Steptoe Cyberblog

Steptoe Cyberlaw Podcast – Interview with Fred Kaplan

Posted in Cybersecurity and Cyberwar, International, Privacy Regulation, Security Programs & Policies

Was Iran’s cyberattack that bricked vast numbers of Saudi Aramco computers justified by a similar attack on the National Iranian Oil Company a few months earlier? Does NSA have the ability to “replay” and attribute North Korean attacks on companies like Sony? And how do the last six NSA directors stack up against each other? Those and other questions are answered by our guest for episode 122, Fred Kaplan, author of Dark Territory: The Secret History of Cyber War.

In the news roundup, we explore the British corollary of the Pottery Barn Rule: “You Brexit, you own it.” As the UK and the EU struggle to deal with fallout from the historic UK vote, all the incentives seem to be in place for the EU to do what it does best: vindicate the worst instincts of the European elite. In the name of deterring other departures, the EU is unlikely to offer the UK much in the way of concessions. On data protection, for example, Maury Shenk points out that the UK will likely have to keep its current law — and adapt to the new regulation — just to avoid a claim that British privacy law is inadequate.

In other news, DHS has released final guidelines for protecting privacy while sharing cyber threat information; I think they’re pretty good.

Michael Vatis and I also puzzle over the dicta adopted in a recent EDVA opinion that the utter insecurity of personal computers leaves users without a reasonable expectation of privacy and allows the FBI to use hackers’ tools without a warrant.  I love it when a district court stakes out territory that makes even me feel like a civil libertarian.

The FTC drops a heavy fine on inMobi.  Michael points out the much heavier weaponry that COPPA allows the Commission to deploy in privacy cases that involve children.  But we have trouble mustering much sympathy for inMobi.

Finally, we’re still trolling for listener feedback on whether we should go to the trouble of trying to arrange CLE credit for listening to the podcast.  Based on reaction so far, we won’t.  So if you’d like to get CLE credit for the podcast, it’s time to send your vote to CyberlawPodcast@Steptoe.com.

As always, the Cyberlaw Podcast welcomes feedback. Send e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 122nd episode (mp3).

Subscribe to the Cyberlaw Podcast here. We are also now on iTunes, Pocket Casts, and Google Play!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Steptoe Cyberlaw Podcast – Interview with Jamie Smith

Posted in Blockchain, International, Virtual Currency

With Stewart on vacation, the blockchain takes over the podcast! In episode 121, Jason Weinstein and Alan Cohn talk all things bitcoin, blockchain, and distributed ledger technology, and interview Jamie Smith, Global Chief Communications Officer for the BitFury Group, one of the largest full-service blockchain technology companies.

In the news roundup, Alan led off with a discussion about Ethereum and the DAO, which of course begins by answering the question, “What is Ethereum and what is the DAO?” As Alan explains, Ethereum is a public blockchain similar to the Bitcoin blockchain, with code written in such a way as to optimize programming of “smart contracts,” self-executing contracts that transmit funds or take other actions based on the occurrence of defined events.  Ethereum is run by a non-profit organization, the Ethereum Foundation, and has its own native currency called Ether.  The DAO is an acronym for a “distributed autonomous organization,” which is essentially an organization that can operate in a decentralized manner (for example, on a blockchain) based on its programmed code rather than the actions of any governing individuals.  In this instance, “The DAO” is the first of these types of organizations, which was created to fund projects that would work on Ethereum.  For most of May, people could purchase DAO tokens using Ether, and the DAO tokens gave their holders the ability to vote “Yes” or “No” on funding proposals made to the DAO by companies or individuals wanting to build things.  The submission of proposals, the voting, and the funding of projects were all programmed to take place essentially without human intervention, all based on the DAO’s programmed code.  (Whew!)

Now for the news—the first major splash made by the DAO was not the funding of its first project, but rather an attacker’s “recursive call” attack which allowed him/her/them to withdraw approximately 3.6 million Ether—worth about $55M at the time of the attack—by exploiting an element of the code meant to allow people to withdraw from the DAO and convert their DAO tokens back to Ether. As Alan explained (and probably needed a glass of water and maybe a snack by this point), the DAO’s creators and the Ethereum Foundation were left with only a few responses, none of them ideal: void the attacker’s transactions, but by doing so demonstrate that transactions on a public blockchain can be voided; lock up the funds and figure out the next steps, which probably leads to a voiding of the transactions; roll back the entire Ethereum ecosystem to just before the attack (kind of like reverting your iPhone to a backup), which effectively constitutes a “bailout” of the DAO; or conclude that “the code is its own documentation” and anything done under the code is permissible, which preserves the integrity of the DAO (and Ethereum) but leaves the attacker holding a lot of other people’s money.

For listeners who made it through all of that, Jason explained how the New York State Department of Financial Services issued its second BitLicense, this time to Ripple (the global settlement network, not the fortified wine), and at this pace, would get to double digits in terms of BitLicenses issued by 2022. Jason noted that this comes at the same time as industry efforts to focus attention on the dangers inherent in state-by-state licensing systems, although a single federal approach seems far off at this time.

