Header graphic for print
Steptoe Cyberblog

Tag Archives: network security

Steptoe Cyberlaw Podcast – Interview with Dmitri Alperovich

Posted in China, Cybersecurity and Cyberwar, Data Breach, International, Privacy Regulation, Security Programs & Policies

This week in NSA: We take a look at the other half of the Lofgren amendment, which prohibits NSA and CIA from asking a company to “alter its product or service to permit electronic surveillance.”  So if Mullah Omar orders a phone from Amazon, the government can’t ask Amazon to put a bug in it… Continue Reading

Steptoe Cyberlaw Podcast – Interview with Ed Stroz

Posted in Cybersecurity and Cyberwar, Data Breach, International, Security Programs & Policies

In our eighth episode of the Steptoe Cyberlaw Podcast, Stewart Baker, Michael Vatis, Jason Weinstein and guest commentators Stephen Heifetz and Stephanie Roy discuss: This week in NSA/Snowden: Law Firm Surveillance Report Cited in Legal Challenge and Report: American law firm’s communications spied on; Merkel Backs Plan to Keep European Data in Europe and EU… Continue Reading

Steptoe Cyberlaw Podcast – Interview with Steve Chabinsky

Posted in Cybersecurity and Cyberwar, Data Breach, Security Programs & Policies

In our seventh episode of the Steptoe Cyberlaw Podcast, Jason Weinstein discusses: This week in NSA: Clapper says Snowden exploited perfect storm of security lapses/Snowden swiped password from NSA coworker; FISA Court backs Pres. Obama’s changes to phone metadata program/government seeking info about private sector’s ability to hold the data; Rand Paul sues Pres. Obama… Continue Reading

Hackback Backers’ Comeback?

Posted in China, Cybersecurity and Cyberwar, Data Breach, International, Security Programs & Policies

The US-China Economic and Security Review Commission has issued its annual report. It reminds us that, while press and privacy campaigners have been hyperventilating over US intelligence programs, there are, you know, actual authoritarian governments at work in the United States — breaking into the networks of activists whom they dislike, newspapers whose sources they… Continue Reading

NIST Issues Preliminary Cybersecurity Framework — Cybersecurity Hardest Hit

Posted in Cybersecurity and Cyberwar, Security Programs & Policies

NIST has revised the draft cybersecurity framework that it released in August. What it published today is a “preliminary cybersecurity framework.” After comments, a final framework will be released in February. I’ve been very critical of the draft released in August. NIST clearly worked to address the criticisms. The result is a mixed bag, but the… Continue Reading

How NIST’s Cybersecurity Framework Could Reduce Cybersecurity

Posted in Cybersecurity and Cyberwar, Privacy Regulation, Security Programs & Policies

In my first post about NIST’s draft cybersecurity framework I explained its basic problem as a spur to better security: It doesn’t actually require companies to do much to improve their network security. My second post argued that the framework’s privacy appendix, under the guise of protecting cybersecurity, actually creates a tough new privacy requirement… Continue Reading

Is NIST turning weak cybersecurity standards into aggressive new privacy regulation?

Posted in Cybersecurity and Cyberwar, Privacy Regulation, Security Programs & Policies

Following up on my earlier NIST post, it’s fair to ask why I think the NIST Cybersecurity Framework will be a regulatory disaster. After all, as I acknowledged in that post, NIST’s standards for cybersecurity are looking far less prescriptive than business feared. There’s not a “shall” or “should” to be found in NIST’s August… Continue Reading

Who’s Afraid of the NIST Cybersecurity Framework?

