Steptoe Cyberblog

Tag Archives: cyberattack

Steptoe Cyberlaw Podcast – Interview with Jim Lewis

Posted in Cybersecurity and Cyberwar, International, Privacy Regulation, Security Programs & Policies

This week’s cyberlaw podcast begins as always with the week in NSA. We suspect that a second tech exec meeting with the President (for two hours!) bodes ill for the intelligence community, or at least the 215 metadata program, as does the shifting position of usually stalwart NSA supporters like Dianne Feinstein and Dutch Ruppersberger…

Time for a change in the cybersecurity paradigm

Posted in Cybersecurity and Cyberwar, Security Programs & Policies

Earlier today the Wall Street Journal’s Risk and Compliance Journal published an interview with me and Steve Chabinsky from Crowdstrike about cybersecurity. In the interview, Steve and I make the case that the current paradigm for protecting companies against cyberattacks isn’t working, and that fixing it involves focusing on aligning private sector and government resources…

Steptoe Cyberlaw Podcast – Interview with Ed Stroz

Posted in Cybersecurity and Cyberwar, Data Breach, International, Security Programs & Policies

In our eighth episode of the Steptoe Cyberlaw Podcast, Stewart Baker, Michael Vatis, Jason Weinstein and guest commentators Stephen Heifetz and Stephanie Roy discuss: This week in NSA/Snowden: Law Firm Surveillance Report Cited in Legal Challenge and Report: American law firm’s communications spied on; Merkel Backs Plan to Keep European Data in Europe and EU…

Steptoe Cyberlaw Podcast – Interview with John Rizzo

Posted in Cybersecurity and Cyberwar, Data Breach, Privacy Regulation, Security Programs & Policies

In our sixth episode of the Steptoe Cyberlaw Podcast, Stewart Baker, Michael Vatis, and Jason Weinstein discuss: This Week in NSA: Transparency reports disclose Foreign Intelligence Surveillance orders and telephony metadata program is not tracking as much as previously thought Target breach update: hackers got in through HVAC contractor and Senate Judiciary Committee hearing and…

Another Takeaway from TARGET: Are you being targeted through your vendors?

Posted in Data Breach, Security Programs & Policies

Yesterday TARGET announced that the hackers who committed the breach that has potentially affected as many as 110 million customers gained access to its systems through one of its vendors. Although the details are still emerging as the forensic investigation continues, this early report is a reminder that your vendors can be a potential source…

Republican National Committee draws fire for resolution condemning NSA

Posted in Cybersecurity and Cyberwar, Privacy Regulation, Security Programs & Policies

Almost immediately after the Republican National Committee adopted an error-filled resolution attacking the NSA and its telephone metadata program, current and former GOP officials took a strong stand against the RNC resolution: [T]he RNC resolution threatens to do great damage to the security of the nation. It would be foolhardy to end the program without…

Steptoe Cyberlaw Podcast – Episode Two

Posted in Privacy Regulation, Security Programs & Policies

Welcome to the next installment of the new Steptoe Cyberlaw Podcast. In our second episode, Stewart Baker, Michael Vatis, Jason Weinstein, and guest panelist Stephanie Roy predict what the President may say regarding the NSA; discuss the latest update in the Target and Neiman Marcus breaches; and explain the recent net neutrality decision. Download the…

New Controls on Surveillance and Hacking Tools?

Posted in Cybersecurity and Cyberwar, International, Security Programs & Policies

The old Cold War export control alliance, now known as the Wassenaar Arrangement, hasn’t exactly been a hotbed of new controls since Russia joined the club. But according to the Financial Times, the 41-nation group is preparing a broad new set of controls on complex surveillance and hacking software and cryptography. I suspect that the…

Hackback Backers’ Comeback?

Posted in China, Cybersecurity and Cyberwar, Data Breach, International, Security Programs & Policies

The US-China Economic and Security Review Commission has issued its annual report. It reminds us that, while press and privacy campaigners have been hyperventilating over US intelligence programs, there are, you know, actual authoritarian governments at work in the United States — breaking into the networks of activists whom they dislike, newspapers whose sources they…

How NIST’s Cybersecurity Framework Could Reduce Cybersecurity

Posted in Cybersecurity and Cyberwar, Privacy Regulation, Security Programs & Policies

In my first post about NIST’s draft cybersecurity framework I explained its basic problem as a spur to better security: It doesn’t actually require companies to do much to improve their network security. My second post argued that the framework’s privacy appendix, under the guise of protecting cybersecurity, actually creates a tough new privacy requirement…

Is NIST turning weak cybersecurity standards into aggressive new privacy regulation?

