Our guest for episode 64 of the Cyberlaw Podcast is Mary DeRosa, the chief lawyer for the National Security Council during the early years of the Obama Administration, and now a Distinguished Visitor at Georgetown University Law Center. We ask Mary to walk us through a hypothetical set of NSC meetings on the Sony breach and the US response, flagging the legal issues and offices that come to the table. She helps me unpack the differences between the use of force, countermeasures, and an armed attack – and confirms that I have no future at the State Department – an overdetermined outcome if ever there was one. It’s a great primer on the practical ways in which cyberconflict is lawyered (or, in my view, overlawyered). 

In the news roundup, I have to choose between defending the New York Times and defending Hillary Clinton. I choose Hillary, arguing that despite NYT innuendo the Russians aren’t dumb enough to pay tens of millions for a State Department “yes’ vote in CFIUS. Because as far as anyone knows, the State Department has never voted anything but “yes” in CFIUS. 

The House has passed two cyber information sharing bills ‒ H.R. 1560 and H.R. 1731 ‒ and at every stage of the process, the sponsors made concessions to the privacy lobby, which simply pocketed the concessions and moved the goal posts. Michael Vatis and I note that the bill that came out of the Intelligence Committee contained a “privacy tax” on private sector information sharing that will discourage sharing. And the bill as amended on the floor was worse – potentially stripping encryption of its status as a protected “defensive measure” under the act. If privacy groups hadn’t demanded the change, they’d already be screaming about how the House hates crypto. Now the bill moves to the Senate, where it is wrapped around the axle of NSA’s215 metadata program. Debate over that program must conclude by May 22 and will, I predict, be Hobbesian: nasty, brutish, and short. 

Maury Shenk and I discuss the EU’s gift that keeps on giving:  “Mad Dog” Oettinger, the high European official who finally threw away the mask, admitting a determination to regulate US tech companies until Europeans can climb back into the ring. There are rumors that his office is considering a vast new regulatory program for electronic platforms. Meanwhile, a bunch of senior UK intelligence officials are calling US Internet companies ‘terrorist-friendly’ for enabling encrypted communications. 

We quickly reprise the news from RSA: Jeh Johnson, Ash Carter, John Carlin, Tom Wheeler, and Michael Daniel were all in San Francisco last week.  Carter announced a DOD cyberwar strategy that looked at best like a plan to plan for cyberwar but still managed to be an improvement over past DOD efforts. Jeh Johnson wants DHS to have an office in Silicon Valley. And Michael Daniel admitted that the government is still looking for an escrow-type crypto solution. 

Finally, another FTC privacy case is settled, as the Commission declares that the lack of an instore-tracking opt-out is unfair, or deceptive, or newsworthy, or whatever the FTC’s standard for prosecution is these days. Jason Weinstein introduces me to my new heroes –  Maureen Ohlhausen and Joshua Wright‒ the two FTC commissioners who dissented from this lawless decision.