Steptoe Cyberblog

Steptoe Cyberlaw Podcast – Interview with Julian Sanchez

Posted in China, Cybersecurity and Cyberwar, Data Breach, International, Privacy Regulation, Security Programs & Policies

Our guests for Episode 68 include Julian Sanchez, senior fellow at the CATO Institute, where he studies issues at the busy intersection of technology, privacy, and civil liberties, with a particular focus on national security and intelligence surveillance.  They also include the entire May meeting of ISSA-NOVA, which kindly invited the Cyberlaw Podcast to go walkabout once again.  The audience provides useful feedback on several of the topics covered in this episode.

We begin with This Week in NSA.  And even though we had no idea how the Senate process would end up, neither, it turns out, did Majority Leader McConnell or anyone else.  Our remarks on the Congressional dynamic remain as relevant now as when we made them, despite our intimations of obsolescence.  We also cover an early judicial decision on insurance coverage for data breaches (subscription required), the US indictment of (another!) six Chinese economic espionage agents, and the personal data orphaned by Radio Shack’s bankruptcy.

More importantly, we seize on a flimsy pretext to revisit Max Mosley’s five-hour, five hooker sadomasochistic orgy (subscription required) and his self-defeating efforts to wipe it from the internet by threats of lawsuit.  It turns out he’s now reached a settlement with Google.  I speculate that perhaps we’ve misread Mosley all this time.  Maybe he’s doing this because of the Streisand effect, not in spite of it.  It’s like he wants the internet to punish him, or something …

Returning to serious coverage, we note that CCIPS and the Justice Department may be suffering from Baker Derangement Syndrome in the face of my defense of private cyber-investigation that goes beyond network boundaries.  The Department’s latest effort involves persuading CSIS and a group of CISOs to join a draft paper that looks suspiciously like a DOJ brief in opposition to the Cyberlaw Podcast.  And the supposed consensus among CISOs that’s identified in the paper breaks down quickly, rejected ten to one in an informal poll of the ISSA-NOVA audience.

Julian and I mix it up over the new, revived Crypto Wars, as I challenge the claim that building access to encryption systems is always a bad idea.  That, I say, will come as news to all the network security administrators who access end-to-end TLS sessions on a routine basis because the security consequences of not “breaking” that crypto are worse than the corporate front door.  He recommends that I ask Dan Kaminsky to comment on that statement, and since Dan will be a guest on the podcast soon, we’ll all get to hear his answer.

The Cyberlaw Podcast is now open to feedback.  Send your questions, suggestions for interview candidates, or topics to CyberlawPodcast@steptoe.com.  If you’d like to leave a message by phone, contact us at +1 202 862 5785.

Download the sixty-eighth episode (mp3).

Subscribe to the Cyberlaw Podcast here. We are also now on iTunes and Pocket Casts!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

BIS Proposes Cybersecurity Export Control Rule: Significant Changes Possible

Posted in Cybersecurity and Cyberwar, International, Security Programs & Policies

On May 20, 2015, the Department of Commerce Bureau of Industry and Security (BIS) published a proposed rule affecting exports of intrusion software, surveillance systems, and related systems, equipment, software, and components.  The proposed rule provides for new and amended export control classification numbers (ECCNs) for these “cybersecurity items,” resulting in new licensing and reporting requirements.  Currently, these items typically are controlled based on their cryptographic functionality, but the new proposed ECCNs and control regime would disallow the use of most license exceptions, including the encryption (ENC) license exception, for many of these items.  Export control professionals have been anticipating rulemaking in this area following the 2013 Wassenaar Arrangement Agreements that added intrusion software and penetration systems to the dual use, multi-lateral export control regime.  BIS is seeking comments on the proposed rule with a deadline of July 20, 2015.  The following are some of the key changes that are being proposed.

New Definition of “Intrusion Software”

The proposed rule would add a new definition of “intrusion software” that is critical to understanding the proposed export controls.  “Intrusion software” under the new rule would include:

“Software” “specially designed” or modified to avoid detection by “monitoring tools,” or to defeat “protective countermeasures,” of a computer or network-capable device (including mobile devices and smart meters), and performing any of the following:

(a) the extraction of data or information, from a computer or network-capable device, or the modification of system or user data; or

(b) the modification of the standard execution path of a program or process in order to allow the execution of externally provided instructions.

Here “monitoring tools” are software or hardware devices that monitor system behaviors or processes running on a device, including antivirus products, end point security products, Personal Security Products, Intrusion Detection Systems, Intrusion Prevention Systems, or firewalls.  “Protective countermeasures” within the proposed rule are techniques designed to ensure the safe execution of code, such as Data Execution Prevention, Address Space Layout Randomization, or sandboxing.

