Header graphic for print

Steptoe Cyberblog

Steptoe Cyberlaw Podcast – Interview with Robert Knake

Posted in China, Cybersecurity and Cyberwar, Data Breach, International, Privacy Regulation, Security Programs & Policies

Rob Knake & Stewart Baker

Our guest for Episode 73 is Rob Knake, currently the Council on Foreign Relations Senior Fellow for Cyber Policy and formerly with DHS, the White House, and the Richard Clarke finishing school for cybersecurity policymakers.  Rob and I are quickly embroiled in disagreement; as usual, I mock the cyberspace “norms” that Rob supports and disagree with his surprisingly common view that the US shouldn’t react strongly to Chinese hacking of the OPM database.  But we come together to condemn the gobsmackingly limp US response to China’s attack on Github.

In the news roundup, Alan Cohn and Jason Weinstein explain attribution problems in the Cardinals-Astros hacking case.  Somehow the Broncos also figure in the discussion.

Want to know why President Obama was foolish to promise he wouldn’t spy on the French President’s communications?  The answer is supplied by WikiLeaks, which discloses that the last French President was caught trying to end run the United States on Palestinean issues.  WikiLeaks of course thinks that shows American perfidy.

Google, meanwhile, fought the good fight to overcome a gag order and disclose an investigation of WikiLeaks soulmate Jake Applebaum.  Most interesting item in the 300 pages of documents released by the Justice Department?

The Department’s hint that those who Twitter-bully tech companies over their transparency records may be engaged in witness intimidation.

And in a recurring feature, This Week in Prurient Cyberlaw, we unpack the surprisingly complex problem of how Google identifies and delinks revenge porn.

Rob Knake, Stewart Baker, Jason Weinstein, Alan Cohn

Rob Knake, Stewart Baker, Jason Weinstein, and Alan Cohn

As always, send your questions and suggestions for interview candidates to CyberlawPodcast@steptoe.com.  If you’d like to leave a message by phone, contact us at +1 202 862 5785.

Download the seventy-third episode (mp3).

Subscribe to the Cyberlaw Podcast here. We are also now on iTunes and Pocket Casts!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Digital Payments and Currencies: Global Threat or Opportunity?

Posted in Blockchain, Privacy Regulation, Security Programs & Policies, Virtual Currency

On Thursday, April 23, I spoke at the Bretton Woods Committee seminar, “Digital Payments and Currencies: Global Threat or Opportunity?”  The panel discussed the changes digital currencies and payment systems have brought to the market and the disruptive potential of a future in which they may become more conventional.

An audio clip of the seminar can be accessed here.

Steptoe Cyberlaw Podcast – Interview with James Baker

Posted in Cybersecurity and Cyberwar, Data Breach, International, Privacy Regulation, Security Programs & Policies

James Baker, General Counsel of the FBI, is our guest on this week’s podcast. He fearlessly tackles the FBI’s aerial surveillance capabilities, stingrays, “Going Dark,” encryption, and the bureau’s sometimes controversial attribution of cyberattacks.  But he prudently punts on the Hack of the Century, refusing to reveal details of the FBI investigation into the Houston Astros network intrusionAlan Cohn leaps into the breach, starting with a reminder for me of which sport the Astros play.

In the news roundup, Michael Vatis and I highlight growing threats to free speech, from France’s censorship of what Americans read, to the European Court of Human Rights’ claim to punish even forums for allowing speech it deems hateful.  And in a move that would have tickled George Orwell’s funny bone, the Right to Be Forgotten returns to Russia, original home of the memory hole.

I mock US CTO Tony Scott for descending to “privacy theater” in requiring SSL encryption for all government websites, even those that require none.

Michael Vatis explains the court’s recent ruling in the Sony employees’ breach law suit, which will continue despite a lack of demonstrated injury to most individual employees.

I express satisfaction that hacking back has taken on a life of its own, praised by multiple witnesses (none of them me) at a financial services subcommittee hearing on the Hill.

