
Steptoe Cyberblog

Steptoe Cyberlaw Podcast – Interview with David Kris

Posted in Cybersecurity and Cyberwar, Data Breach, International, Privacy Regulation, Security Programs & Policies

We devote episode 100 to “section 702” intelligence – the highly productive counterterrorism program that collects data on foreigners from data stored on US servers.  What’s remarkable about the program is its roots:  President Bush’s decision to ignore the clear language of FISA and implement collection without judicial approval.  That decision has now been ratified by Congress – and will be ratified again in 2017 when the authority for it ends.  But what does it say about the future of intelligence under law that our most productive innovation in intelligence only came about because the law was broken?  Our guest for the episode, David Kris, thinks that President Bush might have been able to persuade Congress to approve the program in 2001 if he’d asked.  David may be right; he is a former Assistant Attorney General for National Security, the coauthor of the premier sourcebook on intelligence under law, “National Security Investigations & Prosecutions,” and the General Counsel of Intellectual Ventures.  But what I find surprising is how little attention has been paid to the question.  How about it?  Is George Bush to FISA what Abraham Lincoln was to habeas corpus?

My interview with David leaves Lincoln to the history books and instead focuses entirely on section 702.  David lays out the half-dozen issues likely to be addressed during the debate over reauthorization, including the risk that the legislation will attract efforts to limit overseas signals intelligence, now governed mainly by Executive Order 12333.  He then pivots to the issues he thinks Congress should grapple with but probably won’t – from the growing ambiguity of location as a proxy for US citizenship to the failure of current intelligence law to adequately extract intelligence from the technologies that have emerged since 9/11, particularly social media and advertising technology.

Steptoe Cyberlaw Podcast – Interview with Amit Ashkenazi

Posted in Cybersecurity and Cyberwar, International, Privacy Regulation, Security Programs & Policies

Our guest is Amit Ashkenazi, whom I interviewed while in Israel.  Amit is Legal Advisor of The Israel National Cyber Bureau and a former general counsel to Israel’s data protection agency.  Israel is drafting its own cybersecurity act, and we discuss what if anything that country can learn from the US debate – and what the US can learn from Israel’s cybersecurity experience.  We explore the challenges Israel will face in trying to start a new cybersecurity agency, how Israel strikes the balance between security and privacy, the risks of using contractors to staff a new agency, the danger of stating agency authorities with too much specificity, and why the agency is likely to look more like DHS than the FBI.

Steptoe Cyberlaw Podcast – Interview with Melanie Teplinsky

Posted in Cybersecurity and Cyberwar, Data Breach, International, Privacy Regulation, Security Programs & Policies

If there really is another crypto war in Washington, then this week’s podcast features several war correspondents and at least one victim of PTSD.  Our guest is Melanie Teplinsky, former cybersecurity lawyer at Steptoe, adjunct professor at American University’s Washington College of Law, advisory board member for Crowdstrike, and a regular columnist on privacy and security issues for the Christian Science Monitor.

We cover crypto news from Davos to the New York legislature.  We also discuss my latest policy provocation, designed to unveil yet another example of European hypocrisy where privacy, data protection, and the United States are concerned.  Inspired by the still-stalled Safe Harbor talks, I announce plans to award a Europocrisy Prize for filings that force European data protection authorities to assess the adequacy of surveillance law in important European trading partners who aren’t the United States, such as China, Russia, Saudi Arabia, and Algeria.  Amazingly, in twenty years of bitter attacks on US privacy adequacy, that’s never been done.

We dig into several developments in the world of litigation.  Michael Vatis and Alan Cohn discuss several new cases:  a lawsuit claiming that fake emails should be covered by a forgery insurance policy, a hacked casino’s effort to recover from the security consultant that incorrectly told the casino its security problems had been solved, and a Minnesota decision that shoots down still more creative arguments for injury from the breach plaintiff’s bar.

Michael tells us why the FBI isn’t apologizing for running a child porn site for two weeks in order to catch pedophiles.  And I predict with a bit of enthusiasm that the Senate Judiciary Committee will add more conditions to the Judicial Redress Act, as Congressional patience with Europocrisy begins to wear thin.

Finally, Alan reveals that the Obama administration has just created the worst Schedule C job in government.

As always, the Cyberlaw Podcast welcomes feedback.  Send an e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the ninety-eighth episode (mp3).

