Header graphic for print

Steptoe Cyberblog

Steptoe Cyberlaw Podcast — Interview with John “Four” Flynn, Heather Adkins, and Troels Oerting

Posted in Cybersecurity and Cyberwar, International, Security Programs & Policies

In this episode, Stewart Baker goes to RSA and interviews the people that everyone at RSA is hoping to sell to – CISOs. In particular, John “Four” Flynn of Uber, Heather Adkins of Google, and Troels Oerting of Barclays Bank. We ask them what trends at RSA give them hope for the future, which make them weep, what’s truly new in cybersecurity, and what kind of help they would like from government.

While Stewart’s traveling, Alan Cohn takes over the news roundup. We start with some news from the RSA Conference keynotes. Brad Smith, President of Microsoft, called for a cyber “Geneva Convention” on behalf of the sovereign nation of Microsoft. And Rep. Michael McCaul (R-TX), chair of the House Committee on Homeland Security, announced his opposition to backdoors in encryption, lining up with former Secretary of Homeland Security Michael Chertoff and former NSA and CIA Director Michael Hayden but against current Attorney General Jeff Sessions and current FBI Director Jim Comey.

In news from across the pond, Maury takes us through the EU’s efforts to take on robots. We coin the term #EURobotHammer in the process (it’s complicated). Maury also tells us whether the Russians are hacking the French elections (it’s complicated).

Back stateside, Alan asks what the cyber implications are of “out like Flynn, in with McMaster” at the National Security Council. Alan also confides in us about White House staffers’ use of confidential messaging apps like Confide (see what I did there?).

Finally, Alan takes us through a few quick hits on CrowdStrike vs NSS Labs, the SASC’s new Cyber subcommittee, and Yahoo!’s $350M haircut.

As always, the Cyberlaw Podcast welcomes feedback. Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 151th episode (mp3).

Subscribe to the Cyberlaw Podcast here. We are also on iTunes, Pocket Casts, and Google Play (available for Android and Google Chrome)!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Cybersecurity and the Wassenaar Arrangement — What Needs to Be Done in 2017?

Posted in Cybersecurity and Cyberwar, International, Security Programs & Policies

Cyber threats move at Internet speed and so must cyber responders, to protect networks and data across the globe. Imagine the impact on cybersecurity if responders, innovators, and developers were told to pause and apply for an export license before responding to a threat. With a new round of international negotiations about to begin for the Wassenaar Arrangement, now is the time to press hard to arrive at a workable international standard that protects, rather than undermines, cybersecurity.

In 2013, the Wassenaar Arrangement, a 41-country international forum that seeks consensus among its members on dual-use export controls, adopted new controls on “intrusion software” and “carrier class network surveillance tools.” The purpose behind these controls is worthy: protecting human rights activists and political dissidents from surveillance by authoritarian governments.

Unfortunately, the approach proposed by the Wassenaar regulation misses the mark, and indeed, the controls would ultimately undermine that goal by making it harder for cyber responders to defend against the use of surveillance technologies. Because the regulation is so overly broad, it would require cyber responders and security researchers to obtain an export license prior to exchanging essential information to remediate a newly-identified network vulnerability, even when that vulnerability is capable of being exploited for purposes of surveillance. It would also require an onerous licensing process for sales of strong cybersecurity tools and services by companies around the world, and in some cases, could prohibit their sale altogether. Continue Reading

Steptoe Cyberlaw Podcast – Interview with Dominic Rochon and Patricia Kosseim

Posted in Cybersecurity and Cyberwar, Data Breach, International

Our interview features a classic “please don’t read this” headline: “Worthwhile Canadian Initiatives.”  We explore multiple worthwhile Canadian initiatives with Dominic Rochon, deputy chief of policy and communications for CSE, Canada’s version of the NSA and with Patricia Kosseim, general counsel and director general for policy at the Office of Canada’s Privacy Commissioner.  Among other things, we take a close look at Canada’s oversight regime for intelligence, in which a retired judge gets to exercise executive authority over the CSE – in contrast to the US system where active judges do the same but pretend they’re carrying out a judicial function.

In the news roundup, Judge Robart is doing his best to hog the judicial headlines, not only blocking the Trump administration’s immigration policy but giving support to Microsoft’s suit to overturn discovery gag orders en masse. His opinion allows Microsoft to proceed with a lawsuit claiming that gag orders violated the First Amendment.

The Trump Administration could soon begin asking foreigners coming to the United States — particularly from some Muslim-majority countries — to turn over their social media accounts and passwords.  This is a policy begun under the Obama administration and supported by bipartisan homeland security groups.  I predict that it will nonetheless soon be trashed by the press as an Evil Trump Initiative.

Tallinn 2.0 is out.  It applies international law to cyber activity at and below the threshold of armed conflict.  Color me skeptical.

