Header graphic for print

Steptoe Cyberblog

The GitHub Attack and Internet Self-defense

Posted in China, Cybersecurity and Cyberwar, Data Breach, International, Privacy Regulation, Security Programs & Policies

In an earlier post I talked about how the Chinese government has used its “Great Firewall” censorship machinery on an expanded list of targets – from its own citizens to ordinary Americans who happen to visit Internet sites in China.  By intercepting the ad and analytics scripts that Americans downloaded from Chinese sites, the Chinese government was able to infect the Americans’ machines with malware.  Then the government used that malware to create a “Great Cannon” that aimed a massive number of packets at the US company GitHub.  The goal was to force the company to stop making news sites like the New York Times and Greatfire.org available to Chinese citizens.  The Great Cannon violated a host of US criminal laws, from computer fraud to extortion. The victims included hundreds of thousands of Americans.  And to judge from a persuasive Citizen Lab report, China’s responsibility was undeniable.  Yet the US government has so far done nothing about it.

US inaction is thus setting a new norm for cyberspace.  In the future, it means that many more Americans can expect to be attacked in their homes and offices by foreign governments who don’t like their views.

The US government should be ashamed of its acquiescence.  Especially because the Great Cannon is surprisingly vulnerable. After all, it only works if foreigners continue to visit Chinese sites and continue to download scripts from Chinese ad networks.  They supply the ammunition that the Great Cannon fires.  If no one from outside China visits Chinese search sites or loads Chinese ads, the Cannon can’t shoot. Continue Reading

The GitHub Attack, Part 1: Making International Cyber Law the Ugly Way

Posted in Cybersecurity and Cyberwar, International, Privacy Regulation, Security Programs & Policies

Over the past few years, the US government has invested heavily in trying to create international norms for cyberspace. We’ve endlessly cajoled other nations to agree on broad principles about internet freedom and how the law of war applies to cyberconflicts. Progress has been slow, especially with countries that might actually face us in a cyberwar. But the bigger problem with the US effort is simple: Real international law is not made by talking. It’s made by doing.

“If you want to know the law … you must look at it as a bad man,” Oliver Wendell Holmes Jr. once observed.  A bad man only cares whether he’ll be punished or not. If you tell him that an act is immoral but won’t be punished, Holmes argued, you’re telling him that it’s lawful.

When it comes to international law, Holmes nailed it. In dealings between nations, norms are established by what governments do.  If countries punish a novel attack effectively, that builds an international norm against the attack. And if they tolerate the attack without retaliating, they are creating an international norm that permits it.

By that measure, the United States has been establishing plenty of norms lately. After accusing North Korea of seeking to censor Sony with a cyberattack, the US announced meaningless sanctions; there’s no sign that the US has found, let alone frozen, any of the secretive North Korea’s intelligence agency’s assets. Similarly, even though the US director of national intelligence long ago attributed the OPM hack to China, the National Security Council continues to dither about whether and how to retaliate.

When it comes to setting new norms through inaction, though, the most troubling incident is China’s denial of service attack on GitHub. Like lots of US tech successes, GitHub didn’t exist ten years ago, but it is now valued at more than $2 billion. Its value comes from creating a collaborative environment where software can be edited by dozens or hundreds of people around the world. Making information freely available is the core of its business. So when the Chinese government decided to block access to the New York Times, the paper provided access to Chinese readers via GitHub. China then tried to block GitHub, as it had the Times. But if Chinese programmers can’t access GitHub, they can’t do their jobs. The outcry from Chinese tech companies forced the Chinese government to drop its block within days.

It was a victory for free speech. Or so you’d think. But the Chinese didn’t give up that easily. They went looking for another way to punish GitHub. And found it. Earlier this year, GitHub was soon hit with a massive distributed denial of service attack. Computers in the US, Taiwan, and Hong Kong sent waves of meaningless requests to GitHub, swamping its servers and causing intermittent outages for days. The company’s IT costs skyrocketed. A similar attack was launched against Greatfire.org, a technically sophisticated anticensorship site.

