January 2016

If there really is another crypto war in Washington, then this week’s podcast features several war correspondents and at least one victim of PTSD.  Our guest is Melanie Teplinsky, former cybersecurity lawyer at Steptoe, adjunct professor at American University’s Washington College of Law, advisory board member for Crowdstrike, and a regular columnist on privacy

Back for a rematch, John Lynch and I return to the “hackback” debate in episode 97, with Jim Lewis of CSIS providing color commentary.  John Lynch is the head of the Justice Department’s computer crime section.  We find more common ground than might be expected but plenty of conflict as well.  I suggest that Sheriff Arpaio in Arizona may soon be dressing hackers in pink while deputizing backhackers, while Jim Lewis focuses on the risk of adverse foreign government reactions.  We also consider when it’s lawful to use “web beacons” and whether trusted security professionals should be given more leeway to take action outside their customers’ networks.  In response to suggestions that those who break into hacker hop points might be sued by the third parties who nominally own those hop points, I suggest that those parties could face counterclaims for negligence.  We close with a surprisingly undogmatic discussion of Justice Department “no-action letters” for computer security practitioners considering novel forms of active defense.

Following the attacks in Paris and San Bernardino, polls show that Americans identify terrorism—more than any other issue—as the most important problem facing the US.  In this environment, some media outlets have predicted a pending “crackdown” on digital currencies, particularly by European governments, because of the risk that the technology could be used to fund

The intelligence tools that protect us from terrorism are under attack, and from an unlikely quarter. Europe, which depends on America’s intelligence reach to fend off terrorists, has embarked on a path that will sabotage some of our most important intelligence capabilities. This crisis has been a long time brewing, and up to now, the

How do you graduate as a conservative with two Harvard degrees? We learn this and much more from Sen. Tom Cotton (R-AR), our guest for episode 96.  We dive deep with the Senator on the 215 metadata program and its USA FREEDOM Act replacement.  We ask what the future holds for the 702 program, one of the most important counterterrorism programs and just entering yet another round of jockeying over renewal; Sen. Cotton has already come out in favor of making the program permanent.  To round things out, Sen. Cotton assesses the risks of Going Dark for our intelligence community and the difficulties that the Safe Harbor negotiations pose for US intelligence.

On December 31, 2015, the US Treasury Department, Office of Foreign Assets Control (OFAC) issued the Cyber-Related Sanctions Regulations (CRSR), 31 C.F.R. Part 578.  The CRSR formally implement the sanctions set forth in Executive Order (EO) 13694 of April 1, 2015, which authorizes sanctions against persons involved in malicious “cyber-enabled” activities, and are effective immediately.

We’re back from hiatus with a boatload of news and a cautiously libertarian technologist guest in Nick Weaver of the International Computer Science Institute in Berkeley.  To start Episode 95 of the podcast, Michael Vatis and I plumb the meaning of the Cyber Security Act’s passage.  The big news?  Apparently Santa is real, state

On Wednesday, December 16, 2015, the Commodity Futures Trading Commission (CFTC or Commission) approved for publication two proposed rules to amend existing regulations addressing cybersecurity.  The proposed rules would establish testing obligations and safeguards for the automated systems used by designated contract markets (DCMs), swap execution facilities (SEFs), swap data repositories (SDRs) (the Exchange Proposal), and derivatives clearing organizations (DCOs) (the Clearing Proposal and, together, the Proposals).

The Commission’s Proposals grant regulated entities significant deference with respect to the development and implementation of policies and procedures reasonably designed to demonstrate compliance with the new cybersecurity provisions.  However, these new regulatory burdens will come with significant operational, technology, and other resource burdens, including ongoing testing and engagement with third-party service providers.  Furthermore, the scope of the Proposals for testing may extend further than similar cybersecurity standards established by other federal agencies.

The Commission unanimously approved the Proposals.  They were published in the Federal Register on December 23, 2015 and are subject to a 60-day public comment period ending on February 22, 2016.