Finally, in other news, Snowdenista “journalists” reveal their values through their choices.  Jacob Applebaum appeals to the Chinese to release stolen OPM files to Wikileaks, evidently hoping that harm to US security can be exacerbated by injury to the privacy of government employees.  And given a choice between NSA and a Russian antivirus firm widely suspected of ties to Russian intelligence, Glenn Greenwald stands up for the Russian (and, apparently, the view that copyright deserves better legal protection than either personal property or privacy).

As always, send your questions and suggestions for interview candidates to CyberlawPodcast@steptoe.com.  If you’d like to leave a message by phone, contact us at +1 202 862 5785.

Download the seventy-second episode (mp3).

Subscribe to the Cyberlaw Podcast here. We are also now on iTunes and Pocket Casts!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

New EU Data Protection Law: Are We There Yet?

Posted in International, Privacy Regulation, Security Programs & Policies

EU data protection (privacy) law is changing, albeit slowly.  After three years of intense discussions behind the scenes, the Council, the last of the EU institutions to reveal its hand, has finally managed to adopt a negotiating position on the General Data Protection Regulation or GDPR.  Three-way talks with the Commission and Parliament are confirmed for this week (24 June).  However, quick resolution to the negotiation does not seem in the cards as there remains much controversy.  Despite this, optimists believe a deal is possible by the end of the year.  But even with a deal by Christmas, the new rules will apply in the first half of 2018 at the earliest, leaving businesses with 24-36 months under the current legislation, essentially the 1995 Data Protection Directive.

Can Business Afford to Wait?

To put it briefly, no. Given the ever increasing role that digital technology plays in everyday life, it is unsurprising that most businesses now routinely collect, store and process personal information.  All grapple with the challenges that lawfully protecting that information brings.  Few keep up with best practice.  Meantime corporate exposure to personal data breach is on the increase, regardless of company size, location or reputation.  Business large and small needs to manage that risk and handle incidents professionally both now and under the future legislation.  What is clear, whether a social networking/file sharing internet site, or an e-commerce platform for goods and services, if EU citizens use your on-line services, it is increasingly difficult to ignore EU law (see selected case-law such as C-131/12 – Google Spain and Google and the draft GDPR territorial scope which does not require establishment in the EU before the legislation applies to a given business).

Will the New Legislation Bring Clarity?

The anticipated streamlined “digital age” single EU regime seems rather unlikely.  At the outset, the Commission proposed a Regulation – directly applicable uniform rules across the twenty-eight Member States.  It seems more realistic, though, that we will still have Regulation, but also many national carve-outs.  The practical result could be much the same as the existing Directive.  Skeptics fear an erosion of rights for consumers.  Additionally, as the negotiations have already been very lengthy, front runners such as Belgium, the Netherlands, and Germany have lost patience and have tabled their own national legislation.  On-going cases in the European Court may also add to the confusion (see selected cases on the role of national data protection authorities such as C-230/14 Weltimmo and Case C-362/14 Schrems.)  In short, as things currently stand, we risk a legal minefield.

What Are the Threats?

  • National regulators will gain enforcement muscle.  Fines are going up.  It seems likely that fines will be calculated as a percentage of global annual turnover of the corporate group (Council wants 2%, whereas the Parliament has called for 5%).  Currently, absent such sanctions, other regulators have had to intervene to protect affected consumers.  A striking example from the UK is the 2.27 million pounds fine imposed on Zurich UK in 2010 by the then Financial Services Authority for the lack of adequate systems and controls when outsourcing.
  • An initial goal in reviewing the legislation was to make it easier for companies to move personal data around, particularly within the corporate group (binding corporate rules).  The Snowden revelations have had their impact.  In particular, the Parliament is very sensitive about how to deal with requests for personal data from non-EU courts or administrative authorities.  Businesses hoping for a solution to the risk of being caught between a subpoena in one jurisdiction and a refusal from an EU jurisdiction for the data to be handed over could be disappointed.
  • Liability between operators is blurred.  Under the existing legislation the roles and responsibilities of so-called data controllers and processors were relatively clear, but it became a parlour game among lawyers to distinguish which legal entity was the controller, and which the processor.  Dividing liability between the two in the draft legislation appears to be the worst case scenario for many operators.
  • Keeping it relevant.  Once the legislation is adopted, no one will want to contemplate GDPR 2 for a long time.  However, as we are all too aware, the digital environment evolves quickly.  Agreeing on which aspects of the law can be amended by the Commission by so-called delegated or implementing act, avoiding a root and branch review of the Regulation, will be controversial.
  • Additional requirements.  GDPR is not comprehensive.  Related EU and national laws are going through the legislative process or are being contemplated, e.g. the EU network and information security proposal contains data breach reporting requirements for affected market participants, which risk being different than requirements under the GDPR.

