Header graphic for print

Steptoe Cyberblog

The Cyberlaw Podcast — Interview with Shane Harris

Posted in China, Data Breach, Government Contracts, Security Programs & Policies

Episode 198 — Interview with Shane Harris

It turns out that the most interesting policy story about Kaspersky software isn’t why the administration banned its products from government use. It’s why the last administration didn’t.  Shane Harris is our guest for the podcast, delving into the law and politics of the Kaspersky ban.  Along the way, I ask why the Foreign Sovereign Immunities Act, which allows suits against foreign governments for some torts committed in the United States, shouldn’t allow suits against foreign governments that hack computers located in the United States.

In the news, the House comfortably adopts a bill to reauthorized 702 surveillance; the Senate is expected to act today as well. While the House bill makes some changes to the law, it endorses the most moderate of the reform proposals.

In case you haven’t heard, Apple is handing off its iCloud operations to a local cloud storage company – with none of the histrionic civil liberties posturing the company displays in the United States.  Whose data is being transferred to the tender mercies of Chinese authorities? Who knows? Not Apple, which can’t even send out notices to its customers without getting confused about who’s covered by the new policy.

It’s a threepeat for state authority to make online companies collect sales tax from their customers.  The Supreme Court has agreed to reconsider a dormant commerce clause doctrine that it has already affirmed twice.

I apologize to Uber for snarking on their “bounty” payment of $100,000 to a hacker who exposes a serious security flaw and gained access to large amounts of personal data. A good New York Times article demonstrates that the decision to pay up was at least plausibly justified. But as if to demonstrate why the company never gets the benefit of the doubt, Bloomberg reports on Uber’s latest scofflaw-ware scandal. Luckily for journalists everywhere, Uber continues to adopt colorfully damaging nicknames for its scofflaware. In this case their product locked or deleted data sought by local law enforcement with the touch of a panic button. It was named, of course, after Sigourney Weaver’s character, Ripley, who declared that the only way to deal with an alien-infested installation was to “nuke it from orbit.”

Sheila Jackson-Lee gets an admiring mention for winning House passage of a cyber vulnerability disclosure bill that is probably nuanced enough to be adopted by the Senate as well.

And Deputy Attorney General Rosenstein makes a short pitch for “responsible” encryption that actually manages to move the debate forward a step.

Talk about 21st century warfare. Russia is claiming it fought off swarms of drones with cyberweapons. As Nick Weaver points out, that’s just the beginning.

Brian assesses the state of CFIUS reform legislation and the claim that Sen. Cornyn’s bill would result in CFIUS’s regulation of technology transfers that would be better addressed through export controls.

Finally, having already critiqued Apple and Uber, I feel obliged to offer equal time to Twitter, which remarkably can’t even identify advertisements that invite users to log on to fake Twitter sites and steal their credentials. If you want to understand the worst of Silicon Valley, I argue, you shouldn’t look to the big rich companies; it’s the struggling would-be unicorns who show what the Valley really cares about. And security ain’t it. Speaking of which, where is that Ad Transparency Center that Twitter promised any day now back in the fall of 2017?

As always The Cyberlaw Podcast is open to feedback. Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 198th Episode (mp3).

Subscribe to The Cyberlaw Podcast here. We are also on iTunes, Pocket Casts, and Google Play (available for Android and Google Chrome)!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

The Cyberlaw Podcast — Interview with Mara Hvistendahl

Posted in China, European Union, International, Privacy Regulation

Episode 197:  Interview with Mara Hvistendahl

While the US was transfixed by posturing over the Trump presidency, China has been building the future. Chances are you’ll find one part of that future – social credit scoring – both appalling in principle and irresistible in practice. That at least is the lesson I draw from our interview of Mara Hvistendahl, National Fellow at New America and author of the definitive article on the allure, defects and mechanics of China’s emerging social credit system.

In the news roundup, Nick Weaver dives deep on the Spectre and Meltdown security vulnerabilities while I try to draw policy and litigation implications from the debacle. TL;DR — this is bad, but the class actions will settle for pennies. Oh, and xkcd has all you need to know.

