Header graphic for print
Steptoe Cyberblog

Tag Archives: hacking

Steptoe Cyberlaw Podcast – Interview with Ed Stroz

Posted in Cybersecurity and Cyberwar, Data Breach, International, Security Programs & Policies

In our eighth episode of the Steptoe Cyberlaw Podcast, Stewart Baker, Michael Vatis, Jason Weinstein and guest commentators Stephen Heifetz and Stephanie Roy discuss: This week in NSA/Snowden: Law Firm Surveillance Report Cited in Legal Challenge and Report: American law firm’s communications spied on; Merkel Backs Plan to Keep European Data in Europe and EU… Continue Reading

Steptoe Cyberlaw Podcast – Interview with Steve Chabinsky

Posted in Cybersecurity and Cyberwar, Data Breach, Security Programs & Policies

In our seventh episode of the Steptoe Cyberlaw Podcast, Jason Weinstein discusses: This week in NSA: Clapper says Snowden exploited perfect storm of security lapses/Snowden swiped password from NSA coworker; FISA Court backs Pres. Obama’s changes to phone metadata program/government seeking info about private sector’s ability to hold the data; Rand Paul sues Pres. Obama… Continue Reading

Another Takeaway from TARGET: Are you being targeted through your vendors?

Posted in Data Breach, Security Programs & Policies

Yesterday TARGET announced that the hackers who committed the breach that has potentially affected as many as 110 million customers gained access to its systems through one of its vendors. Although the details are still emerging as the forensic investigation continues, this early report is a reminder that your vendors can be a potential source… Continue Reading

Steptoe Cyberlaw Podcast – Episode Two

Posted in Privacy Regulation, Security Programs & Policies

Welcome to the next installment of the new Steptoe Cyberlaw Podcast. In our second episode, Stewart Baker, Michael Vatis, Jason Weinstein, and guest panelist Stephanie Roy predict what the President may say regarding the NSA; discuss the latest update in the Target and Nieman Marcus breaches; and explain the recent net neutrality decision. Download the… Continue Reading

Is the Congressional Response to the Target Breach Off-Target?

Posted in Data Breach, Security Programs & Policies

In the aftermath of the TARGET breach announced last month, there has been much talk of how to respond to large-scale breaches of this type.  Lawmakers are eager to write legislation to increase the FTC’s enforcement powers and create a national breach notification standard.  But if the congressional response focuses entirely on breach notification and… Continue Reading

The Shorter Matt Blaze: NSA Hacking Is OK, As Long As We Take Away Its Best Hacking Tools

Posted in Privacy Regulation, Security Programs & Policies

Matt Blaze, a well-known public cryptographer and NSA critic, offered what seemed like a modest concession in the relentless campaign against NSA intelligence gathering: The NSA’s tools are very sharp indeed, even in the presence of communications networks that are well hardened against eavesdropping. How can this be good news? It isn’t if you’re a… Continue Reading

New Controls on Surveillance and Hacking Tools?

Posted in Cybersecurity and Cyberwar, International, Security Programs & Policies

The old Cold War export control alliance, now known as the Wassenaar Arrangement, hasn’t exactly been a hotbed of new controls since Russia joined the club. But according to the Financial Times, the 41-nation group is preparing a broad new set of controls on complex surveillance and hacking software and cryptography. I suspect that the… Continue Reading

Hackback Backers’ Comeback?

Posted in China, Cybersecurity and Cyberwar, Data Breach, International, Security Programs & Policies

The US-China Economic and Security Review Commission has issued its annual report. It reminds us that, while press and privacy campaigners have been hyperventilating over US intelligence programs, there are, you know, actual authoritarian governments at work in the United States — breaking into the networks of activists whom they dislike, newspapers whose sources they… Continue Reading

How NIST’s Cybersecurity Framework Could Reduce Cybersecurity

Posted in Cybersecurity and Cyberwar, Privacy Regulation, Security Programs & Policies

In my first post about NIST’s draft cybersecurity framework I explained its basic problem as a spur to better security: It doesn’t actually require companies to do much to improve their network security. My second post argued that the framework’s privacy appendix, under the guise of protecting cybersecurity, actually creates a tough new privacy requirement… Continue Reading

Is NIST turning weak cybersecurity standards into aggressive new privacy regulation?

Posted in Cybersecurity and Cyberwar, Privacy Regulation, Security Programs & Policies

Following up on my earlier NIST post, it’s fair to ask why I think the NIST Cybersecurity Framework will be a regulatory disaster. After all, as I acknowledged in that post, NIST’s standards for cybersecurity are looking far less prescriptive than business feared. There’s not a “shall” or “should” to be found in NIST’s August… Continue Reading

Who’s Afraid of the NIST Cybersecurity Framework?