How Should Business React Now?

Now is a very good time to get your house in order.  It is not too early to initiate a privacy programme or review existing practices.  If the lengthy negotiation has done anything, it has served to raise awareness that Europeans expect organisations to take care of their personal information.  As many surveys have revealed, many organisations have deficient practices.  These can be resolved.  The following (non-exhaustive list) sets out some initiatives that could be taken in the interim:

  • Assess how personal information is processed throughout an organisation’s business units, including ensuring personal data is stored and transmitted safely so that access is controlled and only available to authorised personnel.
  • Consider how the organisation can react better to consumer and employee requests for information about their personal information held by the organisation (subject access requests).
  • Review existing terms & conditions and privacy notices to increase readability, raising awareness among staff of their rights and responsibilities.
  • Audit terms & conditions, privacy notices and other corporate documents such as consumer preference testing questionnaires, against existing legal provisions, including commercial and consumer law in the jurisdictions in which the organisation operates.
  • Consider whether transfers of personal data outside the EEA meet current requirements (e.g. use of “model clauses,” the EU-US Safe Harbour scheme, and BCRs).
  • Assess how resilient the organisation is to data breach (from accidental loss and damage to a fully-fledged cyber-attack): what detection mechanisms and security measures are in place?  What risk management techniques are deployed across the organisation, including cyber-insurance?  Are there response procedures?  Are they sufficient under current law and appropriate for the organisation’s business continuity needs?  How quickly could the organisation get back on its feet?
  • Analyse obligations from other EU legislative and national implementing measures affecting the business, e.g. for insurers (Solvency II etc.), anti-money laundering (3AML), tax (EU Savings Directive).

2018 is not long in corporate planning terms so companies should identify now potential risk areas, prepare a road map, and initiate plans for implementation projects.

Steptoe Cyberlaw Podcast – Interview with David Anderson

Posted in Blockchain, China, Cybersecurity and Cyberwar, Data Breach, PCLOB, Privacy Regulation, Security Programs & Policies, Virtual Currency

Privacy advocates are embracing a recent report recommending that the government require bulk data retention by carriers and perhaps web service providers, exercise extraterritorial jurisdiction over data stored abroad, and expand reliance on classified judicial warrants.  In what alternative universe is this true, you ask?  No need to look far.  That’s the state of the debate in our closest ally.  The recommendations were given to the United Kingdom by an independent reviewer, David Anderson.  He’s our guest for Episode 71 of the Cyberlaw Podcast, and he provides a refreshingly different perspective on surveillance policy, one that makes us realize that it’s US civil libertarians , not the US government, who are out of step with the world.

In the news roundup, I bring Edward Snowden back for one last time – the fifteenth time I’ve done that, Michael Vatis points out.  This time it’s a British government leak claiming that both Russia and China have decrypted the entire corpus of Snowden’s stolen files – including the enormous number of files that have nothing to do with surveillance and everything to do with military operations.

The OPM hack has now reached Target status, Jason Weinstein argues.  It’s not the first, it’s maybe not even the worst, but it’s a hack that has captured the country’s imagination in a way that earlier warnings did not.

You might think that the OPM hack would show why information sharing is essential.  But privacy advocates continue to hold CISA hostage to yet more protections for privacy.  The 14 million government officials and former officials whose privacy has been grossly abused by the OPM hack will, I’m sure, thank Senators Mike Lee and Ron Wyden for their continued obstruction of government cybersecurity efforts.   In the House, the likeminded Rep. Massie has again proposed an appropriations amendment that would put new limits on the most important part of NSA’s intelligence mission – overseas collection.  His amendment passed the House but shows little prospect of surviving Senate review.

