
Steptoe Cyberblog

Steptoe Cyberlaw Podcast – Interview with Michael Daniel

Posted in Cybersecurity and Cyberwar, International

156: Interview with Michael Daniel

Our interview is with Michael Daniel, former Special Assistant to the President and Cybersecurity Coordinator at the White House and current President of the Cyber Threat Alliance.  We ask Michael how the new guys are doing in his job, what he most regrets not getting done, why we didn’t float thumb drives filled with “The Interview” into North Korea on balloons, and any number of other politically incorrect questions.  His answers are considerably more nuanced.

In the news roundup, we note that the second Wikileaks release is a damp squib, full of outmoded Apple exploits.

Michael Vatis and I unpack the Third Circuit ruling upholding imposition of contempt penalties on a defendant who has “forgotten” the password to his child porn trove.  It turns out that the case offers a road map for prosecutors and police who want to make sure no one ever forgets a password in their jurisdiction.

Stephanie Roy notes that Congress has begun the process of repealing the ISP privacy and security regulations adopted under Chairman Wheeler.  What, if anything, will replace them, and when, is a matter for lengthy speculation.

I note that the privacy zealots of Silicon Valley have fatally miscalculated the kind of support they’ll get in Europe for end-to-end encryption.  Face it, guys, Europe hates you no matter what you do, and they’ll happily impose massive fines both for violating user privacy and for protecting it too well.

Does GCHQ spy on Americans for NSA?  Nope.  The real question is whether Rick Ledgett, number 2 at NSA, has already stopped sounding like a government employee when he talks to the press.

As always, the Cyberlaw Podcast welcomes feedback.  Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 156th episode (mp3).

Subscribe to the Cyberlaw Podcast here.  We are also on iTunes, Pocket Casts, and Google Play (available for Android and Google Chrome)!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Steptoe partner Stewart Baker pictured with Michael Daniel


Steptoe Cyberlaw Podcast – Debate with Greg Nojeim and Jamil Jaffer

Posted in Cybersecurity and Cyberwar, Data Breach, International, Security Programs & Policies

155: Debating Hackback

Episode 155 of the podcast offers something new:  equal time for opposing views.  Well, sort of, anyway.  In place of our usual interview, we’re running a debate over hacking back that CSIS sponsored last week.  I argue that US companies should be allowed to hack back; I’m opposed by Greg Nojeim, Senior Counsel at the Center for Democracy & Technology, and Jamil Jaffer, Vice President for Strategy & Business Development of IronNet Cybersecurity.  (Jeremy Rabkin, who was supposed to join me in arguing the affirmative, was trapped in Boston by a snowstorm.)

In the news, we can’t avoid the unedifying – and cynical – spat between press and White House over wiretapping.  Turning to legal news, I note the DC Circuit’s adoption of a cursory and unpersuasive reading of the Foreign Sovereign Immunities Act in the context of state-sponsored hacking of activists in the United States.  Maury Shenk unpacks the latest ECJ opinion refusing to apply the “right to be forgotten” across the board to government databases.  So far, the only clear application is to American tech giants.  That’s also true of the latest German proposal to make the internet safe for censors, government and nongovernment alike.  As Maury explains, the German Justice Minister is proposing fines up to $50 million for tech giants that don’t censor online speech fast enough or hire enough European private censors to keep up with the workload.

The Justice Department’s indictments in the Yahoo! hack show just how remarkably intertwined Russian intelligence and Russian cybercrime have become.

Alan Cohn and I chew over the latest developments in the new administration’s approach to cybersecurity – a determination to cripple botnets more effectively, and a willingness to exempt DHS cyber programs from what looks like a drastic set of budget cuts for nondefense agencies.  Whether the administration can make progress on botnets while sticking to voluntary measures is uncertain; equally uncertain is whether the plus-ups for DHS cyber reflect satisfaction with the agency’s performance on that mission in recent years.

Finally, Maury and I ask whether the German government is surrendering to reality in pursuing more effective video surveillance of possible criminals and terrorists.

As always, the Cyberlaw Podcast welcomes feedback.  Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 155th episode (mp3).


Steptoe Cyberlaw Podcast – Interview with Curtis Dukes and Tony Sager

Posted in Cybersecurity and Cyberwar, Data Breach, Security Programs & Policies

Episode 154:  What cybersecurity experts tell their Moms about computer security

In this week’s episode, we ask two acknowledged NSA cybersecurity experts, Curtis Dukes and Tony Sager, both from the Center for Internet Security, what they tell their family members about how to keep their computers, phones, and doorbells safe from hackers.

Joining us for the news round-up is Carrie Cordero, a Washington lawyer who focuses on national security law, homeland security law, cybersecurity and data protection issues.  She is also an adjunct professor of law at Georgetown University.

