The Cyberlaw Podcast

Our interview in episode 131 is with Matt Cutts and Lisa Wiswell from the Pentagon’s Defense Digital Service.  Matt joined the Digital Service from Google where he authored their SafeSearch content filter.  Lisa is a bureaucracy hacker with the Defense Digital Service and previously spent years working on cyber-warfare in DOD’s policy shop and in DARPA.  They both stress that the Service is looking for good code and policy hackers -- and that their Digital Service recruiting link is https://www.usds.gov/join

 

After a musical intro featuring the Beatles as reimagined by artificial intelligence, Michael Vatis explains why Microsoft's new German datacenters may succeed in putting customer data beyond the reach of US agencies, and why Microsoft might not want to state its goal quite that way.

 

Jennifer Quinn-Barabanov explains how a new lawsuit on behalf of Gilbert Chagoury will test whether the US government will punish leakers and whether the EU succeeds in its effort to get the Privacy Act to cover European nationals.  

Jen and I also tackle the record-breaking Yahoo! breach, and what it says about the actual impact of data breach risk on companies and investors.  Jen reveals this shocking statistic:   the median cost of a breach is $200,000 by some measures, hardly enough to get even the plaintiffs’ bar out of bed.  And, it turns out, nearly half of corporate GCs have already lived through a breach, so they likely know their own exposure pretty well.  

Speaking of records, Brian Krebs, a podcast alum, experienced his own unenviable record:  victim of world’s biggest DDOS attack, fueled by the Internet of things.  What next?  Networked Fords launching a denial of service attack on GM dealers?

Sliding seamlessly into the interview, Matt Cutts and I dive into the latest OpenSSL bug, the reasons Google launched BoringSSL, and the ways in which being boring is also being secure.  (As pretty much any overprotected ten-year-old boy could have told us.)

Matt and I debate whether SSL everywhere is just good, prudent security or the fruits of a Crypto Derangement Syndrome on the part of a Valley that hopes to secede from the United States (guess which side I took).

We take a long look at the Digital Service and what it has done so far.  Lisa Wiswell brags on “Hacking the Pentagon,” which paid the first bug bounties ever offered by a US government agency.   I congratulate her on avoiding the alternative ‒ filing a STFU lawsuit against the security researchers, unlike some I could mention (*cough* St. Judes *cough*).  This leads to a colloquy on what it will take to fix IT procurement in the US government.  We make a little progress, but find no silver bullets.

As always, the Cyberlaw Podcast welcomes feedback.  Send email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: Episode_131.mp3
Category:general -- posted at: 11:39am EDT

In a law-heavy news roundup, Katie Cassel and I talk about New York’s dangerously prescriptive cybersecurity regs for banks and insurers. Maury Shenk and I uncover the seamy industrial politics behind the EU’s latest copyright and telecom proposals.  The Sixth Circuit deepens a circuit split over standing and how much injury it takes to support a federal data breach lawsuit – and then, oddly, decides not to publish its opinion.  Michael Vatis explains.

In other news, Michael notes that the CFTC has adopted its own very prescriptive cybersecurity testing rules.  At least pen testers should be happy; their specialty is increasingly required by regulators.  Katie hoses me down on the significance of the Ninth Circuit’s latest “failure to warn” decision for section 230 of the Communications Decency Act.  Good news for section 230, not so much for Match.com.

Finally, the FTC continues to vie for the title of federal agency with the least sense of moderation. The FTC is opposing a motion to stay in the LabMD case.  Pending appeal, it wants to impose strict cybersecurity procedures on a business whose servers are probably stored in Mike Daugherty’s garage.  As Winston Churchill said about nuclear weapons, at some point all you’re doing it making the rubble bounce.