In a new feature, This Week in Self-Dealing, we review Jason’s recent op-ed on the New York bitcoin regulations and Alan Cohn’s op-ed on what’s wrong with government cybersecurity policy.  We close with comments on the new, extensive, and probably ill-advised Connecticut breach and security law, plus new obstacles for Twitter’s “warrant canary” first amendment lawsuit.

As always, send your questions and suggestions for interview candidates to CyberlawPodcast@steptoe.com.  If you’d like to leave a message by phone, contact us at +1 202 862 5785.

Download the seventy-first episode (mp3).

Subscribe to the Cyberlaw Podcast here. We are also now on iTunes and Pocket Casts!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Are New York’s BitLicense Rules Good or Bad for Bitcoin?

Posted in Blockchain, Security Programs & Policies, Virtual Currency

It’s only been about a week since New York’s outgoing Superintendent of Financial Services Ben Lawsky released the long-awaited “BitLicense” rules for digital currency businesses operating in New York, but it’s not too early to try to assess the potential impact of those rules on the development of Bitcoin-related businesses and emerging financial technologies.

The primary question on everyone’s mind: Are the BitLicense regulations – the product of a nearly two-year rulemaking process – good or bad for Bitcoin? The answer: A little of both. The truth is that the BitLicense rules are a mixed bag, and how you perceive them depends to some extent on whether your glass is half-full or half-empty.

The “Glass Half-Full” Perspective

As an initial matter, the BitLicense rules represent an attempt to bring regulatory clarity and stability to an uncertain environment. Ask the entrepreneurs, engineers, venture capitalists, and bankers who are pouring their time, energy, and money into bitcoin-related businesses, and they’ll tell you that regulatory clarity is good for business. As Perianne Boring, the President of the Chamber of Digital Commerce, recently observed in another context, “Investors don’t fear regulation, they fear uncertainty.”

The BitLicense regime also confers greater legitimacy on Bitcoin. Indeed, the fact that the BitLicense rules exist at all reflects a recognition by one of the nation’s most important financial regulators that Bitcoin is here to stay and that its underlying blockchain technology is a potentially transformative force in our economy and society. With companies like Goldman Sachs, the New York Stock Exchange, and IBM now exploring the blockchain’s potential to improve everything from international securities settlement to the emerging “Internet of Things,” it’s on balance a positive development that NYDFS has crafted regulations tailored to digital currencies instead of trying to shoehorn this new technology into a set of regulations created during a bygone era.

There are a number of specific provisions, many refined based on responses to earlier drafts, that are positive, including the following:

  • the rules focus on financial intermediaries – i.e., entities entrusted with safeguarding customers’ funds – while exempting software developers, retailers, and others;
  • the rules do not require approval of standard software upgrades and only apply to major changes in business model or products;
  • the rules require approval of changes in control, but not funding through investment rounds;
  • there will be a one-stop application process for a BitLicense and money transmitter license; and
  • licensed entities that file Suspicious Activity Reports with federal regulators will not have to file duplicate reports with NYDFS.

In addition, regardless of one’s opinion about the BitLicense rules themselves, those rules were the product of an open process in which regulators took seriously the views of Bitcoin companies and experts. Indeed, the final rules reflect a significant improvement over the first draft, with a number of significant changes made in response to a flood of public comments.

The “Glass Half-Empty” View

So that’s the good part. What about the other side of the (bit)coin? Critics of the BitLicense regulations have pointed to a number of features of the regime as potentially problematic, including the following:

  • the arguably overbroad definition of virtual currency business activity, particularly as compared to the more circumscribed definition in California’s proposed regulations (our friends at Coin Center have done an excellent analysis on this issue);
  • the imposition of cybersecurity and AML provisions that go beyond any regulations imposed on the traditional payments industry; and
  • the fact that the rules impose state-level AML requirements instead of simply licensing and leaving AML regulation in the capable hands of FinCEN.

In addition, commentators have pointed to the lack of a clear, defined on-ramp for start-up companies. Indeed, one of the greatest areas of concern since the first draft of the BitLicense proposal has been the potential impact on new entrants to the market. It remains to be seen whether the costs of compliance inhibit the growth of start-ups, who are so critical to innovation in this space.