Topping the news is the Wikileaks Vault7 release, including Assange’s mischievous offer to work with Silicon Valley to fix vulnerabilities before they’re disclosed.  Carrie, Markham Erickson, and I comment.

Stephanie Roy reports that the FCC is investigating a 911 outage at AT&T; so far the agency has been tight-lipped about the details.

Home Depot is nearing the finish line in its data breach ordeal, Jennifer Quinn-Barabanov reports.  The banks that had to reissue credit cards were among the last holdouts; they’re getting $25 million, which sounds like a lot until you do the math and realize it’s two bucks a card.

Jennifer tells us that another defense effort to moot a TCPA class action by picking off a named plaintiff has been thwarted – this time by the Second Circuit.

Tom Graves (R-GA) has introduced a hackback defense to CFAA liability.  Markham and I trade barbs over the wisdom of allowing hackback defenses, but we reach agreement on the depth of Uber’s greyballing problems – and the risk that more companies will use big data to disfavor some customers without telling them.

Carrie reports on developments in the FBI-Geek Squad imbroglio, and I mock the reporters who have bought the deeply unappealing defendant’s claim to be a civil liberties victim.

Last, and well worth the wait, Jennifer and I update our listeners on the latest in CyberSexToy privacy.  Turns out the records of interactions with your internet-enabled vibrator can be compromised for a surprisingly low settlement price.  Maybe now we really ought to call the time of death for internet privacy.

As always, the Cyberlaw Podcast welcomes feedback.  Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 154th episode (mp3).


 


Steptoe partner Stewart Baker pictured with Curtis Dukes, Tony Sager, and Carrie Cordero

Steptoe Cyberlaw Podcast – Interview with Matt Tait

Posted in China, Cybersecurity and Cyberwar, International, Privacy Regulation, Security Programs & Policies

Episode 153:  Fancy Bear, Cozy Bear, and … Sneaky Bear?

In this episode, Matt Tait, aka @PwnAllTheThings, takes us on a tour of Russia’s cyberoperations.  Ever wonder why there are three big Russian intel agencies but only two that have nicknames in cybersecurity research?  Matt has the answer to this and all your other Russian cyberespionage questions.

In the news, we mourn the loss of Howard Schmidt, the first cyber czar and one of the most decent men in government.  Then we descend into the depths of the Trump wiretap story.  I reprise some of my views from Lawfare.  Michael Vatis is not persuaded.

After Microsoft’s refusal to provide data stored in the cloud outside the US was upheld in the Second Circuit, things looked rosy for its position.  But now two magistrates in a row have rejected that position.  Michael and I discuss the latest ruling.

Maury Shenk is now our official commentator on the legal consequences of Internet-enabled toys.  This time it’s teddy bears, whose interactions with children and parents were exposed by hackers.

More seriously, Maury praises an impressive new analysis of China’s 50c army of tweeters.  It turns out that everything we thought we knew about the 50c army is wrong. 

Just in time for an early spring, we have harbingers of the coming fight over reauthorization of the 702 intercept program.  Director of National Intelligence candidate Coats promises to put a number on the US persons whose communications are caught up in the program, and the Electronic Frontier Foundation (EFF) and other NGOs turn on both the US government and Silicon Valley to urge that Privacy Shield be held hostage to changes in the program.  And the incoming Commerce Secretary, Wilbur Ross, endorses Privacy Shield, a move that may validate EFF’s tactics.

As always, the Cyberlaw Podcast welcomes feedback.  Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 153rd episode (mp3).


 

Steptoe Cyberlaw Podcast – News Roundup with Paul Rosenzweig

Posted in Cybersecurity and Cyberwar, International, Security Programs & Policies

Episode 152: “Alexa, do you have first amendment rights?”

Our guest for episode 152 is Paul Rosenzweig, and we tour the horizon with him.

In the news roundup, Stephanie Roy outlines the deregulatory tangle around ISPs, privacy, security, and the FCC.  Maury Shenk briefs us on the European legislation authorizing the quashing of terrorist advocacy online.  Jennifer Quinn-Barabanov explains when standing is a defense against privacy claims and when it isn’t.  Together, we remark on the latest example of formerly stodgy banks embracing their inner plaintiffness.

Maury explains why the Germans have banned Cayla the talking (and listening!) doll.  I ask whether the Germans next plan to ban speakerphones.  (Likely answer:  only if they come from America.)

Paul and I dig into the Amazon claim that the first amendment prevents enforcement of a criminal discovery order seeking Amazon Echo recordings.  Hey, the suspect might have been ordering books, and that’s a first amendment activity, says Amazon, and anyway, what Alexa said back to the suspect was an exercise of Amazon’s first amendment rights.  These arguments cry out for the command most frequently heard by my music-playing Echo:  “Alexa, that’s enough.”