Posted in Cybersecurity and Cyberwar, Privacy Regulation, Security Programs & Policies

Business and conservatives have been worried all year about the cybersecurity standards framework that NIST (the National Institute of Standards and Technology) is drafting. An executive order issued early this year, after cybersecurity legislation stalled on the Hill, told NIST to assemble a set of standards to address cyber risks. Once they’re adopted, the order… Continue Reading

Support for Retribution and Active Defense Increases

Posted in China, Cybersecurity and Cyberwar, International, Security Programs & Policies

Chinese hacking continues to build anger in American business and government circles. As a result, private companies may be encouraged to do more than passively defend their networks as evidenced by the recent report of a commission headed by two Obama appointees, former US Ambassador to China (and minor GOP Presidential candidate) Jon Huntsman and… Continue Reading

Lessons From the New York ATM Heist

Posted in Cybersecurity and Cyberwar, Data Breach, International, Security Programs & Policies

The announcement yesterday of charges in New York against eight members of a cybercrime ring that stole $40 million from ATMs in 24 countries, all within 10 hours, is the latest in a series of episodes that illustrate the constant threat of cyber attacks against our corporate networks. This case should be a wake-up call… Continue Reading

Amendments to CISPA a Threat to Cybersecurity?

Posted in Cybersecurity and Cyberwar, Privacy Regulation

In response to some of the privacy criticisms of the Cyber Intelligence Sharing and Protection Act (CISPA), the House Intelligence Committee is proposing amendments to the bill.  Politico’s Tony Romm reports on some of the likely amendments: Still another amendment specifies clearly that CISPA won’t allow companies to “hack back” their hackers in pursuit of… Continue Reading

The Question of ‘International Law of Cyberwar’

Posted in Cybersecurity and Cyberwar, International, Security Programs & Policies

Will international law and diplomacy limit cyberwar? Those who believe in international “norms” for cyberwar usually argue that cyberattacks on financial institutions are beyond the pale. For example, Harold Koh has declared the State Department’s view that cyberwarriors “must distinguish military objectives … from civilian objects, which under international law are generally protected from attack.”… Continue Reading

Hacking Hollywood

Posted in China, Cybersecurity and Cyberwar, Data Breach, International, Security Programs & Policies

That might sound like breaking news from 1983, but this time we’re not talking movie plots, we’re talking business. Specifically how Chinese cyberespionage could affect Hollywood’s bottom line. The Hollywood Reporter asked me to talk about that impact in a guest column, out this week. Here’s some of what I said: Hollywood might be blinded… Continue Reading

The Hackback Debate Revisited

Posted in Cybersecurity and Cyberwar, Data Breach, International, Privacy Regulation, Security Programs & Policies

Last fall, Orin Kerr and I engaged in an online debate over the Computer Fraud and Abuse Act — specifically whether it is lawful for the victim of computer crime to follow his stolen data into networks controlled by the thief. The debate spread across several posts and into the comments, but it’s been pulled… Continue Reading

Found: The PLA’s University of Hacking

Posted in China, Cybersecurity and Cyberwar, International, Security Programs & Policies

Bloomberg Businessweek has a remarkable story about the identification of another Chinese hacker. It’s a long, tangled, and fascinating tale of good sleuthing by several researchers, but the trail ends with Zhang Changhe, a digital entrepreneur and teacher — at a People’s Liberation Army school that is suspected of training PLA hackers. In the denouement,… Continue Reading

A Soft Counterattack on Private Counterhacks

Posted in Cybersecurity and Cyberwar, Data Breach, Privacy Regulation, Security Programs & Policies

Herb Lin of the National Research Council has launched the first, soft counterattack on those who think victims of cyberespionage should have greater leeway to respond directly to intrusions. Herb always strives for some balance in his work, but it’s clear that he’s a skeptic, concluding “It is not clear that the use of offensive… Continue Reading

Up the Ladder We Go

Posted in China, Cybersecurity and Cyberwar, International, Security Programs & Policies

Once again, Ellen Nakashima of The Washington Post has broken a cybersecurity story: A new intelligence assessment has concluded that the United States is the target of a massive, sustained cyber-espionage campaign that is threatening the country’s economic competitiveness, according to individuals familiar with the report. The National Intelligence Estimate identifies China as the country… Continue Reading

Corporate Network Defense: When Seconds Count, the FBI is Years Behind

Posted in Cybersecurity and Cyberwar, Data Breach, Security Programs & Policies

The Washington Post’s Ellen Nakashima wrote another cutting-edge article on innovative approaches to network defense.  I’ve blogged before about honeytokens, deceptive files that leave hackers with false data while flagging the intrusion to defenders.  The article suggests that their use is growing, as other defensive techniques prove ineffective: Brown Printing Co…began planting fake data in… Continue Reading