The proposed definition adds a number of notes that would remove certain standard commercial products from the definition.  In particular, the proposed definition of “intrusion software” does not include:  (1) hypervisors, debuggers or Software Reverse Engineering (SRE) tools; (2) Digital Rights Management software; or (3) software designed to be installed by manufacturers, administrators or users, for the purposes of asset tracking or recovery.

New and Amended ECCNs for “Intrusion Software”

Based on the proposed definition summarized above, the proposed rule would add two ECCNs to the Commerce Control List (CCL) for “intrusion software” and related systems, equipment, components and software:

4A005:  “systems,” “equipment,” or “components” for intrusion software, “specially designed” for the generation, operation or delivery of, or communication with, “intrusion software”

4D004:  “software” “specially designed” for the generation, operation or delivery of, or communication with, “intrusion software”

BIS noted in its proposed rule that these ECCNs include “network penetration testing products that use intrusion software to identify vulnerabilities of computers and network-capable devices.”

These new ECCNs would be controlled for national security (NS), regional stability (RS), and anti-terrorism (AT), creating an export license requirement for all destinations except for Canada.  No license exceptions (except for certain portions of License Exception GOV) would be available for 4A005 and 4D004 items.

In addition, existing ECCNs affected by the “intrusion software” definition include 4D001, which would cover “software” for the “development” and “production” of intrusion software, and 4E001, which would cover “technology” “required” for the “development” of intrusion software.  BIS notes that technology here will include “proprietary research on the vulnerabilities and exploitation of computers and network-capable devices.”  Like new 4A005 and 4D004, these amended ECCNs would not be eligible for the use of license exceptions, including License Exception Technology and Software Under Restriction (TSR) or Strategic Trade Authorization (STA).

ECCN for Network Communications Surveillance Systems

The proposed rule also would add Internet Protocol network communication surveillance systems as “cybersecurity items” in ECCN 5A001.j.  These systems include those that intercept and analyze messages to produce personal, human, and social information from network communications traffic.  Excluded from 5A001.j are systems or equipment specially designed for a marketing purpose, network quality of service, or quality of experience.  Like 4A005 and 4D004 for “intrusion software,” 5A001.j would be controlled for NS, RS, and AT (all Column 1), resulting in a license requirement for all exports and reexports except Canada.  Also like the “intrusion software” ECCNs, 5A001.j would not be eligible for license exceptions except for certain provisions of GOV.

Continuing Registration, Review and Reporting Requirements for Cryptographic Items

While “cybersecurity items” – including intrusion software and network communication surveillance systems – would not be eligible for License Exception ENC, and would no longer be classified based on their information security functionality (e.g., in ECCNs 5A002, 5D002, or 5E002), information security registration, review, and reporting requirements would still apply under the proposed rule.  The relevant ECCNs (discussed in the sections above) include a note requiring compliance with the registration, review, and reporting provisions of existing sections 740.17, 742.15(b), and 748.3(d), including filings with BIS and the ENC Encryption Request Coordinator.  Currently, companies typically meet these requirements in order to qualify for the ENC license exception or mass market treatment.  Under the proposed rule, these requirements would continue even though ENC and mass market treatment would not be available.

Export Licenses for Cybersecurity Items

While licenses would be required under the proposed rule for most destinations, BIS would review favorably license requests to certain destinations, including U.S. companies or subsidiaries outside Country Group D:1 or E:1 countries, commercial partners in Country Group A:5, and government end users in Australia, Canada, New Zealand, and the United Kingdom.  There would be a presumption of denial of licenses for items that have or support rootkit or zero-day exploit capabilities.  Items would also be reviewed for licensing based on their information security functionality.

License applications for cybersecurity items would have to fulfill new requirements under the proposed rule, including the submission of certain technical information and, upon request, copies of sections of source code and other software implementing or invoking cybersecurity functionality.

The proposed rule would result in new licensing requirements for some products that currently qualify for ENC and other license exceptions.  Companies that produce, test and market intrusion software and related cybersecurity items will want to weigh in on the potential impact of the rule on their business – particularly whether the proposed implementation of the new licensing requirements and ineligibility for license exceptions will impose unmanageable burdens.  Companies operating in this area will also want to weigh in on whether aspects of the proposed rule could hamper vulnerability research and testing, and the ability to protect commercial and government networks.

Steptoe Cyberlaw Podcast – Interview with Dan Geer

Posted in Cybersecurity and Cyberwar, Data Breach, International, Privacy Regulation, Security Programs & Policies

Dan Geer and Stewart Baker

Our guest for Episode 67 is Dan Geer, a legendary computer security commentator and current CISO for In-Q-Tel.  We review Dan’s recommendations for improving computer security, including mandatory reporting of intrusions, liability for proprietary software, striking back at hackers, at least in some ways, and getting the government to purchase and fix vulnerabilities.  We agree on the inherent foolishness of the Internet voting movement, but I disagree with Dan on the right to be forgotten, and I predict that net neutrality will lead to the opposite of what he wants – both more regulation of operators and more limits on what the operators are allowed to carry.

