The Cyberlaw Podcast

Our guest for episode 64 of the Cyberlaw Podcast is Mary DeRosa, the chief lawyer for the National Security Council during the early years of the Obama Administration, and now a Distinguished Visitor at Georgetown University Law Center. We ask Mary to walk us through a hypothetical set of NSC meetings on the Sony breach and the US response, flagging the legal issues and offices that come to the table. She helps me unpack the differences between the use of force, countermeasures, and an armed attack – and confirms that I have no future at the State Department – an overdetermined outcome if ever there was one. It’s a great primer on the practical ways in which cyberconflict is lawyered (or, in my view, overlawyered). 

In the news roundup, I have to choose between defending the New York Times and defending Hillary Clinton. I choose Hillary, arguing that despite NYT innuendo the Russians aren’t dumb enough to pay tens of millions for a State Department “yes” vote in CFIUS. Because as far as anyone knows, the State Department has never voted anything but “yes” in CFIUS.

The House has passed two cyber information sharing bills – H.R. 1560 and H.R. 1731 – and at every stage of the process, the sponsors made concessions to the privacy lobby, which simply pocketed the concessions and moved the goal posts. Michael Vatis and I note that the bill that came out of the Intelligence Committee contained a “privacy tax” on private sector information sharing that will discourage sharing. And the bill as amended on the floor was worse – potentially stripping encryption of its status as a protected “defensive measure” under the act. If privacy groups hadn’t demanded the change, they’d already be screaming about how the House hates crypto. Now the bill moves to the Senate, where it is wrapped around the axle of NSA’s 215 metadata program. Debate over that program must conclude by May 22 and will, I predict, be Hobbesian: nasty, brutish, and short.

Maury Shenk and I discuss the EU’s gift that keeps on giving: “Mad Dog” Oettinger, the high European official who finally threw away the mask, admitting a determination to regulate US tech companies until Europeans can climb back into the ring. There are rumors that his office is considering a vast new regulatory program for electronic platforms. Meanwhile, a bunch of senior UK intelligence officials are calling US Internet companies ‘terrorist-friendly’ for enabling encrypted communications.

We quickly reprise the news from RSA: Jeh Johnson, Ash Carter, John Carlin, Tom Wheeler, and Michael Daniel were all in San Francisco last week. Carter announced a DOD cyberwar strategy that looked at best like a plan to plan for cyberwar but still managed to be an improvement over past DOD efforts. Jeh Johnson wants DHS to have an office in Silicon Valley. And Michael Daniel admitted that the government is still looking for an escrow-type crypto solution.

Finally, another FTC privacy case is settled, as the Commission declares that the lack of an in-store tracking opt-out is unfair, or deceptive, or newsworthy, or whatever the FTC’s standard for prosecution is these days. Jason Weinstein introduces me to my new heroes – Maureen Ohlhausen and Joshua Wright – the two FTC commissioners who dissented from this lawless decision.

Direct download: Podcast_64.mp3
Category:general -- posted at: 1:18pm EDT

Our guest for episode 63 of the Cyberlaw Podcast is Alan Cohn, former Assistant Secretary for Strategy, Planning, Analysis & Risk in the DHS Office of Policy and a recent addition at Steptoe. Alan brings to bear nearly a decade of experience at DHS to measure the Department’s growth. He explains how it has undertaken and largely delivered a new civilian cybersecurity infrastructure. And, while Congress dithers, it has begun to build an information sharing network quite independent of the legislative incentives now on offer. Alan also offers his insights into emerging technologies and the risks they may pose, including drones, sensors, and cryptocurrencies.

In the news roundup, the consensus story of the week is the return of Jason Weinstein from a five-week absence, only some of it justified by family vacation and other worthwhile endeavors. In second place is the concerted European attack on Google and the rest of the US tech sector. Michael Vatis and I mull over a high-ranking European official’s astonishing gaffe in admitting the truth behind the effort – that it’s an attempt to regulate US technology until European industry can compete. Good luck with that.

In the House, Doug Kantor reminds us, it’s cyberweek, so the data breach law has immediately collapsed into such uncertainty that its Democratic sponsor even voted to keep it in committee. The bill has gone back to the shop for repairs to its bipartisan credentials, and the Obama administration, which says it supports a bill, seems to be keeping its distance from the messy business of actually legislating.

