Gus Herwitz: And we've spoken with folks about cybersecurity, uh, before I know you have a criminal law focus mm-hmm.
in, uh, a fair bay of your scholarship. And when you're talking cybersecurity, there are folks on a regulation and cyber cybersecurity, uh, perspective. There's the technological approach, there's international law, law of armed. Coming from the criminal law perspective, how does that call how you think about what cybersecurity is?
[00:02:33] Mailyn Fidler: Yeah, certainly. So it means I focus more on two aspects than other cybersecurity folks might. So cyber crime and hacking and the criminal law, consequences of those kinds of things as a cybersecurity problem, as well as the government, as a cybersecurity actor and government hacking, and what restrictions we'd wanna put on the government as a, a cybersecurity actor or destructor,
Right?
[00:02:54] Gus Herwitz: Yep. Generally, how would you characterize. American conception of [00:03:00] cybersecurity and where I'm going to go with this is mm-hmm. , bring that globally and then refocusing us, uh,
[00:03:04] Mailyn Fidler: on the global south. Sure. So the American conception of cybersecurity, as I think we've talked about in other context, is very sectoral.
So it focuses on specific rules for certain kinds of data. The interesting thing about the global conversation about cybersecurity is the American voice is, Super present . Um, so we have a sort of a Western approach, but it is mostly European driven. When I'm talking about the West in relation to the global south, often it's going to be talking
[00:03:32] Gus Herwitz: about Europe and how does the European conception of cybersecurity differ from the American conception?
[00:03:40] Mailyn Fidler: There's an interesting phenomenon talking about global regulation of cybersecurity because there aren't as many differences in approaches as you might think, So there's definitely a difference in data protection versus privacy, that kind of stuff. On cyber security, you actually. Fewer substantive differences, which is very interesting.
So there's a political game here that's being played. Without much [00:04:00] difference in substance. So this is sort of the heart of my research is, is looking at this. So we have something called the Budapest Convention on Cyber Crime, which is the Western, I'm doing air quotes here. Western approach, primarily driven by the Council of Europe, as well as the US, lays out rules about cyber crime.
Pretty straightforward.
[00:04:19] Gus Herwitz: So it, it's pro cyber crime.
[00:04:21] Mailyn Fidler: But no, anti cyber crime- although potentially anti sovereignty, which is the major sort of point of substantive debate over cyber security and cyber crime, which I can return to in a second. We have sort of a flowering of other regional conventions on cyber crime, on cyber security.
Nominally they try to put forward other approaches. If you look under the hood, there's not a lot of difference there probably because this is the technical problem. There's a limited set of ways you can go about addressing the the underlying issue, but there's an effort to say that these are very different and there's an effort to align countries sort of behind [00:05:00] different regional conventions as though they were very different and, And one of the key differences is sovereignty. We can circle back to that.
[00:05:05] Gus Herwitz: It's weird. This sounds like there's some weird political chess and mm-hmm. Invisible factions. Is this just the traditional European interests versus American interests, or what are the factions where the breakdowns here?
[00:05:17] Mailyn Fidler: Yeah, so let me tell this through the story of the Budapest Convention that will give it a little bit of flavor. So we have the Budapest Convention come on the scene in 2000. Again, that was a Council of Europe instrument with substantial American participation. And this was supposed to be the gold standard approach to dealing with cyber crime internationally.
So it was nominally open to every country, uh, that wanted to join. In reality, that's not what happened. And then we see the commonwealth of independent states. Which is a regional body composed of Russia and China and other associated states. They came out with their own version also in 2001. That was a sort of competing document to the Budapest convention.
So we had [00:06:00] initially sort of west versus Russia, China approach. You would think it would've ended there. It didn't. Uh, we had the Shanghai Cooperation Organization, which is China, come out with their, their own version, and I think it was 2009, 2010. Again, there's a question of why they would wanna go different than the one that they already had with Russia, but they did.
Um, that one is probably the most substantively different. Um, it tries to define underlying concepts around cyber security differently. Didn't stop there. We had the League of Arab states come out with their own in 2010, and then we had perhaps, most surprisingly, the African Union come out with their own in 2014, the Malabo convention.
