May 2016

On May 16, four years after issuing a proposed rule, the FAR Council issued a final cybersecurity-related rule that reaches deep into the supply chain and is applicable to virtually all government contractors and subcontractors.  The rule establishes a new FAR subpart 4.19 and a clause 52.204-21, both of which are entitled “Basic Safeguarding of Covered Contractor Information Systems.”  The rule is effective for solicitations issued on or after June 15, 2016.  A copy is available here.
Continue Reading FAR Council Issues Rule on Basic Safeguarding of Covered Contractor Information Systems

Our guest, Patrick Gray, is the host of the excellent Risky Business security podcast.  He introduces us to the cybersecurity equivalent of decapitation by paper cut and offers a technologist’s take on multiple policy and legal issues.  In the news roundup, Michael explains the many plaintiff-friendly rulings obtained by the banks suing Home Depot over its data breach.  We wonder whether the rulings are so plaintiff-friendly that the banks will eventually regret their successes.  Michael also explains just how deliberately meaningless is the Supreme Court decision in Spokeo, Inc. v. Robins.
Continue Reading Steptoe Cyberlaw Podcast – Interview with Patrick Gray

Ransomware is the new black.  In fact, it’s the new China.  So says our guest for episode 116, Dmitri Alperovitch, the CTO and co-founder of CrowdStrike.  Dmitri explains why ransomware is so attractive financially – and therefore likely to get much worse very fast.  He and I also explore the implications and attribution of the big bank hacks in Vietnam and Bangladesh.
Continue Reading Steptoe Cyberlaw Podcast – Interview with Dmitri Alperovitch

Does the FISA court perform a recognizably judicial function when it reviews 702 minimization procedures for compliance with the fourth amendment?  Our guest for episode 115 is Orin Kerr, GWU professor and all-round computer crime guru, and Orin and I spend a good part of the interview puzzling over Congress’s mandate that the FISA court review what amounts to a regulation for compliance with an amendment that is usually invoked only in individual cases.  Maybe, I suggest, the recent court ruling on 702 minimization and the fourth amendment doesn’t make sense from an article III point of view because the FISA judges long ago graduated from deciding cases and controversies to acting as special masters to oversee the intelligence community.  We also explore an upcoming Orin Kerr law review piece on how judicial construction of the fourth amendment should be influenced by statutes that play in the same sandbox.
Continue Reading Steptoe Cyberlaw Podcast – Interview with Orin Kerr

Our guest for episode 114 is General Michael Hayden, former director of the NSA and CIA; he also confirms that he personally wrote every word of his fine book, Playing to the Edge: American Intelligence in the Age of Terror.  In a sweeping interview, we cover everything from Jim Comey’s performance at the AG’s hospital bedside (and in the Clinton email investigation) to whether the missed San Diego 9/11 calls were discovered before or after the 215 program was put in place.  Along the way, we settle the future of Cyber Command, advise the next President on intelligence, and lay out the price the intelligence community is paying for becoming so darned good at hunting terrorists.
Continue Reading Steptoe Cyberlaw Podcast – Interview with General Hayden