Steptoe Cyberblog

Yearly Archives: 2012

FTC’s Online Privacy Campaign Goes into High Gear

Posted in Privacy Regulation, Security Programs & Policies

The Federal Trade Commission is really on a roll these days. In the last few weeks alone it has: reached settlements with two companies, Compete, Inc. and Epic Marketplace, Inc., over the FTC’s charges that the two companies deceived consumers by misrepresenting their online data collection practices; released a blistering report criticizing the developers of mobile apps… Continue Reading

Prosecuting Cyberespionage – Justice’s New Strategy

Posted in Cybersecurity and Cyberwar, International, Security Programs & Policies

The National Security Division of the Justice Department may be getting on the cyberspace attribution/retribution bandwagon — and in the process, reshaping US strategy for deterring cyberespionage. First, they are creating a new liaison position in US Attorney offices across the country — the National Security Cybersecurity Specialist, or NSCS (rhymes with “discus meniscus” for you… Continue Reading

US Head of Delegation at WCIT Badmouths Deep Packet Inspection

Posted in International, Privacy Regulation

It’s been a contentious meeting in Dubai at the World Conference on International Telecommunications (WCIT), where the United States and its allies have been trying to fend off efforts by Russia, China, and others to expand the writ of the International Telecommunications Union to cover the Internet. Besides that fundamental dispute, there have been some… Continue Reading

Finding Cyberspies

Posted in China, Cybersecurity and Cyberwar, International, Security Programs & Policies

For a while now I have believed that attribution of hacker attacks has been rapidly improving. Well, now we have confirmation from a Ken Dilanian scoop in the LA Times. Dilanian reports that “the U.S. intelligence community is nearing completion of its first detailed review of cyber-spying against American targets from abroad, including an attempt to calculate U.S. financial losses from… Continue Reading

Why Do the Feds Care About Officials’ Private Emails?

Posted in China, Cybersecurity and Cyberwar, International, Security Programs & Policies

For those who have wondered why the feds cared about what former CIA Director David Petraeus was doing on his private email account, recent reports on hacks into the personal computers of former Chairman of the Joint Chiefs of Staff Mike Mullen provide at least a clue. Mullen’s personal computers, which he used while working… Continue Reading

More on Cybersecurity and Attribution: Si Chuan University and Tencent

Posted in China, Cybersecurity and Cyberwar, International, Security Programs & Policies

Previously, I told the story of how Trend Micro identified “Luckycat,” a Chinese hacker who had attacked the Dalai Lama, aerospace firms, and other targets. Based on what we know so far, the likely hacker is Gu Kaiyuan, formerly a student at Si Chuan University’s Information Security Institute and currently employed by the large Chinese instant… Continue Reading

Privacy: The Latest Victim of Europe’s Privacy Regulation

Posted in Data Breach, Privacy Regulation, Security Programs & Policies

The European Union has proposed a privacy policy that will inevitably deprive many people of their privacy. Now working its way through the tortuous Brussels process, the regulation includes a “right to data portability.” Typically, this is Commission-speak for a regulatory requirement that information services must hand over all of a subscriber’s historical data upon request,… Continue Reading

The Hackback Debate

Posted in Cybersecurity and Cyberwar, Privacy Regulation, Security Programs & Policies

The vulnerability of computer networks to hacking grows more troubling every year. No network is safe, and hacking has evolved from an obscure hobby to a major national security concern. Cybercrime has cost consumers and banks billions of dollars. Yet few cyberspies or cybercriminals have been caught and punished. Law enforcement is overwhelmed both by… Continue Reading

RSA CEO Speaks Out on Privacy

Posted in Cybersecurity and Cyberwar, Privacy Regulation, Security Programs & Policies

In a speech earlier this week to RSA 2012 in Europe, Art Coviello challenged privacy laws as a threat to, well, privacy: “Intelligence-based security also requires information sharing at scale,” said Coviello. But these changes are held back by a number of things, including current privacy laws. Coviello recounted a discussion he had with a… Continue Reading

Good News for Cybersecurity and Attribution?

