
Steptoe Cyberblog

Steptoe Cyberlaw Podcast – Interview with Alan Cohn

Posted in China, Cybersecurity and Cyberwar, Data Breach, International, Privacy Regulation, Security Programs & Policies

Our guest for episode 63 of the Cyberlaw Podcast is Alan Cohn, former Assistant Secretary for Strategy, Planning, Analysis & Risk in the DHS Office of Policy and a recent addition at Steptoe.  Alan brings to bear nearly a decade of experience at DHS to measure the Department’s growth.  He explains how it has undertaken and largely delivered a new civilian cybersecurity infrastructure.  And, while Congress dithers, it has begun to build an information sharing network quite independent of the legislative incentives now on offer.  Alan also offers his insights into emerging technologies and the risks they may pose, including drones, sensors, and cryptocurrencies.

In the news roundup, the consensus story of the week is the return of Jason Weinstein from a five-week absence, only some of it justified by family vacation and other worthwhile endeavors.  In second place is the concerted European attack on Google and the rest of the US tech sector.  Michael Vatis and I mull over a high-ranking European official’s astonishing gaffe in admitting the truth behind the effort – that it’s an attempt to regulate US technology until European industry can compete.  Good luck with that.

In the House, Doug Kantor reminds us, it’s cyberweek, so the data breach law has immediately collapsed into such uncertainty that its Dem sponsor even voted to keep it in committee.  The bill has gone back to the shop for repairs to its bipartisan credentials, and the Obama administration, which says it supports a bill, seems to be keeping its distance from the messy business of actually legislating.

Meanwhile, Jason explains why cops are paying ransom to cybercrooks to get their data decrypted, Michael tells us a district court has given life to class action Google Wallet privacy claims under a sweeping theory, and I note that Julian Assange’s Wikileaks has hit a new low in offering a searchable database of stolen Sony email messages.  Finally, the SEC’s Mary Jo White is taking heat for standing in the way of ECPA amendments, and the Chinese technological autarky movement seems to be alive and well, with a little help from US companies.

As always, send your questions and suggestions for interview candidates to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the sixty-third episode (mp3).

Subscribe to the Cyberlaw Podcast here. We are also now on iTunes and Pocket Casts!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Steptoe Cyberlaw Podcast – Interview with Dmitri Alperovitch

Posted in China, Cybersecurity and Cyberwar, Data Breach, International, Privacy Regulation, Security Programs & Policies

Our guest for Episode 62 is Dmitri Alperovitch, co-founder and CTO of CrowdStrike Inc. and former Vice President of Threat Research at McAfee.  Dmitri unveils a new CrowdStrike case study in which his company was able to impose high costs on an elite Chinese hacking team.  The hackers steadily escalated the sophistication of their attacks on one of CrowdStrike’s customers until they finally unlimbered a zero-day.  When even that failed, and the producer was alerted to the vulnerability, the attackers found themselves still locked out and now down one zero-day.  We mull the possibility that there’s a glimmer of hope for defenders.

Dmitri and I also unpack the Great Cannon – China’s answer to 4Chan’s Low-Orbit Ion Cannon.  Citizen Lab’s report strongly suggests that the Chinese government used its censorship system to deliberately infect about 2% of the Baidu queries coming from outside China.  The government injected a script into the outsiders’ machines.  The script then DDOSed Github, a US entity that had been making the New York Times available to Chinese readers along with numerous open source projects.  The attack is novel, shows a creative and dangerous use of China’s Great Firewall, and provoked not the slightest response from the US government.  I ask why any company in the US that uses the Baidu search engine or serves China-based ads should not be required to notify users that their machines may be infected with hostile code before allowing them to receive ads or conduct searches.  Finally finding something good to say about the FTC’s jurisdiction I ask why it isn’t deceptive and unfair to automatically expose US consumers to such a risk.