Posted in Cybersecurity and Cyberwar, Privacy Regulation, Security Programs & Policies

Business and conservatives have been worried all year about the cybersecurity standards framework that NIST (the National Institute of Standards and Technology) is drafting. An executive order issued early this year, after cybersecurity legislation stalled on the Hill, told NIST to assemble a set of standards to address cyber risks. Once they’re adopted, the order… Continue Reading

Intelligence Under Law – Judiciary Testimony

Posted in Cybersecurity and Cyberwar, Privacy Regulation, Security Programs & Policies

I will be testifying today to the full House Judiciary Committee about FISA, NSA and the Snowden flap. You can download my full prepared remarks here. In short I used this opportunity to muse on the resemblance between today and the waning Clinton era; I discuss the (surprisingly short) history of viewing intelligence as a… Continue Reading

Lessons From the New York ATM Heist

Posted in Cybersecurity and Cyberwar, Data Breach, International, Security Programs & Policies

The announcement yesterday of charges in New York against eight members of a cybercrime ring that stole $40 million from ATMs in 24 countries, all within 10 hours, is the latest in a series of episodes that illustrate the constant threat of cyber attacks against our corporate networks. This case should be a wake-up call… Continue Reading

The Question of ‘International Law of Cyberwar’

Posted in Cybersecurity and Cyberwar, International, Security Programs & Policies

Will international law and diplomacy limit cyberwar? Those who believe in international “norms” for cyberwar usually argue that cyberattacks on financial institutions are beyond the pale. For example, Harold Koh has declared the State Department’s view that cyberwarriors “must distinguish military objectives … from civilian objects, which under international law are generally protected from attack.”… Continue Reading

Hacking Hollywood

Posted in China, Cybersecurity and Cyberwar, Data Breach, International, Security Programs & Policies

That might sound like breaking news from 1983, but this time we’re not talking movie plots, we’re talking business. Specifically how Chinese cyberespionage could affect Hollywood’s bottom line. The Hollywood Reporter asked me to talk about that impact in a guest column, out this week. Here’s some of what I said: Hollywood might be blinded… Continue Reading

Up the Ladder We Go

Posted in China, Cybersecurity and Cyberwar, International, Security Programs & Policies

Once again, Ellen Nakashima of The Washington Post has broken a cybersecurity story: A new intelligence assessment has concluded that the United States is the target of a massive, sustained cyber-espionage campaign that is threatening the country’s economic competitiveness, according to individuals familiar with the report. The National Intelligence Estimate identifies China as the country… Continue Reading

Anonymous Attacks Again

Posted in Cybersecurity and Cyberwar, Data Breach, Privacy Regulation, Security Programs & Policies

Anonymous is claiming to have struck a blow in Aaron Swartz’s memory. It has hacked the website of the US Sentencing Commission and posted a long manifesto and a group of files named after Supreme Court Justices. The manifesto suggests that the files contain embarrassing secrets and says that the secrets will be revealed in… Continue Reading

Corporate Network Defense: When Seconds Count, the FBI is Years Behind

Posted in Cybersecurity and Cyberwar, Data Breach, Security Programs & Policies

The Washington Post’s Ellen Nakashima wrote another cutting-edge article on innovative approaches to network defense.  I’ve blogged before about honeytokens, deceptive files that leave hackers with false data while flagging the intrusion to defenders.  The article suggests that their use is growing, as other defensive techniques prove ineffective: Brown Printing Co…began planting fake data in… Continue Reading

The Hackback Debate

Posted in Cybersecurity and Cyberwar, Privacy Regulation, Security Programs & Policies

The vulnerability of computer networks to hacking grows more troubling every year. No network is safe, and hacking has evolved from an obscure hobby to a major national security concern. Cybercrime has cost consumers and banks billions of dollars. Yet few cyberspies or cybercriminals have been caught and punished. Law enforcement is overwhelmed both by… Continue Reading

Taking the Offense to Defend Networks – Another Perspective

Posted in Cybersecurity and Cyberwar, Privacy Regulation

One can certainly understand the frustration of private companies that are repeatedly subject to cyberattacks, and seem to have little ability to keep the intruders out or to get overstretched law enforcement agencies interested in investigating. But the idea of changing the law to authorize “hacking back” is a dangerous one, and unlikely to fix… Continue Reading

Taking the Offense to Defend Networks

Posted in Cybersecurity and Cyberwar, Privacy Regulation

Joseph Menn has an interesting Reuters article on a growing sentiment within network security circles: Frustrated by their inability to stop sophisticated hacking attacks or use the law to punish their assailants, an increasing number of US companies are taking retaliatory action. Known in the cyber security industry as “active defense” or “strike-back” technology, the reprisals… Continue Reading