Almost as unpersuasive to Paul and me is magistrate judge David Weisman’s refusal to issue an order allowing the police to search a home and make anyone on the premises put their fingers on their iPhones to unlock them.  That act is testimonial in Weisman’s opinion because, well, because he says it is.  (His fourth amendment analysis is better, but hardly compelling.)

Paul explains the dramatic clash of cultures hidden in the otherwise esoteric battle between the GSA’s inspector general and “18F,” an Obama-meets-Silicon-Valley effort to streamline government IT development.  Like any good tragedy, you knew from the start that this trainwreck was coming, but you still can’t look away.

The draft cyber executive order still isn’t out, despite what looks like a much more disciplined vetting process than other EOs went through. What’s the reward for running a good interagency process in a White House not noted for such discipline?  The Homeland Security Council may get folded under the National Security Council.

No one has heard of the National Association of Secretaries of State in 50 years.  And if you want to know why, we say, look no further than NASS’s foolish resolution objecting to the designation of electoral systems as “critical infrastructure.”

Finally, Paul and I noodle over DHS’s request that Chinese visitors to the US voluntarily disclose their social media handles.  I predict that this puts the frog in the pot and the stove on simmer.  Meanwhile, Paul finds one border security measure that even I wouldn’t adopt.

As always, the Cyberlaw Podcast welcomes feedback.  Send email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 152nd episode (mp3).


Steptoe Cyberlaw Podcast — Interview with John “Four” Flynn, Heather Adkins, and Troels Oerting

Posted in Cybersecurity and Cyberwar, International, Security Programs & Policies

In this episode, Stewart Baker goes to RSA and interviews the people that everyone at RSA is hoping to sell to – CISOs. In particular, John “Four” Flynn of Uber, Heather Adkins of Google, and Troels Oerting of Barclays Bank. We ask them what trends at RSA give them hope for the future, which make them weep, what’s truly new in cybersecurity, and what kind of help they would like from government.

While Stewart’s traveling, Alan Cohn takes over the news roundup. We start with some news from the RSA Conference keynotes. Brad Smith, President of Microsoft, called for a cyber “Geneva Convention” on behalf of the sovereign nation of Microsoft. And Rep. Michael McCaul (R-TX), chair of the House Committee on Homeland Security, announced his opposition to backdoors in encryption, lining up with former Secretary of Homeland Security Michael Chertoff and former NSA and CIA Director Michael Hayden but against current Attorney General Jeff Sessions and current FBI Director Jim Comey.

In news from across the pond, Maury takes us through the EU’s efforts to take on robots. We coin the term #EURobotHammer in the process (it’s complicated). Maury also tells us whether the Russians are hacking the French elections (it’s complicated).

Back stateside, Alan asks what the cyber implications are of “out like Flynn, in with McMaster” at the National Security Council. Alan also confides in us about White House staffers’ use of confidential messaging apps like Confide (see what I did there?).

Finally, Alan takes us through a few quick hits on CrowdStrike vs NSS Labs, the SASC’s new Cyber subcommittee, and Yahoo!’s $350M haircut.

As always, the Cyberlaw Podcast welcomes feedback. Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 151st episode (mp3).


Cybersecurity and the Wassenaar Arrangement — What Needs to Be Done in 2017?

Posted in Cybersecurity and Cyberwar, International, Security Programs & Policies

Cyber threats move at Internet speed and so must cyber responders, to protect networks and data across the globe. Imagine the impact on cybersecurity if responders, innovators, and developers were told to pause and apply for an export license before responding to a threat. With a new round of international negotiations about to begin for the Wassenaar Arrangement, now is the time to press hard to arrive at a workable international standard that protects, rather than undermines, cybersecurity.

In 2013, the Wassenaar Arrangement, a 41-country international forum that seeks consensus among its members on dual-use export controls, adopted new controls on “intrusion software” and “carrier class network surveillance tools.” The purpose behind these controls is worthy: protecting human rights activists and political dissidents from surveillance by authoritarian governments.

Unfortunately, the approach proposed by the Wassenaar regulation misses the mark, and indeed, the controls would ultimately undermine that goal by making it harder for cyber responders to defend against the use of surveillance technologies. Because the regulation is so overly broad, it would require cyber responders and security researchers to obtain an export license prior to exchanging essential information to remediate a newly-identified network vulnerability, even when that vulnerability is capable of being exploited for purposes of surveillance. It would also require an onerous licensing process for sales of strong cybersecurity tools and services by companies around the world, and in some cases, could prohibit their sale altogether.

