Header graphic for print

Steptoe Cyberblog

Steptoe Cyberlaw Podcast – Interview with Matt Cutts and Lisa Wiswell

Posted in Cybersecurity and Cyberwar, Data Breach, International, Privacy Regulation, Security Programs & Policies

A record-setting insecurity week.

Our interview in episode 131 is with Matt Cutts and Lisa Wiswell from the Pentagon’s Defense Digital Service.  Matt joined the Digital Service from Google where he authored their SafeSearch content filter.  Lisa is a bureaucracy hacker with the Defense Digital Service and previously spent years working on cyber-warfare in DOD’s policy shop and in DARPA.  They both stress that the Service is looking for good code and policy hackers — and that their Digital Service recruiting link is https://www.usds.gov/join

After a musical intro featuring the Beatles as reimagined by artificial intelligence, Michael Vatis explains why Microsoft’s new German datacenters may succeed in putting customer data beyond the reach of US agencies, and why Microsoft might not want to state its goal quite that way.

Jennifer Quinn-Barabanov explains how a new lawsuit on behalf of Gilbert Chagoury will test whether the US government will punish leakers and whether the EU succeeds in its effort to get the Privacy Act to cover European nationals.

Jen and I also tackle the record-breaking Yahoo! breach, and what it says about the actual impact of data breach risk on companies and investors.  Jen reveals this shocking statistic: the median cost of a breach is $200,000 by some measures, hardly enough to get even the plaintiffs’ bar out of bed.  And, it turns out, nearly half of corporate GCs have already lived through a breach, so they likely know their own exposure pretty well.

Speaking of records, Brian Krebs, a podcast alum, experienced his own unenviable record: victim of world’s biggest DDOS attack, fueled by the Internet of things.  What next?  Networked Fords launching a denial of service attack on GM dealers?

Sliding seamlessly into the interview, Matt Cutts and I dive into the latest OpenSSL bug, the reasons Google launched BoringSSL, and the ways in which being boring is also being secure.  (As pretty much any overprotected ten-year-old boy could have told us.)

Matt and I debate whether SSL everywhere is just good, prudent security or the fruits of a Crypto Derangement Syndrome on the part of a Valley that hopes to secede from the United States (guess which side I took).

We take a long look at the Digital Service and what it has done so far. Lisa Wiswell brags on “Hacking the Pentagon,” which paid the first bug bounties ever offered by a US government agency. I congratulate her on avoiding the alternative ‒ filing a STFU lawsuit against the security researchers, unlike some I could mention (*cough* St. Judes *cough*).  This leads to a colloquy on what it will take to fix IT procurement in the US government.  We make a little progress, but find no silver bullets.

As always, the Cyberlaw Podcast welcomes feedback.  Send email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 131st episode (mp3).

Subscribe to the Cyberlaw Podcast here.  We are also on iTunes, Pocket Casts, and Google Play (available for Android and Google Chrome)!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Steptoe Cyberlaw Podcast – News Round-Up

Posted in Cybersecurity and Cyberwar, Data Breach, International, Privacy Regulation, Security Programs & Policies, Uncategorized

In a law-heavy news roundup, Katie Cassel and I talk about New York’s dangerously prescriptive cybersecurity regs for banks and insurers. Maury Shenk and I uncover the seamy industrial politics behind the EU’s latest copyright and telecom proposals.  The Sixth Circuit deepens a circuit split over standing and how much injury it takes to support a federal data breach lawsuit – and then, oddly, decides not to publish its opinion.  Michael Vatis explains.

In other news, Michael notes that the CFTC has adopted its own very prescriptive cybersecurity testing rules.  At least pen testers should be happy; their specialty is increasingly required by regulators.  Katie hoses me down on the significance of the Ninth Circuit’s latest “failure to warn” decision for section 230 of the Communications Decency Act.  Good news for section 230, not so much for Match.com.

Finally, the FTC continues to vie for the title of federal agency with the least sense of moderation. The FTC is opposing a motion to stay in the LabMD case.  Pending appeal, it wants to impose strict cybersecurity procedures on a business whose servers are probably stored in Mike Daugherty’s garage.  As Winston Churchill said about nuclear weapons, at some point all you’re doing it making the rubble bounce.

