Steptoe Cyberblog

Steptoe Cyberlaw Podcast – Bonus Episode – Interview with Charles Allen and John McLaughlin

Posted in Cybersecurity and Cyberwar, Data Breach, International, Security Programs & Policies

127: Vlad’s Cojones

I know we promised to take August off, but I was inspired by the flap over the DNC hack and the fact that I’m at the Aspen Homeland Security Working Group meeting in Colorado. I waylaid two former intelligence community members on the Aspen campus and asked for their views on the DNC hack.  Well, to be accurate, I start the interview by asking whether Putin really has the balls to step into the US electoral campaign in this way.  Answering the question are two men with the perspective of long years dealing with Soviet and then Russian intelligence:  Charles Allen, who became intelligence chief for DHS after a full career at CIA, and John McLaughlin, who ended his career at CIA as the Deputy Director and Acting Director.

As always, the Cyberlaw Podcast welcomes feedback. Send email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 127th episode (mp3).

Subscribe to the Cyberlaw Podcast here. We are also now on iTunes, Pocket Casts, and Google Play!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Steptoe Cyberlaw Podcast – Interview with Ed Hammersla and Brian White

Posted in Cybersecurity and Cyberwar, Data Breach, International, Privacy Regulation, Security Programs & Policies

Episode 126 – The podcast goes to the conventions

If Vladimir Putin can do it, so can we. This week the podcast dives deep into the US presidential campaign.

I of course talk with Maury Shenk about evidence that the Russians are behind “Guccifer 2.0” and the DNC data leak – aided by a Wikileaks that looks more and more like an FSB front.  I compare the largely indistinguishable Dem and GOP platform planks on encryption ‒ and draw a lesson from the straddles:  there’s little doubt that every lobbyist who contributed to the platforms was working for Silicon Valley, so the failure to endorse the Valley’s view may spell trouble for techie triumphalism.  I also spike the football for the Justice Department, whose policy views on the dangers of hacking back were swamped when the GOP called for letting victims of hacking have their way with the hackers.

Our interview this week touches on the insider threat. Andy Irwin describes the new DOD rule requiring contractors to devise insider monitoring plans for cleared personnel, and two industry leaders, Ed Hammersla, CSO of Forcepoint, and Brian White, COO of RedOwl Analytics, talk about what technology can do to spot incipient employee defections and data theft.  A discussion of the role of natural language processing naturally reminds me of George Carlin and the seven dirty words you can’t say on the radio.

In other news, Katie Cassel unpacks another in a long line of increasingly incoherent 9th Circuit rulings on when it violates the CFAA for unwanted visitors to log on to a site.  Katie also explains why the outcome of another data breach lawsuit might persuade Scottrade to change its name to Scot-Free.

Maury updates us on UK politics, from Theresa May’s honeymoon to the possibility that UK data retention law will survive review in the European Court of Justice.  I flag a good (and, sadly, already outdated) House Homeland Security Committee report on 100 ISIS-linked terror plots against the West since 2014, a surprise reprieve for Silent Circle, and Whatsapp’s continuing “If it’s Tuesday we must be shut down; if it’s Wednesday we must be back up” drama in Brazil.

As always, the Cyberlaw Podcast welcomes feedback.  Send email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 126th episode (mp3).

Subscribe to the Cyberlaw Podcast here. We are also now on iTunes, Pocket Casts, and Google Play!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

New “Insider Threat” Programs Required for Cleared Contractors

Posted in Security Programs & Policies

On May 18, 2016, the Department of Defense published “Change 2” to the National Industrial Security Program Operating Manual (NISPOM) that requires contractors to establish and maintain a program to detect, deter and mitigate insider threats by November 30, 2016.  Although cleared contractors are already obligated to protect classified information to which they have access, these changes to the NISPOM impose new requirements for contractors to implement programs that the US Government hopes will provide some ability to predict the future, i.e., a “risk” of or “potential” insider threat before one occurs.  More information can be found here.

Steptoe Cyberlaw Podcast – Interview with Jeremy and Ariel Rabkin

Posted in Cybersecurity and Cyberwar, Data Breach, International, Privacy Regulation, Security Programs & Policies

Podcast 125

In the news roundup, Michael Vatis covers Microsoft’s surprising Second Circuit victory over the Justice Department in litigation over a warrant for data stored in Ireland.  The hidden issue in that case was data localization – the same issue driving the Justice Department’s new legislative proposal to allow foreign nations to obtain information from US data repositories.  That proposal is unpacked by special guest David Kris, former Assistant Attorney General for National Security and author of the treatise, National Security Investigations and Prosecutions.