Yeah.
[00:06:40] Gus Herwitz: This seems-
[00:06:42] Mailyn Fidler: Yeah. So my argument is that especially when we are dealing with technical domains that don't yet have legal rules around them, countries see this as an opportunity to exercise political leverage. So there's a competition over who owns the rules, not just what the rules say. And [00:07:00] that's part of what explains this difference between there not being a lot of substantive difference, it's really about who gets to write the rules and who gets to control their enforcement.
[00:07:07] Gus Herwitz: Is this a prestige sort of thing, or is there some more? Putting my cynical head on some nefarious will, if I get to write the rules, I'm going to be able to write them in a way advantageous to firms in my country.
Mm-hmm. or to my country's political interests or? I'll have greater say in how they are ultimately enforced or interpreted in the future. Yeah, there's
[00:07:28] Mailyn Fidler: a little bit of both, and it depends on what region you're looking at and assessing why they decided to go sort of different from the Budapest Convention.
So with Russia, with China, that is more sort of a, a political prestige, uh, desire to try to drive, you know, the, the new World order per se. With the African Union, it's different because that's not the goal, right? A, it's not politically realistic. So my argument there is actually one that just like other regions are using this as a political tool, the African Union is using cyber [00:08:00] security regulations as a political tool, but their ends are different.
So it's really a tool of resistance against outside interests and primarily the outside interest is the European. And interestingly, histories of colonialism actually come up a lot in patterns of support for independent cyber security regulations, which you wouldn't expect, right? .
[00:08:19] Gus Herwitz: Yeah. So let's use that to pivot to your interest in and your research relating to cyber security issues in the African Union mm-hmm.
And global south. Uh, more generally, and I'll start by asking a question. I'm sure you get often. How did you get interested in this
[00:08:34] Mailyn Fidler: area? Very good question. It's one of those, I guess, happy accidents, right? I'm from, The Midwest, I have no personal connections to Africa. Um, but when I was, uh, I think it was the summer after my senior year in college, I was interning at Google and as part of the internship they offered a sort of a phone call with somebody in the company that you thought would be interesting to talk to.
I don't know why I said, Can I talk to the, uh, Google Policy Office in Africa? [00:09:00] Um, and they said, Sure. And so I talked to them and they raised this issue of the cybersecurity convention and said, There's not a lot of academic research around this. I was heading to grad school and so I thought, Hey, this is, this is a very interesting topic to explore.
So I wrote my master's thesis on that, and then it has, you know, continued to be an interest
[00:09:18] Gus Herwitz: of mine. A really great example of the age old advice to students everywhere that you should do some weird things.
[00:09:25] Mailyn Fidler: Yep.
[00:09:25] Gus Herwitz: Take, take that class that you don't know anything about, or, uh, get to know that professor who's just- you don't study with. And they seem really weird because a simple idea can spark a lot of questions and a lot of interest and can take you to really fascinating places.
[00:09:39] Mailyn Fidler: And to push back against people who tell you not to do those weird things. Uh, I got a lot of pushback about studying a and cybersecurity, which is not really done in either international relations or the law at the time that I was studying things. Mm-hmm. and Africa, people said, "don't do it." Um, there's a lot of biases out there, but it has been a very interesting and fruitful topic, so, yeah.
[00:09:58] Gus Herwitz: So can you tell [00:10:00] us a bit about your, uh, early forays into this area and how your, uh, journey and experiences, uh, continued to
[00:10:05] Mailyn Fidler: grow?
Yeah, so I started out by conducting lots of in-person interviews at. Internet policy gatherings in Africa. So the first round I did was in 2015. That was in Ethiopia, and then I went back and did more interviews in Uganda. In 2016, and then most recently finally got to go back after the pandemic to Ghana.
And so it's been a combination of sort of textual analysis of all of the different rules as well as layering on those, those interviews with people who were there at the drafting of the this instrument.
