The Cyberlaw Podcast

Our guest this week is Joanne McNabb, Director of Privacy Education and Policy for the California Attorney General’s Office.  Joanne discusses the findings and recommendations in the recently released 2014 California Data Breach Report.  She also offers insight into some of the key factors the Attorney General’s Office considers in deciding whether or not to investigate a breach.  Finally, she discusses changes in California privacy law that will go into effect on January 1 – including SB568, the so-called “online eraser” for minors seeking to delete unwanted posts, and AB1710, which extends data security requirements to companies that “maintain” personal information, not just those that own or license it.  Finally, she settles a dispute only privacy lawyers could find interesting regarding the scope of AB1710’s provision requiring identity theft prevention/mitigation services.

We almost got through the week without any NSA news, but the FISA court made the news for doing exactly what you’d expect – renewing the section 215 orders for metadata.  More interesting was the news from Turkey, which effectively rewrites the history of cyberwar, and it no longer begins with Stuxnet.  It looks as though Russia launched a distinctly kinetic and sophisticated cyberattack in 2008 on the Turkish-Azeri pipeline that threatened to break its chokehold on Caspian oil.  Michael Vatis takes the day off to file an amicus brief in support of Microsoft in the fight over overseas warrants.

The Sony breach fallout continues to be severe. Things are bad enough that the Hollywood Reporter is asking me to write op-eds. We question whether Sony is really resorting to “active measures” to block distribution of the stolen files. And Aaron Sorkin calls the media “dishonorable” for publishing all these leaked documents. Funny, but I don’t remember him saying the same thing when it was Manning and Snowden putting stolen docs on the front page.

Chris Conte explains the SEC’s new cybersecurity rules for exchanges and other trading platforms.

And the lame duck allows cybersecurity legislation to pass in a convoy:  Five cybersecurity bills, all modest in impact, were adopted by Congress in the last few days:

            S. 1691 – allowing pay flexibility to attract cybersecurity professionals;

            H.R. 2952 – requiring DHS to adopt a workforce strategy and assessment plan;

            S. 2519 – authorizing  DHS to run an integration center providing threat information to civilian agencies and modifying federal government data breach rules;

            S. 1353 – a very NIST-centered set of authorizations for cybersecurity awareness, research and workforce measures that may or may not be funded

            S. 2521 – confirming DHS’s role in providing FISMA oversight under OMB guidance

And Sony has company. It turns out that an Iranian hack on the Sands Las Vegas may be first cyberattack on US soil. Both Sony and Sands join the DDOS attacks on our banks as cyberattacks on the US that have gone unanswered. Instead of a digital Pearl Harbor, it looks as though we’re getting a lot of digital Sudetenlands.

 

We remind everyone that the Podcast welcomes feedback, either by email (CyberlawPodcast@steptoe.com) or voicemail (+1 202 862 5785).

Direct download: Podcast_47.mp3
Category:general -- posted at: 2:49pm EDT

Our interview focuses on Shane Harris and his new book, @War:  The Rise of the Military-Internet Complex.   It’s a good read and a good book, marred by the occasional deployment of easy lefty tropes – government contractors are mercenaries, the military sees war as an opportunity to expand turf, cybersecurity is a threat to privacy, anonymity is all about rights, etc.  But Harris is first and foremost a storyteller, and his zeal for the story is far more important to him than ideology.  When he tells the story of the guys who used cybertactics to break al Qaeda in Iraq during the surge, or of the banks’ cyberbattle with Iran, he lets the reader decide who to root for. 