In other news, LabMD has found yet another defendant in its campaign against Tiversa.  Michael discusses what may be the first judicial decision requiring a warrant to use a Stingray to locate a criminal suspect.  And HHS tries to achieve a plausible policy goal with an overreaching legal interpretation; as Michael explains, the result could be massive unintended consequences.

In quick hits: more evidence that foreign nations are targeting our energy grid, FDIC engages in a surprisingly successful breach cover-up, a Chinese browser sends data back to China unmolested (all because we still haven’t funded the Europocrisy Prize, I argue), and the cyberwar on ISIS is going slowly, mainly, I argue, because cyberwar on ISIS is not all that good an idea.

What’s the argument in favor of hacking back that is best calculated to infuriate the State Department? We talk hackback with the father and son team that produced a thoughtful paper on the topic for the Hoover Institution.  Jeremy, a law professor at the Scalia Law School, and his son, Ariel Rabkin, a computer scientist out of Berkeley, have the expertise to deal gracefully and concisely with the policy debate over hacking back.  Their proposal charts a middle ground while cheerfully eviscerating State’s hand-wringing about the international consequences of permitting hacking victims to act outside their networks.  Bonus feature:  lifetime career advice from yours truly!

As always, the Cyberlaw Podcast welcomes feedback.  Send email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 125th episode (mp3).

Subscribe to the Cyberlaw Podcast here. We are also now on iTunes, Pocket Casts, and Google Play!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.


Steptoe Cyberlaw Podcast – Interview with Congressman Will Hurd (R-TX)

Posted in Cybersecurity and Cyberwar, International

What’s the difference between serving in Congress and spying in the back alleys of a Middle Eastern bazaar? Why not ask the one Congressman who’s done both – Rep. Will Hurd (R-TX). He also has cybersecurity chops from his career in industry, so he makes the perfect guest for episode 124a of the podcast. Just running through his week takes us from the difficulty of setting red lines in cyberspace to what we know about foreign penetration of the Clinton email server. But we manage as well to cover the declining fortunes of the Massie-Lofgren amendment and the reasons (and possible cures) for the disaster that is federal IT procurement.

As always, the Cyberlaw Podcast welcomes feedback.  Send email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 124th(a) episode (mp3).

Subscribe to the Cyberlaw Podcast here. We are also now on iTunes, Pocket Casts, and Google Play!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Steptoe Cyberlaw Podcast – News Round-Up

Posted in Cybersecurity and Cyberwar, International, Privacy Regulation, Security Programs & Policies

This week’s news roundup is dominated by the Ninth Circuit and the European Union. The EU parliament has approved the Privacy Shield that replaces the Safe Harbor. Michael Vatis, Alan Cohn and I ask whether companies should seek protection under what may prove to be a pretty leaky Shield. And the EU has approved cybersecurity rules for critical industries and verdammte amerikanische Unternehmen … er, digital service providers. You may not like the EU penchant for regulation as a first resort, but Alan and I conclude that the initiative on cybersecurity standard-setting may finally have moved to Brussels.

In Ninth Circuit news, the Nosal case has come back for another round of appellate decision-making, and this time the decision goes against Mr. Nosal. Michael and I debate whether sharing a password should lead to criminal penalties.  In other news, the lib/left continues its campaign to impose a warrant requirement on reuse of section 702 data.  They’ve already lost in two courts, and my guess from oral argument in US v. Mohamud is that they won’t do better in the third.

Elsewhere, Russia has finally adopted its aggressive new law regulating digital service providers in the name of fighting terrorism. The FCC privacy regs attract some support from other agencies, notably the FBI and Secret Service. Silent Circle, already silently circling the drain, has dropped its faddish warrant canary “for business reasons.” And kudos to Yingmob for its new business model; the Chinese company seems to have combined legitimate adtech business lines with a line of malware that has infected ten million Android phones. No word yet on whether Yingmob employees can take a break from writing malware to play foosball.

Our interview with Will Hurd will follow later in the week.

As always, the Cyberlaw Podcast welcomes feedback.  Send email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 124th episode (mp3).