As with Bruce Schneier, I accuse Dan of a kind of digital Romanticism for advocating improbable personal defenses like using Tor for no reason, having multiple online identities, swapping affinity cards, and paying your therapist under an assumed name.  But Dan makes me eat my words.

More from Dan can be found here, here, and here.

In the news roundup, we introduce Alan Cohn, yet another recent alumnus of the DHS Policy office now at Steptoe.  We also revive This Week in NSA, pooling our collective inability to predict what the week will hold for the 215 metadata program.  We muse about border laptop searches, questioning both DOJ’s choice of battleground and the ability of judges to withstand a PR campaign by the privacy lobby.  We cover a FOIA case to find out if the FTC actually has security standards – a case filed by Phil Reitinger and Steptoe.  The roundup ends with the plane-hacking case, the FBI’s Stingray guidance, and the first anniversary of the EU’s misbegotten Right to Be Forgotten.

The Cyberlaw Podcast is now open to feedback.  Send your questions, suggestions for interview candidates, or topics to CyberlawPodcast@steptoe.com.  If you’d like to leave a message by phone, contact us at +1 202 862 5785.

Download the sixty-seventh episode (mp3).

Subscribe to the Cyberlaw Podcast here. We are also now on iTunes and Pocket Casts!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

The Constitutional Future of Section 215

Posted in Cybersecurity and Cyberwar, Privacy Regulation, Security Programs & Policies

Yesterday I joined the National Constitution Center’s We the People podcast to debate the constitutional future of the Patriot Act’s Section 215 with Jeffrey Rosen, National Constitution Center; Bobby Chesney, Charles I. Francis Professor in Law and Associate Dean for Academic Affairs at the University of Texas School of Law; and Deborah Pearlstein, associate professor of constitutional and international law at the Benjamin N. Cardozo School of Law at Yeshiva University.

Appeals Court Ruling on NSA’s Section 215

Posted in Cybersecurity and Cyberwar, Privacy Regulation, Security Programs & Policies

On May 7, I appeared on the PBS Newshour to discuss an appeals court ruling on the National Security Agency’s (NSA) program that collects the phone data of millions of Americans.  The US Court of Appeals for the Second Circuit found that the program is illegal and not sanctioned by the Patriot Act.

The full interview can be viewed at PBS Newshour.

Why Bitcoin is Good for Law Enforcement – and Why Law Enforcement is Good for Bitcoin

Posted in Cybersecurity and Cyberwar, Security Programs & Policies, Uncategorized

Most people who’ve heard of “Bitcoin” know it only as a virtual currency sometimes used by criminals.  But there are entrepreneurs, engineers, venture capitalists, and bankers who are betting big on the untapped economic potential of the “blockchain” – the underlying technology that makes Bitcoin run.  In a sense, Bitcoin is just the first “app” to use the blockchain technology.  There will be many other apps in the years to come that could transform the way we do business, the way we move assets, and, through the Internet of Things, even the way we live.  But for the blockchain’s potential to be realized, Bitcoin cannot be perceived as the “currency of criminals” – and that means law enforcement has to be able to go after those who would use Bitcoin and the blockchain to commit crimes.

One of my responsibilities at the Justice Department was overseeing the Criminal Division’s cybercrime and transnational organized crime programs.  Based on that perspective, I recently did a backgrounder for Coin Center – “How Can Law Enforcement Leverage the Blockchain in Investigations?” – which discusses how, contrary to popular belief, Bitcoin and the blockchain technology actually provide significant advantages for law enforcement in conducting investigations of those who would seek to exploit this technology for criminal purposes.

Steptoe Cyberlaw Podcast – Triple Entente Beer Summit

Posted in China, Cybersecurity and Cyberwar, Data Breach, International, PCLOB, Security Programs & Policies

The Triple Entente Beer Summit was a great success, with an audience that filled the Washington Firehouse loft and a cast that mashed up Lawfare, Rational Security, and the Steptoe Cyberlaw Podcast.  We attribute the podcast’s freewheeling interchange to the engaged audience, our profound respect for each other, and, mostly, the beer.

