Steptoe Cyberlaw Podcast

With Wyndham’s surrender to the FTC after a brutal court of appeals opinion, the last outpost of resistance to the FTC’s cybersecurity agenda is Mike Daugherty, CEO of LabMD.  Daugherty refused to take the easy road and enter into a consent decree with the FTC to settle its claim that the company’s security was insufficient because of a file-sharing program installed on the corporate network.  That decision has cost Daugherty his company.  LabMD has ceased operations.  And it took him on an extraordinary odyssey through Washington that he has described in his book, The Devil Inside the Beltway, and speeches.  I caught up with Mike at the Black Hat Executive Summit where we were both speakers, and he kindly agreed to a short interview describing some of that odyssey. 

I offered the FTC equal time to offer their perspective.  So far, they haven’t taken me up on the offer, but it remains open. 

As always, the Cyberlaw Podcast welcomes feedback.  Send an e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785. 

Direct download: Episode_94.mp3
Category:general -- posted at: 11:25am EDT

Our guest for episode 93 is cybersecurity’s Renaissance Man. Rod Beckstrom started DHS’s National Cybersecurity Center, then headed ICANN; before and after those gigs, he was a Silicon Valley investor and officer in security startups as early as the 1990s and as recently as this year. Our interview spans Rod’s career and what it has taught him about security, privacy, law, and government.

In the news roundup, Alan Cohn and Jason Weinstein talk about proposals to require social media sites to do more about online terrorist activity. Alan and I take a dive into the EU’s achingly slow progress toward new cybersecurity rules for critical infrastructure – and how those rules will affect US companies.

Michael Vatis tells us that Michael Daugherty of LabMD is officially the only challenge facing the FTC as it sets (or at least enforces) cybersecurity requirements for American business. That’s because Wyndham Hotels has officially given up the ghost, agreeing to twenty years of privacy and security monitoring by the FTC.

Finally, Michael Vatis and I agree that encryption has become the Donald Trump of tech issues – but each of us for different reasons.

The podcast will be on hiatus over the holidays, but we won’t completely abandon you. While I was at a BlackHat Executive conference last week, I had a chance to do a short interview of Mike Daugherty about his LabMD experience, and we’ll be releasing that as a special bonus edition of the podcast over the Christmas break. (We’re holding it because I’ve offered the FTC a chance for equal time.  But we’ll be releasing the interview next week in any event, with or without the FTC’s input.)

As always, the Cyberlaw Podcast welcomes feedback.  Send an e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: Podcast_93.mp3
Category:general -- posted at: 4:47pm EDT

Did China’s PLA really stop hacking US companies for commercial secrets? And does it matter? In episode 92, we ask those questions and more of two experts on the topic ‒ Washington Post reporter Ellen Nakashima, who has broken many stories on PLA hacking, and Tony Cole, the Global Government CTO with FireEye, who has fought off his share of PLA hackers.

In the news roundup, Jason Weinstein and Michael Vatis explain how the ‘cannibal cop’ beat the rap for violating the Computer Fraud and Abuse Act. Maury Shenk and Michael mull the fate of the Safe Harbor negotiations – and question whether a deal can be done before the Christmas holidays. Meanwhile, privacy activist Max Schrems is doing his best to close off the other options US companies have used to cushion the blow from losing the Safe Harbor.

The same Europeans who want to punish US tech giants for helping fight terrorism also want to punish them for not helping fight terrorism. Michael and Maury consider the heavy pressure falling on tech companies from the EU, France, Pakistan, and even the Oval Office.

Only the judicial branch still seems like safe ground for the companies. Jason and Michael explain the immunity for ISPs whose typographic errors expose innocent people to computer searches for child porn – as well as the courts’ refusal to give effect to Congress’s plan to impose liquidated damages for privacy violations. In the most strikingly newsworthy item in the podcast, Michael accuses me of not being conservative enough. And in the least newsworthy item, Jason tells us that there is still a stalemate over a law requiring a warrant for the contents of email.

As always, the Cyberlaw Podcast welcomes feedback.  Send an e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: Podcast_92.mp3
Category:general -- posted at: 11:27am EDT

Is the internet really worth it? Our guest for episode 91, Jason Healey of the Atlantic Council and Columbia University, recaps a study finding that, even with a worst-case Clockwork Orange Internet, the economic benefits of networking still outweigh the losses from security failures – though the closer we get to the worst case, the more likely we are to get Leviathan Internet, where the inherently controlling aspects of the network are embraced by governments around the world.