We talk about some of the more surprising stories that Harris tells, including: 

            The (contested) claim that Chinese hackers caused a large Florida blackout by mistake

            The mismatch between an estimated 300-1000 US government hackers and China’s estimated 20 thousand  (A land war in Asia could be coming to a network near you)

            Harris’s controversial suggestion that the banks may be assembling their own zero-day exploits in preparation for a hackback campaign against Iran

            The possibility that foreign governments systematically compromised the networks of American natural gas pipeline companies in preparation for an attack – and whether we’d even know when cyberweapons had been used

In our news roundup, we start with This Week in NSA, but the latest Intercept story on NSA and cell phone interception is so boring and opaque it’s practically encrypted.   So we switch to This Week in GCHQ.   At the suggestion of a listener, we mine the UK parliamentary report on the killing of a soldier on the streets of London for lessons about the need for MLAT reform in the United States. 

Verizon escapes an FTC investigation without an eternal oversight regime.  Why?  Because of its aggressive effort to cure a security flaw or because the FTC realized it had overreached?  You be the judge.

We unpack the judicial decision refusing to dismiss bank claims against Target for its credit card breach, raise questions about a Boston hospital’s surprisingly cheap settlement of a privacy case arising from a stolen laptop.  And then dive into the biggest breach case of the year, maybe the decade: Sony. We think North Korea did the hack, and the lack of a US response could have bad consequences for the country.  Among other things, the only bad guys we’ll ever see in future movies are Serbs. And US government officials, of course. 

 

We remind everyone that the Podcast welcomes feedback, either by email (CyberlawPodcast@steptoe.com) or voicemail (+1 202 862 5785).

Direct download: Podcast_46.mp3
Category:general -- posted at: 2:58pm EDT

Our guest for the week is Troels Oerting, the head of EC3, Europe’s new cybercrime coordination center.  He talks about EC3’s role in the recent take down of over 400 darknet sites, arrests of travelers using fake credit cards and of users of the Blackshades Remote Access Tool. He repeats his view that there are probably only a hundred talented criminal writers of malware, whose work is then used by a host of dimmer bulbs.  So striking at the hundred could make a big difference.  Troels Oerting thinks we’re in a position to hurt a number of them.

The interview compares US and European willingness to name and shame Chinese PLA hackers.  I ask Troels if he’d order the arrest of any of the five indicted PLA hackers if they vacationed in Europe.  And we compare US and EU legal constraints on private sector “direct action” against hackers. 

This week in the NSA:  NSA’s privacy officer speaks; and she has a sense of humor.  Regin schools hackers around the world, and German hypocrisy about NSA spying is on full display.  It turns out that Angela Merkel’s phone was being tapped by the Brits, the Chinese, the Russians and even the North Koreans.  But Merkel has yet to say that Russian, Chinese, or North Korean spying reminds her of the Stasi; only NSA seems to remind her of Communist espionage.  Meanwhile, the BND reveals that it too spies on everyone but Germans, and that it has a remarkably narrow definition of who qualifies as “German.”

Michael Vatis previews a Supreme Court argument about when online abuse passes from colorful imitations of rap lyrics to prosecutable threats.   Jason Weinstein counts the growing library of lawsuits against Home Depot and evaluates the risk.

Doug Kantor, a Steptoe government affairs partner specializing in cybersecurity issues, gives a rundown on the new, Republican-dominated Congress, including the many chair changes in both House and Senate.  Firedoglake makes an appearance.

Meanwhile, US tech companies have become all-purpose European whipping boys.  They don’t volunteer enough information about terrorists to satisfy the Brits. They don’t hide enough “right to be forgotten” information to satisfy the European privacy regulators.  And they make too much money for the European Parliament, which wants to break up Google.

The Justice Department has claimed a scalp in its campaign against spyware.  Jason has the back story. And it’s a good thing the All Writs Act didn’t come with a sunset clause, or it would too would be attracting the wrath of EFF and Silicon Valley.  Michael explains why the act is now part of Apple’s future, and Google’s too.

 

The Cyberlaw Podcast is now open to feedback.  Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com.  If you’d like to leave a message by phone, contact us at +1 202 862 5785.

Direct download: Podcast_45.mp3
Category:general -- posted at: 10:44am EDT

1