A Citizens Lab report shows that this denial of service attack was actually a pathbreaking new use of China’s censorship infrastructure. Over the years, China has built a “Great Firewall” that interrupts every single internet communication between China and the rest of the world. Up to now, China has used that infrastructure to inspect Chinese users’ requests for content from abroad. Uncontroversial requests are allowed to proceed after inspection. But most requests for censored information trigger a reset signal that cuts the connection. The same infrastructure could be used to inspect foreign requests for data from Chinese sites but there’s no obvious need to do so because the Chinese sites are already under the government’s thumb.

But the Github attack shows an imaginative repurposing of the censorship machinery. Instead of subtracting packets from the foreign data requests, China decided to add a few packets — of malware. Whenever foreigners — whether from the US, Taiwan, or Hong Kong — visited a site inside the Great Firewall, they were already downloading buckets of code to run on their machines. Called javascript, this code is now a standard part of almost all internet browsing. It’s javascript that makes your computer play those moving, talking ads you love so much, and its importance to advertisers means that it isn’t likely to fade away any time soon. That’s too bad, because javascript actually runs code on your machine, so it’s not just an annoyance, it’s a serious security risk.

A risk China managed to exploit. How? Well, since China’s censorship infrastructure was already intercepting all the packets running between China and the outside world, it was easy enough for China to drop a few additional javascripts into the stream of legitimate advertisers’ code that foreign users were already downloading. Once on the user’s machine, though, instead of stealing credit card information the way most javascript malware does, the Chinese government’s code started sending packets to GitHub. Soon, millions of infected machines were doing the same, and Github’s servers couldn’t keep up. The attack brought GitHub to its knees.

For several technical reasons, it’s also plain that the Chinese government could not have expected to keep its hand hidden. Indeed, the Citizen Lab report makes clear that no one other than the Chinese government could have used this technique or this infrastructure.

Think about that for a minute. This was an attack that was carried out largely on American soil, first by infecting hundreds of thousands of American computers and then by launching them at a US company, all with the goal of punishing Americans for hosting the content of a preeminent US newspaper. And China didn’t even bother to hide its actions from the US government.

As it turns out, the Chinese had taken our measure pretty well. Not until May, weeks after the attacks, did the State Department respond. And then it simply announced that it “has asked Chinese authorities to investigate” the attack. Really? What’s to investigate? Given the evidence of Chinese complicity, the request seems pointless. And now, months later, it appears that the Chinese have not deigned to respond.

The message is clear. The administration has decided to tolerate this kind of attack. As Justice Holmes reminds us, for bad men all that matters are the consequences of their acts. By imposing no consequences on the GitHub attack, the United States has done its bit to make such attacks lawful.

That’s a foolish choice, and one than needs to be reversed. We shouldn’t tolerate such contempt for both our values and our borders. Even if the US government won’t take action, Americans can still take action that will deter such attacks in the future.

I’ll talk about that in my next post.

Steptoe Cyberlaw Podcast – Atlantic Council Panel

Posted in Cybersecurity and Cyberwar, Data Breach, International, Privacy Regulation, Security Programs & Policies

Bonus Episode 78:  Dmitri Alperovitch, Harvey Rishikof, Stewart Baker, and Melanie Teplinsky debate whether the United States should start doing commercial espionage

I know, I know, we promised that the Cyberlaw Podcast would go on hiatus for the month of August.  But we also hinted that there might be a bonus episode.  And here it is, a stimulating panel discussion sponsored by the Atlantic Council and moderated by Melanie Teplinsky.  The topic is whether the United States should abandon its longstanding policy of refusing to steal the commercial secrets of foreigners to help American companies compete.  The discussion is lively, with plenty of disagreements and an audience vote at the start and finish of the discussion to gauge how persuasive we were.  Enjoy!

The Cyberlaw Podcast is now open to feedback.  Send your questions, suggestions for interview candidates, or topics to CyberlawPodcast@steptoe.com.  If you’d like to leave a message by phone, contact us at +1 202 862 5785.

Download the seventy-eighth episode (mp3).