Our post-Thanksgiving news roundup is dominated by leftovers – edible and otherwise. Larry Klayman and Judge Leon have apparently run out of time to challenge the now-deceased NSA metadata program, Michael Vatis and I note, while Section 702 has survived a rare judicial challenge.

Meanwhile, it’s beginning to look as though the FTC and LabMD really deserve each other. The FTC has launched an ill-advised appeal in its ill-advised pursuit of LabMD, Michael reports, and LabMD has returned the favor by launching a lawsuit against the three FTC staffers who pursued the company so improvidently. 

The Google cookie case has mostly crumbled, Michael tells us, but the plaintiffs still have one big bite left, raising the chilling prospect of California law as interpreted by Third Circuit judges. 

Alan Cohn describes the NRC’s new cyberattack reporting requirements – and Iranian social media attacks on government workers who don’t usually get any attention at all.

Finally, with help from loyal listener Michael Farrell, I report that China’s use of the Great Cannon to infect Western computers has been emulated by Comcast, which is using China’s technique to inject copyright warnings into users’ screens. I predict that EFF and CDT, who ignored China’s Great Cannon attacks on Western computer users and companies, will go to battle stations now that it turns out the tactic is being used by an Axis of Evil that they actually care about – Big Copyright aligned with Big ISPs.

As always, the Cyberlaw Podcast welcomes feedback.  Send an e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: Podcast_91.mp3
Category:general -- posted at: 10:37pm EDT

Our guest for episode 90 is Charlie Savage, New York Times reporter, talking about Power Wars, his monumental new book on the law and politics of terrorism in the Obama (and Bush) administrations.  I pronounce it superb, deeply informative, and fairly unbiased, “for a New York Times reporter.”  With that, the fat is in the fire, and Charlie and I trade views – and occasional barbs – about how the Bush and Obama administrations handled the surveillance issues that arose after 9/11.

In the news roundup, Michael Vatis and I puzzle over the FTC’s astonishing loss on its own home court.  We wonder why the FTC failed to do the right thing and drop the LabMD case when the FTC’s source began to lose credibility by the shovel-load.  I suggest that FTC leadership was suffering from the rarely spotted “Darrel Issa Derangement Syndrome.”     

Jason Weinstein deconstructs the claim that the European Union is “cracking down” on bitcoin in response to the attacks in Paris. 

Stepping out of character, I defend the value of diplomatic “words on paper,” finding promise in the G20’s announcement that all twenty members join in condemning cyberespionage for commercial purposes.  

Michael recaps the latest in litigation over the nearly expired NSA 215 program.  D.C. Circuit Judge Kavanagh has explained why Judge Leon is wrong about the program, depriving the district court judge of the last word on the subject and demonstrating that its lawfulness can be assessed without resort to exclamation points.

Working a technology help desk could drive a man to suicide.  Until ISIS opened its own terrorist help line, though, we thought that was a bug not a feature.  In the same vein, I mock Glenn Greenwald for insisting that Snowden taught ISIS nothing about security about a week before we got to see a tech manual, apparently in use by the terror group, which invokes Fast Eddie’s advice about which remote storage systems are safe to use. 

Direct download: Podcast_90.mp3
Category:general -- posted at: 8:10pm EDT

The NSA metadata program that is set to expire in two weeks was designed to provide early warning of a terror attack planned in a foreign safe haven and carried out inside the United States.  Those are some of the most deadly terror attacks we’ve seen, from 9/11 to Mumbai.  And now Paris.   

Our guest for the podcast is Mark Shuttleworth, founder of Thawte and Canonical/Ubuntu.  He makes it clear from the start that he could hardly disagree with me less on issues such as encryption and intelligence collection.  But we nonetheless get a great tour of the technology horizon.  Mark is helping to build the future of computing, from the internet of things to mobile phones, the desktop, and the cloud.  We explore what that means for privacy and security; we even touch on artificial intelligence and just how suddenly its risks will be upon us.    

In other news, Michael Vatis and I unpack Microsoft’s ground-breaking effort to avoid US jurisdiction over its cloud -- by storing data in Germany under the control of a German company.  

deal appears to be within reach in principle; the main question is how many additional enforcement concessions the EU can wring from the US.  The Paris attacks will make US concessions less likely and weaken European determination to extract them, we suspect. 

Finally, Michael explains how New York is showing its determination to out-regulate the feds when it comes to bank and insurance cybersecurity. 

As always, the Cyberlaw Podcast welcomes feedback.  Send an e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785. 