Subscribe to the Cyberlaw Podcast here. We are also now on iTunes and Pocket Casts!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Steptoe Cyberlaw Podcast – Interview with John Lynch

Posted in Cybersecurity and Cyberwar, Data Breach, International, Privacy Regulation, Security Programs & Policies

Back for a rematch, John Lynch and I return to the “hackback” debate in episode 97, with Jim Lewis of CSIS providing color commentary.  John Lynch is the head of the Justice Department’s computer crime section.  We find more common ground than might be expected but plenty of conflict as well.  I suggest that Sheriff Arpaio in Arizona may soon be dressing hackers in pink while deputizing backhackers, while Jim Lewis focuses on the risk of adverse foreign government reactions.  We also consider when it’s lawful to use “web beacons” and whether trusted security professionals should be given more leeway to take action outside their customers’ networks.  In response to suggestions that those who break into hacker hop points might be sued by the third parties who nominally own those hop points, I suggest that those parties could face counterclaims for negligence.  We close with a surprisingly undogmatic discussion of Justice Department “no-action letters” for computer security practitioners considering novel forms of active defense.

FinTech Bits: Bitcoin and Terrorist Financing

Posted in Blockchain, Security Programs & Policies, Virtual Currency

Following the attacks in Paris and San Bernardino, polls show that Americans identify terrorism—more than any other issue—as the most important problem facing the US.  In this environment, some media outlets have predicted a pending “crackdown” on digital currencies, particularly by European governments, because of the risk that the technology could be used to fund terrorism.

But do digital currencies like bitcoin actually pose a unique threat when it comes to funding terrorist networks?  Jason Weinstein published a post on Medium earlier this week—“Combating Bitcoin Use by Terrorists?”—that seeks to answer this question.

Jason’s post applauds governments and law enforcement for increasing scrutiny on how terrorists communicate and fund their activities.  But a singular focus on digital currencies is misplaced.  According to a recent report from the UK Treasury, the money laundering risk posed by digital currencies is “low.”  Traditional banks, charities, and cash (of course) all pose a greater risk.  The public, permanent nature of bitcoin’s distributed ledger actually makes it easier for law enforcement to “follow the money” without the need for a subpoena or cooperation from a foreign government.   Law-abiding companies and emerging coalitions like the Blockchain Alliance have a crucial role to play, both by educating law enforcement, the media, and the public and by building the capacity to go after criminals and terrorists who may try to use digital currencies for nefarious purposes.

Time to Get Serious About Europe’s Sabotage of US Terror Intelligence Programs

Posted in Cybersecurity and Cyberwar, International, Privacy Regulation, Security Programs & Policies

The intelligence tools that protect us from terrorism are under attack, and from an unlikely quarter. Europe, which depends on America’s intelligence reach to fend off terrorists, has embarked on a path that will sabotage some of our most important intelligence capabilities. This crisis has been a long time brewing, and up to now, the US has responded with a patchwork of stopgap half-solutions.

That’s not likely to work this time. We need a new strategy.  And most of all, we need to get serious about defending US interests.

It’s no surprise that the US fight against terrorism depends crucially on the so-called 702 program, which allows the government to serve orders on social media, webmail, and electronic service providers who store their global customers’ data in the United States.

The intelligence we gather in this way protects Europe as much as the United States. Within days of the Paris attacks, the US agreed to give France direct access to much raw intelligence. Even more recently, the German government credited US (and French) intelligence with helping it thwart planned suicide bombings in Munich over the New Year holiday. The British communications intelligence agency, GCHQ, has a deeply integrated intelligence sharing arrangement with NSA. None of these countries, let alone the smaller members of the European Union, can hope to match the American intelligence resources that are now marshaled in their defense.

So it might seem odd that the European Union poses a threat to these capabilities. Odd but true.  The problem has deep roots in Europe’s dysfunctional governance structure and in the mix of dependence and resentment that shapes its relationship to the United States.  In the name of protecting privacy, the EU has long insisted that personal data may not be exported to other countries unless those countries provide “adequate” legal guarantees for privacy, and it has frequently threatened to cut off data flows to the United States because of differences in US and EU data protection law.

The threats were grounded partly in economic interest – keeping data processing jobs and companies in Europe – and partly in a European enthusiasm for expressing its moral superiority to the United States.  The EU and US have always been able to negotiate a solution as these crises have been created, but the dynamic changed this fall when the European Court of Justice (ECJ) was asked to rule on the adequacy of US privacy law.  Relying in part on irresponsible and inaccurate statements by the European Commission, the ECJ declared that the Commission had not justified a conclusion that United States surveillance oversight is “adequate.” It overturned the “Safe Harbor” that had allowed US companies to send customer data across the Atlantic.  Just as important, it authorized individual data protection agencies in each member state to adjudicate the lawfulness of data transfers to the United States. While the decisions of those agencies can be appealed, the EU has reached agreement on penalties for data protection violations that are a percentage of companies’ global revenue – billions of dollars in the case of big tech companies like Google and Microsoft.  With those penalties hanging over their heads, few companies will want to gamble that they’ll be vindicated on appeal.  The data protection agencies, meanwhile, are delighted to have the US and its tech companies in their sights; they’ve said that enforcement actions are likely to begin at the end of January.