Posted in Cybersecurity and Cyberwar, Data Breach, Security Programs & Policies

How should the US respond to massive state-sponsored cyberespionage? Right now, policymakers are intent on improving network security, perhaps by pressing the private sector to improve its security, or by waiving outmoded privacy rules that prevent rapid sharing of information about attackers’ tactics and tools. This would improve our network security, but not enough to alter… Continue Reading

Rethinking Cybersecurity, Retribution, and the Role of the Private Sector

Posted in Cybersecurity and Cyberwar, Security Programs & Policies

In upcoming testimony before the House Homeland Security Committee, I’ll be assessing the Department of Homeland Security, with particular focus on cybersecurity. Probably the most important point I’ll be making is a simple one: We will never defend our way out of the current cybersecurity crisis. That’s because putting all the burden of preventing crime… Continue Reading

Sneak Peek of the Cybersecurity Executive Order Draft

Posted in Cybersecurity and Cyberwar, Security Programs & Policies

Federal News Radio’s Jason Miller reports that he’s seen a draft of the executive order on cybersecurity. What he describes is quite plausible: The order creates a council chaired by DHS to coordinate the mission. This provision would be a defeat for the business lobbyists who fought to keep DHS from getting a central cybersecurity… Continue Reading

A Trip Down Privacy’s Memory Lane

Posted in Privacy Regulation

Privacy groups are known to put a lot of effort into attacking new technologies for a reason. They are concerned that, once the technology is seen in action, we won’t be scared by its hypothetical risks, while its benefits will be easier to assess. Once that happens, imposing new privacy laws gets a lot harder. To… Continue Reading

Europe’s ‘Right to be Forgotten’ Privacy Protection Moving to the US?

Posted in Data Breach, International, Privacy Regulation

In a recent post, Eugene Volokh of the Volokh Conspiracy discussed whether it can ever be libelous to say, accurately, that someone has been arrested after the arrest has been expunged. The New Jersey Supreme Court rightly described the idea as Orwellian and rejected it. However, in Europe a version of this rule is… Continue Reading

What Happened to the Cybersecurity Bill?

Posted in Cybersecurity and Cyberwar, Privacy Regulation, Security Programs & Policies

The cybersecurity bill is dead for this Congress, with cloture failing by a vote of 52-46. The Senate’s failure to reach any kind of compromise is particularly striking, given that roughly two-thirds of the basic ideas in the bill had been endorsed by all of the following: the Obama administration, Senator McCain and the great… Continue Reading

The Cybersecurity Act of 2012; Hacker Protection

Posted in Cybersecurity and Cyberwar, Data Breach, Privacy Regulation, Security Programs & Policies

A revised draft of the cybersecurity bill contains information sharing provisions that were heavily negotiated between the Obama administration and privacy groups. This effort at compromise has prompted the usual ambiguous praise from privacy groups. The Electronic Frontier Foundation, though “pleased” with the progress, complained that the measure still “contains broad language around the ability… Continue Reading

California Boosts Privacy Enforcement

Posted in Data Breach, Privacy Regulation

California Attorney General Kamala Harris announced yesterday that she is creating a Privacy Enforcement and Protection Unit in her office. The PEPU, which will consist of six prosecutors, will be responsible for prosecuting companies that violate the state’s privacy laws. California, of course, has been at the vanguard of privacy protection, enacting the nation’s first… Continue Reading

New ABA Book on National Security Law

Posted in Cybersecurity and Cyberwar, Security Programs & Policies

The ABA’s Standing Committee on Law and National Security has just released a sequel to its first book on national security legal topics. The first book, Patriot Debates, focused heavily on the USA Patriot Act. The second book, Patriots Debate, is a wider-ranging look at law and national security. Both volumes are distinguished by several… Continue Reading

China Could Have “Pervasive Access” to 80% of Global Communications Through Huawei and ZTE

Posted in China, International, Security Programs & Policies

This is the claim of former Pentagon analyst F. Michael Maloof that stories and podcasts are repeating but provide much new supporting evidence. Maloof’s own report is interesting and extensive, and it does indeed make the claim I’ve headlined: The Chinese government has “pervasive access” to some 80 percent of the world’s communications, giving it the ability to… Continue Reading

More Trouble for ZTE

Posted in China, International, Privacy Regulation

ZTE, the huge Chinese telecom equipment manufacturer, has found itself in a kind of perfect storm, a storm largely of its own making. First, ZTE and its larger Chinese rival, Huawei, have been the subjects of great national security concern for years. As I discussed last month, the US intelligence community is worried that, if allowed to install equipment… Continue Reading

The First Circuit and Cybersecurity

Posted in Cybersecurity and Cyberwar, Privacy Regulation, Security Programs & Policies

Can you hear the legal ground shifting under the feet of the banks? Many small businesses are now infected by keylogging software. Hackers use it to steal banking credentials and make wire transfers. It is very difficult to keep the hackers out, at least for small businesses. The most promising way to defeat such fraud is for… Continue Reading

China-US “Proxy” Cyberwar Negotiations?

Posted in China, Cybersecurity and Cyberwar, International

Over the past three years think tanks in China and in the US have been conducting what could be called “proxy” negotiations on cyberwar and cyberespionage. The China Institutes of Contemporary International Relations and the US Center for Strategic and International Studies are establishment institutions, with just enough independence from their governments to make the talks… Continue Reading