Subscribe to the Cyberlaw Podcast here. We are also now on iTunes and Pocket Casts!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

FinTech Bits: What Does Donald Trump Think About Bitcoin?

Posted in Blockchain, Virtual Currency

This week featured interesting remarks from two of the most influential thought leaders in Bitcoin and the blockchain – Blythe Masters and Brian Forde.

During SourceMedia’s Convene conference, Masters, the CEO of Digital Asset Holdings, observed that while we are in the early days of development for Bitcoin and the blockchain, similar to where we were with the Internet in the early 1990s, “[t]he potential addressable markets for these types of technologies are gigantic.” For instance, Masters noted that blockchain technology could transform the way we trade and settle transactions for stocks, bonds, and derivatives.

Meanwhile, Brian Forde from MIT’s Digital Currency Initiative, with whom I was privileged to spend time at the Blockchain Summit, spoke at the Atlantic Aspen Ideas Festival about how digital currency and blockchain technology could improve public welfare. Forde observed that these technological innovations could improve the efficiency and security of government services. He noted that the technology also could benefit underserved populations by, among other things, increasing financial inclusion for the unbanked, helping secure property rights, and protecting identity.

The week also included thoughtful remarks about Bitcoin from a more unlikely source – former Texas governor and current presidential candidate Rick Perry. In a speech to the Committee to Unleash Economic Prosperity, Perry offered his take on the causes of the 2008 economic crisis, predicted that another economic crash is on the horizon, and challenged Donald Trump to a pull-up contest. But in the same speech, Perry called for “regulatory breathing room for banking with digital currencies, like Bitcoin.” Perry added that “[d]igital currencies harbor the possibility of reducing the cost and improving the quality of financial transactions in much the same way that the conventional Internet has done for consumer goods and services.” Regardless of what one thinks of Perry’s politics, it is a milestone of sorts that any presidential candidate was discussing Bitcoin in the course of a campaign event, and perhaps even more significant that the candidate was encouraging a regulatory approach that doesn’t stifle the growth of the technology.

No word yet on when, or if, Donald Trump will offer his position on Bitcoin and the blockchain. Or whether he’ll accept the challenge of a pull-up contest. Time will tell, as the campaign, like the technology, is still young.

On the Intelligence Authorization Bill

Posted in Security Programs & Policies

On July 28, Senator Ron Wyden objected to the Senate’s passage of the Intelligence Authorization Bill for Fiscal Year 2016. He objected not because he opposes the funding decisions included in the legislation but rather because of just 29 lines of text among the 41 pages of proposed legislation that have nothing to do with intelligence spending. Those 29 lines, found in Section 603 of S. 1705, would require Internet companies to report to the Attorney General (or her designee) “terrorist activity” on their platforms. In support of this idea, proponents have raised concerns about use of the Internet by terrorist organizations such as ISIS to promote terrorism and recruit new members. Of course such concerns are appropriate, but the proposed legislation creates too much collateral damage. Our client, the Internet Association, has raised concerns with Section 603. The views here, however, are my own.

The Supreme Court, among others, has noted, “[C]ontent on the Internet is as diverse as human thought.” This means that along with supercharged innovation, economic development, and democratic discourse, the Internet also facilitates the views of the intolerant, hateful, and yes even criminal elements around the globe.

In the US, the First Amendment protects the rights of individuals to express intolerant and hateful ideas. We are often criticized for this, to which we respond that the best means of combating such speech is by ensuring the ability of others to respond. In this dynamic, we believe that the marketplace of ideas is the best referee. Certainly, it is a better referee we can agree than a bureaucrat in a government agency making decisions about what should be censored. Put another way, the dangers of government-controlled speech far outweigh concerns over the promotion of speech we find objectionable.

Yet the First Amendment does not protect organizations from laws prohibiting them from conspiring to commit violent acts or raise money to fund criminal activities. The First Amendment does not protect an individual’s right to incite imminent lawless action that is likely to incite such action.

When use of the Internet crosses the line from protected speech to criminal activity, law enforcement can and should intervene. In such cases, Internet companies can and do cooperate with lawful requests to assist efforts to investigate and prosecute criminal behavior.