I note that US Customs and Border Protection under Trump has imposed new limitations on border searches of electronic devices. So naturally the press is all “Trump has stepped up border searches aggressively.” No good deed unpunished, as they say.

Maury Shenk explains President Macron’s latest plans to regulate cyberspace in the name of fighting Russian electoral interference and fake news. The Germans, meanwhile, have begun implementing their plan to fight hate speech on the internet. Predictably, it looks as though hate speech is winning.

In the litigation outrage of the month, a company called Keeper (apparently a competitor of LastPass and other password managers) got caught distributing software with a security flaw. So they did what any security-conscious company would – they sued the website that publicized the flaw for libel. It’s a crappy suit, and we should all hope they end up assessed with costs and fees. But the real question is this: Google found and disclosed the flaw, while Microsoft distributed Keeper to its users. When will they file as amici to say that no company with a mature security model files STFU libel suits against people who point out legitimate security problems?  TL;DR – Keeper: Loser.

Finally, Hal Martin pleads guilty to one of twenty-plus counts and takes a ten-year sentence. So far, so ordinary in the world of plea bargaining. But as Nick points out, this wasn’t a bargain.  Martin can still be tried and sentenced on all the other counts. And it effectively stipulates the maximum sentence for the one count he’s pleading guilty to. There must be a strategy here, but we can’t say for sure what it is.

As always The Cyberlaw Podcast is open to feedback. Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 197th Episode (mp3).

Subscribe to The Cyberlaw Podcast here. We are also on iTunes, Pocket Casts, and Google Play (available for Android and Google Chrome)!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

The Cyberlaw Podcast — Interview with Elsa Kania

Posted in China, Cybersecurity and Cyberwar, Privacy Regulation, Security Programs & Policies

Episode 196: Did AlphaGo launch an arms race with China?

In this episode, I interview Elsa Kania, author of a Center for a New American Security report on China’s plan for military uses of artificial intelligence – a plan that seems to have been accelerated by the asymmetric impact of AlphaGo on the other side of the Pacific.

In the news, Brian Egan notes that China’s perspective on “sovereignty in cyberspace” was further elaborated at China’s World Internet Conference and I point out that China continues its “two steps forward, one step back” process of bringing US companies to heel on security issues.

Nick Weaver explains that the US financial institutions’ “project doomsday” could just as easily be cast as “fire hydrant standardization.” It could be, but it won’t, at least not by headline writers.

Nick also calls out Apple for failing to follow US law in responding to pen/trap and wiretap orders.

I take a victory lap, as the Director of National Intelligence promises to apply the Gates procedures to unmasking of transition officials. As recommended by me (well, and the House Intelligence Committee).  No need to call them the Baker procedures, though, guys.

Bleeping Computer says Germany is planning backdoors into modern devices.  Maybe so, I offer, but whether that includes encryption is not at all clear.

Finally, Nick digs into the remarkable work that Citizen Lab and Bill Marczak continue to do on authoritarian government hacking. He says, with evidence, that efforts to control sales to untrustworthy governments are actually working.

As always The Cyberlaw Podcast is open to feedback. Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 196th Episode (mp3).

Subscribe to The Cyberlaw Podcast here.  We are also on iTunesPocket Casts, and Google Play (available for Android and Google Chrome)!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

The Cyberlaw Podcast — Interview with Susan Hennessey and Andrew McCarthy

Posted in China, Cybersecurity and Cyberwar, Security Programs & Policies

Interview with Susan Hennessey and Andrew McCarthy

Episode 195 features an interview with Susan Hennessey of Lawfare and Andrew McCarthy of the National Review.  They walk us through the “unmasking” of US identities in intelligence reports — one of the most divisive partisan issues likely to come up in the re-enactment of section 702 of FISA.  I bask momentarily in the glow of being cast as a civil liberties extremist.  And Thidwick the Big-Hearted Moose offers insights into 702 reform.

