On May 16, four years after issuing a proposed rule, the FAR Council issued a final cybersecurity-related rule that reaches deep into the supply chain and is applicable to virtually all government contractors and subcontractors.  The rule establishes a new FAR subpart 4.19 and a clause 52.204-21, both of which are entitled “Basic Safeguarding of Covered Contractor Information Systems.”  The rule is effective for solicitations issued on or after June 15, 2016.  A copy is available here.
Continue Reading FAR Council Issues Rule on Basic Safeguarding of Covered Contractor Information Systems

Our guest, Patrick Gray, is the host of the excellent Risky Business security podcast.  He introduces us to the cybersecurity equivalent of decapitation by paper cut and offers a technologist’s take on multiple policy and legal issues.  In the news roundup, Michael explains the many plaintiff-friendly rulings obtained by the banks suing Home Depot over its data breach.  We wonder whether the rulings are so plaintiff-friendly that the banks will eventually regret their successes.  Michael also explains just how deliberately meaningless is the Supreme Court decision in Spokeo, Inc. v. Robins.
Continue Reading Steptoe Cyberlaw Podcast – Interview with Patrick Gray

Dmitri AlperovitchRansomware is the new black.  In fact, it’s the new China.  So says our guest for episode 116, Dmitri Alperovitch, the CTO and co-founder of CrowdStrike.  Dmitri explains why ransomware is so attractive financially – and therefore likely to get much worse very fast.  He and I also explore the implications and attribution of the big bank hacks in Vietnam and Bangladesh.
Continue Reading Steptoe Cyberlaw Podcast – Interview with Dmitri Alperovitch

Orin KerrDoes the FISA court perform a recognizably judicial function when it reviews 702 minimization procedures for compliance with the fourth amendment?  Our guest for episode 115 is Orin Kerr, GWU professor and all-round computer crime guru, and Orin and I spend a good part of the interview puzzling over Congress’s mandate that the FISA court review what amounts to a regulation for compliance with an amendment that is usually invoked only in individual cases.  Maybe, I suggest, the recent court ruling on 702 minimization and the fourth amendment doesn’t make sense from an article III point of view because the FISA judges long ago graduated from deciding cases and controversies to acting as special masters to oversee the intelligence community.  We also explore an upcoming Orin Kerr law review piece on how judicial construction of the fourth amendment should be influenced by statutes that play in the same sandbox. 
Continue Reading Steptoe Cyberlaw Podcast – Interview with Orin Kerr

No holds are barred as a freewheeling panel of cryptographers and security pros duke it out with me and the Justice Department over going dark, exceptional access, and the Apple-FBI conflict.  Among the combatants:  Patrick Henry, a notable cryptographer with experience at GCHQ, NSA, and the private sector; Dan Kaminsky, the Chief Scientist at White Ops; Kiran Raj, who is Senior Counsel to the Deputy Attorney General; and Dr. Zulfikar Ramzan the CTO of RSA Security.  Our thanks to Catherine Lotrionte who generously agreed to let me record this one-hour panel at her remarkable Annual International Conference on Cyber Engagement.
Continue Reading Steptoe Cyberlaw Podcast – Interview with Patrick Henry, Dan Kaminsky, Kiran Raj, and Dr. Zulfikar Ramzan

European news and sensibilities dominate episode 112.  I indulge in some unseemly gloating about Europe’s newfound enthusiasm for the PNR data it wasted years of my life trying to negotiate out of the US counterterrorism toolbox.  I pester our guest, Eric Jensen, about his work on the Talinn 2.0 manual covering the law of cyberwar; the manual seems to offer an ever-more-European take on cyberweapons and the law of armed conflict.  And if you think that’s a compliment, you haven’t been listening.
Continue Reading Steptoe Cyberlaw Podcast – Interview with Eric Jensen

Steptoe recently held a client briefing in its Palo Alto office to update developments in the Chinese legal and regulatory that are impacting US technology companies operating in China.  I took advantage of the event to sneak in a quick discussion with Susan Munro and Ying Huang of Steptoe’s China practice, on how China

Podcast 109In episode 109, we interview Perianne Boring of the Chamber of Digital Commerce on the regulatory challenges of bitcoin and the blockchain.  In the news roundup, we bring back Apple v. FBI for what we hope will be one last round, as the San Bernardino magistrate voids her All Writs Act motion for mootness and attention shifts to other investigators hoping to crack iPhone security, both in the US and in Europe. 
Continue Reading Steptoe Cyberlaw Podcast – Interview with Perianne Boring

Triple Entente
Triple Entente

The Second Annual Triple Entente Beer Summit again filled the Washington Firehouse loft with an audience at least as knowledgeable as the panel, which consisted of Ben Wittes, Shane Harris, Stewart Baker, Tamara Cofman Wittes, and Alan Cohn.  The Triple Entente Beer Summit brings together members of the LawfareRational Security, and the Steptoe Cyberlaw podcasts.
Continue Reading Steptoe Cyberlaw Podcast – Triple Entente Beer Summit II