A key problem with Section 603, however, is that the trigger for the reporting mandate is based on the vague and undefined term “terrorist activity.” This term is not a term of art in the US criminal code and arguably goes well beyond criminal activity to speech that is protected under the First Amendment.

Proponents of the provision compare the reporting obligation to the existing reporting obligation for child pornography images in 18 U.S.C. §2258A. That law requires intermediaries that obtain actual knowledge of any facts and circumstances from which there is an apparent violation of federal child exploitation crimes involving child pornography to file a report with the National Center for Missing and Exploited Children (NCMEC).

The NCMEC reporting obligations, however, relate to images that are per se unlawful and are never protected speech under the US Constitution. A government mandate that an Internet company report facts and circumstances connected to the vague and overbroad term “terrorist activity” certainly would result in overbroad reporting to the government of speech that is protected under the First Amendment.

More troubling, if adopted, the provision would serve as a global template for other countries to impose reporting requirements for activities those jurisdictions deem unlawful. This would be particularly problematic with countries that regulate speech, including political speech, and with authoritarian regimes that would demand that Internet companies police their citizens’ activities.

Section 603 also creates a practical compliance problem. Because no one knows the definition of “terrorist activity,” how does one counsel a client to establish a compliance protocol under the proposal?

Any company would be at risk that if it did not report “terrorist activity,” it could be liable if there were a subsequent event that resulted in loss of life, limb, or property. Likely, this would result in designing a protocol to over-report anything that could be considered “terrorist activity.” Given the massive scale of content shared and created on the Internet daily, this would result in reporting of items that are not likely to be of material concern to public safety and would create a “needle in the haystack” problem for law enforcement. This serves no one’s purposes and adds privacy concerns to the First Amendment concerns noted above.

This creates a perverse incentive for a company to avoid obtaining knowledge of any activity that would trigger the reporting requirement—the exact opposite of what the proponents of the legislation want. Yet, designing such an avoidance protocol is nearly impossible. If even one low-level employee received an over-the-transom email about a “terrorist activity,” knowledge of the activity can be imputed to the entire company – exacerbating the potential liability faced by an Internet company.

Section 603 has other problems. The scope of the kind of Internet platforms that would be covered by the proposal is enormous. The reporting mandate applies to an “electronic communication service” (ECS) and a “remote computing service” (RCS). An ECS is arguably any service that provides a person with the ability to communicate with others electronically. The definition of “remote computing service” is “the provision to the public of computer storage or processing services by means of an electronic communications system.” These terms create a huge universe of entities subject to the mandate, including but certainly not limited to social media companies, search engines, Internet service providers, blogs, community bulletin boards, universities, advocacy organizations, and religious institutions.

Further, the proposal would not limit the reporting requirement to publicly viewable sites. It would require a cloud storage provider to police a third party’s internal, stored communications to avoid the potential liability under the provision.

For all of the reasons above, Senator Wyden was right to object to the reporting mandate.

And the Senate Select Committee is right to raise concerns with the use of the Internet by terrorist organizations. Confronting such use, however, must not be done at the expense of the First Amendment and by requiring Internet companies to police and report on their users’ activities.

Steptoe Cyberlaw Podcast – Interview with Bruce Andrews

Posted in China, Cybersecurity and Cyberwar, Data Breach, International, Security Programs & Policies

Our guest for episode 77 is Bruce Andrews, the deputy secretary of the Commerce Department. Alan Cohn and I pepper Bruce with questions about export controls on cybersecurity technology, stopping commercial cyberespionage, the future of the NIST cybersecurity framework, and how we can get on future cybersecurity trade missions, among other things.

In the news roundup, Alan and I puzzle over the administration’s reluctance to blame China for its hacks of US agencies.

The furor over cybersecurity export controls continues unabated, with a couple of hundred hostile comments filed and Congress beginning to stir. Alan Cohn fills us in.

The UK high court ruling on data retention makes history but maybe only the most evanescent of law. Alan and I discuss whether the ruling will resemble Marbury v. Madison in more ways than one.