[00:10:40] Gus Herwitz: I. Know and assume that there are all sorts of tropes and stereotypes. Mm-hmm. and misconceptions about the law in Africa, by which is to say American scholars and non-African scholars and lawyers have a lot of assumptions and misunderstandings.
Mm-hmm. . Um, are there any that you've noted or that, uh, you [00:11:00] find particularly remark. Yeah,
[00:11:02] Mailyn Fidler: so there's, especially in the cyber security realm, there's this sort of conception of, well, why do African states need this regulation when they don't sort of exhibit the same kind of either level of cyber crime, level of cyber insecurity, or even underlying levels of internet infrastructure.
And I think that obscures, again, the political work that these regulations are doing, so that that's. Stereotype that I've encountered a lot. The,
[00:11:27] Gus Herwitz: there's a economic war going on over control of Africa in many ways. Uh, the United States, European Union, Russia, and perhaps most notably China mm-hmm. are investing very heavily in infrastructure in much of Africa.
Mm-hmm. and much of that infrastructure is telecommunications infrastructure, cyber infrastructure. Does that play any role here?
[00:11:49] Mailyn Fidler: So this is one of the puzzles I've been trying to figure out because. The regulatory battle over cybersecurity in Africa does not seem to reference China at all. It is very [00:12:00] European oriented and sort of pushing back against European dominance.
I've been trying to figure out why couple speculations a, trying to actually benefits from a lack of regulation in states that they want to invest in. And so they don't want a lot of regulation, so they're, they're happy for things to sort of exist as they are. Um, at the Ghanaian conference I went to recently, I floated this theory and the response I got was, Well, no, they have a policy of non interference, so we actually really appreciate.
That they're not involved in our regulatory debates. So that's a different Take on that.
[00:12:36] Gus Herwitz: That that is a very interesting yes, very interesting take.
[00:12:38] Mailyn Fidler: Um, and then the second thing I wanted to say was I've picked up this pattern that countries with- and let me back up. I'm gonna talk about undersea fiber optic cables, okay?
Which is what carries the internet high speeds to countries. There's a very good chance that domestic overland fiber infrastructure also matters. The data there is much harder to get. [00:13:00] So focusing on on the undersea fiber for starters, so countries with fewer undersea fiber optic cable connections, and countries.
Cable connections that have outside ownership, particularly European ownership, are much more likely to support the African Union Cyber security convention. Very odd, right? Mm-hmm. . So we've got this technological vulnerability aspect actually driving support for regulation, which I say, uh, supports this view of the law as a resistance
[00:13:30] Gus Herwitz: tool.
So, uh, I'm going to ask questions coming from a place of ignorance mm-hmm. that I expect a shared by most of our listeners. Mm-hmm. . Um, I will readily. Not a great deal of familiarity with African law or governance. And of course Africa is a continent. Mm-hmm. not a country. Um, you've been talking about the African Union.
Mm-hmm. , can you just educate me and the listeners, uh, a little bit about what the political and governance structures at [00:14:00] issue here are? Sure.
[00:14:00] Mailyn Fidler: So you're right, I've been talking a lot about the African Union, so this is a Pan Continental. Organization of African States. Now, I believe it actually does have all African states in it.
Maroc. Without, for a while, they're back in. Um, and so sort of similar in theory to integration projects like the European Union. The African Union tries to tackle issues that affect all African countries. That's in theory, in practice. There are a lot of, you know, ongoing struggles over how much buy-in to give the African Union, what its scope should be, that kind of thing.
[00:14:34] Gus Herwitz: Are they governed by something like the TFEU, the Treaty for the European Union that kind of has a constitutional level of authority within or among the member states or no? Is it, it's looser.
[00:14:48] Mailyn Fidler: It's not, It's looser, It's not quite constitutional. So to give an example from the cybersecurity context, the, the cybersecurity and data protection treaty: it's optional to join African Union, put it [00:15:00] out. But then member states have toe, essentially. Mm-hmm.
[00:15:03] Gus Herwitz: uh, and what, what about the politics within individual countries? How, uh, I, I'm sure there's a great deal of variation in terms of strength of the government, the governance institutions, their, their interests in these topics.