As always, the Cyberlaw Podcast welcomes feedback.  Send email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 130th episode (mp3).

Subscribe to the Cyberlaw Podcast here.  We are also on iTunes, Pocket Casts, and Google Play (available for Android and Google Chrome)!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Steptoe Cyberlaw Podcast – Interview with Ciaran Martin

Posted in Cybersecurity and Cyberwar, International, Security Programs & Policies

This week’s podcast interview is with Ciaran Martin, the chief executive of the UK’s National Cyber Security Centre.  While the US political climate makes it implausible that the National Security Agency would be asked to head a nationwide cybersecurity center designed to work with the private sector, that’s exactly the job that the United Kingdom given to GCHQ, the British equivalent of NSA.  I ask why, and a lot more too.

As always, the Cyberlaw Podcast welcomes feedback. Send email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 129a episode (mp3).

Subscribe to the Cyberlaw Podcast here. We are also on iTunes, Pocket Casts, and Google Play (available for Android and Google Chrome)!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Steptoe Cyberlaw Podcast – News Round-up with Phil West

Posted in China, Cybersecurity and Cyberwar, Data Breach, International, Security Programs & Policies

Ironman meets the Antideficiency Act

In episode 129, Alan Cohn and I dive deep on the Government Oversight committee’s predictably depressing and unpredictably entertaining report on the OPM hack. Cheeky Chinese hackers register their control sites to superhero alter egos.  And poor, patriotic Cytech finds an intruder during a sales demo, rushes to provide support without a contract, and ends up not just stiffed but accused of contributing to a violation the Antideficiency Act. The overmatched OPM security team launches a desperate operation Big Bang to oust one team of hackers, while another is safely ensconced in the network, biding its time before exfiltrating all its data.

And for those who’ve complained that we never talk about cybertax law, a feast: Steptoe’s premier international tax partner (and head of the firm) explains everything you need to know about the fight between Apple and the EU over Ireland’s tax regime for the company. I am shocked to discover that Brussels is doing, well, what Brussels usually does.

Alan and I talk about one more PlayPen decision, United States v. Torres. It may be the last word on the subject, in part because it’s so sensible (the FBI did perform a search, it had a warrant and probable cause, the warrant didn’t conform to Rule 41, but so what?  No suppression) and in part because the Supreme Court has agreed to change the Rule. I confidently predict that Sen. Wyden’s effort to stop the rule change will fail.

Download the 129th episode (mp3).

Subscribe to the Cyberlaw Podcast here. We are also on iTunes, Pocket Casts, and Google Play (available for Android and Google Chrome)!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Steptoe Cyberlaw Podcast – Interview with Scott DePasquale

Posted in Cybersecurity and Cyberwar, Data Breach, International, Security Programs & Policies

The podcast is back with a bang from hiatus. Our guest, Scott DePasquale, is the CEO of Utilidata, an electric utility IoT and cybersecurity company. Scott talks about his contribution to the Internet Security Alliance’s upcoming book, The Cyber Security Social Contract.

Episode 128 also brings you a news roundup from the most momentous August in cybersecurity history. Maury Shenk brings the SWIFT hack to life by describing his own brush with cyber bank fraud. I cover the Shadow Brokers’ disclosure of what most believe to be an NSA hacking toolkit. Meanwhile, Russia is hacking our political process and only the side whose ox is being gored seems to care.

The EU, with an instinct for the capillaries, continues to fight the US on these issues. Privacy Shield is up, and a lot of serious companies are signing up, despite the uncertainties. Maury and I note the entry of France and Germany into the Great Crypto World War – at a comfortably leisurely pace. And, in a welcome move, the European Court of Justice has reaffirmed that there are still some (modest and blurry) limits to the assertion of data protection jurisdiction over internet merchants.