Meanwhile, Jason explains why cops are paying ransom to cybercrooks to get their data decrypted; Michael tells us a district court has given life to class action Google Wallet privacy claims under a sweeping theory; and I note that Julian Assange’s Wikileaks has hit a new low in offering a searchable database of stolen Sony email messages. Finally, the SEC’s Mary Jo White is taking heat for standing in the way of ECPA amendments, and the Chinese technological autarky movement seems to be alive and well, with a little help from US companies.

As always, send your questions and suggestions for interview candidates to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the sixty-third episode (mp3).


Subscribe to the Cyberlaw Podcast here. We are also now on iTunes and Pocket Casts!

Direct download: Podcast_63.mp3
Category:general -- posted at: 10:59am EDT

Our guest for Episode 62 is Dmitri Alperovitch, co-founder and CTO of CrowdStrike Inc. and former Vice President of Threat Research at McAfee. Dmitri unveils a new CrowdStrike case study in which his company was able to impose high costs on an elite Chinese hacking team. The hackers steadily escalated the sophistication of their attacks on one of CrowdStrike’s customers until they finally unlimbered a zero-day. When even that failed, and the producer was alerted to the vulnerability, the attackers found themselves still locked out and now down one zero-day. We mull the possibility that there’s a glimmer of hope for defenders.

Dmitri and I also unpack the Great Cannon – China’s answer to 4chan’s Low-Orbit Ion Cannon. Citizen Lab’s report strongly suggests that the Chinese government used its censorship system to deliberately infect about 2% of the Baidu queries coming from outside China. The government injected a script into the outsiders’ machines. The script then DDoSed GitHub, a U.S. entity that had been making the New York Times available to Chinese readers along with numerous open source projects. The attack is novel, shows a creative and dangerous use of China’s Great Firewall, and provoked not the slightest response from the U.S. government. I ask why any company in the United States that uses the Baidu search engine or serves China-based ads should not be required to notify users that their machines may be infected with hostile code before allowing them to receive ads or conduct searches. Finally, finding something good to say about the FTC’s jurisdiction, I ask why it isn’t deceptive and unfair to automatically expose U.S. consumers to such a risk.

In other news: The courts are raking the Mississippi Attorney General over the coals for an ill-considered attack on Google. The DEA’s bulk collection program is still under-covered. The FCC is racing the FTC to investigate big telecom and internet companies for privacy violations. The Baker Plan for punishing North Korea in response to its attack on Sony has been implemented. And I break out my suits and ties from the early 1990s to celebrate the return of split-key escrowed encryption and arguments over the meaning of CALEA.


Download the sixty-second episode (mp3).


Direct download: Podcast_62.mp3
Category:general -- posted at: 3:26pm EDT

Our guest for episode 61 of the Cyberlaw podcast is Joseph Nye, former dean of the Kennedy School at Harvard and three-time national security official for State, Defense, and the National Intelligence Council. We get a magisterial overview of the challenge posed by cyberweapons, how they resemble and differ from nuclear weapons, and (in passing) some tips on how to do cross-country skiing in the White Mountains.

In the news roundup, Meredith Rathbone explains details of the new sanctions program for those who carry out cyber attacks on US companies. I mock the tech press reporters who think this must be about Snowden because, well, everything is about Snowden. Michael Vatis endorses John Oliver’s very funny interview of Edward Snowden. Not just funny, it’s an embarrassment to all the so-called journalists who’ve interviewed Snowden for the last year without once asking him a question that made him squirm. In contrast, Oliver almost effortlessly exposes Snowden’s dissembling and irresponsibility. He hits NSA below the belt as well.

Ben Cooper explains the Ninth Circuit decision refusing to apply disability accommodation requirements to web-only businesses (he filed an amicus brief in the case), and we speculate on the likelihood of a cert grant.

While we’re speculating on judicial outcomes, Maury Shenk takes us through the arguments over the data protection Safe Harbor before the European Court of Justice. We both think the arguments suggest considerable hostility toward the Safe Harbor. An unfavorable ECJ decision could greatly complicate the lives of companies that depend on it to allow extensive data transfers across the Atlantic. And great complications are exactly what we expect.


The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: Podcast_61.mp3
Category:general -- posted at: 3:49pm EDT
