In this episode’s interview we ask whether the midterm elections are likely to suffer as much foreign hacking and interference as we saw in 2016. The answer, from Christopher Krebs, Under Secretary for National Protection and Programs Directorate (soon to be the Cybersecurity and Infrastructure Security Agency), is surprisingly comforting, though hardly guaranteed. Briefly, it’s beginning to look as though the Russians (and maybe the Iranians) are holding their fire for the main event in 2020.

Continue Reading Episode 236: Twitterlaw and the Khashoggi killing

I interview Duncan Hollis, another Steptoe alumnus patrolling the intersection of international law and cybersecurity. With Matt Waxman, Duncan has written an essay on why the US should make the Proliferation Security Initiative a model for international rulemaking for cybersecurity. Since “coalition of the willing” was already taken, we settle on “potluck policy” as shorthand for the proposal. To no one’s surprise, Duncan and I disagree about the value of international law in the field, but we agree on the value of informal, agile, and “potluck” actions on the world stage. In support, I introduce Baker’s Law of International Institutions: “The secretariat always sees the United States as its natural enemy.”

At the end, Duncan mentions in passing his work with Microsoft on international rulemaking, and I throw down on “Brad Smith’s godforsaken proposal.” Brad, if you are willing to come on the podcast to defend that proposal, I’ve promised Duncan a highly coveted Cyberlaw Podcast mug.

Continue Reading Episode 224 with Duncan Hollis: Do we need an international “potluck” cyber coalition?

What good is CISA, anyway?

Now that both the House and Senate have passed information sharing bills that are strikingly similar but not identical, the prospects for a change in the law are good.  But what changes, and how much difference will they make to network defenders?  That’s the topic we explore in episode 87 with our guest, Ari Schwartz.  Ari has just finished a tour as senior director for cybersecurity on the United States National Security Council Staff at the White House.  He and I and Alan Cohn go deep into the weeds so you won’t have to.  Our conclusion?  The main value of the bill is that it frees some companies from aging privacy rules that prevented information sharing with groups that include the government.  It also enables companies to monitor their networks without fear of liability under even older privacy laws preventing interception of communications without all parties’ consent.  The other lesson to be drawn from the bill is that privacy groups are still something of a paper tiger without business support.  More than seventy senators voted for CISA over the bleeding bodies of every privacy group in the country. 
Continue Reading Steptoe Cyberlaw Podcast – Interview with Ari Schwartz

Are Russian hacker-spies a bunch of lethargic government drones more interested in smash-and-grabs than stealth?  That’s one of the questions we pose to Mikko Hypponen in episode 86 (right after we ask about how to pronounce his name; turns out, that’s harder than you think).  Mikko is the Chief Research Officer at F-Secure and a long-time expert in computer security who has spoken and consulted around the world for over 20 years.  His company recently published a lengthy paper on Russian government cyberspies, which F-Secure calls “the Dukes.”  Mikko describes the Dukes’ targets and tactics, including a remarkably indiscriminate attack on a Tor exit node.  I press him on whether attribution is really getting better, and on whether F-Secure’s paper eases or heightens concerns about Kaspersky’s ties to Russian intelligence.
Continue Reading Steptoe Cyberlaw Podcast – Interview with Mikko Hypponen