The cybersecurity Executive Order that’s been hanging fire for weeks is still hanging fire.  A new draft has been leaked, though, and it’s better.

Hal Martin is indicted for stealing massive amounts of data from NSA and perhaps others.  According to a Washington Post report, US officials think Martin may have stolen 75%of the NSA’s hacking tools.  Ouch.

In other news, Rick Ledgett, the No. 2 official at the NSA is leaving but not because of Trump.  And Google has told several prominent journalists that state-sponsored hackers are trying to break into their inboxes.

As always, the Cyberlaw Podcast welcomes feedback.  Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 150th episode (mp3).

Subscribe to the Cyberlaw Podcast here.  We are also on iTunesPocket Casts, and Google Play (available for Android and Google Chrome)!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

2017 Global Cybersecurity Policy: Challenges & Highlights

Posted in Cybersecurity and Cyberwar, International

The growing dependence of states and societies on ICT systems means they face a higher risk of cyberattacks. Increasingly sophisticated hacking attacks target not only individual people and companies, but also highly developed countries. Although cyberattacks can have disastrous consequences, research shows that we still miss the mark in preparedness. Acknowledging the magnitude of the risk, global government decision-makers have made the security of cyberspace one of their highest priorities. Daniella Terruso and Adam Palmer, experts partnering with the Kosciuszko Institute, have outlined the major cybersecurity policy challenges for 2017.

Steptoe Cyberlaw Podcast – Interview with Jason Healey

Posted in Cybersecurity and Cyberwar, International, Privacy Regulation, Security Programs & Policies, Uncategorized

149:  Thigh-high boots and defense dominance

Our guest for episode 149 of the podcast is Jason Healey, whose Atlantic Council paper, “A Nonstate Strategy for Saving Cyberspace,” advocates for an explicit bias toward cyber defense and the private sector.  He responds well to my skeptical questioning, and even my suggestion that his vision of “defense dominance” would be more marketable if paired with thigh-high leather boots and a bull whip. #50ShadesofCyber.

In the news roundup, we experiment with, uh, actual legal discussion.  The Microsoft Ireland case has company; Google recently lost a similar argument before a magistrate judge – maybe because it couldn’t say where the data it wanted to protect from disclosure actually was.  Michael Vatis explains.

Meredith Rathbone and I take a victory lap over CNN and its reporters, noting that if they’d listened to the podcast, they’d have known a month early that US sanctions had unexpectedly prevented US companies from filing license applications with Russian intelligence agencies – and that allowing companies to make such filings wasn’t an opportunity for hyperventilating about President Trump’s bromance with Putin.

Michael and I also deconstruct Supreme Court nominee Neil Gorsuch’s opinion in US v. Ackerman.  The opinion calmly and clearly puts a hole below the waterline in a longstanding approach to collecting evidence in child porn cases.  If this case gives a clue to his jurisprudence, it seems unlikely that a Justice Gorsuch will be a pushover for government arguments.

Can American companies sue governments that hack them in the US?  I hope so, but that depends on whether the Foreign Sovereign Immunities Act provides protection for malware sent from abroad that does its damage here.  In an unlikely-bedfellows moment, I’m depending on EFF to make that argument to the DC Circuit.

And, to follow up on two stories we covered earlier, Brexit authority slips quickly through the House of Commons, while Google’s penny-pinching settlement of a massive “wiretapping” class action is approved over objections to the cy pres payments to the usual NGOs.

As always, the Cyberlaw Podcast welcomes feedback.  Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 149th episode (mp3).

Subscribe to the Cyberlaw Podcast here.  We are also on iTunesPocket Casts, and Google Play (available for Android and Google Chrome)!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

 

Steptoe Cyberlaw Podcast – Interview with Corin Stone

Posted in Cybersecurity and Cyberwar, International, Privacy Regulation

Our guest for episode 148 of the podcast is Corin Stone, the Executive Director of the National Security Agency.  Corin handles some tough questions – should the new team dump PPD-28, how is morale at the agency after the Snowden and Shadowbroker leaks, and will fully separating Cyber Command from NSA mean new turf fights?  I give Corin plenty of free advice and, more usefully, our first in-person award of the coveted Steptoe Cyberlaw Podcast coffee mug.

In the news, Alan Cohn and I cover the Second Circuit’s much-ado-about-nothing package of opinions on rehearing the Microsoft-Ireland case.

Maury and I discuss what the new White House executive order on the privacy rights of foreigners means – as well as Donald Trump’s meeting with Theresa May (including whether they talked about Russia sanctions).  Also on the agenda:  Has Donald Trump already surpassed Barack Obama’s lifetime record for holding hands with prominent White House visitors?