Steptoe partner Stewart Baker with Susan Hennessey

In the news roundup, I try to count votes after the Supreme Court argument in Carpenter v. United States.  I count at least four likely votes to require a warrant for cell phone location data and only two likely votes for the United States (and the preservation of the third party doctrine).  The other Justices didn’t exactly wear their votes on their sleeve, but the smart money favors a whole new ballgame for criminal discovery.  The Court’s biggest problem will be finding a rationale that doesn’t open up decades of litigation.  Justice Gorsuch distinguishes himself with a rationale that is creative, libertarian-conservative, and, well, cockamamie.

Phil West provides the tech angle on the biggest Congressional news — tax reform and what it means for Silicon Valley

Nick Weaver and Jamil Jaffer walk us through the Justice Department’s impressive haul of indictments and guilty pleas in the world of cyberespionage. Yet another NSA exploit hoarder has been caught and pled guilty.  And for the first time, Justice has the goods on cyberespionage by Boyusec, a Chinese “security” firm tied to China’s Ministry of State Security.  The company has conveniently gone out of business after being outed, but the indictment does raise the question whether the US-China agreement on commercial cyberespionage was really just about which Chinese cyberspies would be allowed to steal US commercial secrets.

There’s yet another flashpoint in China-US cyber relations – drones.  A DHS analyst has publicly trashed the dominant drone maker, China’s DJI, as providing the Chinese government with access to data collected by its drones and as targeting sensitive US infrastructure for its sales.  The DJI response is not exactly nuanced: A DJI spokesman called the report “insane.”

Meanwhile, Uber’s problems seem neverending.  The latest disaster focuses on the company’s use of quick-to-vanish messaging services like Wickr and Telegram. Such services are popular among “Technorati” who like to fancy themselves as targets of government surveillance.  Problem is, when they are under surveillance, or just a discovery obligation, the use of evanescent messaging is often seen as a sign of guilt.  This messaging movement could turn out to be extremely costly – first for Uber and then for Silicon Valley in general.  I’m not sure that putting employees on the honor system not to use those services for company business is going to be enough.

Apple was in the news for giving up root access to anyone who insisted. And its attempt to rush out a patch wins the Equifax Prize for Breach Fixes That Create New Security Problems. Perhaps the security team was off providing support to Tim Cook for his keynote speech at the celebration of the Chinese internet (“We are proud to have worked alongside many of our partners in China to help build a community that will join a common future in cyberspace.”)  Nick Weaver suggests as a result that we take a closer look at Facetime intercept capability.

Finally, it’s down to the wire on 702.  Jamil Jaffer, Susan Hennessey and our other commentators think we may escape without too much damage to the intelligence program.

As always The Cyberlaw Podcast is open to feedback. Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 195th Episode (mp3).

Subscribe to The Cyberlaw Podcast here.  We are also on iTunesPocket Casts, and Google Play (available for Android and Google Chrome)!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Defense Contractors Take Note: NIST’s Compliance Deadline is Almost Here!

Posted in Government Contracts

Steptoe’s Government Contracts Group recently issued an interesting advisory for defense contractors:

The end of the year approaches and that means Department of Defense (DoD) contractors must make changes to their own unclassified information systems to comply with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.

This advisory provides an overview of the clause and identifies recently released guidance from DoD and NIST to assist with implementation of the NIST standards. Click here to read more.

The Global Reach of GDPR

Posted in European Union, Privacy Regulation

The Global Reach of GDPR – Steptoe Webinar Series

As the deadline approaches for the EU General Data Protection Regulation to take effect, please join us for Part I of a Steptoe webinar series titled “The Long Arm of the New EU Data Protection Jurisdiction” on Wednesday, December 6 from 5:00 – 6:00 pm CET.  Click here to register.

The Cyberlaw Podcast — Interview with Rob Reid

Posted in Cybersecurity and Cyberwar, European Union, International

Episode 194: Mass Bioterrorism, Runaway Artificial Intelligence, and Other Romps with Rob Reid

Our interview this week is with Rob Reid, author of After On and Year Zero, two books that manage to translate serious technology nightmares into science fiction romps.  We cover a lot of ground: synbio and giving eighth graders the tools for mass human extinction, the possibility that artificial intelligence will achieve takeoff and begin to act counter to humanity’s interests in a matter of hours. Along the way, we consider the possibility that the first AI will arise from a social media behemoth and will devote its exponential power to maximizing human hookups.