Ben Wittes, Shane Harris, Stewart Baker, Tamara Cofman Wittes, & Michael Vatis

We begin by reviving “This Week in NSA,” as the Second Circuit contributes a timely 97-page opinion declaring that NSA’s metadata program cannot be squared with the language of section 215.  We wonder why the court bothered, given that its opinion rests on a statute that will either be revised, reauthorized, or repealed in less than three weeks – all outcomes that moot the opinion.  The opinion itself comes in for faint praise, though Ben proposes a variant of Godwin’s Law:  Judges who treat NSA’s highly regulated 215 program as the equivalent of the law-free domestic surveillance of the 1970s end up looking like poseurs if they don’t follow up by enjoining the program.

Former CIA deputy director Mike Morell’s book is out, and it attributes the rise of ISIS in part to Edward Snowden’s leaks.  We chew over this claim as well as Morell’s take on Benghazi and the Agency’s politically convenient naivete about the impact of the Arab Spring on Islamic terrorism.

We introduce another recurring feature, “This Week in French and German Hypocrisy.”  Ben opens for the prosecution, and the rest of us pile on, pointing out that post-Snowden posturing seems to have been more about restraining US capabilities than about protecting privacy.

After these topics, we throw the event over to the audience, which demonstrates that we could have produced almost as good a program by randomly selecting audience members to appear on the panel with us.

As always, send your questions and suggestions for interview candidates to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the sixty-sixth episode (mp3).

Subscribe to the Cyberlaw Podcast here. We are also now on iTunes and Pocket Casts!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Steptoe Cyberlaw Podcast – Interview with Bruce Schneier

Posted in China, Cybersecurity and Cyberwar, Data Breach, International, Privacy Regulation, Security Programs & Policies

Episode 65 would be ugly if it weren’t so much fun.  Our guest is Bruce Schneier, cryptographer, computer science and privacy guru, and author of the best-selling Data and Goliath – a book I annotated every few pages of with the words, “Bruce, you can’t possibly really believe this.”  And that’s pretty much how the interview goes, as Bruce and I mix it up over hackbacks, whether everyone but government should be allowed to use Big Data tools, Edward Snowden, whether “mass surveillance” has value in fighting terrorism, and whether damaging cyberattacks are really infrequent and hard to attribute.  We disagree mightily – and with civility.

Stewart Baker & Jason Weinstein

The news roundup covers Congress’s debate over NSA and section 215.  The House is showing a dismaying efficiency in moving bad bills while the Senate is mired in what may turn out to be more productive confusion (see, e.g., S. 1035 and S. 1123).

We unpack the Supreme Court’s grant of certiorari in Spokeo.

A new and troubling development in cyber insecurity was demonstrated by the malware Cryptowall, which infected readers of the Huffington Post via ads for Hugo Boss, then encrypted the readers’ hard drives and held their data for ransom.  We ask whether the ad networks or even the web publishers will eventually be held liable for transmitting the infected ads.  The Senate Homeland Security Committee wrote a report on malvertising risks and liabilities last year that concludes with the view that liability couldn’t be established because none of the participants in the online advertising industry is directly responsible for the harm.  I think the Senate Homeland Security Committee has never litigated in the Eastern District of Texas.

In quick news, Goldman’s “Flash Boy” has been convicted again.  The FCC says it doesn’t regulate Stingrays, except to require FBI approval for purchasers.  The US and Japan deepen their cyber defense relationship, and Prime Minister Abe gets a standing O for calling out (shh! Chinese) cybertheft of IP.  And DOJ releases cybersecurity guidance that is surprisingly good – but for what I call its fatally flawed view of hacking back (at least that’s what I meant when I called the authors “jackasses”).

As always, send your questions and suggestions for interview candidates to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the sixty-fifth episode (mp3).

Subscribe to the Cyberlaw Podcast here. We are also now on iTunes and Pocket Casts!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Cyber Risks Facing Health Insurers

Posted in Cybersecurity and Cyberwar, Data Breach, Privacy Regulation, Security Programs & Policies

I recently did a guest blog for ID Experts regarding the cyber risks facing health insurers in the wake of the Anthem and Premera breaches.  The post, “More Health Insurer Data Breaches Are Coming – What Can You Do to Prepare?,” provides an overview of what other health insurers can do to mitigate their risk of a breach and to respond effectively if and when one occurs.

Triple Entente Beer Summit

Posted in Cybersecurity and Cyberwar, Data Breach, International, Privacy Regulation, Security Programs & Policies

I hope you will join us on Thursday, May 7 from 6:00 pm – 9:00 pm for the “Triple Entente Beer Summit” at The Washington Firehouse (1626 North Capitol Street Northwest, Washington, DC).  This live recording of the three podcasts – Steptoe Cyberlaw Podcast, Lawfare Podcast, and Rational Security – will be your chance to meet the voices behind the podcasts, ask all of your burning cyberlaw questions, and support Lawfare.

Tickets to the event can be purchased at Lawfare.