France finalizes expansion of surveillance. Bush administration figures come out against back doors. Cyberweek begins and, the cyber left hopes, ends without progress on CISA.

This Week in Prurient Cybersecurity: The first Ashley Madison subscriber is outed.  And he’s Canadian.  Looks like the nights really are longer up there. Ottawa apparently leads the world in percentage of would-be adulterers, followed by Washington, DC. No further comment seems necessary.

And Bloomberg says that the Chinese attempt to build a database on Americans didn’t begin with OPM or Anthem, but with the compromise of travel databases two years ago.

This time, Alan hints, the FTC may throw away the key, as it once again takes action against LifeLock. And the Seventh Circuit wades into the debate over how much harm a data breach plaintiff must suffer to have standing to sue.

The Cyberlaw Podcast is now open to feedback.  Send your questions, suggestions for interview candidates, or topics to CyberlawPodcast@steptoe.com.  If you’d like to leave a message by phone, contact us at +1 202 862 5785.

Download the seventy-seventh episode (mp3).

Subscribe to the Cyberlaw Podcast here. We are also now on iTunes and Pocket Casts!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.


FinTech Bits: Smart Banks Are Banking on the Blockchain

Posted in Blockchain, Virtual Currency

In an area that is growing and evolving as fast as FinTech, it’s often difficult to take a step back and take stock of where we are, and where we’re headed. So kudos to CoinDesk, which recently issued its State of Bitcoin report for the second quarter of 2015, its seventh such report since February 2014. The report is a great read that contains a number of terrific insights into trends and developments in Bitcoin and other digital currencies. One of the most interesting aspects of the report related to the significant number of banks throughout the world that are experimenting with use cases for blockchain technology. The report cited Santander, Barclays, UBS, and BNY Mellon as among the global banks exploring the potential of the blockchain.

That dovetails with reporting from CoinTelegraph and other sources that these and other large banks are increasingly studying possible use cases for bitcoin and the blockchain to reduce costs, increase speed and efficiency of transactions, and provide greater security and transparency. (To that list of advantages we would add reduced compliance costs, which are an increasing issue for banks.)

Meanwhile, a recently released book from Adaptive Labs suggests that banks are ill-prepared for the potential disruption to their business models that FinTech innovations, including the blockchain, represent.

The takeaway from all of this? Banks, money remitters, and other financial institutions would be well-served to join the growing list of organizations that are studying possible applications for digital currencies and the blockchain to enhance their business, lest they be left behind by a wave of innovation in FinTech. Better to disrupt your own business model from the inside than to see it disrupted from the outside.

Does Your CEO Know What’s Keeping You Up at Night?

Posted in Cybersecurity and Cyberwar, Data Breach

Security Magazine’s Security Talk interviewed us on how we help clients navigate cybersecurity issues.  In the article, “Does Your CEO Know What’s Keeping You Up at Night?,” we discuss how a company’s ability to weather a cyber attack depends in part on the decisions the company makes both before a breach occurs and in the immediate aftermath of a breach.  One way to prepare for a breach is through tabletop exercises that simulate a data breach, which are a key feature of our pre-breach services.  In preparing these exercises, we draw on the expertise and insights of the company’s own cybersecurity professionals, and we make a practice of asking those professionals about the scenarios that cause them to lose sleep.  We encourage directors and officers to ask that same question, because what’s keeping your cybersecurity professionals up tonight could be a nightmare for your entire company down the road.

Steptoe Cyberlaw Podcast – Interview with Annie Antón and Peter Swire

Posted in Cybersecurity and Cyberwar, Data Breach, International, Privacy Regulation, Security Programs & Policies

Episode 76 of the podcast features the power couple of privacy and cybersecurity, Peter Swire and Annie Antón, both professors at Georgia Institute of Technology.  I question them on topics from the USA FREEDOM Act to the enduring gulf between writing law and writing code.

In the news roundup, as our listeners have come to expect, we do indeed return to our recurring feature, This Week in Prurient Cybersecurity, with a riff on the Ashley Madison hack.  But you’ll have to wait until the end, when we’re loosened up.