[00:15:15] Mailyn Fidler: Yeah. And actually, I should say there's one more level to talk about before we get to the states. So that's sub-regional. Governmental organizations, so there's the Pan-African African Union, and then there's different regions within Africa. So Southern, Eastern and Western are the primary ones, and there's subregional organizations that have all member states from those regions.
That's important because those states act as interest blocks within the African Union. Mm-hmm. . So they're sort of power struggles over which Subregion is going to get its way. Within those subres, there are then what I call sub-regional hegemons. So leading states within these, these little mm-hmm.
smaller groups. So South Africa is the clear sub-regional hegemon in the east southern [00:16:00] region, the eastern and western ones. There's a bit more competition over who calls the shots in those sub-regional organizations. Domestic politics often is linked to those struggles as well. And so within the Western subregion, especially over cybersecurity matters, you have countries sort of vying for leadership over all issues, and so that drives their decisions about whether to support things like cybersecurity regulations, So, mm-hmm.
sometimes support pattern. Don't look like you would expect them to because of this sub-regional political competition
[00:16:34] Gus Herwitz: that's going on. What's the, uh, state of development of the technology industry in individual countries in Africa? There certainly are countries that I know have substantial technological growth and development infrastructure.
Mm-hmm.
[00:16:49] Mailyn Fidler: It's pretty widely varied. So you're gonna have these countries that have very active technological hubs. And then you have countries that don't. And so it really varies and is a more a local [00:17:00] question than anything else.
[00:17:01] Gus Herwitz: What's the goal of the regional or the local tech industries? Is it to build out infrastructure for within, for domestic uses, or are there any significant technological exports?
[00:17:13] Mailyn Fidler: This is speaking in very broad strokes, so mm-hmm. . Yep. Not everything is going to fall into this, but it's, it's largely a domestic economic effort. Mm-hmm. , so driving commerce and trade within. A country and also sort of between neighboring countries. But in terms of global exports, that's not so far really the focus of, of the tech industries there.
[00:17:32] Gus Herwitz: So let's turn more directly to the cybersecurity questions. What sort of topics are at issue are up for debate? I know you are recently in Ghana at a cybersecurity conference. What are the issues and concerns that they're talking about?
[00:17:47] Mailyn Fidler: So the Malabo Convention itself is pretty comprehensive. It covers most of what you would expect from a, a cybersecurity convention.
Um, so incident response standards, that kind of thing. So that is. Sort of already [00:18:00] taken place. What, what's at issue now is a lot of capacity building, so making sure that countries have the equivalence of sort of certs, uh, emergency response organizations set up, have people who are capable of being cyber security officers and companies, that
[00:18:17] Gus Herwitz: kind of thing.
And so really in many ways the same things that we're talking about here in the United States. Exactly. Mm-hmm. workforce development, having, as you say, the certs, those emergency response teams. Mm-hmm. , I assume. Putting together some sort of ISAC infrastructure mm-hmm. for, uh, when your company is breached and reports it to law enforcement.
Law enforcement knows who to report it to, to bring in resources and do information sharing and all, all
[00:18:41] Mailyn Fidler: that stuff. And that actually the law enforcement piece is another big thing that's, uh, Being debated right now and making sure law enforcement has the correct training to do incident investigation and also setting up infrastructures for information sharing.
[00:18:53] Gus Herwitz: I'm going to ask the true ignorance question, and this is, uh, not coming from a place of ignorance in [00:19:00] asking this. Um, but I'm sure a lot of people listening to this, the first thing that comes to mind when they think Africa and cyber security is spam email and four 19 scams. Mm-hmm. , I, I just have to ask because it is the obvious.
Blinking flashing red light that a lot of people will immediately think about. Do you have anything that you can tell us about Nigerian princes and all of that stuff?
[00:19:27] Mailyn Fidler: Yeah, so it's certainly something that happens in terms of overall statistics. Africa-
[00:19:32] Gus Herwitz: Ju- just to be clear, when you say it's something that happens, the, these spam emails, emails not, not the listeners.