The European Commission has been trying to reach a new agreement with the United States to reinstate the Safe Harbor; the US has provided assurances that our intelligence oversight meets European standards. (Indeed, it far exceeds anything that French or German or British intelligence agencies put up with.) But the Commission’s authority to bind the data protection authorities is in doubt, and it is increasingly under the thumb of a reflexively anti-American European Parliament, which will be inclined to reject or cavil at whatever it negotiates. As a result, the Commission has dug in its heels, demanding wide access to (and implicit authority over) US intelligence programs. There’s a high probability that no deal, or at least no good deal, can be reached with the Commission.

Weirdly, the European institutions that have created this mess have no serious responsibility for stopping terrorism or for collecting and using intelligence.  The European security agencies that have that responsibility are powerful in individual countries but have little sway in Brussels. This means that the machinery set in motion by the European Court of Justice will grind forward, with everyone doing what they’ve done before: The Commission will seek maximum concessions from US intelligence agencies. The European Parliament will deem the concessions insufficient. The data protection agencies will do all they can to punish American tech companies. Without a deal, tech companies may have to move their data centers out of the United States – making counterterrorism intelligence unavailable to our government. And they will be under heavy pressure to break with the US government on intelligence issues – to encrypt even more data to foil US intercepts, and to fight US intelligence orders in court and in Congress. US intelligence will suffer, perhaps greatly, and Europeans and Americans will be at greater risk of terrorist attacks.

In short, if all the players in this drama just keep doing what they’ve always done, the result will be a disaster for US (and European) counterterrorism efforts.  If we want to stave off that disaster, we have to shake up the peculiar European structures that are driving this outcome. We have to make clear that continued attempts to hold American companies hostage over intelligence collection are simply unacceptable to the United States. Up to now, the Administration has tried to appease Europe; it has not played hardball.  And Congress has been disappointingly inactive, except for the House of Representatives, which has gone from inactive to supine in a related dispute, proposing to amend US law to give greater privacy rights to Europeans even before the negotiations are complete.

What could the US do to change Europe’s negotiating calculus?  It’s not that hard, if we have the will. Congress (or, frankly, the President) could simply prohibit the sharing of intelligence with any country whose data protection agencies take action that has the effect of undermining US intelligence capabilities; this would certainly include punishing private companies that send data to the United States. Such a measure would make clear the connection between European data protectionism and our lost counterterrorism insights. While it is harsh to cut off intelligence to countries that are often allies against terrorism, the fact is that their policies will slowly cut off US access to terrorism intelligence. (We don’t have to cut off access across the board; the measure could allow exceptions when the President certifies the need to share particular intelligence, but broad intelligence sharing would be barred with any country that takes action against US data access.)

Such a measure has the advantage of putting the onus of solving the problem on individual member states – the entities responsible for national security and for the actions of the data protection agencies.  (It’s notable that data protection authorities have rarely or never tried to regulate their own national intelligence agencies; they don’t have the clout. Which strongly suggests that those agencies can bring the data protectors to heel if their access to US intelligence depends on it.) Negotiations with individual European nations, then, are far more likely to produce responsible results than negotiations with the neutered European Commission.

That’s one way of making clear to Europe that we’ve had enough. Here’s another. The US and Europe have been negotiating a Transatlantic Trade and Investment Partnership for years, and it’s likely that a deal will be presented to Congress for approval in 2016. This is part of the Obama administration’s ambitious effort to lock in a host of environmental, intellectual property, labor and trade policies via large multinational deals. You’d think that any effort to restrict protectionism and foster trade would address Europe’s data export restraints – probably the biggest trade issue between the US and the EU in the last fifteen years.  You’d be wrong.  Both the European Commission and the European Parliament have taken data protectionism off the table in this trade deal, insisting that their current rules must be untouched. The result is a trade deal that as a practical matter blesses the current EU attack on our counterterrorism intelligence programs. Unlike the European Parliament, Congress has said nothing about the issue, strengthening the European hand.  Yet it is Europe that likely needs a trade deal far more than the US. Europe’s economy has lagged ours in growth and employment for decades, with the one economic bright spot being a consistently large trade surplus with the US. Congress should take a page from the European Parliament’s book, adopting a resolution stating that no transatlantic trade deal will be approved if it permits the EU’s current interference with both US technology trade and US counterterrorism capabilities.

There will be opposition to either of these measures. Many American businesses expect to get specific benefits from a trade deal, and they are reluctant to upset the apple cart. Refusing to share terror intelligence, meanwhile, has a cold-hearted air. But if we fail to deal with Europe’s data protectionism in this trade deal, we may never have another chance; that will be bad for US industry, which will increasingly be held hostage or forced to accept uneconomic restrictions on how it manages its data. And cutting off counterterrorism intelligence sharing with countries that are undermining the foundation on which that intelligence rests is simply a matter of self-preservation.

