Government policymakers have been hoping for twenty years that companies will be driven to good cybersecurity by the threat of tort liability. That hope is understandable. Tort liability would allow government to get the benefit of regulating cybersecurity without taking heat for imposing restrictions directly on the digital economy.

Those who see tort law as

Here we go again. A prominent company suffers a data breach. The company publicly alerts its customers. The company almost immediately finds itself the subject of inquiries from Congress and the target of investigations by regulators. Before long, class action lawyers will crank out complaints as if they’re Mad Libs, filling in the name of

Almost immediately after the Republican National Committee adopted an error-filled resolution attacking the NSA and its telephone metadata program, current and former GOP officials took a strong stand against the RNC resolution:

[T]he RNC resolution threatens to do great damage to the security of the nation. It would be foolhardy to end the

The old Cold War export control alliance, now known as the Wassenaar Arrangement, hasn’t exactly been a hotbed of new controls since Russia joined the club. But according to the Financial Times, the 41-nation group is preparing a broad new set of controls on complex surveillance and hacking software and cryptography. I suspect that the

The US-China Economic and Security Review Commission has issued its annual report. It reminds us that, while press and privacy campaigners have been hyperventilating over US intelligence programs, there are, you know, actual authoritarian governments at work in the United States — breaking into the networks of activists whom they dislike, newspapers whose sources

NIST has revised the draft cybersecurity framework that it released in August. What it published today is a “preliminary cybersecurity framework.” After comments, a final framework will be released in February.

I’ve been very critical of the draft released in August. NIST clearly worked to address the criticisms.

The result is a mixed

I’ve been critical of the claim that European privacy law offers more protection against government surveillance than American law. Apparently not critical enough. An Ars Technica reporter with a pro-privacy inclination decided to seriously investigate using a German email system to get the benefits of European privacy law.

His tale of disillusionment revealed three