If you get an email from a Nigerian Prince, it's- this is not a thing that happens. ,
[00:19:43] Mailyn Fidler: the spam industry is something that happens. Um, it, it's tricky because the African continent as a whole sort of fall somewhere in the middle of being a source of cyber attacks and also being a victim of cyber attacks. So it's not.
one or the other, which is again, another reason. People are like, Why are you [00:20:00] regulating this when it's sort of a, you know, back burner problem. But the, the interesting thing about the the four 19 scams and this kind of thing is these are all outward facing. So they, they come from an African country and the, the victims are outside of the African continent.
And so the African Union Convention is not trying to solve that problem, right? It's trying to solve things that are happening within the African continent itself. And so this is why, uh, the Council of Europe wants other states to join the Budapest Convention because that is truly, well at least, uh, aspiring to be truly global and would, uh, solve some more of these cross-border issues.
But that's where the sovereignty piece. Mm-hmm. .
[00:20:37] Gus Herwitz: So, uh, a really important distinction and delineation of geographies there to recognize once you start looking at outward facing stuff, your concerns are different. This is with ransomware attacks. There's a lot of discussion over the last, uh, several years that a lot of the ransomware groups are located in Russia and Vladimir [00:21:00] Putin has turned a blind eye to them.
Mm-hmm. , and basically said, So long as you don't. Russian companies, you can do whatever you want. We're not going to come after you. And you might think, Oh, Russia, they're, they're in a bad state. And oh, Nigeria, I don't really know anything about Nigeria. But for 19 scams, they're probably a bad place too.
Well, you know, the, the United States is kind of the same way. with a lot of our treaties and interests. Mm-hmm. , um, that this is in many ways the longstanding debate between the United States and European Union with the so-called privacy shield. Mm-hmm. , and whether firms in the United States can do business in Europe, bringing European citizens data to the United States, American law says, Europe, European citizens data isn't protected by the US Constitution, so we, the American government, can violate European citizens' privacy rights left and right.
That extra territoriality really matters. And if you're not thinking in a. From an international perspective or from the perspective of an [00:22:00] international agreement, suddenly your domestic laws, they are inward facing, protecting your citizens, and they kind of ignore everyone
[00:22:07] Mailyn Fidler: else in the world. This brings up an interesting question, though, because data protection and cybersecurity regulations in Africa diverge in terms of political support specifically to respond to the Nigeria point, right?
Nigeria's in West. Overall, West Africa has been a big supporter of the African Union Convention. Nigeria has not been, it's been Senegal and to some extent Ghana, who have been sort of the key Western drivers again. Goes back to what I was talking about, about competition over sub-regional leadership. So Nigeria has big tech industry.
It's arguably a leader gone in Senegal are coming in and trying to be also the leader and using the regulatory side as a way to, to approach that. Those countries also have different colonial histories, right? And so that also comes into play in terms of their support for the convention.
[00:22:55] Gus Herwitz: So the, the colonial history part, fascinating for [00:23:00] a lot of reasons, but one in particular comes to mind. I'm curious how much of these efforts, especially when you're looking at individual countries mm-hmm. trying to drive the discussion is about attracting foreign investment and trying to get. European companies, American companies, Chinese, Russian companies to say, We're willing to come into your country and do business and bring investment, which is kind of a reverse colonial sort of discourse. How much is this about trying to compete for international investment?
[00:23:35] Mailyn Fidler: So, such an interesting topic. So clearly this kind of investment is desired to some extent by African countries. It's also deeply resented. And so we have this tension between desiring this investment and resenting this investment. And so what my research has shown is that the African Union Convention has actually been more on the resistance, resentment side than the attracting foreign investment.
Because if it was about attracting foreign investment, African countries would just have joined the [00:24:00] Budapest Convention, right? Because then everyone's on a unified regulatory scheme. That's not what happened. They went this other direction. One's sort of simple heuristic to understand this is that countries with French colonial history are supporting the convention much more.