The race is on for other states to regulate digital currencies, and for better or worse, New York’s BitLicense rules will likely help shape the regulations in those other states. So critics of the BitLicense regime are working overtime to try to ensure that other states improve on, rather than simply copy, New York’s approach.

It’s About the Execution

In many ways, the blockchain today is like the Internet was 20 years ago. In the early 1990s, the earliest days of commercial exploitation of the Internet, who could have foreseen Google, Facebook, Twitter, Uber, Airbnb, Expedia, online streaming of movies and TV shows, or many of the other Internet applications that are now part of the fabric of our daily lives? That’s where we are today with the blockchain technology – a world of possibilities that most of us can’t even imagine. It’s critical that new companies be able to develop applications for that technology, and for investors to be able to fully understand the regulatory environment in which their companies are operating.

To his credit, Mr. Lawsky has recognized that the “genie is already out of the bottle” when it comes to digital currencies and other financial technology innovations. In his speech announcing the final BitLicense rules, he observed that “the technology underlying Bitcoin could be used not just as a currency, but potentially as a means to transfer all manner of personal property securely over the Internet” and that “when it comes to Bitcoin … platforms could be built upon platforms could be built upon platforms by future innovators.” With that in mind, Mr. Lawsky has said that New York’s goal was to put in place measures to protect consumers and detect illicit activities while not “doom[ing] promising new technologies before they get out of the cradle.” That is a goal everyone who supports the blockchain should embrace, but time will tell whether New York has drawn those lines in the right place.

Although he won’t be in office to implement these rules, Mr. Lawsky has recognized that the BitLicense regulations are just a starting point, and has predicted (I think correctly) that we will see a fine-tuning of those rules over the next several years as their actual impact is felt. As Mr. Lawsky noted, NYDFS “must be willing to take a hard look at how these new rules are working when they are put into practice” and must be willing to “course correct” as needed. So ultimately, whether the BitLicense rules will be good or bad for Bitcoin and the blockchain will be determined by how those rules are applied – and adjusted – over time.

More generally, the BitLicense rulemaking process underscores the value of constructive engagement and open dialogue between Bitcoin entities and regulators. Whatever your view of the BitLicense rules, there’s no question that they would have been a lot more onerous and a lot less palatable but for the ideas and input from companies and technologists and the open-mindedness of the regulators. Open dialogue and engagement will be just as important in the months and years ahead, as we see the practical impact of the regulations and as we learn whether the lines drawn by New York last week need to be moved.

Protecting Companies and Investors

For Bitcoin-related companies who may be covered by these rules, the takeaway from the announcement of the BitLicense regime, and from FinCEN’s recent enforcement action against Ripple, is clear – that compliance and AML issues need to be top of mind. This is not an area where it’s better to ask forgiveness than permission. Any company that may be impacted by these rules should get help in determining whether, or how, the rules may apply and in designing and implementing a compliance regime that will pass regulatory scrutiny while allowing the company to grow and thrive.


Steptoe Cyberlaw Podcast – Interview with Dan Kaminsky

Posted in China, Cybersecurity and Cyberwar, Data Breach, International, Privacy Regulation, Security Programs & Policies

Our guest for Episode 70 of the Cyberlaw Podcast is Dan Kaminsky, a famous cybersecurity researcher who found and helped fix a DNS security flaw.  Dan is now the Chief Scientist at WhiteOps, but I got to know him in an unlikely-bedfellows campaign against SOPA because of its impact on DNS security.  Dan and I spend most of the podcast disagreeing, largely about trust, Snowden, and security, but we do explore in detail the fact that, contrary to the Received Canon of Silicon Valley, end-to-end encryption is broken to improve security thousands if not millions of times a day by responsible corporate CISOs.  Dan also describes WhiteOps’s promising new take on identifying hackers and clickfraud on the internet.

In the news roundup, we bring back This Week in NSA for old times’ sake, highlighting the enactment of the USA FREEDOM Act and exploring its likely impact.  We mock Charlie Savage for his overwrought New York Times article claiming that NSA’s cybersecurity monitoring is a privacy issue.  (We apologize to Julia Angwin, Jeff Larson, and Henrik Moltke, who shared Charlie’s byline; we’ll mock you next time, I promise.)  NSA is apparently inspecting traffic from foreign sources for malware and other signatures and may also be spotting exfiltrated data as it leaves victims’ networks.  Charlie and his coauthors call this “warrantless surveillance of Americans’ international Internet traffic.”  Note to the New York Times:  a hacker sending me malware and stealing my files is a lot of things, but in the real world no one would call that my “international Internet traffic.”