Steptoe Cyberlaw Podcast – Interview with Dominic Rochon and Patricia Kosseim

Posted in Cybersecurity and Cyberwar, Data Breach, International

Our interview features a classic “please don’t read this” headline: “Worthwhile Canadian Initiatives.”  We explore multiple worthwhile Canadian initiatives with Dominic Rochon, deputy chief of policy and communications for CSE, Canada’s version of the NSA, and with Patricia Kosseim, general counsel and director general for policy at the Office of Canada’s Privacy Commissioner.  Among other things, we take a close look at Canada’s oversight regime for intelligence, in which a retired judge gets to exercise executive authority over the CSE – in contrast to the US system where active judges do the same but pretend they’re carrying out a judicial function.

In the news roundup, Judge Robart is doing his best to hog the judicial headlines, not only blocking the Trump administration’s immigration policy but giving support to Microsoft’s suit to overturn discovery gag orders en masse. His opinion allows Microsoft to proceed with a lawsuit claiming that gag orders violated the First Amendment.

The Trump Administration could soon begin asking foreigners coming to the United States — particularly from some Muslim-majority countries — to turn over their social media accounts and passwords.  This is a policy begun under the Obama administration and supported by bipartisan homeland security groups.  I predict that it will nonetheless soon be trashed by the press as an Evil Trump Initiative.

Tallinn 2.0 is out.  It applies international law to cyber activity at and below the threshold of armed conflict.  Color me skeptical.

The cybersecurity Executive Order that’s been hanging fire for weeks is still hanging fire.  A new draft has been leaked, though, and it’s better.

Hal Martin is indicted for stealing massive amounts of data from NSA and perhaps others.  According to a Washington Post report, US officials think Martin may have stolen 75% of the NSA’s hacking tools.  Ouch.

In other news, Rick Ledgett, the No. 2 official at the NSA, is leaving but not because of Trump.  And Google has told several prominent journalists that state-sponsored hackers are trying to break into their inboxes.

As always, the Cyberlaw Podcast welcomes feedback.  Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 150th episode (mp3).


2017 Global Cybersecurity Policy: Challenges & Highlights

Posted in Cybersecurity and Cyberwar, International

The growing dependence of states and societies on ICT systems means they face a higher risk of cyberattacks. Increasingly sophisticated hacking attacks target not only individual people and companies, but also highly developed countries. Although cyberattacks can have disastrous consequences, research shows that we still miss the mark in preparedness. Acknowledging the magnitude of the risk, global government decision-makers have made the security of cyberspace one of their highest priorities. Daniella Terruso and Adam Palmer, experts partnering with the Kosciuszko Institute, have outlined the major cybersecurity policy challenges for 2017.

Steptoe Cyberlaw Podcast – Interview with Jason Healey

Posted in Cybersecurity and Cyberwar, International, Privacy Regulation, Security Programs & Policies, Uncategorized

149:  Thigh-high boots and defense dominance

Our guest for episode 149 of the podcast is Jason Healey, whose Atlantic Council paper, “A Nonstate Strategy for Saving Cyberspace,” advocates for an explicit bias toward cyber defense and the private sector.  He responds well to my skeptical questioning, and even my suggestion that his vision of “defense dominance” would be more marketable if paired with thigh-high leather boots and a bull whip. #50ShadesofCyber.

In the news roundup, we experiment with, uh, actual legal discussion.  The Microsoft Ireland case has company; Google recently lost a similar argument before a magistrate judge – maybe because it couldn’t say where the data it wanted to protect from disclosure actually was.  Michael Vatis explains.

Meredith Rathbone and I take a victory lap over CNN and its reporters, noting that if they’d listened to the podcast, they’d have known a month early that US sanctions had unexpectedly prevented US companies from filing license applications with Russian intelligence agencies – and that allowing companies to make such filings wasn’t an opportunity for hyperventilating about President Trump’s bromance with Putin.

Michael and I also deconstruct Supreme Court nominee Neil Gorsuch’s opinion in US v. Ackerman.  The opinion calmly and clearly puts a hole below the waterline in a longstanding approach to collecting evidence in child porn cases.  If this case gives a clue to his jurisprudence, it seems unlikely that a Justice Gorsuch will be a pushover for government arguments.

Can American companies sue governments that hack them in the US?  I hope so, but that depends on whether the Foreign Sovereign Immunities Act provides protection for malware sent from abroad that does its damage here.  In an unlikely-bedfellows moment, I’m depending on EFF to make that argument to the DC Circuit.

And, to follow up on two stories we covered earlier, Brexit authority slips quickly through the House of Commons, while Google’s penny-pinching settlement of a massive “wiretapping” class action is approved over objections to the cy pres payments to the usual NGOs.

As always, the Cyberlaw Podcast welcomes feedback.  Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 149th episode (mp3).