Alan described the European Parliament’s recent resolution concerning virtual currencies, which was hailed as an anti-money laundering and counter-terrorism financing action but in fact covers many aspects of virtual currencies and distributed ledger technology. The main headline was Parliament’s call on the European Commission to create a Task Force on virtual currencies. Alan channels Stewart for a moment, noting that the resolution actually says that Parliament “recalls that the internet, despite attempts to promote a multi-stakeholder approach, is still governed by the National Telecommunication and Information Administration, an agency of the United States Department of Commerce.” That must still sting.

Jason notes that the blockchain has also come to DC in a big way, with one day of a three-day symposium run by the Federal Reserve, the World Bank, and the International Monetary Fund dedicated to blockchain. The White House also got into the game, holding a FinTech summit with various White House and Administration officials.  The President’s Council of Advisors on Science and Technology heard from industry leaders on blockchain, and the White House Commission on Enhancing National Cybersecurity heard testimony on blockchain technology in one of its first meetings.

Finally, Alan reports on the Central Bank of Canada’s experiment with developing a digital version of the Canadian dollar based on blockchain technology. Dubbed “CAD-coin” and running on the “Jasper” Distributed Ledger Settlement Platform (rather than something more inspired and Canadian, like “Molson”), the Central Bank’s experiment with a private blockchain is meant to “better understand the technology first-hand,” and we applaud them for that.

In the interview, Jamie Smith first debunks rumors that she is, in fact, Satoshi Nakamoto, the original creator of Bitcoin (“We are all Satoshi,” Jamie graciously explains.) Jamie describes how she first got involved in the blockchain space, her experience leaving a comfortable post-Administration job at a global PR firm to join the BitFury Group, and her process of realizing that Bitcoin is not “criminal money” and that blockchain technology can change the world for the better.  Jamie describes recent initiatives backed by the BitFury Group, including the Blockchain Trust Accelerator launched in conjunction with the think tank New America and the National Democratic Institute, and the Global Blockchain Business Council.  Jamie also describes events at the second Blockchain Summit on Sir Richard Branson’s Necker Island (Jason attended the first Blockchain Summit last year, and Alan attended this year’s Summit).  Jamie gives a shout-out to the Blockchain Alliance, the organization co-founded by the Chamber of Digital Commerce and Coin Center to create a forum for the blockchain industry to engage with law enforcement (full disclosure: Steptoe serves as counsel to the Blockchain Alliance and Jason serves as its Director).

Next week, Stewart will be back and the podcast will turn back to cybersecurity issues. As always, the Cyberlaw Podcast welcomes feedback.  Send email to CyberlawPodcast@steptoe.com or leave a message at +1 (202) 862-5785.

Download the 121st episode (mp3).


Steptoe Cyberlaw Podcast – News Round-Up with Paul Rosenzweig

Posted in Cybersecurity and Cyberwar, Data Breach, International, Security Programs & Policies

European hypocrisy on data protection is a lot like the weather. Everyone complains about it but no one does anything about it. Until today.

In episode 120, we announce the launch of the Europocrisy Prize. With the support of TechFreedom, we’re seeking tax-deductible donations for a prize designed to encourage the proliferation of Schrems-style litigation, but with a twist. We’ll award the prize to anyone who brings complaints that force Europe to apply the same human rights and data export standards to Russia, China, and Saudi Arabia as it applies to the US. More on the prize here.

We’re inspired to make this announcement because, as Katie Cassel tells us in the news roundup, the data protection commissioner in Hamburg is hot-dogging on the privacy issue, and with relish. He has imposed fines on US companies for the offense of being caught by surprise when the Safe Harbor went down. Naturally, as far as we can tell, no similar cases have been launched against Russia, China, or any of the other countries that never even bothered to negotiate over privacy with the EU. The Europocrisy Prize, though, should go a long way to even the score.

We’re joined for the news roundup by Paul Rosenzweig of Red Branch Consulting, and he clues us in on the fight over ICANN’s future now being waged in Congress.  Meanwhile, Alan Cohn explains why standing is such a high threshold for data breach plaintiffs, leading us to muse on exactly how much harm we can show from the disclosure of our naked pictures on the internet (in contrast to viewers, for whom injury may be presumed).

I highlight a workmanlike opinion from Judge Doumar on the FBI’s remote hacking of child porn aficionados.  I also thank Sen. Cornyn and others on the Judiciary Committee for exposing just how little privacy groups care about ECPA reform.  Sen. Cornyn has offered an amendment that would give back to the FBI the NSL access they had in 2008 to electronic communications transactions records.  In order to keep Sen. Cornyn’s amendment off their reform bill, they’ve apparently ditched the whole bill.

In other privacy misrepresentation news, the UK press is full of headlines claiming that the “controversial” Investigatory Powers Act is moving forward “despite hacking and snooping fears.” Clue for the press: When the House of Commons vote to send a bill to the House of Lords is 444 to 69, calling it “controversial” just makes you look stupid and ideological. Most significantly, the bill goes out of its way to make clear that, if Apple makes the same arguments in the UK that it made against the FBI, it will lose. Tim Cook’s publicity campaign is really paying dividends, eh?

