Back at last from hiatus, the podcast finds a host of hot issues to cover. Matthew Heiman walks us through all the ways that China and the US found to get in each other’s way on technology. China’s new data security and privacy laws take effect this fall, and in keeping with a longstanding

Episode 166 is the interview that goes with episode 165’s news roundup, released separately to ensure the timeliness of the news.

In episode 166, we interview Kevin Mandia, the CEO and Board Director of FireEye, an intelligence-led security company.  FireEye recently outed a new cyberespionage actor associated with the Vietnamese government.  Kevin tells us

On May 18, 2016, the Department of Defense published “Change 2” to the National Industrial Security Program Operating Manual (NISPOM) that requires contractors to establish and maintain a program to detect, deter and mitigate insider threats by November 30, 2016.  Although cleared contractors are already obligated to protect classified information to which they have access,

Where the hell are the FTC, Silicon Valley, and CDT when human rights and privacy are on the line? If the United States announced that it had been installing malware on 2% of all the laptops that crossed US borders, the lawsuits would be flying thick and fast, and every company in Silicon Valley would be rolling out technical measures to defeat the intrusion. But when China injects malware into 2% of all the computers whose queries cross into Chinese territory, no one says boo. Not the US government, not CDT or EFF, and not the big browser companies. That’s the lesson I draw from episode 88 of the podcast, featuring an in-depth discussion of China’s Great Cannon with Adam Kozy and Johannes Gilger of CrowdStrike. They expand on their 2015 Black Hat talk about China’s deployment of Great Firewall infrastructure to hijack American and Taiwanese computers and use them in a DDoS attack against GitHub.

In an earlier post I talked about how the Chinese government has used its “Great Firewall” censorship machinery on an expanded list of targets – from its own citizens to ordinary Americans who happen to visit Internet sites in China.  By intercepting the ad and analytics scripts that Americans downloaded from Chinese sites, the Chinese government was able to infect the Americans’ machines with malware.  Then the government used that malware to create a “Great Cannon” that aimed a massive number of packets at the US company GitHub.  The goal was to force the company to stop making news sites like the New York Times and Greatfire.org available to Chinese citizens.  The Great Cannon violated a host of US criminal laws, from computer fraud to extortion. The victims included hundreds of thousands of Americans.  And to judge from a persuasive Citizen Lab report, China’s responsibility was undeniable.  Yet the US government has so far done nothing about it.

US inaction is thus setting a new norm for cyberspace.  In the future, it means that many more Americans can expect to be attacked in their homes and offices by foreign governments who don’t like their views.

The US government should be ashamed of its acquiescence.  Especially because the Great Cannon is surprisingly vulnerable. After all, it only works if foreigners continue to visit Chinese sites and continue to download scripts from Chinese ad networks.  They supply the ammunition that the Great Cannon fires.  If no one from outside China visits Chinese search sites or loads Chinese ads, the Cannon can’t shoot.

Cyberspies can’t count on anonymity any more.

The United States (and the private security firm Mandiant) stripped a PLA espionage unit of its cover two years ago with a detailed description of the unit’s individual hackers; that report was followed by federal indictments of members of the unit that described them and their activities is

This week in NSA: We take a look at the other half of the Lofgren amendment, which prohibits NSA and CIA from asking a company to “alter its product or service to permit electronic surveillance.”  So if Mullah Omar orders a phone from Amazon, the government can’t ask Amazon to put a bug in it

In our eighth episode of the Steptoe Cyberlaw Podcast, Stewart Baker, Michael Vatis, Jason Weinstein and guest commentators Stephen Heifetz and Stephanie Roy discuss:

  • This week in NSA/Snowden: Law Firm Surveillance Report Cited in Legal Challenge and Report: American law firm’s communications spied on; Merkel Backs Plan to Keep European Data in Europe and EU

In our seventh episode of the Steptoe Cyberlaw Podcast, Jason Weinstein discusses:

  • This week in NSA: Clapper says Snowden exploited perfect storm of security lapses/Snowden swiped password from NSA coworker; FISA Court backs Pres. Obama’s changes to phone metadata program/government seeking info about private sector’s ability to hold the data; Rand Paul sues Pres. Obama