The way that I put that in my research is that countries with French colonial history, this is an international relations terms, they're um, an international relations term. They're much. More vulnerable politically, financially, economically, that kind of thing. So there's a lot of vulnerabilities that came from the particular forms of colonization.
There's also vulnerabilities now, so France is much more active in its role in this kind of investment and the kinds of demands that it places. And so there's a sense of continuing vulnerability there that
[00:24:45] Gus Herwitz: is just. Deeply rich and fascinating both on, on that particular point, but also if you're trying to do law or regulation or technology or international investment, you don't even need to look at the international aspect.
You can find the same [00:25:00] sort of stuff. Mm-hmm. domestically, if you're trying to understand why. One state likes a certain policy and another state doesn't, and how to get them to sign on to support some piece of federal legislation and why they don't. We can think, and we usually do as we're both law professors, legal researchers, we usually think in very objective, Well, let's do cost benefit analysis.
Let's look at the economics of this. How is it going to affect industry in this state versus this state? There is history, there is stuff going on with the identities of the actors, of the countries, of the regions, whatever that informs how they think about the law, how they think about their relationships, how they think about their sovereignty, how they think about their rights, and-
I, It's just such a poignant example of the difficulty that we're engaging and though we're confronting anytime we're talking about regulation or law or treaties or politics or relations, international or domestic.
[00:25:58] Mailyn Fidler: I'm not a scholar of colonial [00:26:00] history. Right. I started this project. Sort of from a technocratic angle thinking, Okay, I need to know about cyber security and I need to know about law.
I've had to become a, a scholar, to some extent of colonial history to, to do this
[00:26:10] Gus Herwitz: project. So yeah, interdisciplinary work. Mm-hmm. right there. People so often that the idea of interdisciplinary work, which is what here at the Governance and Technology Center, where we're really trying to do. A lot of people think that interdisciplinary work is let's get the chemist and the biologist to work together, or let's get the material science engineer to work with the chemist to figure out a good container for some new reagent or something really aggressive.
Interdisciplinary work is sometimes, and let's bring the business side in to talk about commercialization or maybe. A lawyer to talk about some regulatory issues, but no true interdisciplinary work. You're bringing in the legal, the historical, the regulatory, the technical, the applied engineering, the theoretical engineering, and the humanities.
The class assists, uh, [00:27:00] the, the colonial studies historians. It's fascinating and so hard.
[00:27:05] Mailyn Fidler: Mm-hmm. , which brings us to undersea cables, right?
[00:27:08] Gus Herwitz: Yes. Which is gonna bring us to undersea cables. You, you mentioned undersea cables, um, before, and I guess this is, this brings us to the technology side. Yeah. The interdisciplinary discussion.
I'll, I'll just ask undersea cables. These are the, the large, uh, fiber optic cables typically that run under the. connecting a one continent to another. Most often they come up to the shore at landing sites. They're, they're just fancy pieces of glass wrapped in rubber and metal cladding to protect them literally from shark bites.
What's this cybersecurity issue with this piece of glass?
[00:27:43] Mailyn Fidler: Yeah, so, oh gosh, so many things to say. I wanna start by just sort of giving a background on the role that undersea cables play in domestic internet. So the United States has tons and tons of undersea cable connections. There's a, a landing [00:28:00] site in Florida that has more fiber optic cables coming ashore than any African country has docking on their coast.
And so that just gives you an idea of the scale that we're dealing with. And so, has cybersecurity implications because these pieces of infrastructure are physically vulnerable much more than other elements of cyber infrastructure. So they're vulnerable at landing points, they're vulnerable to physical takeovers, they're vulnerable to changes in regime.
So that's one side of it. And so if you have fewer landing spots, if one of them gets taken over or taken out mm-hmm. , you're up a creek because that's your entire, essentially domestic internet except for satellite backup gone potentially. Mm-hmm. .
