Steptoe Cyberblog

Yearly Archives: 2012

Careers in Computer Security

Posted in Cybersecurity and Cyberwar

One of the things I like about computer security is how uncredentialed the whole field is. Very few senior computer security people started their careers in the field. One of the best I knew started her career as a nurse; others as cops; a few as lawyers. Some even started in computer science. But this… Continue Reading

Taking the Offense to Defend Networks – Another Perspective

Posted in Cybersecurity and Cyberwar, Privacy Regulation

One can certainly understand the frustration of private companies that are repeatedly subject to cyberattacks, and seem to have little ability to keep the intruders out or to get overstretched law enforcement agencies interested in investigating. But the idea of changing the law to authorize “hacking back” is a dangerous one, and unlikely to fix… Continue Reading

Taking the Offense to Defend Networks

Posted in Cybersecurity and Cyberwar, Privacy Regulation

Joseph Menn has an interesting Reuters article on a growing sentiment within network security circles: Frustrated by their inability to stop sophisticated hacking attacks or use the law to punish their assailants, an increasing number of US companies are taking retaliatory action. Known in the cyber security industry as “active defense” or “strike-back” technology, the reprisals… Continue Reading

Chinese Telecom Firms Investigated by House Intelligence Committee

Posted in China, Cybersecurity and Cyberwar, International, Security Programs & Policies

The House Intelligence Committee is conducting a remarkably detailed and bipartisan investigation (subscription required) of ties between two Chinese telecom equipment giants, Huawei and ZTE, and the Chinese government. Widespread security fears have been targeted at these companies over concerns that their equipment would enable Chinese interception of US telephone calls, expanding American cybervulnerabilities from computer networks… Continue Reading

Americans Torn on Cybersecurity

Posted in Cybersecurity and Cyberwar, Security Programs & Policies

A new Washington Post poll suggests that the American public is divided over what to do about cyber threats. And the division does not correlate with party politics. People are divided pretty evenly on whether they are “very” or “fairly” concerned about major cyberattacks on US businesses or the government or “just somewhat” or “not… Continue Reading

Antivirus Software is Not Failproof

Posted in Cybersecurity and Cyberwar, Data Breach

Mikko Hypponen of F-Secure, an antivirus company, wrote an interesting post discussing the limits of antivirus software. Of particular note is that Flame, Stuxnet, and Duqu were all reported to antivirus firms months or years before they were flagged as malware. He suggests that his and other antivirus firms failed because of the sophistication of Western intelligence… Continue Reading

White House Private Sector Botnet Initiative

Posted in Cybersecurity and Cyberwar, Privacy Regulation, Security Programs & Policies

The White House today announced a pilot program to be led by the Financial Services Information Sharing and Analysis Center in which ISPs will share data about botnets with financial institutions. ISPs also announced a set of principles for fighting botnets. This is a positive announcement. You shouldn’t be engaged in online banking if your… Continue Reading

New Intellectual Property Regime for the EU?

Posted in International

The EU competition bureau’s recent threat to punish Google because of “the way Google copies content from competing vertical search services and uses it in its own offerings” struck me. (Vertical search services are specialized search engines like Yelp and Kayak that help people find local restaurants or cheap flights and rental cars.) The EU’s vice president… Continue Reading

Can a Secure Network be Secure?

Posted in Cybersecurity and Cyberwar, Security Programs & Policies

It’s taken two and a half years, but someone has finally developed a “dot-secure” network. After former Director of National Intelligence Mike McConnell called for a “dot-secure” network, a Silicon Valley startup with $9.6 million in funding has announced plans to launch one. Based on the description, this isn’t intended to be a wholly secure network,… Continue Reading

Who Needs CISPA??

Posted in Cybersecurity and Cyberwar, Privacy Regulation, Security Programs & Policies

If you were wondering why CISPA is necessary, this New York Times article by Eric Lichtblau ought to tell the tale. Telecommunications carriers who volunteer to provide information to law enforcement get tagged with “deep concern” from Congress and the New York Times. Even a whisper of doubt about the legality of information sharing is enough to… Continue Reading

Why we need to fix CISPA, not kill it

Posted in Cybersecurity and Cyberwar, Privacy Regulation, Security Programs & Policies

I joined security guru Dan Kaminsky earlier this year to fight SOPA because it was bad for cybersecurity. For the same reason we joined in a Politico op-ed today to rebut attacks on CISPA, the Cyber Intelligence Sharing and Protection Act: We may have thrown some of the first stones, but SOPA was ultimately buried by… Continue Reading

Cyberwar Law: Rounds Two, and Three, and Four

Posted in Cybersecurity and Cyberwar, International, Security Programs & Policies

Earlier, I wrote an article for Foreign Policy about the foolishness of letting lawyers determine our cyberwar strategy. The ABA Journal has posted an extensive, no-holds-barred debate over the views expressed in that article. Gen. Charles Dunlap, a former deputy judge advocate general of the US Air Force, contradicts my article with passion, after which I… Continue Reading

Can Chinese Hackers Self-Police?

Posted in China, Cybersecurity and Cyberwar, International

Chinese hackers call for “self-discipline” and an end to commercially motivated cybercrime. The Wall St. Journal (subscription required) suggests it’s because former hackers have grown up and become security professionals. But does it occur to anyone that the Chinese government might be worried about the rising tide of complaints about Chinese hacking, particularly cyber espionage against the… Continue Reading

Cyberhacking is the New Spying

Posted in China, Cybersecurity and Cyberwar, International, Security Programs & Policies

General Keith Alexander, the head of US Cyber Command and the National Security Agency, testified to Congress yesterday that China continues to hack into “defense industrial base companies” and steal military technology (see Don Reisinger’s latest blog post). And he confirmed what was widely believed already—that China was responsible for the hacks on RSA last… Continue Reading

Green Light Means Go – European Air Passenger Data Made Available to the US

Posted in International, Security Programs & Policies

With mixed feelings, I note that a European Parliament committee has recommended approving the latest PNR deal with the US. It’s a bit of a surprise, especially since the vote wasn’t especially close, and that makes it highly likely the Parliament will also approve the deal. That makes sense, this is a much better deal… Continue Reading

Microsoft Crime Raid – Another Thought

Posted in Cybersecurity and Cyberwar

I wonder whether this strategy will really be all that effective. Apparently “Microsoft does not believe the operators of the facilities it raided on Friday, which rent space to clients on computers connected to the Internet, are in league with the people behind the botnets. And those operators said they had no idea that equipment inside… Continue Reading

Microsoft Net Crime Raid: Innovative Lawyering or Busy Work?

Posted in Cybersecurity and Cyberwar

An article by Nick Wingfield and Nicole Perlroth in the New York Times today details the recent raid Microsoft and United States Marshals conducted in order to disrupt a string of botnets at work harvesting account and other personal information from millions of other computers. As cybercrime grows more profitable, the criminals are starting to match… Continue Reading

Facebook Log-In Overkill

Posted in Privacy Regulation, Security Programs & Policies

A few weeks ago, everyone agreed that the CFAA civil liability provisions were way overbroad, and the Senate judiciary committee proposed amending the CFAA to abolish CFAA liability for violating a website or webservice’s terms of service. That was the right decision; the unamended law essentially enforced commercial terms of service with criminal penalties. But… Continue Reading