Stewart Baker & Charlie Savage
Our guest for episode 90 is Charlie Savage, New York Times reporter, talking about Power Wars, his monumental new book on the law and politics of terrorism in the Obama (and Bush) administrations. I pronounce it superb, deeply informative, and fairly unbiased, “for a New York Times reporter.” With that, the fat is in the fire, and Charlie and I trade views – and occasional barbs – about how the Bush and Obama administrations handled the surveillance issues that arose after 9/11.
In the news roundup, Michael Vatis and I puzzle over the FTC’s astonishing loss on its own home court. We wonder why the FTC failed to do the right thing and drop the LabMD case when the FTC’s source began to lose credibility by the shovel-load. I suggest that FTC leadership was suffering from the rarely spotted “Darrell Issa Derangement Syndrome.”
Jason Weinstein deconstructs the claim that the European Union is “cracking down” on bitcoin in response to the attacks in Paris.
Stepping out of character, I defend the value of diplomatic “words on paper,” finding promise in the G20’s announcement that all twenty members join in condemning cyberespionage for commercial purposes.
Michael recaps the latest in litigation over the nearly expired NSA 215 program. DC Circuit Judge Kavanaugh has explained why Judge Leon is wrong about the program, depriving the district court judge of the last word on the subject and demonstrating that its lawfulness can be assessed without resort to exclamation points.
Working a technology help desk could drive a man to suicide. Until ISIS opened its own terrorist help line, though, we thought that was a bug not a feature. In the same vein, I mock Glenn Greenwald for insisting that Snowden taught ISIS nothing about security about a week before we got to see a tech manual, apparently in use by the terror group, which invokes Fast Eddie’s advice about which remote storage systems are safe to use.
As always, the Cyberlaw Podcast welcomes feedback. Send e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.
Download the ninetieth episode (mp3).
Subscribe to the Cyberlaw Podcast here. We are also now on iTunes and Pocket Casts!
The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.
The NSA metadata program that is set to expire in two weeks was designed to provide early warning of a terror attack planned in a foreign safe haven and carried out inside the United States. Those are some of the most deadly terror attacks we’ve seen, from 9/11 to Mumbai. And now Paris.
So should the United States be terminating the 215 program just as the Paris attacks show why it was created? That’s the question I ask in Episode 89 of the podcast as we watch the DC Circuit cut short Judge Leon’s undignified race to give the program one last kick before it’s terminated.
Where the hell are the FTC, Silicon Valley, and CDT when human rights and privacy are on the line? If the United States announced that it had been installing malware on 2% of all the laptops that crossed US borders, the lawsuits would be flying thick and fast, and every company in Silicon Valley would be rolling out technical measures to defeat the intrusion. But when China injects malware into 2% of all the computers whose queries cross into Chinese territory, no one says boo. Not the US government, not CDT or EFF, and not the big browser companies. That’s the lesson I draw from episode 88 of the podcast, featuring an in-depth discussion of China’s Great Cannon with Adam Kozy and Johannes Gilger of CrowdStrike. They expand on their 2015 Black Hat talk about China’s deployment of Great Firewall infrastructure to hijack American and Taiwanese computers and use them in a DDoS attack against GitHub.
What good is CISA, anyway?
Now that both the House and Senate have passed information sharing bills that are strikingly similar but not identical, the prospects for a change in the law are good. But what changes, and how much difference will they make to network defenders? That’s the topic we explore in episode 87 with our guest, Ari Schwartz. Ari has just finished a tour as senior director for cybersecurity on the United States National Security Council Staff at the White House. He and I and Alan Cohn go deep into the weeds so you won’t have to. Our conclusion? The main value of the bill is that it frees some companies from aging privacy rules that prevented information sharing with groups that include the government. It also enables companies to monitor their networks without fear of liability under even older privacy laws preventing interception of communications without all parties’ consent. The other lesson to be drawn from the bill is that privacy groups are still something of a paper tiger without business support. More than seventy senators voted for CISA over the bleeding bodies of every privacy group in the country.