Posted in Cybersecurity and Cyberwar, Privacy Regulation, Security Programs & Policies

Following up on my earlier NIST post, it’s fair to ask why I think the NIST Cybersecurity Framework will be a regulatory disaster. After all, as I acknowledged in that post, NIST’s standards for cybersecurity are looking far less prescriptive than business feared. There’s not a “shall” or “should” to be found in NIST’s August…

Who’s Afraid of the NIST Cybersecurity Framework?

Posted in Cybersecurity and Cyberwar, Privacy Regulation, Security Programs & Policies

Business and conservatives have been worried all year about the cybersecurity standards framework that NIST (the National Institute of Standards and Technology) is drafting. An executive order issued early this year, after cybersecurity legislation stalled on the Hill, told NIST to assemble a set of standards to address cyber risks. Once they’re adopted, the order…

Using Attribution to Deter Cyberespionage

Posted in China, Cybersecurity and Cyberwar, International, Security Programs & Policies

Foreign Policy has published my article on how attribution can be used to deter foreign governments’ cyberespionage. Excerpts below: The Obama-Xi summit in Sunnylands ended without any Chinese concessions on cyber-espionage. This came as no surprise; cyber spying has been an indispensable accelerant for China’s military and economic rise. And though Beijing may someday agree that…

Support for Retribution and Active Defense Increases

Posted in China, Cybersecurity and Cyberwar, International, Security Programs & Policies

Chinese hacking continues to build anger in American business and government circles. As a result, private companies may be encouraged to do more than passively defend their networks as evidenced by the recent report of a commission headed by two Obama appointees, former US Ambassador to China (and minor GOP Presidential candidate) Jon Huntsman and…

Lessons From the New York ATM Heist

Posted in Cybersecurity and Cyberwar, Data Breach, International, Security Programs & Policies

The announcement yesterday of charges in New York against eight members of a cybercrime ring that stole $40 million from ATMs in 24 countries, all within 10 hours, is the latest in a series of episodes that illustrate the constant threat of cyber attacks against our corporate networks. This case should be a wake-up call…

The Question of ‘International Law of Cyberwar’

Posted in Cybersecurity and Cyberwar, International, Security Programs & Policies

Will international law and diplomacy limit cyberwar? Those who believe in international “norms” for cyberwar usually argue that cyberattacks on financial institutions are beyond the pale. For example, Harold Koh has declared the State Department’s view that cyberwarriors “must distinguish military objectives … from civilian objects, which under international law are generally protected from attack.”…

Hacking Hollywood

Posted in China, Cybersecurity and Cyberwar, Data Breach, International, Security Programs & Policies

That might sound like breaking news from 1983, but this time we’re not talking movie plots, we’re talking business. Specifically how Chinese cyberespionage could affect Hollywood’s bottom line. The Hollywood Reporter asked me to talk about that impact in a guest column, out this week. Here’s some of what I said: Hollywood might be blinded…

The Hackback Debate Revisited

Posted in Cybersecurity and Cyberwar, Data Breach, International, Privacy Regulation, Security Programs & Policies

Last fall, Orin Kerr and I engaged in an online debate over the Computer Fraud and Abuse Act — specifically whether it is lawful for the victim of computer crime to follow his stolen data into networks controlled by the thief. The debate spread across several posts and into the comments, but it’s been pulled…

Found: The PLA’s University of Hacking

Posted in China, Cybersecurity and Cyberwar, International, Security Programs & Policies

Bloomberg Businessweek has a remarkable story about the identification of another Chinese hacker. It’s a long, tangled, and fascinating tale of good sleuthing by several researchers, but the trail ends with Zhang Changhe, a digital entrepreneur and teacher — at a People’s Liberation Army school that is suspected of training PLA hackers. In the denouement,…