In other news:  The courts are raking the Mississippi Attorney General over the coals for an ill-considered attack on Google. The DEA’s bulk collection program is still undercovered.  The FCC is racing the FTC to investigate big telecom and internet companies for privacy violations.  The Baker Plan for punishing North Korea in response to its attack on Sony has been implemented.  And I break out my suits and ties from the early 1990s to celebrate the return of split-key escrowed encryption and arguments over the meaning of CALEA.

As always, send your questions and suggestions for interview candidates to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the sixty-second episode (mp3).


Steptoe Cyberlaw Podcast – Interview with Joseph Nye

Posted in China, Cybersecurity and Cyberwar, Data Breach, International, Privacy Regulation, Security Programs & Policies

Our guest for episode 61 of the Cyberlaw podcast is Joseph Nye, former dean of the Kennedy School at Harvard and three-time national security official for State, Defense, and the National Intelligence Council.  We get a magisterial overview of the challenge posed by cyberweapons, how they resemble and differ from nuclear weapons, and (in passing) some tips on how to do cross-country skiing in the White Mountains.

In the news roundup, Meredith Rathbone explains details of the new sanctions program for those who carry out cyber attacks on US companies.  I mock the tech press reporters who think this must be about Snowden because, well, everything is about Snowden.  Michael Vatis endorses John Oliver’s very funny interview of Edward Snowden.  Not just funny, it’s an embarrassment to all the so-called journalists who’ve interviewed Snowden for the last year without once asking him a question that made him squirm.  In contrast, Oliver almost effortlessly exposes Snowden’s dissembling and irresponsibility.  He hits NSA below the belt as well.

Ben Cooper explains the Ninth Circuit decision refusing to apply disability accommodation requirements to web-only businesses (he filed an amicus brief in the case), and we speculate on the likelihood of a cert grant.

While we’re speculating on judicial outcomes, Maury Shenk takes us through the arguments over the data protection Safe Harbor before the European Court of Justice.  We both think the arguments suggest considerable hostility toward the Safe Harbor.  An unfavorable ECJ decision could greatly complicate the lives of companies that depend on it to allow extensive data transfers across the Atlantic.  And great complications are exactly what we expect.

As always, send your questions and suggestions for interview candidates to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the sixty-first episode (mp3).


Treasury Sanctions on Cyber Attackers

Posted in Cybersecurity and Cyberwar, Data Breach, Security Programs & Policies

The executive order allowing the President to impose OFAC sanctions on hackers is good news.  I’ve been calling on the government for several years to go beyond attribution to retribution.  See, for example this post from 2012, this Foreign Policy article, and this recent podcast with Juan Zarate.  Similar sentiments were expressed in a 2013 report by the American Bar Association.

The good news from the Sony case is how much better and faster we’ve gotten at attributing network espionage and network attacks.  But that won’t do much good until we can also punish those we identify.

This order offers a real possibility that we can.  Even the hackers don’t want to work for government forever; they hope to run startups just like everybody else, but that will be hard with an OFAC sanction hanging over their heads.

And the companies that benefit from stolen trade secrets could also find themselves sanctioned, since the order extends to them as well. Sanctions can be applied to any company that is:

responsible for or complicit in, or to have engaged in, the receipt or use for commercial or competitive advantage or private financial gain, or by a commercial entity, outside the United States of trade secrets misappropriated through cyber-enabled means knowing they have been misappropriated, where the misappropriation of such trade secrets is reasonably likely to result in, or has materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States.

The program is a bit of an empty shell right now:  it authorizes but doesn’t apply sanctions to any hackers.  But if it’s used wisely it could be a game changer — the first real deterrent to cyberspying and cyberattacks.

Why the House Information-Sharing Bill Could Actually Deter Information Sharing

Posted in Cybersecurity and Cyberwar, Privacy Regulation, Security Programs & Policies

The House Intelligence Committee has now adopted a manager’s amendment to what it’s now calling the “Protecting Cyber Networks Act.”  Predictably, privacy groups are already inveighing against it.