Jason covers the broken settlement between MasterCard and Target arising from Target’s notorious Christmas 2013 breach.  And the Office of Personnel Management comes in for some well-earned criticism, not least for its lame offer of credit monitoring to the 4 million victims of what may be Chinese hacking.  If it is the Chinese government, the one thing we probably don’t have to worry about is credit fraud, and given the flood of Chinese thefts of American personal data, the government needs to be giving victims better guidance about what to watch for.

Speaking of government failings, we talk about the supine US response to Putin’s trolls, even though they’re clearly testing tools to create panic and sow disinformation in the wake of a crisis in the United States.  Even when they do it inside the United States, it appears that our only strategy is hope.

Michael talks about the Supreme Court ruling that will make the internet safe for violent revenge fantasies.  And Jason explains the difference between the FBI’s encryption “Going Dark” campaign and the FBI’s CALEA “Going Dark” campaign:  They’re both DOA, but buried in different parts of the US Code.

As always, send your questions and suggestions for interview candidates to CyberlawPodcast@steptoe.com.  If you’d like to leave a message by phone, contact us at +1 202 862 5785.

Download the seventieth episode (mp3).

Subscribe to the Cyberlaw Podcast here. We are also now on iTunes and Pocket Casts!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Steptoe Cyberlaw Podcast – Interview with Jason Brown

Posted in Cybersecurity and Cyberwar, Data Breach, International, Privacy Regulation, Security Programs & Policies
Podcast 69

Jason Brown and Jason Weinstein

Our guest for Episode 69 is Jason Brown, the Assistant to the Special Agent in Charge of the Cyber Intelligence Section at the US Secret Service.  We talk about the Secret Service’s Electronic Crimes Task Forces and their critical role in investigating data breaches affecting financial institutions, retailers and other companies.  We also discuss how the Secret Service helps companies prepare for and mitigate their risk of an incident.  We talk about issues that impact breach victims’ decisions about whether or how to engage with law enforcement and about how the relationship between law enforcement and Internet providers has changed in the post-Snowden world.  Finally, we discuss how the changing jurisprudence relating to electronic searches is impacting the day-to-day conduct of criminal investigations.

In the news roundup, we discuss the dysfunction in the Senate that has led to the (temporary?) lapsing of the 215 program.  We mull over the impact of Riley on the Sixth Circuit’s decision in a laptop search case.  The DOJ Criminal Division talks about hackback, and Yahoo! faces class certification in an email scanning case.  In our “prurient interest” feature, a database of Adult Friend Finder users is for sale online.  And we weigh the possible impact of New York’s BitLicense regulations.  Once again, Maury Shenk joins us to talk about developments in Europe, including new Dutch breach notification requirements, Skype’s efforts to push back against Belgian intercept law, and discussions about new EU cybersecurity rules that could have a significant impact on US providers.

As always, send your questions and suggestions for interview candidates to CyberlawPodcast@steptoe.com.  If you’d like to leave a message by phone, contact us at +1 202 862 5785.

Download the sixty-ninth episode (mp3).

Subscribe to the Cyberlaw Podcast here. We are also now on iTunes and Pocket Casts!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Steptoe Cyberlaw Podcast – Interview with Julian Sanchez

Posted in China, Cybersecurity and Cyberwar, Data Breach, International, Privacy Regulation, Security Programs & Policies

Our guests for Episode 68 include Julian Sanchez, senior fellow at the CATO Institute where he studies issues at the busy intersection of technology, privacy, and civil liberties, with a particular focus on national security and intelligence surveillance. They also include the entire May meeting of ISSA- NOVA, which kindly invited the Cyberlaw Podcast to go walkabout once again. The audience provides useful feedback on several of the topics covered in this episode.