In the news, we explore the massive PR disaster that is the Uber data breach and reach the surprising conclusion that the whole thing may turn out worse in the media than in the courts.  Except in the EU, Maury Shenk reminds me.  Europe just hates Uber viscerally.  So much so that Jim Lewis suggests the company’s EU subsidiary will soon have to be renamed Unter.

Actually, it’s not just Uber the EU hates.  It’s all things technological, at least to judge by the European Parliament’s latest plan to use export controls to cripple technology companies whose products can be misused by authoritarian governments.

I note the release of the ODNI’s report on the intelligence community’s “masking” of US identities in intel reports.  We talk about the temptation to weaponized unmasking during transitions, and I ask why the “Gates procedures” that provide special protection for unmasking of Congressional identities shouldn’t also be used to protect Presidential transition teams.

Jim and I discuss Russia’s imposition of constraints on Radio Free Europe that match the new restrictions on RT in the US.  Jim and I struggle toward a Universal Theory of Putin as Overrated Global Troll.

Remember those Chinese “security” cameras deployed by US agencies that we covered in the last episode?  Yeah, it’s worse than you thought: the Chinese are getting close to identifying everyone caught on camera using gait and facial recognition.

I note that Sen. Wyden (D-OR) has another campaign underway to imply that the Justice Department is imposing decryption assistance requirements under FISA without judicial review.  In fact, if there is such an effort, the company on the receiving end already has a judicial remedy.  And Maury explains that the head of Germany’s new cybersecurity agency is joining the German government chorus arguing for “hack back,” but only by the German government.

My candidate for Dumbest Public Policy Battle of the Season:  The complaint that someone faked a bunch of meaningless, content-free comments on net neutrality.  The problem is really the idea that the policy debate should be influenced by counting votes in the World’s Skeeviest Online Poll, an idea that seems to have sparked a kind of bot arms race between supporters and opponents of the FCC’s policy.

And my candidate for Coolest Technology Story of the Season:  Feeding graphene to spiders and discovering that it greatly strengthens their webs.  Every fifteen-year-old science fair participant should take heart: It turns out that with great quantities of graphene comes great responsibility.

As always The Cyberlaw Podcast is open to feedback. Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 194th Episode (mp3).

Subscribe to The Cyberlaw Podcast here.  We are also on iTunesPocket Casts, and Google Play (available for Android and Google Chrome)!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

The Cyberlaw Podcast — Interview with David Ignatius

Posted in China, Cybersecurity and Cyberwar, Data Breach, International

Episode 193:  David Ignatius and The Quantum Spy

We celebrate the holiday season by interviewing David Ignatius, Columnist and Associate Editor at The Washington Post and the author of multiple spy thrillers, including his most recent, The Quantum Spy.  David and I discuss themes from the book, from quantum computing to ethnic and gender tensions at the Agency, while managing to avoid spoilers. It’s a fun and insightful work.

Steptoe partner Stewart Baker with David Ignatius.

In the news, I flag Twitter’s weird journey from the free speech wing of the free speech party to the censorship wing of the Censor’s Party.  Twitter is now revoking the verification checks for people whose speech it disapproves of.  It’s even de-checking people based on its assessment of their off-line conduct.  So maybe that should be the Stasi wing of the Censor’s Party.  And, not surprisingly, given Silicon Valley’s steep leftward-tilt, the censorship seems to fall far more harshly on the right than on less PC targets.

Markham Erickson and I treat Twitter’s wobbly stance as a symptom of the breakdown of the Magaziner Consensus, as both left and right for their own reasons come to view Big Tech with suspicion.  Markham has shrewd observations about what it all means for the (questionable) future of social media’s section 230 immunity.

We dive into a surprising new analysis of China’s “50c Army.”  Turns out that the Chinese government strategy for flooding the internet is 180 degrees off from Russia’s.  Instead of a Trollfest, Chinese government-funded social media is saccharine sweet.  Cheerleading and changing the subject are what its army does best.