Katie explains the US Justice Department’s proposal to modify US law and streamline the production of electronic evidence to foreign governments.  If they do that without extracting an end to EU data export restraints, the DOJ’s license to practice diplomacy should be revoked.

In other news, the French government has convicted Uber and two of its executives of failing to show sufficient respect to French officialdom.  And the right to be forgotten turns out to be unworkable (who could have foreseen that!?).

Finally, we poll DHS alumni on whether the department’s cybersecurity organization, NPPD, should be raised to the status of a full-blown DHS component.  Suzanne Spaulding will be pleased with the answer.

Note:  Our interview with Rep. Will Hurd was delayed at the last moment, so we’re releasing it separately from the episode 120 news roundup.

Download the 120th episode (mp3).


Steptoe Cyberlaw Podcast – Interview with Kevin Kelly

Posted in Cybersecurity and Cyberwar, Data Breach, International, Privacy Regulation, Security Programs & Policies

Our guest for episode 119 is Kevin Kelly, founding executive editor of Wired Magazine and author of The Inevitable: Understanding the 12 Technological Forces that will Shape our Future. Kevin and I share many views – from skepticism about the recording industry’s effort to control their digital files to a similar skepticism about EFF’s effort to control private data – but he is California sunny and I am East Coast dark about where emerging technology trends are taking us. The conversation ranges from Orwell and the Wayback Machine to the disconcerting fluidity and eternal noobie-ness of today’s technological experience. In closing, Kevin sketches a quick but valuable glimpse of where technology could take us if it comes from Shenzhen rather than Mountain View, as it likely will.

FAR Council Issues Rule on Basic Safeguarding of Covered Contractor Information Systems

Posted in Cybersecurity and Cyberwar, Privacy Regulation, Security Programs & Policies

On May 16, four years after issuing a proposed rule, the FAR Council issued a final cybersecurity-related rule that reaches deep into the supply chain and is applicable to virtually all government contractors and subcontractors. The rule establishes a new FAR subpart 4.19 and a clause 52.204-21, both of which are entitled “Basic Safeguarding of Covered Contractor Information Systems.” The rule is effective for solicitations issued on or after June 15, 2016. A copy is available here.

Steptoe Cyberlaw Podcast – Interview with Patrick Gray

Posted in Cybersecurity and Cyberwar, Data Breach, International, Privacy Regulation, Security Programs & Policies

Our guest, Patrick Gray, is the host of the excellent Risky Business security podcast. He introduces us to the cybersecurity equivalent of decapitation by paper cut and offers a technologist’s take on multiple policy and legal issues. In the news roundup, Michael explains the many plaintiff-friendly rulings obtained by the banks suing Home Depot over its data breach. We wonder whether the rulings are so plaintiff-friendly that the banks will eventually regret their successes. Michael also explains just how deliberately meaningless is the Supreme Court decision in Spokeo, Inc. v. Robins.

Steptoe Cyberlaw Podcast – Interview with Dmitri Alperovitch

Posted in Blockchain, Cybersecurity and Cyberwar, Data Breach, International, Privacy Regulation, Security Programs & Policies, Virtual Currency

Ransomware is the new black. In fact, it’s the new China. So says our guest for episode 116, Dmitri Alperovitch, the CTO and co-founder of CrowdStrike. Dmitri explains why ransomware is so attractive financially – and therefore likely to get much worse very fast. He and I also explore the implications and attribution of the big bank hacks in Vietnam and Bangladesh.

Steptoe Cyberlaw Podcast – Interview with Orin Kerr

Posted in Cybersecurity and Cyberwar, Data Breach, International, Privacy Regulation, Security Programs & Policies

Does the FISA court perform a recognizably judicial function when it reviews 702 minimization procedures for compliance with the fourth amendment? Our guest for episode 115 is Orin Kerr, GWU professor and all-round computer crime guru, and Orin and I spend a good part of the interview puzzling over Congress’s mandate that the FISA court review what amounts to a regulation for compliance with an amendment that is usually invoked only in individual cases. Maybe, I suggest, the recent court ruling on 702 minimization and the fourth amendment doesn’t make sense from an article III point of view because the FISA judges long ago graduated from deciding cases and controversies to acting as special masters to oversee the intelligence community. We also explore an upcoming Orin Kerr law review piece on how judicial construction of the fourth amendment should be influenced by statutes that play in the same sandbox.

Cyber-Liability Insurance and the Retroactive Date Exclusion

Posted in Data Breach

Our colleague, Stephen O’Donnell, authored a blog post published by The D&O Diary. In it, he discusses two particular standard features of cyber liability insurance policies, the retroactive date and policy inception date exclusions, and the potential for these exclusions to preclude coverage for the very kind of exposures that are the reasons most purchasers buy the insurance. Cyber liability insurance is a relatively new product and many of the terms and conditions are as yet untested in the courts; we’ll be following this issue closely.