Speaking of Peter Thiel, Jennifer Quinn-Barabanov and I speculate about whether FTC commissioner Maureen Ohlhausen will pull the FTC back from the ledge on suing companies for security flaws that don’t cause demonstrable consumer harm.  And whether Peter Thiel is looking for someone else to chair the FTC.

In other news, no new executive order on cybersecurity yet, despite (or because of) the leaksChina disses attribution.  And ADT settles an early IOT security class action.

As always, the Cyberlaw Podcast welcomes feedback.  Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 148th episode (mp3).

Subscribe to the Cyberlaw Podcast here.  We are also on iTunesPocket Casts, and Google Play (available for Android and Google Chrome)!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

 

Steptoe Cyberlaw Podcast – Interview with Jack Goldsmith

Posted in Cybersecurity and Cyberwar, International, Privacy Regulation

147: Introducing the Herman Kahn of Cyberspace

Our guest interview is with Jack Goldsmith, Shattuck Professor of Law at Harvard and co-founder of Lawfare.  We explore his contrarian view of how to deal with Russian hacking, which leads to me praising (or defaming, take your pick) him as a Herman Kahn for cyberconflict.  Except what’s unthinkable in this case are his ideas for negotiating, not fighting, with the Russians.

In the news roundup, I ask Michael Vatis whether the wheels are coming off the FTC’s business model, as yet another company refuses to succumb to the commission’s genteel extortion. 

The Obama Administration came to an end last week, and its officials left behind a lot of paper to remind us why we’ll miss them — and why we won’t.  A basically sympathetic review of the administration’s cyber policies ends with a harsh judgment on President Obama: “He did almost everything right and it still turned out wrong.”

Among the leftovers served up last week: a farewell statement on privacy that seems unlikely to prove relevant in the new administration, a workman-like report on cyber incident responsea wistful FCC public safety bureau report on the commission’s cybersecurity initiatives, and a zombie notice that showed up in the Federal Register three days into the Trump administration, implementing the Umbrella Agreement on data protection with the EU.  Maury Shenk evaluates the agreement and its prospects.

And just to make sure we haven’t forgotten the new team’s rather different approach, it posted a policy statement on how good its cyber policy will be.  It reads, in its entirety, “Cyberwarfare is an emerging battlefield, and we must take every measure to safeguard our national security secrets and systems. We will make it a priority to develop defensive and offensive cyber capabilities at our U.S. Cyber Command, and recruit the best and brightest Americans to serve in this crucial area.”

I try a quick explanation of the flap between security researchers and the Guardian over an alleged “back door” in WhatsApp messaging.  Somehow, the Iran-Iraq war makes an appearance.

And, in a first for the Steptoe Cyberlaw Podcast, Alan Cohn reports as our roving foreign correspondent from, where else, Davos.  Want to know what the global 1% are worried about – other than you?  Alan has the answers.

As always, the Cyberlaw Podcast welcomes feedback.  Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 147th episode (mp3).

Subscribe to the Cyberlaw Podcast here.  We are also on iTunesPocket Casts, and Google Play (available for Android and Google Chrome)!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Steptoe Cyberlaw Podcast – News Roundup

Posted in Cybersecurity and Cyberwar, Data Breach, International, Privacy Regulation, Uncategorized

Posse Comitatus: Latin for “Get off my turf”?

Would it violate the Posse Comitatus Act to give DOD a bigger role in cybersecurity?  Michael Vatis and I call BS on the idea, which I ascribe to Trump Derangement Syndrome and Michael more charitably ascribes to a DOD-DHS turf fight.

Should the FDA allow implants of defibrillators with known security flaws – without telling the patients who are undergoing the surgery?  That’s the question raised by the latest security flaw announcement from the FDA, DHS, and St. Jude Medical (now Abbot Labs).

Repealing the FCC’s internet privacy regulations is well within Congress’s power if it acts soon, says Stephanie Roy, who stresses how rare it is for a Republican president to control both houses of Congress.  (And who says President Obama didn’t leave a legacy?)

The European Commission isn’t done complaining about US security programs, Maury Shenk tells us. Vera Jourova wants to know more about the US request that Yahoo! screen for certain identifiers and hand over what it finds.  That’s apparently too useful for finding terrorists to satisfy delicate European sensibilities.  Speaking of which, Angela Merkel is in the bulls-eye for Russian doxing.  And to hear Maury tell it, Russia has probably been collecting raw material for years.

Should we start treating Best Buy computer support as though its geeks work for the FBI?  And would that be a defense if they find bad stuff on our computers without a warrant?  Michael thinks it’s more complicated than that.