So should the United States be terminating the 215 program just as the Paris attacks show why it was created?  That’s the question I ask in Episode 89 of the podcast as we watch the DC circuit cut short Judge Leon’s undignified race to give the program one last kick before it’s terminated.   Meanwhile, Alan Cohn and I handicap the US-EU talks aimed at reaching Safe Harbor 2.0.  

deal appears to be within reach in principle; the main question is how many additional enforcement concessions the EU can wring from the US.  The Paris attacks will make US concessions less likely and weaken European determination to extract them, we suspect. 

Finally, Michael explains how New York is showing its determination to out-regulate the feds when it comes to bank and insurance cybersecurity. 

As always, the Cyberlaw Podcast welcomes feedback.  Send an e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785. 

Direct download: Podcast_89.mp3
Category:general -- posted at: 10:57pm EDT

Where the hell are the FTC, Silicon Valley, and CDT when human rights and privacy are on the line? If the United States announced that it had been installing malware on 2% of all the laptops that crossed US borders, the lawsuits would be flying thick and fast, and every company in Silicon Valley would be rolling out technical measures to defeat the intrusion. But when China injects malware into 2% of all the computers whose queries cross into Chinese territory, no one says boo. Not the US government, not CDT or EFF, and not the big browser companies. That’s the lesson I draw from episode 88 of the podcast, featuring an in-depth discussion of China’s Great Cannon with Adam Kozy and Johannes Gilger of Crowdstrike. They expand on their 2015 Blackhat talk about China’s deployment of Great Firewall infrastructure to hijack American and Taiwanese computers and use them in a DDOS attack against Github. 

China’s first internet email, in 1987, said “Across the Great Wall we can reach every corner of the world.” And boy, did they mean it. The question now is what the other corners of the world are going to do about it. 

In other news, Michael Vatis covers the latest Safe Harbor developments, as the European Commission releases a statement saying, more or less, that American companies can expect years of litigation over the adequacy of US privacy law. Remarkably, that’s meant to be good news. 

Speaking of dubious European claims to offer good news, Michael and I note that the UK deputy data protection commissioner has announced with pride that the Right to Be Forgotten hasn’t actually “stopped the internet working.” So far; but the net is young. 

I summarize an earlier blog post claiming that the crypto wars are over and USTR has handed Jim Comey a loss while Mary Jo White gets a win. This because the Trans-Pacific Partnership trade deal included language prohibiting members from demanding encryption keys for most purposes other than financial regulation. I also acknowledge a significant caveat drawn to my attention by Simon Lester of Cato: Despite the TPP, a member is free to adopt any measure “that it considers necessary for … the protection of its own essential security.” If Jim Comey’s lawyers can’t squeeze his key access proposals into that provision, the “essential security” of their jobs is seriously at risk. 

As always, the Cyberlaw Podcast welcomes feedback.  Send an e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785. 

 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm. 

 

Direct download: Podcast_88.mp3
Category:general -- posted at: 11:26am EDT

What good is CISA, anyway?

Now that both the House and Senate have passed information sharing bills that are strikingly similar but not identical, the prospects for a change in the law are good. But what are those changes, and how much difference will they make to network defenders?

That’s the topic we explore in episode 87 with our guest, Ari Schwartz. Ari has just finished a tour as senior director for cybersecurity on the United States National Security Council Staff at the White House. He and I and Alan Cohn go deep into the weeds so you won’t have to. Our conclusion? The main value of the bill is that it frees some companies from aging privacy rules that prevented information sharing with groups that include the government. It also enables companies to monitor their networks without fear of liability under even older privacy laws preventing interception of communications without all parties’ consent. The other lesson to be drawn from the bill is that privacy groups are still something of a paper tiger without business support. More than seventy senators voted for CISA over the bleeding bodies of every privacy group in the country.

In other news, Maury Shenk and I unpack the latest claim that the US and EU have agreed in principle on a deal to replace the Safe Harbor struck down by the European Court of Justice. We’re profoundly skeptical that a deal will be reached quickly, or that it will actually give companies much in the way of safety. 

Jason Weinstein provides a blow-by-blow recounting of the fight between Apple and the Justice Department. The real question is whether Magistrate Judge Orenstein will call the fight for Apple before the defendant is sentenced. We think he will.

Also in the category of “Put me in the newspaper, I’m a pro-privacy judge,” the Fourth Circuit panel that insisted on a warrant for historical cell tower location data had better enjoy their fifteen minutes of fame now. Their opinion is going to be reviewed en banc – and Jason and I are betting it won’t survive.

Finally, it looks as though privacy groups didn’t just waste money asking the Second Circuit to block the last month of the section 215 bulk collection program. They actually managed to effectively overrule the only court of appeals decision finding the program unlawful. In rejecting the privacy campaigners’ motion for an injunction, the Second Circuit declared that Congress had knowingly authorized it and therefore that it no longer violated the relevant statute. Pyrrhus salut.

