Steptoe Cyberblog

Steptoe Cyberlaw Podcast – Interview with Scott Charney

Posted in Cybersecurity and Cyberwar, Data Breach, International, Privacy Regulation, Security Programs & Policies

We ask Rihanna to sum up the latest US-EU agreement:

And that’s when you need me there
With you I’ll always share …
You can stand under my umbrella

RiRi’s got the theory right:  The Umbrella Agreement was supposed to make sure the US and EU would always share law enforcement data.  But when the Eurocrats were done piling on the caveats, it’s clear what concessions the US has made, but it isn’t clear whether the EU has made any at all.  Meanwhile, the Investigatory Powers Act has gained royal assent.  Maury Shenk walks us through both developments.

The Trump administration is hinting at a change in responsibility for protecting critical infrastructure from cyberattack, and it’s consistent with the President-elect’s enthusiasm for turning hard jobs over to generals.  Congress is doing its bit, elevating Cyber Command to full combatant command status.  But the Obama administration may still be toying with the idea of firing Adm. Rogers.

In good news, DOJ and a boatload of other countries have sinkholed Avalanche botnet.  Michael Vatis has the details.

Kudos to Sen. Cornyn, who held off a series of left/lib attacks on the changes to Rule 41 needed to catch even moderately sophisticated child porn and cyber law breakers.

Tom Donilon’s Commission on what the next administration should do about cybersecurity has delivered recommendations.  The response:  crickets.

Lastly, Saudi Arabia suffers major Iranian attack.

We then turn to an interview with Scott Charney, Corporate Vice President for Trustworthy Computing at Microsoft.  I’ve known Scott for 25 years and he’s an acute observer of the international cybersecurity scene.  He discusses international pressures on technology companies including the conflicted roles of governments dealing with encryption.

As always, the Cyberlaw Podcast welcomes feedback.  Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 141st episode (mp3).

Subscribe to the Cyberlaw Podcast here.  We are also on iTunes, Pocket Casts, and Google Play (available for Android and Google Chrome)!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Stewart Baker with interview guest Scott Charney

Steptoe Cyberlaw Podcast – Interview with John Markoff

Posted in Cybersecurity and Cyberwar, Data Breach

The Autonomous Weapon Who Went to the Beach

Episode 140 features long-time New York Times reporter, John Markoff, on the past and future of artificial intelligence and its ideological converse – the effort to make machines that augment rather than replace human beings.  Our conversation covers everything from robots, autonomous weapons, and Siri to hippie poetry of the 1960s and Silicon Valley’s short memory on use of the term “cyber.”

In the news, Maury Shenk reports that five EU members now say they want EU-wide crypto controls.  And that’s not counting France and Germany.  Maybe the real question is whether any EU countries oppose encryption regulation.  We can’t find any.  Tongue firmly in cheek, I thank Tim Cook for bringing the need for government crypto regulation to the attention of governments around the world.

It turns out that the FBI actually hacked more than 8,000 computers in 120 countries in a single child porn investigation.  Wow.  And the Justice Department is lecturing me on the risk that active defense could cause unexpected foreign relations problems?  Well, I guess they would know.

We-Vibe’s undisclosed collection of data about users of its smart-phone enabled vibrators spurs a class action.  Or should that be a “lacks class” action?  I confess to being nonplussed by the uses to which an Internet-connected vibrator app can be put.  And even more nonplussed when Jennifer Quinn-Barabanov explains how We-Vibe could contribute to the law of standing.

The Wages of Defeat, part one: Election hack fever seizes the left, and I ask Alan what the law should do about vulnerable election infrastructure.  Jill Stein is almost certainly wrong about election hacking this year (or in it for the money), but now that everyone has some reason to question the integrity of our election process, Alan and I ask whether there’s room for bipartisan improvements in electoral systems.

Wages of Defeat, part two: Fake news fever seizes the left. For sure it’s a real problem, and Putin is part of it, but solutions are hard to find.  Fake news is often in the eye of the beholder, and neither the mainstream media (see, e.g., here or here) nor the barons of social media (Milo Yiannopoulos, call your office) have been exactly even-handed in dealing with conservative views.  If we want to go after foreign government sponsored fake news, I suggest, maybe an updated Foreign Agent Registration Act is worth looking at.  Between the first amendment and a lack of trust in would-be fake news umpires, there aren’t a lot of other attractive solutions out there.


Download the 140th episode (mp3).


Steptoe Cyberlaw Podcast – Interview with Steven Weber and Betsy Cooper

Posted in Cybersecurity and Cyberwar, International

In this week’s episode, we guess at the near-term future with Betsy Cooper and Steve Weber of UC Berkeley’s Center for Long Term Cybersecurity.  In all of their scenarios, the future is awash in personal data; the only question is how it’s used.  I argue that it will be used to make us fall in love – with our machines.

In the news of the week, we explore the policy consequences of President-elect Trump’s personnel choices.  I point out that the quickest route to the new administration’s short list seems to be an interview on the Steptoe Cyberlaw Podcast.

The internet advertising industry is trying to stamp out ad malware so that firms following a set of guidelines will earn a seal of approval, Katie Cassel explains. Color me skeptical: would you buy an antivirus product that proclaimed that it scans “a reasonable percentage of” incoming code?

It’s apparently guidelines week in cybersecurity-land, as agencies rush to release their work before the transition.  Two agencies issued guidelines on security practices.  The Department of Homeland Security released the recommendations for internet-connected devices that Rob Silvers forecast on the podcast last month. Alan Cohn summarizes the principles, which include steps like security by design and regular vulnerability patches.  Meanwhile, Katie tells us, NIST has released its guidance for small business network security. We compare its guidance to the FTC’s.  NIST wins.

Two Chinese Android phone backdoors have emerged in one week. Researchers at Kryptowire have uncovered a secret backdoor in large numbers of Android phones that ships users’ personal data, including their SMS messages and location, back to China.  The company responsible, Shanghai Adups Technology Company, says it was a mistake, and that the software wasn’t supposed to be installed on phones for sale in the US.  Or perhaps the mistake was in getting caught.  Investigations will follow, one hopes.

The second backdoor is an unsecured firmware upgrade channel that would allow a man-in-the-middle to add arbitrary code to an upgrade.  I point out that Apple uses the same backdoor – just better secured – for the same purpose.  So its claim that it’s fighting the FBI to protect us from backdoors and their security risks is balderdash.
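The unsecured upgrade channel above is worth seeing in code. What follows is an added example written for this page, not code from the podcast, from Kryptowire, or from any phone vendor: it models the weak path (the device installs whatever arrives on the channel, so a man-in-the-middle can append its own code) beside the hardened path (the vendor signs a digest of the image offline and the device verifies against a public key pinned at manufacture before flashing). The scheme (Ed25519 over SHA-256), the firmware bytes and the injected payload are all constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ErrBadSignature is returned when an image does not verify against the pinned key.
var ErrBadSignature = errors.New("firmware rejected: signature does not verify against pinned vendor key")

// UpdatePackage is what the device receives over the update channel.
// On the weak channel the Signature field is simply never checked.
type UpdatePackage struct {
	Image     []byte // firmware payload
	Signature []byte // Ed25519 signature over SHA-256(Image)
}

// applyUnverified is the weak path: whatever the channel delivers is installed.
func applyUnverified(pkg UpdatePackage) []byte {
	return pkg.Image
}

// digest is the message the vendor actually signs; signing a fixed-size digest
// keeps the signed message independent of image size.
func digest(image []byte) []byte {
	h := sha256.Sum256(image)
	return h[:]
}

// signImage is the vendor-side step, run offline with the private key.
func signImage(priv ed25519.PrivateKey, image []byte) UpdatePackage {
	return UpdatePackage{Image: image, Signature: ed25519.Sign(priv, digest(image))}
}

// applyVerified is the hardened path: refuse to install unless the signature
// verifies under the key pinned in the device at manufacture time.
func applyVerified(pinned ed25519.PublicKey, pkg UpdatePackage) ([]byte, error) {
	if !ed25519.Verify(pinned, digest(pkg.Image), pkg.Signature) {
		return nil, ErrBadSignature
	}
	return pkg.Image, nil
}

// tamper models a man-in-the-middle appending its own code to the image in
// transit. It copies the image so the original package is left untouched.
func tamper(pkg UpdatePackage, injected []byte) UpdatePackage {
	patched := append(append([]byte{}, pkg.Image...), injected...)
	return UpdatePackage{Image: patched, Signature: pkg.Signature}
}

// RunScenario exercises both channels with a constructed image and payload.
// It reports whether the weak path installed the injected code, whether the
// hardened path accepted the genuine image, and whether it rejected the
// tampered one.
func RunScenario() (weakInstalledInjected, genuineAccepted, tamperedRejected bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // pinned key pair (constructed)
	if err != nil {
		return false, false, false, err
	}
	image := []byte("FIRMWARE-v1.0 (constructed sample image)")
	injected := []byte("<attacker code>")

	genuine := signImage(priv, image)
	mitm := tamper(genuine, injected)

	// Weak channel: the tampered image goes straight onto the device.
	weakInstalledInjected = bytes.Contains(applyUnverified(mitm), injected)

	// Hardened channel: genuine passes, tampered fails.
	got, err := applyVerified(pub, genuine)
	genuineAccepted = err == nil && bytes.Equal(got, image)
	_, err = applyVerified(pub, mitm)
	tamperedRejected = errors.Is(err, ErrBadSignature)
	return weakInstalledInjected, genuineAccepted, tamperedRejected, nil
}

func main() {
	weak, ok, rejected, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("weak channel installed injected code: %v\n", weak)
	fmt.Printf("hardened channel accepted genuine image: %v\n", ok)
	fmt.Printf("hardened channel rejected tampered image: %v\n", rejected)
}
```

The point the example makes is the one in the paragraph: a signed update channel is still a channel that lets the vendor push code onto the device, so what separates it from a backdoor is only that the device checks who signed the image before installing it. Pinning the key at manufacture matters as much as the signature check; if the device fetches the "trusted" key from the same unauthenticated channel, the man-in-the-middle just supplies its own.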

The 1990s have called, and they want their competition policy back.  At least that seems to be the gravamen of Kaspersky’s complaint that Microsoft Defender is killing third party antivirus companies.

In other news that isn’t new, the effort to override Rule 41 changes still looks as dead as General Franco.  That doesn’t mean that a forlorn left-right coalition will give up, of course, since there is still sympathetic lib/left press coverage to be milked from the issue.

Finally, in a sign of just how serious the cybersecurity crisis is, almost 2 in 5 American adults said they would give up sex for a year in exchange for never having to worry about being hacked.


Download the 139th episode (mp3).


Alan Cohn, Betsy Cooper, and Steven Weber

Steptoe Cyberlaw Podcast – Interview with Paul Rosenzweig and Shane Harris

Posted in China, Cybersecurity and Cyberwar, Data Breach, Privacy Regulation

We couldn’t resist.  This week’s topic is of course President-elect Trump and what his election could mean for All Things Cyber.  It features noted cybercommentator Paul Rosenzweig and Daily Beast reporter Shane Harris. 

In the news, we’re reminded of the old Wall Street saying that bulls and bears can both make money in the market but pigs eventually get slaughtered.  The same goes for the pigheaded, as the FTC has learned.  Whatever modest satisfaction the FTC got from denying a stay of its order against LabMD surely evaporated when it forced the Eleventh Circuit to make an early call on the stay.  The result: the court of appeals practically overrides the FTC decision on the motion.  Or was the Commission just trying to make sure the proposed television series about LabMD had an ample supply of villains?  If so, way to go, guys!

Katie Cassel announces her imminent retirement from the podcast.  She also explains the DMCA’s new exemption for security researchers.

This is getting ugly: Yahoo now says that some of its employees knew about its massive data breach in 2014 – two years before it was disclosed.  Why the delay?  Yahoo says it’s investigating – and that it can’t be sure Verizon will follow through on the deal to buy the company.

Russia is getting ready to put some teeth in its data localization law.  LinkedIn looks like the sacrificial goat, Maury Shenk tells us, and that’s just the camel’s nose under the tent.

How can section 230 immunity provide protection against one claim but not another based on the same facts?  Katie makes it sound almost reasonable.  Boy, are we going to miss her.

The Germans have revived an investigation of Facebook for not blocking Germany’s idea of hate speech, which probably includes hats that say “Make America Great Again.”  Oh, this is going to be a fun four years.

Speaking of which, I wonder if the GRU woke up with the same hangover as the rest of the United States, suddenly realizing that they had no freaking clue what policies a Trump administration would follow.  That would explain the rash of phishing attacks on Washington think tanks.


Download the 138th episode (mp3).


Paul Rosenzweig, Stewart Baker, and Shane Harris

Steptoe Cyberlaw Podcast – Interview with Frank Cilluffo

Posted in Cybersecurity and Cyberwar, Data Breach

The episode features a vigorous and friendly debate between me and Frank Cilluffo over his Center’s report on active defense, titled “Into the Gray Zone.”  It’s a long and detailed analysis by the Center for Homeland and Cyber Security at GW University.  My fear: the report creates gray zones for computer defense that should not be seen as lawful — and turns far too many genuine gray zones black. 

Maury Shenk returns after missing last week due to the British determination not to follow US daylight savings practice.  He updates us on challenges to the Privacy Shield Agreement in EU courts by privacy true believers (two and counting) and EU court challenges to government data practices in China, Russia, Algeria, and Saudi Arabia (none in evidence).  Speaking of which, China has actually adopted the cybersecurity law it’s been threatening Western tech companies with for months, if not years.

Congress is starting to notice the FDA’s hapless response to medical device security.  I predict that the FDA will not take serious notice until heart implants start tweeting: “I’d give this guy a cardiac arrest shock, but I’m too busy DDOSing the DNC.” 

Michael Vatis tells us what’s in the FTC’s Business Guide to Data Breach Response.  It’s pretty good, but even if it weren’t, no one can ignore it, since it’s as close to rulemaking as the FTC gets in this field.

A remarkable official leak says that US Cyber Command has pwned Russia’s IT infrastructure from its power grid to its military command system and is ready to strike if the Russians mess with the US election.  Is it true? Clint Eastwood has the best answer.


Download the 137th episode (mp3).


Frank Cilluffo, Associate Vice President & Director, Center for Cyber and Homeland Security at GWU, with Stewart Baker, partner at Steptoe

Three Recent Cybersecurity and Information Systems Management Rules Impact Government Contractors

Posted in Cybersecurity and Cyberwar, Security Programs & Policies

In the last two months, the federal government has issued a number of cybersecurity-related regulations that are or will be directly or indirectly applicable to a wide range of federal contractors and subcontractors, and more rules are expected. The three recent rules discussed here on controlled unclassified information, defense industrial base cyber reporting, and network penetration protection and reporting present a complex and inter-related set of requirements and standards that federal contractors and companies in their supply chains should understand.

Steptoe Cyberlaw Podcast – Interview with Jonathan Zittrain

Posted in Cybersecurity and Cyberwar, Security Programs & Policies

Jonathan Zittrain, who holds a surfeit of titles at Harvard, is our guest for episode 136.  Among other topics, we explore the implications of routine doxing of political adversaries.  Along the way I extract kind words from Jonathan for Sarah Palin and welcome him to the club of those who think mass doxxers are evil punks.  It’s a wide-ranging, informative, and unideological performance of the sort we’ve come to expect from Jonathan.

In the news, I note that the FBI seems to be getting reinforcements in the Great Crypto War, as European prosecutors prepare the battlefield with complaints about Islamic State use of Western encryption.

We’re seeing the rise of a new kind of security disclosure mandate, Katie Cassel tells us.  First DOD and now Treasury are requiring their industry to disclose not just personal data breaches but the details of security breaches.  But only Treasury was clever enough to do it without new regulatory authority.

NHTSA proposes some pretty thin cybersecurity guidance for vehicles, says Michael Vatis, and a couple of Senate Dems predictably call for tougher mandatory standards.

In more dog-bites-man news, European data protectionists have more hassles for US tech companies; this time it’s WhatsApp and Yahoo in the crosshairs.

Michael leads a tour of the FCC’s new “opt-in” privacy rules for ISPs.  I make a bold prediction about how the privacy fight will shake out, and Michael — remarkably – thinks I may be right.

Katie explains HHS’s latest fine for a company that allowed file-sharing of medical files on one of its servers.  Mike Daugherty, time to call your office.

Would the revolting magistrates have scuppered the FBI’s effort to extract Huma’s emails from Weiner’s computer?  Michael and I debate Orin Kerr’s suggestion that there’s a legal problem with expanding the search (or the seizure) to a new and different investigation.  We mostly disagree with Orin.

And in continuing Rule 41 news, I narrowly escape an NFL taunting penalty while reporting that a whopping 23 out of 535 lawmakers are whining about expanded searches of pedophile computers.


Download the 136th episode (mp3).


EU to Update Export Control Regime and Controls on Cybertechnology

Posted in Cybersecurity and Cyberwar, International, Security Programs & Policies

On September 28, 2016 the European Commission (the Commission) released its proposal to “modernize and strengthen” the European Union’s (EU) dual-use export control regime as laid out by Regulation (EC) No. 428/2009 (the Regulation).  As Steptoe has previously advised, a version of the Commission’s proposal was leaked in July, prompting concern from industry and other stakeholders.  The official release of the proposal triggers the process toward adoption of a slew of amendments to the current dual-use export control regime, including, most significantly, broad controls on the export of cybertechnology.

Steptoe Cyberlaw Podcast – Interview with Robert Silvers

Posted in Blockchain, Cybersecurity and Cyberwar, International, Security Programs & Policies

Our guest for the episode is Rob Silvers, the assistant secretary for cybersecurity policy at DHS.  He talks about what the government can and should do about newly potent DDOS attacks and the related problem of the Internet of Things.  The only good news: insecure defibrillators and pacemakers may kill you, but they haven’t yet been implicated in any DDOS attacks.

In the news, Michael Vatis and I debate whether the netizen reaction to a search warrant that also allows the FBI to collect phone security fingerprints during the search is overheated or justified.  Maury Shenk explains an unusual UK tribunal ruling, holding that GCHQ’s and MI5’s bulk collection of data was once a violation of the European Convention on Human Rights.  Luckily for the UK government, that illegality was cured by the government’s acknowledgment of the collection.

The financial industry faces new cybersecurity regulations; Katie Cassel explains.  Then, as the junior member of the podcast crew, Katie also finds herself called on to explain when defense contractors have to disclose cyberattacks to the Department.

In other news, NSA contractor Harold Martin is looking less like a hoarder and more like a serious threat to national security, thanks to the Justice Department motion opposing bail.  Maury explains why the EU’s top court thinks that even dynamic IP addresses are personal data.  And I explain (or try to) why Julian Assange is a first amendment cover boy when he blows national security secrets but apparently the second coming of Josef Stalin when he blows politically embarrassing secrets of the Clinton Global Initiative.  Or is the real problem the risotto recipe?


Download the 135th episode (mp3).


Assistant Secretary of Cybersecurity Policy at DHS, Robert Silvers, and Stewart Baker, partner at Steptoe

Data Portability under EU GDPR: A Financial Services Perspective

Posted in International, Privacy Regulation

Philip Woolfson and I wrote an article for PL&B International about data portability, a new requirement of data protection law which will be introduced when the European Union General Data Protection Regulation (GDPR) applies on May 25, 2018.  Under this new regulation, data subjects have acquired a right to data portability (RDP). This article looks at developments in a selected regulated sector, financial services, to explore how RDP may be implemented successfully and where difficulties may arise.