Steptoe Cyberlaw Podcast – Interview with Paul Rosenzweig

Posted in China, Cybersecurity and Cyberwar, Data Breach, International, Privacy Regulation, Security Programs & Policies

Episode 60 of the Cyberlaw Podcast features Paul Rosenzweig, founder of Red Branch Consulting PLLC and Senior Advisor to The Chertoff Group.  Most importantly he was a superb Deputy Assistant Secretary for Policy in the Department of Homeland Security when I was Assistant Secretary.

Paul discourses on the latest developments in ICANN, almost persuading me that I should find them interesting.  He expresses skepticism about the US government’s effort to win WTO scrutiny of China’s indigenous bank technology rules; he also sees the DDOS attack on GitHub as a cheap exercise in Chinese extraterritorial censorship.

Michael Vatis, meanwhile, fills us in on two new cyberlaw cases whose importance is only outweighed by their weirdness.  And I dissect the House cybersecurity information sharing bill, concluding that it has gone so far to appease the unappeasable privacy lobby that it may actually discourage information sharing.

As always, send your questions and suggestions for interview candidates to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the sixtieth episode (mp3).


Steptoe Cyberlaw Podcast – Interview with Richard Bejtlich

Posted in China, Cybersecurity and Cyberwar, Data Breach, International, Privacy Regulation, Security Programs & Policies

Richard Bejtlich is our guest for episode 59 of the Cyberlaw Podcast.  Richard is the Chief Security Strategist at FireEye, an adviser to Threat Stack, Sqrrl, and Critical Stack, and a fellow at Brookings.  We explore the significance of China’s recently publicized acknowledgment that it has a cyberwar strategy, FireEye’s disclosure of a gang using hacking to support insider trading, and NSA director Rogers’s recent statement that the US may need to use its offensive cyber capabilities in ways that will deter cyberattacks.

In the news roundup, class action defense litigator Jennifer Quinn-Barabanov explains why major automakers are facing cybersecurity lawsuits now, before car-hacking has caused any identifiable damage.  I explain how to keep your aging car and swap out its twelve-year-old car radio for a cool new Bluetooth enabled sound system.  Michael Vatis disassembles the “$10 million” Target settlement and casts doubt on how much victims will recover.

Michael also covers the approval by a Judicial Conference advisory committee of a rule allowing warrants to extend past judicial district lines, explaining why it may not be such a big deal.  Maury Shenk, former head of Steptoe’s London office and now a lawyer and a private equity investor and adviser, jumps in to discuss the Chinese cyberwar strategy document as well as China’s effort to exclude US technology companies from its market.

As always, send your questions and suggestions for interview candidates to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the fifty-ninth episode (mp3).


How Lawyers Can Deter the Cybertheft of Commercial Secrets

Posted in China, Cybersecurity and Cyberwar, International, Security Programs & Policies

Cyberspies can’t count on anonymity any more.

The United States (and the private security firm Mandiant) stripped a PLA espionage unit of its cover two years ago with a detailed description of the unit’s individual hackers; that report was followed by federal indictments of members of the unit that described them and their activities in great detail. More recently, the President outed North Korea for the attack on Sony. And as if to underscore the growing confidence of the intelligence community in its attribution capabilities, the Director of National Intelligence almost casually tagged Iran for a destructive cyberattack on Sheldon Adelson’s Las Vegas Sands gambling empire.

That’s good news, but it’s only a first step. To make a real difference, attribution has to yield more than talk.

Unfortunately, neither the companies victimized by network intrusions nor their governments have yet found ways to turn attribution into deterrence. No one expects to see members of the PLA in federal court any time soon. The administration’s public sanctions on North Korea were barely pinpricks. And Iran could be forgiven for concluding that its cyberattacks were rewarded by concessions in the nuclear enrichment negotiations.