[00:28:43] Gus Herwitz: And we've seen cases, we have seen cases, easiest cases in the world are just accidental, right? The the ship anchor tears up. Yes. A a cable and suddenly a country, literally a country is offline for days to weeks while it's
[00:28:57] Mailyn Fidler: getting repaired. And so that's the second piece is that [00:29:00] this undersea vulnerability aspect, right? So ships wreck these things , and if you have fewer connections and accident was just gonna take you out.
Um, so those are sort of some of the, the key. Um, cybersecurity issues. There's a second piece which came up around Edward Snowden. So countries like the US sitting on cables that they invested in, monitoring communications on that cable created a sense of vulnerability in countries that have their, their cables sort of only owned by outside interests that are going to be doing that kind of surveillance.
And so that's another piece of this. Mm-hmm. cyber security. Rip broadly. Yep.
[00:29:35] Gus Herwitz: And we're recording. During month seven of the Russian Ukraine war, and in the last week or so, there have been reports of someone sabotaging bombing undersea pipelines, natural gas pipelines. It's not a made up possibility that undersea infrastructure is a target.
It's actually incredibly vulnerable. And historically, if you go [00:30:00] back to uh, World War II era, You would've submarines that would, this was pre-fire optics, but you had sub c tele communications lines, and it was standard practice for countries to send submarines down and lift those up and intercept, literally tap into them and pull the signals off of them so that you could listen into, uh, communications.
They're vulnerable.
[00:30:23] Mailyn Fidler: And this is another way that history comes into play with modern cyber security. So, you know, telegraph lines, these kind of things that were laid under the, the ocean long. . Modern fiber optic cables often follow those same. . So that includes landing sites and that includes roots. And so things that happened in the past that determined where those were laid, come up again today.
Mm-hmm. . And so the first, you know, cables that were laid to Africa followed colonial roots. You've
[00:30:49] Gus Herwitz: recently been to, uh, this conference in Africa. You're doing a lot of research here. I assume that you're going to be writing up, or you currently are writing up a lot of this for, uh, uh, one [00:31:00] or more publications.
What are you currently doing with this research? What ideas are you explor. Yeah,
[00:31:05] Mailyn Fidler: so there's a book, a book coming to you e even better than a paper. Even better than a paper. Well, I will hopefully . Um, so that's coming in a bit, um, which will wrap together all of these themes that we've talked about. There are a couple papers coming in the meantime, so I'm gonna.
Put out one within hopefully the next year about all of those regional cybersecurity conventions and the different models that they approach. Also, turning to look more closely at data protection regulations in Africa and how that may or may not differ from cybersecurity regulations in terms of politics and that kind of thing.
[00:31:39] Gus Herwitz: Oh, please say more about that. .
[00:31:42] Mailyn Fidler: So, so far, this is sort of the preview of my argument. Data protection does not have the same kind of political valence that cybersecurity regulations do. That's not to say that they don't have political ends. Those political ends are just potentially less exciting. Mm-hmm.
than the cybersecurity regulations. So just like the US is [00:32:00] at the whim of the EU when it comes to. Data protection. So we're African countries and so data protection in Africa is much more trade oriented, making sure those lines stay open, um, than it is a resistance
[00:32:12] Gus Herwitz: tool. So you are of course in a, a terminological mine field here talking about data protection in cyber security.
Aren't they the same thing? Data protection inside. I thought cyber security was about protecting
[00:32:24] Mailyn Fidler: data. Oh gosh. Uh, there's so many ways to slice. That the two fields apart, the way that I usually say it is data protection. Um, and to some extent privacy is about who can access and have control over data from a legal, from a moral perspective.
Cybersecurity is about ways of ensuring that those. Regimes
[00:32:48] Gus Herwitz: work. So the uh, cyber security side is more of the business, end of the discussions and the data protection is the principles,
[00:32:57] Mailyn Fidler: business and technical. Um, so making sure that there's a [00:33:00] technical infrastructure in place to make sure that people, you don't want to have access to data, don't have access to data.
Mm-hmm.
[00:33:05] Gus Herwitz: So do you have any inclinations? I know you said you're very early mm-hmm. in this research, but why African Nation? Seem to have very different interests in the data protection discussions than the cyber security
[00:33:19] Mailyn Fidler: discussions. So it largely boils down to the hammer that the European Union holds over all other countries with respect to data and trade.