The FTC had a busy month. It served LabMD a mess of home cookin’ and the company is now free to argue its case before an unbiased court of appeals. Speaking of which, the ninth circuit court of appeals shot down the FTC’s effort to steal the FCC’s common-carrier-regulating turf, and the FTC has finally deigned to notice (and even pat on the head) NIST’s Cybersecurity Framework.

The UK’s terror watchdog has more or less endorsed the value of bulk collection of personal data. And Baltimore has put it into effect, adopting an “eye in the sky” technology that has solved serious crimes without harming anyone’s privacy; naturally the privacy lobby is determined to make sure it’s never used again.

In privacy class action news, the lawyers for CareFirst deserve a bonus; they’ve now killed three class action cases (here, here, and here) where the breach was serious but the plaintiffs couldn’t claim that the stolen data was ever used to harm them. And Judge Koh, to her shame, has approved $4 million in legal fees for the lawyers who brought a class action against Yahoo! and settled for a no-damages injunction that lets Yahoo! keep reading its users emails, but after it’s been sent, not before.

As always, the Cyberlaw Podcast welcomes feedback. Send email to mailto:CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 128th episode (mp3).

Subscribe to the Cyberlaw Podcast here. We are also on iTunes, Pocket Casts, and Google Play (available for Android and Google Chrome)!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Steptoe Cyberlaw Podcast – Bonus Episode – Interview with Charles Allen and John McLaughlin

Posted in Cybersecurity and Cyberwar, Data Breach, International, Security Programs & Policies

127: Vlad’s Cojones

I know we promised to take August off, but I was inspired by the flap over the DNC hack and the fact that I’m at the Aspen Homeland Security Working Group meeting in Colorado. I waylaid two former intelligence community members on the Aspen campus and asked for their views on the DNC hack.  Well, to be accurate, I start the interview by asking whether Putin really has the balls to step into the US electoral campaign in this way.  Answering the question are two men with the perspective of long years dealing with Soviet and then Russian intelligence:  Charles Allen, who became intelligence chief for DHS after a full career at CIA, and John McLaughlin, who ended his career at CIA as the Deputy Director and Acting Director.

As always, the Cyberlaw Podcast welcomes feedback. Send email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 127th episode (mp3).

Subscribe to the Cyberlaw Podcast here. We are also now on iTunes, Pocket Casts, and Google Play!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Steptoe Cyberlaw Podcast – Interview with Ed Hammersla and Brian White

Posted in Cybersecurity and Cyberwar, Data Breach, International, Privacy Regulation, Security Programs & Policies

Episode 126 – The podcast goes to the conventions

If Vladimir Putin can do it, so can we. This week the podcast dives deep into the US presidential campaign.

I of course talk with Maury Shenk about evidence that the Russians are behind “Guccifer 2.0” and the DNC data leak – aided by a Wikileaks that looks more and more like an FSB front.  I compare the largely indistinguishable Dem and GOP platform planks on encryption ‒ and draw a lesson from the straddles:  there’s little doubt that every lobbyist who contributed to the platforms was working for Silicon Valley, so the failure to endorse the Valley’s view may spell trouble for techie triumphalism.  I also spike the football for the Justice Department, whose policy views on the dangers of hacking back were swamped when the GOP called for letting victims of hacking have their way with the hackers.

Our interview this week touches on the insider threat. Andy Irwin describes the new DOD rule requiring contractors to devise insider monitoring plans for cleared personnel, and two industry leaders, Ed Hammersla, CSO of Forcepoint, and Brian White, COO of RedOwl Analytics, talk about what technology can do to spot incipient employee defections and data theft.  A discussion of the role of natural language processing naturally reminds me of George Carlin and the seven dirty words you can’t say on the radio.

In other news, Katie Cassel unpacks another in a long line of increasingly incoherent 9th Circuit rulings on when it violates the CFAA for unwanted visitors to log on to a site.  Katie also explains why the outcome of another data breach lawsuit might persuade Scottrade to change its name to Scot-Free.