Subscribe to the Cyberlaw Podcast here. We are also now on iTunes, Pocket Casts, and Google Play!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Steptoe Cyberlaw Podcast – News Round-Up

Posted in China, Cybersecurity and Cyberwar, Data Breach, International, Privacy Regulation, Security Programs & Policies

Edward Snowden criticizes Russia’s mass surveillance law, and a Russian official retaliates by outing him ‒ as a Russian intelligence source.  Silent Circle, the phone company that built its marketing on fear and loathing of the NSA, is nearing bankruptcy. And members of the dominant European Parliament faction are asking the Commission, “Hey! How come you keep demanding more data export and privacy concessions from the US without asking for bupkis from China?”  And the FBI now has three politically viable paths to win back authority to obtain electronic communications transaction records with a National Security Letter (one, two, three).

Truly, episode 123 feels like a reward for living through 2013.

In other news, Alan Cohn and Katie Cassel report on the Bank for International Settlements’ surprisingly sophisticated cybersecurity standards.  I whinge about Bob Litt’s 18 pages of binding commitments to Europe on how the US will conduct intelligence from now on.  Alan and I compliment CBP on its technical savvy in easing border clearance ‒ and ponder the role of stools in protecting the homeland.

I report that Belgian courts have reversed a verdict by the local DPA against Facebook, and Maury Shenk comments on broader implications for EU data protection.  Katie notes that FTC commissioner Maureen Ohlhausen continues to tout the advantages of her agency’s “flexible” privacy and security standard and to diss the FCC’s more explicit approach. I mock the ACLU for demanding the right to violate criminal law to get information from private companies and ask if I can do the same to get the ACLU to answer my questions about whether it provides real security for its clients. And Maury reports that China is still rolling out new internet regulations, from online search standards to where to store Chinese citizens’ personal data (China, natch).

As always, the Cyberlaw Podcast welcomes feedback.  Send email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 123rd episode (mp3).

Subscribe to the Cyberlaw Podcast here. We are also now on iTunes, Pocket Casts, and Google Play!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Steptoe Cyberlaw Podcast – Interview with Fred Kaplan

Posted in Cybersecurity and Cyberwar, International, Privacy Regulation, Security Programs & Policies

Was Iran’s cyberattack that bricked vast numbers of Saudi Aramco computers justified by a similar attack on the National Iranian Oil Company a few months earlier?  Does NSA have the ability to “replay” and attribute North Korean attacks on companies like Sony? And how do the last six NSA directors stack up against each other?  Those and other questions are answered by our guest for episode 122, Fred Kaplan, author of Dark Territory: The Secret History of Cyber War.

In the news roundup, we explore the British corollary of the Pottery Barn Rule:  “You Brexit, you owns it.”  As the UK and the EU struggle to deal with fallout from the historic UK vote, all the incentives seem to be in place for the EU to do what it does best:  vindicate the worst instincts of the European elite.  In the name of deterring other departures, the EU is unlikely to offer the UK much in the way of concessions.  On data protection, for example, Maury Shenk points out that the UK will likely have to keep its current law — and adapt to the new regulation — just to avoid a claim that British privacy law is inadequate.

In other news, DHS has released final guidelines for protecting privacy while sharing cyber threat information;  I think they’re pretty good.

Michael Vatis and I also puzzle over the dicta adopted in a recent EDVA opinion that the utter insecurity of personal computers leaves users without a reasonable expectation of privacy and allows the FBI to use hackers’ tools without a warrant.  I love it when a district court stakes out territory that makes even me feel like a civil libertarian.

The FTC drops a heavy fine on inMobi.  Michael points out the much heavier weaponry that COPPA allows the Commission to deploy in privacy cases that involve children.  But we have trouble mustering much sympathy for inMobi.

Finally, we’re still trolling for listener feedback on whether we should go to the trouble of trying to arrange CLE credit for listening to the podcast.  Based on reaction so far, we won’t.  So if you’d like to get CLE credit for the podcast, it’s time to send your vote to CyberlawPodcast@Steptoe.com.

As always, the Cyberlaw Podcast welcomes feedback. Send e-mail to CyberlawPodcast@steptoe.com  or leave a message at +1 202 862 5785.

Download the 122nd episode (mp3).

Subscribe to the Cyberlaw Podcast here. We are also now on iTunes, Pocket Casts, and Google Play!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Steptoe Cyberlaw Podcast – Interview with Jamie Smith

Posted in Blockchain, International, Virtual Currency

With Stewart on vacation, the blockchain takes over the podcast! In episode 121, Jason Weinstein and Alan Cohn talk all things bitcoin, blockchain, and distributed ledger technology, and interview Jamie Smith, Global Chief Communications Officer for the BitFury Group, one of the largest full-service blockchain technology companies.