We begin with This Week in NSA.  And even though we had no idea how the Senate process would end up, neither it turns out did Majority Leader McConnell or anyone else.  Our remarks on the Congressional dynamic remain as relevant now as when we made them, despite our intimations of obsolescence.   We also cover an early judicial decision on insurance coverage for data breaches (subscription required), the US indictment of (another!) six Chinese economic espionage agents, and the personal data orphaned by Radio Shack’s bankruptcy.

More importantly, we seize on a flimsy pretext to revisit Max Mosley’s five-hour, five hooker sadomasochistic orgy (subscription required) and his self-defeating efforts to wipe it from the internet by threats of lawsuit.  It turns out he’s now reached a settlement with Google.  I speculate that perhaps we’ve misread Mosley all this time.  Maybe he’s doing this because of the Streisand effect, not in spite of it.  It’s like he wants the internet to punish him, or something …

Returning to serious coverage, we note that CCIPS and the Justice Department may be suffering from Baker Derangement Syndrome in the face of my defense of private cyber-investigation that goes beyond network boundaries.  The Department’s latest effort involves persuading CSIS and a group of CISOs  to join a draft paper that looks suspiciously like a DOJ brief in opposition to the Cyberlaw Podcast.   And the supposed consensus among CISOs that’s identified in the paper breaks down quickly, rejected ten to one in an informal poll of the ISSA-NOVA audience.

Julian and I mix it up over the new, revived Crypto Wars, as I challenge the claim that building access to encryption systems is always a bad idea.  That, I say, will come as news to all the network security administrators who access end-to-end TLS sessions on a routine basis because the security consequences of not “breaking” that crypto are worse than the corporate front door.  He recommends that I ask Dan Kaminsky to comment on that statement, and since Dan will be a guest on the podcast soon, we’ll all get to hear his answer.

The Cyberlaw Podcast is now open to feedback.  Send your questions, suggestions for interview candidates, or topics to CyberlawPodcast@steptoe.com.  If you’d like to leave a message by phone, contact us at +1 202 862 5785.

Download the sixty-eighth episode (mp3).

Subscribe to the Cyberlaw Podcast here. We are also now on iTunes and Pocket Casts!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

BIS Proposes Cybersecurity Export Control Rule: Significant Changes Possible

Posted in Cybersecurity and Cyberwar, International, Security Programs & Policies

On May 20, 2015, the Department of Commerce Bureau of Industry and Security (BIS) published a proposed rule affecting exports of intrusion software, surveillance systems, and related systems, equipment, software, and components.  The proposed rule provides for new and amended export control classification numbers (ECCNs) for these “cybersecurity items,” resulting in new licensing and reporting requirements.  Currently, these items typically are controlled based on their cryptographic functionality, but the new proposed ECCNs and control regime would disallow the use of most license exceptions, including the encryption (ENC) license exception, for many of these items.  Export control professionals have been anticipating rulemaking in this area following the 2013 Wassenaar Arrangement Agreements that added intrusion software and penetration systems to the dual use, multi-lateral export control regime.  BIS is seeking comments on the proposed rule with a deadline of July 20, 2015.  The following are some of the key changes that are being proposed.

New Definition of “Intrusion Software”

The proposed rule would add a new definition of “intrusion software” that is critical to understanding the proposed export controls.  “Intrusion software” under the new rule would include:

“Software” “specially designed” or modified to avoid detection by “monitoring tools,” or to defeat “protective countermeasures,” of a computer or network-capable device (including mobile devices and smart meters), and performing any of the following:

(a) the extraction of data or information, from a computer or network-capable device, or the modification of system or user data; or

(b) the modification of the standard execution path of a program or process in order to allow the execution of externally provided instructions.

Here “monitoring tools” are software or hardware devices that monitor system behaviors or processes running on a device, including antivirus products, end point security products, Personal Security Products, Intrusion Detection Systems, Intrusion Prevention Systems, or firewalls.  “Protective countermeasures” within the proposed rule are techniques designed to ensure the safe execution of code, such as Data Execution Prevention, Address Space Layout Randomization, or sandboxing.