If Europe wants to cripple its intelligence agencies, it is free to make that choice. We should not let it cripple ours.

Steptoe Cyberlaw Podcast – Interview with Senator Tom Cotton

Posted in Cybersecurity and Cyberwar, Data Breach, International, Privacy Regulation, Security Programs & Policies

How do you graduate as a conservative with two Harvard degrees? We learn this and much more from Sen. Tom Cotton (R-AR), our guest for episode 96.  We dive deep with the Senator on the 215 metadata program and its USA FREEDOM Act replacement.  We ask what the future holds for the 702 program, one of the most important counterterrorism programs and just entering yet another round of jockeying over renewal; Sen. Cotton has already come out in favor of making the program permanent.  To round things out, Sen. Cotton assesses the risks of Going Dark for our intelligence community and the difficulties that the Safe Harbor negotiations pose for US intelligence.

OFAC Issues Cyber-Related Sanctions Regulations

Posted in Cybersecurity and Cyberwar, Security Programs & Policies

On December 31, 2015, the US Treasury Department, Office of Foreign Assets Control (OFAC) issued the Cyber-Related Sanctions Regulations (CRSR), 31 C.F.R. Part 578.  The CRSR formally implement the sanctions set forth in Executive Order (EO) 13694 of April 1, 2015, which authorizes sanctions against persons involved in malicious “cyber-enabled” activities, and are effective immediately.


Steptoe Cyberlaw Podcast – Interview with Nick Weaver

Posted in China, Cybersecurity and Cyberwar, International, Privacy Regulation, Security Programs & Policies

We’re back from hiatus with a boatload of news and a cautiously libertarian technologist guest in Nick Weaver of the International Computer Science Institute in Berkeley.  To start Episode 95 of the podcast, Michael Vatis and I plumb the meaning of the Cyber Security Act’s passage.  The big news?  Apparently Santa is real, state laws prohibiting employer access to social media credentials may have been preempted, at least a bit, and ISPs just got new authority to monitor traffic to find bits that threaten other people.  Now if we could just find something useful to do with the defensive measures provision …

Maury Shenk and Alan Cohn dig into the latest deal moving a new European data protection regulation forward – and the slow-motion disaster around the Safe Harbor.

Maury and Michael note that the encryption debate just won’t stay dead, no matter how much Silicon Valley keeps pounding the stake into its heart.  In addition to the FBI, tech companies are seeing a whole bunch of new eyes gleaming in the dark – China’s new security law, Pakistan’s fight with Blackberry, the new UK legislation, and Brazil’s shot across WhatsApp’s bow.  In every case, government has crowded Silicon Valley hard for more cooperation on access to customer data – but without (quite) insisting on a built-in backdoor.

Speaking of governments, Michael tells us that regulators closed 2015 with a bang, with HIPAA, COPPA, and order-enforcement fines up to $100 million.  And Alan points to the CFTC’s new testing rules, which I contend may have smuggled something close to strict security liability into the Federal Register.

Michael brings us up to date on the never-ending turmoil over what access in excess of authorization means under the CFAA.  None of us are surprised that courts think it includes access in violation of a court order.

Nick Weaver & Stewart Baker

The interview with Nick Weaver explores the charms and evils of bulk surveillance, not to mention its inevitability.  Nick analyzes the two Silicon Valley business models – which he shorthands as selling shiny stuff and selling people’s souls.  (Guess which model he disapproves of.)  Which leads us to the question of tracking terrorists as though we wanted to sell them beheading videos.  Call it Son of 702.  Which leads me to ask how soon it will be before the government blocks the sale of an online ad network to China on national security grounds.


Download the ninety-fifth episode (mp3).


CFTC Adopts Proposed Cybersecurity Regulations

Posted in Cybersecurity and Cyberwar, Security Programs & Policies

On Wednesday, December 16, 2015, the Commodity Futures Trading Commission (CFTC or Commission) approved for publication two proposed rules to amend existing regulations addressing cybersecurity.  The proposed rules would establish testing obligations and safeguards for the automated systems used by designated contract markets (DCMs), swap execution facilities (SEFs), swap data repositories (SDRs) (the Exchange Proposal), and derivatives clearing organizations (DCOs) (the Clearing Proposal and, together, the Proposals).1

The Commission’s Proposals grant regulated entities significant deference with respect to the development and implementation of policies and procedures reasonably designed to demonstrate compliance with the new cybersecurity provisions.  However, these new regulatory obligations will come with significant operational, technology, and other resource burdens, including ongoing testing and engagement with third-party service providers.  Furthermore, the scope of the Proposals for testing may extend further than similar cybersecurity standards established by other federal agencies.

The Commission unanimously approved the Proposals.  They were published in the Federal Register on December 23, 2015 and are subject to a 60-day public comment period ending on February 22, 2016.