Speaking of overhyped stories, Michael and I unpack the claim that President Obama’s team is handing out access to raw NSA product with unseemly haste and enthusiasm.  In fact, this proposal has been kicking around the interagency for years, and the access is heavily circumscribed.  As for the haste, it could be the outgoing team is afraid its proposal will be unduly delayed – or that all its circumscribing will be second-guessed.  You make the call!

And for something truly new, we offer “call-in corrections,” as Nebraska law professor Gus Hurwitz tells us about the one time the FTC discussed the NIST Cyber Security Framework.  It’s safe to say that this correction won’t leave the FTC any happier than my original charge that the agency can’t get past “Hey! I was here first!”

As always, the Cyberlaw Podcast welcomes feedback.  Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 146th episode (mp3).

Subscribe to the Cyberlaw Podcast here.  We are also on iTunesPocket Casts, and Google Play (available for Android and Google Chrome)!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Steptoe Cyberlaw Podcast – Interview with Davis Hake and Nico Sell

Posted in Cybersecurity and Cyberwar, International, Security Programs & Policies

Episode 145:  What Donald Trump and “Occupy Wall Street” have in common

We interview two contributors to CSIS’s Cybersecurity Agenda for the 45th President.  Considering the track record of the last three Presidents, it’s hard to be optimistic, but Davis Hake and Nico Sell offer a timely look at some of the most pressing policy issues in cybersecurity.

In the news roundup, it’s more or less wall to wall President-elect Trump.  Michael Vatis, Alan Cohn, and I talk about Russian hacking, the American election, Putin’s longtime enthusiasm for insurgent movements from “Occupy Wall Street” to “Make America Great Again,” and the President-elect’s relationship with the intelligence community.

In other news, I’m forced to choose between dissing the New York Times and dissing Apple’s surrender to Chinese censorship.  Tough call, but I make it.  Speaking of censorship, Russia is rapidly following China’s innovation in app store regulation.  For legal antiquarians, I suggest that the Foreign Agent Registration Act deserves a comeback.

It seems to be solidarity week.  Lots of amici have leapt to support LabMD in court now that it looks like a winnerMeanwhile I stick up for Mike Masnick, the man who puts the dirt in Techdirt.  He may be an colorfully opinionated jerk, but he doesn’t deserve to be a defendant.  And I congratulate Lawfare for joining the Europocrisy campaign on Schrems and China.

As always, the Cyberlaw Podcast welcomes feedback.  Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 145th episode (mp3).

Subscribe to the Cyberlaw Podcast here.  We are also on iTunesPocket Casts, and Google Play (available for Android and Google Chrome)!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Steptoe Cyberlaw Podcast – News Roundup

Posted in Cybersecurity and Cyberwar, International, Security Programs & Policies

We start 2017 the way we ended 2016, mocking the left/lib bias of stories about intercept law.  Remember the European Court of Justice decision that undermined the UK’s new Investigatory Powers Act and struck down bulk data retention laws around Europe?  Yeah, well, not so much.  Maury Shenk walks us through the decision and explains that it allows bulk data retention to continue for “serious” crime, which is really the heart of the matter.

We can’t, of course, resist an analysis of the whole Russian election interference sanctions brouhaha.  The FBI/DHS report on Russian indicators in the DNC hack is taking on water, and its ambiguities have not been helped by a Washington Post article on alleged Russian intrusion into Vermont Yankee’s network.  That story had to be walked way back, from an implicit attack on the electric grid to an apparently opportunistic infection of one company laptop.  No one is surprised that there’s an increasingly partisan split over who’s going to answer the phone now that the 1980s really have called to get their foreign policy back.

Meredith Rathbone walks us through the revamp of the Obama Administration’s cyber sanctions in an attempt to address election meddling.  And we manage to find a legal twist to the new sanctions on the FSB.  Turns out that large numbers of US tech firms have to deal with the FSB, not as a buyer of services but as a regulator, both of encryption and intercepts inside Russia.  If the sanctions prohibit dealing with FSB as a regulator, Maury reports, they could end up imposing unintentionally broad restrictions on a lot of US companies doing business in Russia.

Meredith also updates us on the Wassenaar effort to control exports of “intrusion software” – which some European governments seem to want to regulate in a way that does maximum damage to cybersecurity.  The overreaching was blunted in a recent Wassenaar meeting, but not nearly as much as the US government – and industry – had hoped.  The issue won’t go away, but it will soon become an appropriate job for the author of “The Art of the Deal.”

Finally, Jennifer Quinn-Barabanov takes us on a tour of the dirtier back streets of privacy class action practice – otherwise known as cy pres awards and their challengers.  It sounds like “genteel corruption” to me, but you be the judge.

As always, the Cyberlaw Podcast welcomes feedback.  Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 144th episode (mp3).

Subscribe to the Cyberlaw Podcast here.  We are also on iTunesPocket Casts, and Google Play (available for Android and Google Chrome)!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.