Markham, Brian Egan, and I give broadly positive reviews to the US government’s recently announced Vulnerability Equities Process.  And, in a correction to those who’ve said that other countries don’t have such a process, I point to evidence that China has one – in which all the equities seem to point to exploit, exploit, exploit.

All of which ought to turn the story of US agencies using Chinese “security” cameras from disquieting to positively frightening.  Speaking of which, the Chinese company that made your drone has provided a case study on how not to do a bug bounty program.  Read it and weep.

On a lighter note, we talk backflipping robots and a surprising peril of traveling with your family this holiday season – thumbprint phone security failure followed by titanic spousal air rage.  Where is Tim Cook’s privacy schtick when we really need it?

As always The Cyberlaw Podcast is open to feedback. Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 193rd Episode (mp3).

Subscribe to The Cyberlaw Podcast here. We are also on iTunes, Pocket Casts, and Google Play (available for Android and Google Chrome)!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

The Cyberlaw Podcast — Discussion with Michael Sulmeyer and Nicholas Weaver

Posted in Cybersecurity and Cyberwar, Data Breach

Episode 192: Discussion with Michael Sulmeyer and Nicholas Weaver

With the Texas church shooting having put encryption back on the front burner, I claim that Apple is becoming the FBI’s crazy ex-girlfriend in Silicon Valley — and offer the tapes to prove it. When Nick Weaver rises to Apple’s defense, I point out that Apple responded to a Chinese government man-in-the-middle attack on iCloud users with spineless obfuscation rather than a brave defense of user privacy.  Nick asks for a citation. Here it is: https://support.apple.com/en-us/HT203126 (Careful:  don’t click without a chiropractor standing by.) Nick provides actual news to supplement the NYT’s largely news-free front page story about leak and mole fears at NSA. I gloat, briefly, over hackback’s new respectability, as the ACDC act acquires new cosponsors, including Trey Gowdy, and hacking back acquires new respectability. But not everywhere. Michael Sulmeyer finally gets a word in edgewise as the conversation shifts to the NDAA passes.  He discusses the MGT Act, the growing Armed Services Committee oversight of cyberoperations, and the decision to lift — and perhaps separate — Cyber Command from NSA.  I take issue with any decision that requires that a three-star NSA director argue intelligence equities with a four-star combatant commander. We end with Michael Sulmeyer and I walking through the challenges for DoD of deterring cyberattacks.  We both end up expressing skepticism about the current path.

As always The Cyberlaw Podcast is open to feedback. Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 192nd Episode (mp3).

Subscribe to The Cyberlaw Podcast here. We are also on iTunes, Pocket Casts, and Google Play (available for Android and Google Chrome)!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

The Cyberlaw Podcast — Election Cybersecurity Panel with Chris Krebs and Ed Felten

Posted in Security Programs & Policies

191: Election security may be better than you think.  Unless you live in New Jersey.

Episode 191 is our long-awaited election security podcast before a live, and lively, audience.  Our panel consists of Chris Krebs, formerly of Microsoft and now the top cybersecurity official at DHS (with the longest title in the federal government as proof), and Ed Felten, formerly the deputy CTO of the federal government and currently Princeton professor focused on cybersecurity and policy.  We walk through the many stages of election machinery and the many ways that digitizing those stages has introduced new insecurities into our election results.

When all is said and done, however, the entire panel ends up more or less in one place:  Election security is not to be taken for granted; it will be hard to achieve, but it’s not impossible, or even unaffordable.  With sufficient will and focus, and perhaps a touch of Ned Ludd, we may be able to overcome the risk of foreign hackers interfering in our elections.  At least outside of New Jersey.

As always The Cyberlaw Podcast is open to feedback. Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 191th Episode (mp3).

Subscribe to The Cyberlaw Podcast here. We are also on iTunes, Pocket Casts, and Google Play (available for Android and Google Chrome)!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Steptoe partner Stewart Baker with Ed Felten (left) and Chris Krebs (right)