We begin more soberly, with Jason Weinstein and Michael Vatis covering the courts’ mopping up after passage of the USA FREEDOM Act.  The DC Circuit has received supplemental briefs on section 215, and the ACLU is leading hopeless charge against the 215 program in the Second Circuit.

The Hacking Team doxxing draws attention to the risk involved in hiring hackers.  When they’re disgruntled, they don’t just slam the door on the way out.  Still, Alan Cohn and I can’t help but be fascinated by the Hacking Team proposal to use drones to hover over the target, intercepting his Wi-Fi connection.

In regulatory news, Alan Cohn and Jason Weinstein discuss the FERC’s revisions to the CIP cybersecurity requirements, with a focus on supply chain practices, and a Boston hospital’s settlement of HIPAA charges, prompting me to ask whether HHS’s Office of Civil Rights is the most hypocritically aggressive privacy regulator in government.

Russia’s Right to Be Forgotten law is signed, after further tweaks.  And Google announces that it has officially tipped more than one million links into the dustbin of history.

I respond to listener feedback by walking back my mockery of Tony Scott’s “TLS Everywhere” initiative, noting that it might have some modest security benefits after all.  Instead of “privacy theater” perhaps I should have called it a “privacy skit.”  And as attribution gets better, so does the temptation to fly false flags.  It looks as though the Russians will pioneer this particular development, attacking US sites under the nom de guerre of the Cyber Caliphate.  And the US government response to the Russian attacks?  A predictable silence.

As always, send your questions and suggestions for interview candidates to CyberlawPodcast@steptoe.com.  If you’d like to leave a message by phone, contact us at +1 202 862 5785.

Download the seventy-sixth episode (mp3).

Subscribe to the Cyberlaw Podcast here.  We are also now on iTunes and Pocket Casts!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Steptoe Cyberlaw Podcast – Interview with Michael Casey

Posted in Blockchain, Cybersecurity and Cyberwar, International, Privacy Regulation

Hip Hop Summit at Graceland: Michael Casey and Digital Money

Bitcoin and the blockchain – how do they work and what do they mean for financial and government services and for consumers? And who holds massive stores of bitcoin that can’t be spent without solving one of the great financial mysteries of our time?  Our guest for episode 75 is Michael Casey, former senior columnist for the Wall Street Journal and – as of last week – senior advisor at the MIT Media Lab’s Digital Currency Initiative.  Michael is also the author, along with his former Wall Street Journal colleague Paul Vigna, of The Age of Cryptocurrency:  How Bitcoin and Digital Money Are Challenging the Global Economic Order.  Alan Cohn and Jason Weinstein interview him about bitcoin and its underestimated enabling technology, the blockchain.

In the news roundup, Meredith Rathbone, Alan Cohn, and I dive into the Commerce Department’s sweeping proposal for new regulation of the cybersecurity industry under the Wassenaar arrangement.  With comments due on July 20, security companies are beginning to identify a host of unintended regulatory consequences.

The FBI and Justice Department had a surprisingly good week complaining about technologists’ deployment of ubiquitous unbreakable encryption.  A group of cryptographers offered a contrary view, and I critiqued their position in the roundup and in a blog post.

Hacking Team was itself hacked, with its internal correspondence spread across the internet.  One quick lesson:  if anyone is expecting export controls to stop sales of hacking tools to repressive regimes, they aren’t paying attention to the Italian government’s licensing policies.

Finally, the right to be forgotten looks like a bad idea whose time has come.  Jason doubts that Consumer Watchdog will succeed in smuggling the right to be forgotten into the FTC Act, perhaps because the act is already bulging at the seams.  Canadian courts, in contrast, seem happy to impose their speech rules on Americans – whether or not Canadian courts have, you know, jurisdiction over the Americans.

As always, send your questions and suggestions for interview candidates to CyberlawPodcast@steptoe.com.  If you’d like to leave a message by phone, contact us at +1 202 862 5785.

Download the seventy-fifth episode (mp3).

Subscribe to the Cyberlaw Podcast here. We are also now on iTunes and Pocket Casts!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.