But that’s not the last word. I attended a recent international conference where a surprising number of European officials signaled their eagerness to confront countries engaged in cyberespionage against their industries. They assumed that they could identify the countries that were stealing corporate secrets.

What they wanted were legal remedies — and remedies of a particular kind. They didn’t want to punish the hackers, who all too often are well protected by government. What they wanted was a way to punish the hackers’ customers — the state-owned companies who were benefiting from the theft of competitors’ intellectual property. Unlike the hackers, those companies can’t hide at home forever. To get the full benefit of their shiny new stolen technology, they have to sell their products globally. Which means they have to submit to the law and the jurisdiction of western nations.

But what law? Does a company victimized by cyberespionage have any legal remedies against the company that received the stolen data? That’s the question European (and American) trade officials were beginning to ask.

Faced with that question, I found three plausible legal remedies for companies that are victimized by hacking aimed at their corporate intellectual property. Here they are.

First, victims of cyberespionage could sue the foreign company benefiting from the theft of trade secrets. A company can be sued under the Uniform Trade Secrets Act (UTSA) if it uses “a trade secret of another without express or implied consent” and it “knew or had reason to know that [its] knowledge of the trade secret was derived from or through a person who had utilized improper means to acquire it.” UTSA § 1(2)(ii)(B)(II). So if the foreign company had reason to believe that it was receiving data stolen from a competitor’s network, it is at grave risk of liability under the UTSA.

The UTSA has been adopted in one form or another in forty-eight states, and plaintiffs can sue for damages, including “actual loss,” “unjust enrichment . . . that is not taken into account in computing actual loss,” and “exemplary damages” for “willful and malicious” violations. UTSA § 3(a), (b). All of those damages would seem to apply where the defendant was complicit in an attack on the plaintiff’s corporate network.

Second, the federal Computer Fraud and Abuse Act (CFAA) allows private suits against anyone who “intentionally accesses a computer without authorization,” obtains information, and causes at least $5,000 of loss. 18 U.S.C. § 1030(a)(2)(C). That certainly applies to the hackers themselves; but what about the recipients of the stolen data? They’re liable too, at least if they can be shown to have “conspired” with the intruders. 18 U.S.C. § 1030 (b). Proving conspiracy poses a higher hurdle than meeting the UTSA’s “reason to know” standard; some courts say that a charge of conspiracy requires “specific allegations of an agreement and common activities.” See, e.g., NetApp, Inc. v. Nimble Storage, Inc., No. 5:13-cv-05058, 2014 WL 1903639, at *13 (N.D. Cal. May 12, 2014). But there will be many times when the evidence strongly suggests both. For example, if the theft of data was more than just a one-off event, there is every reason to believe that the beneficiary of the thefts was actively telling the thieves what to steal.

A third remedy is section 337 of the Tariff Act of 1930. It allows the International Trade Commission (ITC) to bar the importation of goods produced using stolen trade secrets. The ITC may exclude such goods from the United States if they are the result of “unfair methods of competition . . . the threat or effect of which is to destroy or substantially injure an industry in the United States.” 19 U.S.C. § 1337(a), (d). “Unfair methods of competition” includes a federal common law cause of action for the theft of trade secrets, which closely mirrors the provisions of the UTSA. See TianRui Grp. Co. v. Int’l Trade Comm’n, 661 F.3d 1322, 1327–28 (Fed. Cir. 2011). A complaint can be filed in the ITC even if the theft of trade secrets occurred abroad, so long as the theft violated the laws of the place where the secret was stolen. Id. at 1328. Although Section 337 does not allow for the recovery of money damages, a victim of commercial cyberespionage can at least make sure he’s not competing in the United States against products that are produced using his trade secrets and intellectual property.

In short, there are surprisingly robust legal remedies not just against cyberspies but against the companies who benefit from the spies’ intrusions. But that is not the end of the matter. Just having a good legal case does not mean that a victim will bring suit. There are plenty of practical reasons why a lawsuit might not be prudent even with the law on your side. But that’s a topic for another day, and another post.