As always, the Cyberlaw Podcast welcomes feedback. Send an e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: Podcast_87.mp3
Category:general -- posted at: 4:58pm EDT

Are Russian hacker-spies a bunch of lethargic government drones more interested in smash-and-grabs than stealth? That’s one of the questions we pose to Mikko Hypponen in episode 86 (right after we ask about how to pronounce his name; turns out, that’s harder than you think). Mikko is the Chief Research Officer at F-Secure and a long-time expert in computer security who has spoken and consulted around the world for over 20 years. His company recently published a lengthy paper on Russian government cyberspies, which F-Secure calls “the Dukes.” Mikko describes the Dukes’ targets and tactics, including a remarkably indiscriminate attack on a Tor exit node. I press him on whether attribution is really getting better, and on whether F-Secure’s paper eases or heightens concerns about Kaspersky’s ties to Russian intelligence.

Mikko also joins us for the news roundup, where we do a damage assessment from the ECJ’s Safe Harbor demolition and I critique Brad Smith’s implausible solution to the transatlantic data rift. We explain why Israel has decided to cut off data transfers to the U.S. (hint: it’s not concerns about aggressive counterterror surveillance). 

And I wonder whether the House of Representatives passage of the Judicial Redress Act makes Jim Sensenbrenner the abused spouse of the European Commission (“I was going to give you this nice cause of action for your citizens when you slapped me upside the head with the Safe Harbor ruling. So, uh, here it is anyway. Now do you love me?”).

CISA comes to the floor at last. I scope the pending amendments. Two of them would greatly increase the “privacy tax” on information sharing; the only good thing about Senators Wyden and Heller’s proposals is how much business it will create for lawyers. Senator Franken has an amendment that strips the mask from the privacy lobby. The privacy groups that support the Franken amendment aren’t just pro-privacy, they’re anti-security. The amendment would prevent companies from sharing information that might disclose a security risk and require instead an individualized determination that the signature makes a compromise “reasonably likely.” The fight over the Cotton amendment to allow sharing with the FBI or Secret Service rather than DHS, meanwhile, looks like a turf fight disguised as a privacy issue.

In other news, we absolve CIA director Brennan of accusations of bad security in his email hack. And in the back of the paper, where the dog-bites-man stories go, CrowdStrike finds that Chinese cyberspies haven’t yet stopped stealing commercial secrets.

As always, the Cyberlaw Podcast welcomes feedback.  Send an e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: Podcast_86.mp3
Category:general -- posted at: 4:28pm EDT

Want to see cyber attribution and deterrence in action? In August, a hacker pulled the names of US military personnel and others out of a corporate network and passed them to ISIL. British jihadist Junaid Hussain exulted when ISIL released the names. “They have us on their ‘hit list,’ and we have them on ours too…,” he tweeted. On the whole, I’d rather be on theirs. Two weeks after his tweet, Hussain was killed in a US airstrike, and two months after that, the hacker was arrested in Malaysia (subscription required) on a US warrant.

We explore that story and more with Gen. Michael Hayden, the only person to serve as both Director of the National Security Agency and of the Central Intelligence Agency. Gen. Hayden explains why he differs with FBI Director Comey on encryption and with the European Court of Justice on whether the US sufficiently respects privacy rights, along with other topics.

Our news roundup dwells again on the ECJ’s decision and the Article 29 Working Party press release on the decision, a release characterized by far more bold font than bold thinking. In other news, magistrates are revolting again, or maybe still, as Magistrate Judge Orenstein hints that Apple’s desire to thwart law enforcement should trump law enforcement’s interest in getting evidence off a locked phone.

Cyber insurance rates are rising, raising questions about who should be covered and whether insurance companies will do the security regulating the government is reluctant to do.

Meanwhile, we’re treated to dueling Wassenaar leaks from government. State says the intrusion software language will be revised not rewritten, while Commerce insists nothing is decided (subscription required). There’s really nothing like the last year of an administration, when every agency has its own policy agenda – and apparently its own spin room. If there were any doubt about whether Commerce is right to want an explanation from the Europeans about how (or, more accurately, whether) they’re enforcing this provision, Citizen Lab provides it with a new report showing that the surreptitious access tool sold by Europe’s FinFisher is present in more than 30 countries, not all of whose civil liberties laws meet a standard set by the United States – or even the lower bar set by the European Union.

Direct download: Podcast_85.mp3
Category:general -- posted at: 11:08am EDT