If you wanna do business, you have to. Comply, at least on paper. And so that's another thing that we're seeing is there's a divergence between formal compliance and actual compliance. That isn't to say that there is resistance on the data protection side. I think we're seeing some of that resistance get funneled into the cyber security conversations because there's not very much room to maneuver.
especially from the perspective of an African state on data
[00:33:49] Gus Herwitz: protection. Of course, the, the big rift in this space generally is the United States versus the European Union, which is always puzzles me because China and Russia are also [00:34:00] really big markets with much more problematic privacy and data protection policies, especially from a European union standpoint, uh, than, uh, the United States.
But we, we focus on the US versus European Union, and a big part of the reason of that is, So much of the tech industry is based in the United States and the European Union is trying to assert a lot of control over it.
[00:34:22] Mailyn Fidler: Yeah, and I actually wanna back up and say this vision that I'm talking about, legal rules being used as tools of resistance.
Is applicable to other regions as well. And so this research, I should back up even further, actually started by me looking at Internet of Things regulations in the European Union and seeing that they were using legal rules around emerging technologies in the same way that I'm now seeing the African Union.
Use them to try to essentially claw back some power where the, the tech industries were in the us not in the eu, but they wanted to be dominant and so they were using tools of of law to do that.
[00:34:57] Gus Herwitz: Fascinating. How do aspirations to [00:35:00] grow the technology industry in Africa factor into any of these discussions if they do it
[00:35:06] Mailyn Fidler: all?
I don't wanna oversimplify things, but particularly during the drafting of the Malibu convention, those interests were not front and center. Do
[00:35:14] Gus Herwitz: you think? Going to continue to be the case. I I, that this is, uh, perhaps my own naive optimism, but I believe, I hope that there is true opportunity for growth and continued expansion of the African technology ecosystem and industry, at which point there might be more conflicts that we start to see arise here.
And it's such a challenge to. We're talking about how difficult it is to create rules for today. Mm-hmm. . Well, if you're trying to create rules for today that are responsive to historical interests and concerns that will build a platform to build and grow into the future, that's even harder. Yeah.
[00:35:51] Mailyn Fidler: I think there's two places to watch for that.
So one is as this conversation moves from drafting the rules to implementing them, the tech sector is gonna have a [00:36:00] bigger role to play, especially with things like setting up certs, um, and that kind of thing. The second thing I wanna say is there is a strong possibility that it was there, and I'm just not seeing it because of the structure of how Pan-African politics works.
So the technical feedback happens at the domestic level and then that filters up. And so by the time I'm doing the kind of interviews I'm doing with people at the, the top drafting levels, the technical people aren't in the room. But those sort of concerns have been funneled through
[00:36:30] Gus Herwitz: my thanks to Malin Fiddler for joining us today. Episode of Tech Refactored. We have a couple of exciting guests coming up. In our next couple of episodes, we will be talking with Wayne Bennett, the president and founder of Teamworks, a company that uses the building of robots and the battling of robots as a team building tool.
And we will also be speaking with Professor Peter Squier from Georgia, Texas Sheller School of Business. Peter will be talking with us about cyber security, privacy, and the recently announced privacy [00:37:00] shield. Between the United States and the European Union. I look forward to sharing those conversations with you.
[00:37:11] James Fleege: Tech Refactored is part of the Menard Governance and Technology Programming series hosted by the Nebraska Governance and Technology Center. The NGTC is a partnership led by the College of Law in collaboration with the Colleges of Engineering. In journalism and mass communications at the University of Nebraska, Lincoln Tech Refactored is hosted in executive produced by Gus Herwitz. James Fleege is our producer. Additional production assistance is provided by the NGTC staff. You can find supplemental information for this episode at the links provided in the show notes. To stay up to date on the latest happenings within the Nebraska Governance and Technology Center, visit our website at ngtc.unl.edu. You can also follow us on Twitter and Instagram at UNL underscore NGTC. [00:38:00]