As always, the Cyberlaw Podcast welcomes feedback.  Send email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

 

Direct download: Episode_130.mp3
Category:general -- posted at: 4:02pm EDT

This week’s podcast interview is with Ciaran Martin, the chief executive of the UK’s National Cyber Security Centre. While the US political climate makes it implausible that the National Security Agency would be asked to head a nationwide cybersecurity center designed to work with the private sector, that’s exactly the job that the United Kingdom given to GCHQ, the British equivalent of NSA. I ask why, and a lot more too.

Direct download: Episode_129a.mp3
Category:general -- posted at: 9:35am EDT

In episode 129, Alan Cohn and I dive deep on the Government Oversight Committee’s predictably depressing and unpredictably entertaining report on the OPM hack.  Cheeky Chinese hackers register their control sites to superhero alter egos.  And poor, patriotic Cytech finds an intruder during a sales demo, rushes to provide support without a contract, and ends up not just stiffed but accused of contributing to a violation the Antideficiency Act. The overmatched OPM security team launches a desperate operation Big Bang to oust one team of hackers, while another is safely ensconced in the network, biding its time before exfiltrating all its data.  

And for those who’ve complained that we never talk about cybertax law, a feast:  Steptoe’s premier international tax partner (and head of the firm) explains everything you need to know about the fight between Apple and the EU over Ireland’s tax regime for the company.  I am shocked to discover that Brussels is doing, well, what Brussels usually does.  

Alan and I talk about one more PlayPen decision, United States v. Torres.  It may be the last word on the subject, in part because it’s so sensible (the FBI did perform a search, it had a warrant and probable cause, the warrant didn’t conform to Rule 41, but so what?  No suppression) and in part because the Supreme Court has agreed to change the Rule.  I confidently predict that Sen. Wyden’s effort to stop the rule change will fail.

 

Direct download: Episode_129.mp3
Category:general -- posted at: 11:28am EDT

The podcast is back with a bang from hiatus.  Our guest, Scott DePasquale, is the CEO of Utilidata, an electric utility IoT and cybersecurity company.  Scott talks about his contribution to the Internet Security Alliance’s upcoming book, The Cyber Security Social Contract.  

Episode 128 also brings you a news roundup from the most momentous August in cybersecurity history.  Maury Shenk brings the SWIFT hack to life by describing his own brush with cyber bank fraud.   I cover the Shadow Brokers’ disclosure of what most believe to be an NSA hacking toolkit.   Meanwhile, Russia is hacking our political process and only the side whose ox is being gored seems to care.  

The EU, with an instinct for the capillaries, continues to fight the US on these issues.  Privacy Shield is up, and a lot of serious companies are signing up, despite the uncertainties.  Maury and I note the entry of France and Germany into the Great Crypto World War – at a comfortably leisurely pace.  And, in a welcome move, the European Court of Justice has reaffirmed that there are still some (modest and blurry) limits to the assertion of data protection jurisdiction over internet merchants.

The FTC had a busy month.  It served LabMD a mess of home cookin’ and the company is now free to argue its case before an unbiased court of appeals.  Speaking of which, the ninth circuit court of appeals shot down the FTC’s effort to steal the FCC’s common-carrier-regulating turf, and the FTC has finally deigned to notice (and even pat on the head) NIST’s Cybersecurity Framework. 

The UK’s terror watchdog has more or less endorsed the value of bulk collection of personal data.  And Baltimore has put it into effect, adopting an “eye in the sky” technology that has solved serious crimes without harming anyone’s privacy; naturally the privacy lobby is determined to make sure it’s never used again.

In privacy class action news, the lawyers for CareFirst deserve a bonus; they’ve now killed three class action cases (here, here, and here) where the breach was serious but the plaintiffs couldn’t claim that the stolen data was ever used to harm them.  And Judge Koh, to her shame, has approved $4 million in legal fees for the lawyers who brought a class action against Yahoo! and settled for a no-damages injunction that lets Yahoo! keep reading its users emails, but after it’s been sent, not before.

As always, the Cyberlaw Podcast welcomes feedback. Send email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

 

 

Direct download: Episode_128.mp3
Category:general -- posted at: 10:41am EDT

1