Maury updates us on UK politics, from Theresa May’s honeymoon to the possibility that UK data retention law will survive review in the European Court of Justice.  I flag a good (and, sadly, already outdated) House Homeland Security Committee report on 100 ISIS-linked terror plots against the West since 2014, a surprise reprieve for Silent Circle, and Whatsapp’s continuing “If it’s Tuesday we must be shut down; if it’s Wednesday we must be back up” drama in Brazil.

As always, the Cyberlaw Podcast welcomes feedback.  Send email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 126th episode (mp3).

Subscribe to the Cyberlaw Podcast here. We are also now on iTunesPocket Casts, and Google Play!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

New “Insider Threat” Programs Required for Cleared Contractors

Posted in Security Programs & Policies

On May 18, 2016, the Department of Defense published “Change 2” to the National Industrial Security Program Operating Manual (NISPOM) that requires contractors to establish and maintain a program to detect, deter and mitigate insider threats by November 30, 2016.  Although cleared contractors are already obligated to protect classified information to which they have access, these changes to the NISPOM impose new requirements for contractors to implement programs that the US Government hopes will provide some ability to predict the future, i.e., a “risk” of or “potential” insider threat before one occurs.  More information can be found here.

Steptoe Cyberlaw Podcast – Interview with Jeremy and Ariel Rabkin

Posted in Cybersecurity and Cyberwar, Data Breach, International, Privacy Regulation, Security Programs & Policies

Podcast 125In the news roundup, Michael Vatis covers Microsoft’s surprising Second Circuit victory over the Justice Department in litigation over a warrant for data stored in Ireland.  The hidden issue in that case was data localization – the same issue driving the Justice Department’s new legislative proposal to allow foreign nations to obtain information from US data repositories.  That proposal is unpacked by special guest David Kris, former Assistant Attorney General for National Security and author of the treatise, National Security Investigations and Prosecutions.

In other news, LabMD has found yet another defendant in its campaign against Tiversa.  Michael discusses what may be the first judicial decision requiring a warrant to use a Stingray to locate a criminal suspect.  And HHS tries to achieve a plausible policy goal with an overreaching legal interpretation; as Michael explains, the result could be massive unintended consequences.

In quick hits: more evidence that foreign nations are targeting our energy grid, FDIC engages in a surprisingly successful breach cover-up, a Chinese browser sends data back to China unmolested (all because we still haven’t funded the Europocrisy Prize, I argue), and the cyberwar on ISIS is going slowly, mainly, I argue, because cyberwar on ISIS is not all that good an idea.

What’s the argument in favor of hacking back that is best calculated to infuriate the State Department? We talk hackback with the father and son team that produced a thoughtful paper on the topic for the Hoover Institution.  Jeremy, a law professor at the Scalia Law School, and his son, Ariel Rabkin, a computer scientist out of Berkeley, have the expertise to deal gracefully and concisely with the policy debate over hacking back.  Their proposal charts a middle ground while cheerfully eviscerating State’s hand-wringing about the international consequences of permitting hacking victims to act outside their networks.  Bonus feature:  lifetime career advice from yours truly!

As always, the Cyberlaw Podcast welcomes feedback.  Send email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 125th episode (mp3).

Subscribe to the Cyberlaw Podcast here. We are also now on iTunesPocket Casts, and Google Play!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

 

Steptoe Cyberlaw Podcast – Interview with Congressman Will Hurd (R-TX)

Posted in Cybersecurity and Cyberwar, International

What’s the difference between serving in Congress and spying in the back alleys of a Middle Eastern bazaar? Why not ask the one Congressman who’s done both – Rep. Will Hurd (R-TX). He also has cybersecurity chops from his career in industry, so he makes the perfect guest for episode 124a of the podcast. Just running through his week takes us from the difficulty of setting red lines in cyberspace to what we know about foreign penetration of the Clinton email server. But we manage as well to cover the declining fortunes of the Massie-Lofgren amendment and the reasons (and possible cures) for the disaster that is federal IT procurement.

As always, the Cyberlaw Podcast welcomes feedback.  Send email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 124th(a) episode (mp3).

Subscribe to the Cyberlaw Podcast here. We are also now on iTunesPocket Casts, and Google Play!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.