In the news roundup, Alan led off with a discussion about Ethereum and the DAO, which of course begins by answering the question, “What is Ethereum and what is the DAO?” As Alan explains, Ethereum is a public blockchain similar to the Bitcoin blockchain, with code written in such a way as to optimize programming of “smart contracts,” self-executing contracts that transmit funds or take other actions based on the occurrence of defined events.  Ethereum is run by a non-profit organization, the Ethereum Foundation, and has its own native currency called Ether.  The DAO is an acronym for a “distributed autonomous organization,” which is essentially an organization that can operate in a decentralized manner (for example, on a blockchain) based on its programmed code rather than the actions of any governing individuals.  In this instance, “The DAO” is the first of these types of organizations, which was created to fund projects that would work on Ethereum.  For most of May, people could purchase DAO tokens using Ether, and the DAO tokens gave their holders the ability to vote “Yes” or “No” on funding proposals made to the DAO by companies or individuals wanting to build things.  The submission of proposals, the voting, and the funding of projects were all programmed to take place essentially without human intervention, all based on the DAO’s programmed code.  (Whew!)

Now for the news—the first major splash made by the DAO was not the funding of its first project, but rather an attacker’s “recursive call” attack which allowed him/her/them to withdraw approximately 3.6 million Ether—worth about $55M at the time of the attack—by exploiting an element of the code meant to allow people to withdraw from the DAO and convert their DAO tokens back to Ether. As Alan explained (and probably needed a glass of water and maybe a snack by this point), the DAO’s creators and the Ethereum Foundation were left with only a few responses, none of them ideal: void the attacker’s transactions, but by doing so demonstrate that transactions on a public blockchain can be voided; lock up the funds and figure out the next steps, which probably leads to a voiding of the transaction; roll back the entire Ethereum ecosystem to just before the attack (kind of like reverting your iPhone to a backup), effectively constituting a “bailout” of the DAO; or conclude that “the code is its own documentation” and anything done under the code is permissible, which preserves the integrity of the DAO (and Ethereum) but leaves the attacker holding a lot of other people’s money.

For listeners who made it through all of that, Jason explained how the New York State Department of Financial Services issued its second BitLicense, this time to Ripple (the global settlement network, not the fortified wine), and at this pace, would get to double digits in terms of BitLicenses issued by 2022. Jason noted that this comes at the same time as industry efforts to focus attention on the dangers inherent in state-by-state licensing systems, although a single federal approach seems far off at this time.

Alan described the European Parliament’s recent resolution concerning virtual currencies, which was hailed as an anti-money laundering and counter terrorism financing action but in fact covers many aspects of virtual currencies and distributed ledger technology. The main headline was Parliament’s call on the European Commission to create a Task Force on virtual currencies.  Alan channels Stewart for a moment, noting that the resolution actually says that Parliament “recalls that the internet, despite attempts to promote a multi-stakeholder approach, is still governed by the National Telecommunication and Information Administration, an agency of the United States Department of Commerce.”  That must still sting.

Jason notes that the blockchain has also come to DC in a big way, with one day of a three-day symposium run by the Federal Reserve, the World Bank, and the International Monetary Fund dedicated to blockchain. The White House also got into the game, holding a FinTech summit with various White House and Administration officials.  The President’s Council of Advisors on Science and Technology heard from industry leaders on blockchain, and the White House Commission on Enhancing National Cybersecurity heard testimony on blockchain technology in one of its first meetings.

Finally, Alan reports on the Central Bank of Canada’s experiment with developing a digital version of the Canadian dollar based on blockchain technology. Dubbed “CAD-coin” and running on the “Jasper” Distributed Ledger Settlement Platform (rather than something more inspired and Canadian, like “Molson”), the Central Bank’s experiment with a private blockchain is meant to “better understand the technology first-hand,” and we applaud them for that.

