Security Programs & Policies


That’s the question I debate with David Kris and Nick Weaver as we explore the ways in which governments are using location data to fight the spread of COVID-19. Phone location data is being used to enforce quarantines and to track contacts with infected people. It’s useful for both, but Nick thinks the second application may not really be ready for a year – too late for this outbreak.

Our interview subject is Jason Healey, who has a long history with Cyber Command and a deep recent oeuvre of academic commentary on cyber conflict. Jay explains Cyber Command’s doctrine of “persistent engagement” and “defending forward” in words that I finally understand. It makes sense in terms of Cyber Command’s aspirations as well as the limitations it labored under in the Obama Administration, but I end up wondering whether it’s going to be different from “deterrence through having the best offense.” Nothing wrong with that, in my view – as long as you have the best offense by a long shot, something that is by no means proven.

Continue Reading Episode 307: Is privacy in pandemics like atheism in foxholes?

Our interview in this episode is with Glenn Gerstell, freed at last from some of the constraints that come with government service. We cover the Snowden leaks, how private and public legal work differs (hint: it’s the turf battles), Cyber Command, Russian election interference, reauthorization of FISA, and the daunting challenges the US (and its Intelligence Community) will face as China’s economy begins to reinforce its global security ambitions.

Continue Reading Episode 304: Unfiltered: An interview with NSA’s former general counsel

Nick Weaver and I debate Sens. Graham and Blumenthal’s EARN IT Act, a proposal to require that social media firms follow best practices on preventing child abuse. If they don’t, they won’t get full Section 230 immunity from liability for recklessly allowing the abuse. Nick thinks the idea is ill-conceived and doomed to fail. I think there’s a core of sense to the proposal, which simply asks that Silicon Valley firms who are reckless about child abuse on their networks pay for the social costs they’re imposing on society. Since the bill gives the attorney general authority to modify the best practices submitted by a commission of industry, academic, and civic representatives, critics are sure that the final product will reduce corporate incentives to offer end-to-end encryption.

Continue Reading Episode 298: Bill Barr as Bogeyman

This episode features an interview on the Bezos phone flap with David Kaye and Alex Stamos. David is a UN Special Rapporteur and clinical professor of law at UC Irvine who first drew attention to an FTI Consulting report concluding that the Saudis did hack Bezos’ phone. Alex is director of the Stanford Internet Observatory and was the CSO at Facebook; he thinks the technical case against the Saudis needs work, and he calls for a supplemental forensic review of the phone.

Continue Reading Episode 297: Did the Saudi Crown Prince hack Jeff Bezos’s phone?

There’s a fine line between legislation addressing deepfakes and legislation that is itself a deep fake. Nate Jones reports on the only federal legislation addressing the problem so far. I claim that it is well short of a serious regulatory effort – and pretty close to a fake law.

In contrast, India seems serious about imposing liability on companies whose unbreakable end-to-end crypto causes harm, at least to judge from the howls of the usual defenders of such crypto. David Kris explains how the law will work. I ask why Silicon Valley gets to impose the externalities of encryption-facilitated crime on society without consequence when we’d never allow tech companies to say that society should pick up the tab for their pollution because their products are so cool. In related news, the FBI may be turning the Pensacola military terrorism attack into a slow-motion replay of the San Bernardino fight with Apple, this time with more top cover.

Continue Reading Episode 295: The line between deepfake legislation and deeply fake legislation

For this special edition of the Cyberlaw Podcast, we’ve convened a panel of experts on intelligence and surveillance legal matters. We take a look at the Department of Justice Inspector General’s report on the FBI’s use of FISA applications – and the many errors in those applications. We also touch on FBI Director Wray’s response, as well as a public order issued by the Foreign Intelligence Surveillance Court. We wrap up with thoughts on how to resolve some of the issues identified by the IG’s report and suggestions for improving the FISA process.

Continue Reading Episode 294: Examining the DOJ Inspector General’s FBI-FISA Report

Our interview is with Alex Joel, former Chief of the Office of Civil Liberties, Privacy, and Transparency at the Office of the Director of National Intelligence. Alex is now at the American University law school’s Tech, Law, and Security Program. We share stories about the difficulties of government startups and how the ODNI carved out a role for itself in the Intelligence Community (hint: It involved good lawyering). We dive pretty deep on recent FISA court opinions and the changes they forced in FBI procedures. In the course of that discussion, I realize that every “reform” of intelligence dreamed up by Congress in the last decade has turned out to be a self-licking compliance trap, and I take back some of my praise for the DNI’s lawyering.

Continue Reading Episode 283: Is intelligence “reform” a self-licking ice cream cone and compliance trap?

Joel Trachtman thinks it’s a near certainty that the WTO agreements will complicate US efforts to head off an IoT cybersecurity meltdown, and there’s a real possibility that a US cybersecurity regime could be held to violate our international trade obligations. Claire Schachter and I dig into the details of the looming

What is the federal government doing to get compromised hardware and software out of its supply chain? That’s what we ask Harvey Rishikof, coauthor of “Deliver Uncompromised,” and Joyce Corell, who heads the Supply Chain and Cyber Directorate at the National Counterintelligence and Security Center. There’s no doubt the problem is being admired to a fare-thee-well, and some evidence it’s also being addressed. Listen and decide!

Continue Reading Episode 272: Illuminating supply chain security