Steptoe Cyberlaw Podcast – Interview with Dr. Andy Ozment

Posted in China, Cybersecurity and Cyberwar, Data Breach, International, Privacy Regulation, Security Programs & Policies

Stephanie Roy and Jason Weinstein

In episode 58 of the Cyberlaw Podcast, our guest is Andy Ozment, who heads the DHS cybersecurity unit charged with helping improve cybersecurity in the private sector and the civilian agencies of the federal government.  We ask how his agency’s responsibilities differ from NSA’s and FBI’s, quote scripture to question his pronunciation of ISAO, dig into the question whether sharing countermeasures is a prelude to cybervigilantism, and address the crucial question of how lawyers should organize cybersecurity information sharing organizations (hint:  the fewer lawyers and the more clients the better).  In the news roundup, we revisit the cybersecurity implications of net neutrality, and Stephanie Roy finds evidence that leads me to conclude that the FCC has stolen the FTC’s playbook (and, for all we know, deflated the FTC’s football).  This ought to at least help AT&T in its fight with the FTC over throttling, but that’s no sure bet.

I explain why Hillary Clinton’s email server was a security disaster for the first two months of her tenure – and engage in utterly unsupported speculation that she closed the biggest security gap in March 2009 because someone in the intelligence community caught foreign governments reading her mail.

In news with better grounding, the Wyndham case goes to the Third Circuit and the bench is hot.  We explain why this is good for Wyndham.  In other litigation news, the feds respond to Microsoft in the Irish warrant case.  Michael and I agree that the Justice Department is praying for a cold bench.

Finally, in two updates from earlier podcasts, it looks as though China may have backed down on backdoors, for now, so Silicon Valley can go back to worrying about Jim Comey.  And I explain my claim from last week that the FREAK vulnerability is over-hyped to support a simplistic civil libertarian morality tale.

As always, send your questions and suggestions for interview candidates to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the fifty-eighth episode (mp3).


Steptoe Cyberlaw Podcast – Interview with Mike Rogers

Posted in China, Cybersecurity and Cyberwar, Data Breach, International, Privacy Regulation, Security Programs & Policies

Rep. Mike Rogers, Stewart Baker, and Doug Kantor

This episode of the podcast features Rep. Mike Rogers, former chairman of the House intelligence committee, Doug Kantor, our expert on all things cyber in Congress, and Maury Shenk, calling in from London.  Mike Rogers is now a nationally syndicated radio host on Westwood One, a CNN national security commentator, and an adviser to Trident Capital’s new cybersecurity fund.  The former chairman addresses a host of issues – gaps in CFIUS, the future of the President’s new cyber threat integration center, the risk of rogue state cyberattacks on US infrastructure – as well as the issues we cover in the news roundup.  These include Maury’s take on China’s toughening policy toward US technology, the prospects for a workable bill renewing section 215 (the ex-chairman is not as sanguine as Doug Kantor and I) and the administration’s new privacy bill.  (Our take: the bill is ideal for the Twitter age, since you still have 137 characters left after typing “DOA.”)  Maury updates us on the latest reason for delay in adoption of a new European data protection regulation.  Doug Kantor and Mike Rogers consider the prospects for an information sharing bill and comment on privacy groups’ goalpost-moving style of congressional negotiation.  And, finally, I respond to Edward Snowden’s claim that he wants to move to Switzerland by reminding him (and the Swiss) what he said about them the last time he lived there.  (Said Snowden: “You guys can’t say I look gay any more.  I’m living in Switzerland.  I’m the straightest-looking man in the country,” Geneva is “nightmarishly expensive and horrifically classist,” and “I have never, EVER seen a people more racist than the swiss.”  Apparently a year in Moscow broadened his horizons.)

As always, send your questions and suggestions for interview candidates to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the fifty-seventh episode (mp3).