Are Russian hacker-spies a bunch of lethargic government drones more interested in smash-and-grabs than stealth? That’s one of the questions we pose to Mikko Hypponen in episode 86 (right after we ask about how to pronounce his name; turns out, that’s harder than you think). Mikko is the Chief Research Officer at F-Secure and a long-time expert in computer security who has spoken and consulted around the world for over 20 years. His company recently published a lengthy paper on Russian government cyberspies, which F-Secure calls “the Dukes.” Mikko describes the Dukes’ targets and tactics, including a remarkably indiscriminate attack on a Tor exit node. I press him on whether attribution is really getting better, and on whether F-Secure’s paper eases or heightens concerns about Kaspersky’s ties to Russian intelligence.
Want to see cyber attribution and deterrence in action? In August, a hacker pulled the names of US military personnel and others out of a corporate network and passed them to ISIL. British jihadist Junaid Hussain exulted when ISIL released the names. “They have us on their ‘hit list,’ and we have them on ours too…,” he tweeted. On the whole, I’d rather be on theirs. Two weeks after his tweet, Hussain was killed in a US airstrike, and two months after that, the hacker was arrested in Malaysia (subscription required) on a US warrant.
We explore that story and more with Gen. Michael Hayden, the only person to serve as both Director of the National Security Agency and of the Central Intelligence Agency. Gen. Hayden explains why he differs with FBI director Comey on encryption and with the European Court of Justice on whether the US sufficiently respects privacy rights, along with other topics.
In episode 84 our guest is Jack Goldsmith, Professor at Harvard Law School, a Senior Fellow at the Hoover Institution at Stanford University, and co-founder of the Lawfare blog. Before coming to Harvard, he served as Assistant Attorney General, Office of Legal Counsel and Special Counsel to the Department of Defense. From cyberespionage to the right to be forgotten and the end of the Safe Harbor, we explore the many ways in which a globalized economy has tied the US government’s hands in cybersecurity matters – and subjected the United States to extensive extraterritorial “soft power” at the hands of Europeans.
In the news roundup, the headline news is the continuing fallout from the ECJ’s attack on the Safe Harbor. Michael Vatis and Maury Shenk bring us up to date. Jason Weinstein explains why the latest convicted hacker thinks he should be a civil liberties hero/victim – and how weev has found yet another outlet for his bitterness at DOJ.
Now that the US-EU Safe Harbor has been invalidated by the European Court of Justice (ECJ) in Schrems v. Data Protection Commissioner, the Safe Harbor no longer provides a legal basis for transfers of personal information from the EU to the US. The ECJ’s press release and the full text of the Schrems decision are available. This does not immediately affect the US-Switzerland Safe Harbor, but it may have implications for that scheme as well.
It is widely expected that data protection authorities in the EU will offer some grace period for companies that have relied on the Safe Harbor, but the authorities are unlikely to be overly generous. So companies need to begin moving quickly to put in place alternative bases for such transfers to avoid being out of compliance with European privacy laws.
These mechanisms can include obtaining unambiguous consent of the data subject, EU-approved model contract clauses (which do not require any regulatory consent), or binding corporate rules (which must be approved by at least one EU data protection authority).
The US and EU have been negotiating over changes to the Safe Harbor, and these negotiations had made progress before the ECJ decision. But the complexities introduced by the decision make it unlikely that a “Safe Harbor 2.0” will be agreed upon quickly. What’s more, any such agreement will be subject to challenge in every EU member state, promising years of uncertainty. So companies should not wait for a new Safe Harbor to be put in place, but should determine which of the alternative bases for EU-to-US data transfers fits their business the best, and move expeditiously to implement the necessary contracts, rules, and procedures.
Bruce Schneier joins Stewart Baker and Alan Cohn for an episode recorded live in front of an audience of security and privacy professionals. Appearing at the Privacy. Security. Risk. 2015 conference, sponsored by the IAPP and the Cloud Security Alliance, Bruce Schneier talks through recent developments in law and technology.
The three of us stare into the pit opened by an overwrought (and overdue and overweening) European Court of Justice advisor. If the European Court of Justice follows his lead (and what seems to be its inclinations), we could face a true crisis in transatlantic relations.
Cyberlaw negotiations are the theme of episode 82, as the US and China strike a potentially significant agreement on commercial cyberespionage and Europeans focus on tearing up agreements with the US and intruding on US sovereignty.
Our guest for the episode is Jim Lewis, a senior fellow and director of the Strategic Technologies Program at the Center for Strategic and International Studies. Most importantly, Jim is one of the most deeply informed and insightful commentators on China and cybersecurity. He offers new perspectives on the Obama-Xi summit and what it means for cyberespionage.