The proposed definition adds a number of notes that would remove certain standard commercial products from the definition.  In particular, the proposed definition of “intrusion software” does not include:  (1) hypervisors, debuggers or Software Reverse Engineering (SRE) tools; (2) Digital Rights Management software; or (3) software designed to be installed by manufacturers, administrators or users, for the purposes of asset tracking or recovery.

New and Amended ECCNs for “Intrusion Software”

Based on the proposed definition summarized above, the proposed rule would add two ECCNs to the Commerce Control List (CCL) for “intrusion software” and related systems, equipment, components and software:

4A005:  “systems,” “equipment,” or “components” for intrusion software, “specially designed” for the generation, operation or delivery of, or communication with “intrusion software”
4D004:  “software” “specially designed” for the generation, operation or delivery of, or communication with, “intrusion software”
BIS noted in its proposed rule that these ECCNs include “network penetration testing products that use intrusion software to identify vulnerabilities of computers and network-capable devices.”

These new ECCNs would be controlled for national security (NS), regional stability (RS), and anti-terrorism (AT), creating an export license requirement for all destinations except for Canada.  No license exceptions (except for certain portions of License Exception GOV) would be available for 4A005 and 4D004 items.

In addition, existing ECCNs affected by the “intrusion software” include 4D001, which would cover “development” and “production” intrusion software, and 4E001 which would cover “technology” “required” for the “development” of intrusion software.  BIS notes that technology here will include “proprietary research on the vulnerabilities and exploitation of computers and network-capable devices.”  Like new 4A005 and 4D004, these amended ECCNs would not be eligible for the use of license exceptions, including License Exception Technology and Software Under Restriction (TSR) or Strategic Trade Authorization (STA).

ECCN for Network Communications Surveillance Systems

The proposed rule also would add Internet Protocol network communication surveillance systems as “cybersecurity items” in ECCN 5A001.j.  These systems include those that intercept and analyze messages to produce personal, human, and social information from network communications traffic.  Excluded from 5A001.j are systems or equipment specially designed for a marketing purpose, network quality of services, or quality of experience.  Like 4A005 and 4D004 for “intrusion software”, 5A001.j would be controlled for NS, RS, and AT (all Column 1), resulting in a license requirement for all exports and reexports except Canada.  Also like the “intrusion software” ECCNS, 5A001.j would not be eligible for license exceptions except for certain provisions of GOV.

Continuing Registration, Review and Reporting Requirements for Cryptographic Items

While “cybersecurity items” – including intrusion software and network communication surveillance systems – would not be eligible for License Exception ENC, and would no longer be classified based on their information security functionality (e.g., in ECCNs 5A002, 5D002, or 5E002), information security registration, review, and reporting requirements would still apply under the proposed rule.  Relevant ECCNs (discussed in the sections above) include a note requiring the registration, review, and reporting aspects of now-existing sections 740.17, 742.15(b), and 748.3(d), including with BIS and the ENC Encryption Request Coordinator.  Currently, companies typically meet these requirements in order to qualify for ENC license exception or mass market treatment.  Under the proposed rule, these requirements would continue even though ENC and mass market treatment would not be available.

Export Licenses for Cybersecurity Items

While licenses would be required under the proposed rule to most destinations, BIS, under the proposed rule, would review favorably license requests to certain destinations, including U.S. companies or subsidiaries outside Country Group D:1 or E:1 countries, commercial partners in Country Group A:5, and government end users in Australia, Canada, New Zealand, and the United Kingdom.  There would be a presumption of denial of licenses for items that have or support rootkit or zero-day exploit capabilities.  Items would also be reviewed for licensing based on their information security functionality.

License applications for cybersecurity items would have to fulfill new requirements under the proposed rule, including the submission of certain technical information and, upon request, copies of sections of source code and other software implementing or invoking cybersecurity functionality.

The proposed requirements would result in new licensing requirements for some products that currently qualify for ENC and other license exceptions. Companies that produce, test and market intrusion software and related cybersecurity items will want to weigh in on the potential impact of the rule on their business – particularly whether the proposed implementation of the new licensing requirements and ineligibility for license exceptions will impose unmanageable burdens.  Companies operating in this area will also want to weigh in on whether aspects of the proposed rule could hamper vulnerability research and testing, and the ability to protect commercial and government networks.