In the interview, Jamie Smith first debunks rumors that she is, in fact, Satoshi Nakamoto, the original creator of Bitcoin (“We are all Satoshi,” Jamie graciously explains.) Jamie describes how she first got involved in the blockchain space, her experience leaving a comfortable post-Administration job at a global PR firm to join the BitFury Group, and her process of realizing that Bitcoin is not “criminal money” and that blockchain technology can change the world for the better.  Jamie describes recent initiatives backed by the BitFury Group, including the Blockchain Trust Accelerator launched in conjunction with the think tank New America and the National Democratic Institute, and the Global Blockchain Business Council.  Jamie also describes events at the second Blockchain Summit on Sir Richard Branson’s Necker Island (Jason attended the first Blockchain Summit last year, and Alan attended this year’s Summit).  Jamie gives a shout-out to the Blockchain Alliance, the organization co-founded by the Chamber of Digital Commerce and Coin Center to create a forum for the blockchain industry to engage with law enforcement (full disclosure: Steptoe serves as counsel to the Blockchain Alliance and Jason serves as its Director).

Next week, Stewart will be back and the podcast will turn back to cybersecurity issues. As always, the Cyberlaw Podcast welcomes feedback.  Send email to CyberlawPodcast@steptoe.com or leave a message at +1 (202) 862-5785.

Download the 121st episode (mp3).

Subscribe to the Cyberlaw Podcast here. We are also now on iTunes, Pocket Casts, and Google Play!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Steptoe Cyberlaw Podcast – News Round-Up with Paul Rosenzweig

Posted in Cybersecurity and Cyberwar, Data Breach, International, Security Programs & Policies

Podcast 120

European hypocrisy on data protection is a lot like the weather.  Everyone complains about it but no one does anything about it.  Until today.

In episode 120, we announce the launch of the Europocrisy Prize.  With the support of TechFreedom, we’re seeking tax-deductible donations for a prize designed to encourage the proliferation of Schrems-style litigation, but with a twist.  We’ll award the prize to anyone who brings complaints that force Europe to apply the same human rights and data export standards to Russia, China, and Saudi Arabia as it applies to the US.  More on the prize here.

We’re inspired to this announcement, because as Katie Cassel tells us in the news roundup, the data protection commissioner in Hamburg is hot-dogging on the privacy issue, and with relish. He has imposed fines on US companies for the offense of being caught by surprise when the Safe Harbor went down.  Naturally, as far as we can tell, no similar cases have been launched against Russia, China, or any of the other countries that never even bothered to negotiate over privacy with the EU.  The Europocrisy Prize, though, should go a long way to even the score.

We’re joined for the news roundup by Paul Rosenzweig of Red Branch Consulting, and he clues us in on the fight over ICANN’s future now being waged in Congress.  Meanwhile, Alan Cohn explains why standing is such a high threshold for data breach plaintiffs, leading us to muse on exactly how much harm we can show from the disclosure of our naked pictures on the internet (in contrast to viewers, for whom injury may be presumed).

I highlight a workmanlike opinion from Judge Doumar on the FBI’s remote hacking of child porn aficionados.  I also thank Sen. Cornyn and others on the Judiciary Committee for exposing just how little privacy groups care about ECPA reform.  Sen. Cornyn has offered an amendment that would give back to the FBI the NSL access they had in 2008 to electronic communications transactions records.  In order to keep Sen. Cornyn’s amendment off their reform bill, they’ve apparently ditched the whole bill.

In other privacy misrepresentation news, the UK press is full of headlines claiming that the “controversial” Investigatory Powers Act is moving forward “despite hacking and snooping fears.”  Clue for the press:  When the House of Commons vote to send a bill to the House of Lords is 444 to 69, calling it “controversial” just makes you look stupid and ideological.   Most significantly, the bill goes out of its way to make clear that, if Apple makes the same arguments in the UK that it made against the FBI, it will lose.  Tim Cook’s publicity campaign is really paying dividends, eh?

Katie explains the US Justice Department’s proposal to modify US law and streamline the production of electronic evidence to foreign governments.  If they do that without extracting an end to EU data export restraints, the DOJ’s license to practice diplomacy should be revoked.

In other news, the French government has convicted Uber and two of its executives of failing to show sufficient respect to French officialdom.  And the right to be forgotten turns out to be unworkable (who could have foreseen that!?).

Finally, we poll DHS alumni on whether the department’s cybersecurity organization, NPPD, should be raised to the status of a full-blown DHS component.  Suzanne Spaulding will be pleased with the answer.

Note:  Our interview with Rep. Will Hurd was delayed at the last moment, so we’re releasing it separately from the episode 120 news roundup.

As always, the Cyberlaw Podcast welcomes feedback.  Send email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 120th episode (mp3).

Subscribe to the Cyberlaw Podcast here. We are also now on iTunes, Pocket Casts, and Google Play!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.