Steptoe Cyberlaw Podcast (general)

This episode features an interview with Mårten Mickos, the CEO of HackerOne. HackerOne administers bug bounty and vulnerability disclosure programs for a host of private companies as well as DOD’s “Hack the Pentagon” program. He explains how such programs work, how companies and agencies typically get started (with “vulnerability disclosure” programs), the legal and other assurances that companies need to provide to ensure participation, and the role that bounty administration firms play – from hacker reputation management to providing a kind of midnight basketball tournament for otherwise at-risk fourteen-year-old boys. (And they are boys, at least 98% of them, an issue we also explore.) Along the way, there’s even unexpected praise for the Justice Department’s Computer Crime Section, which has produced a valuable framework for vulnerability disclosure programs.

As always The Cyberlaw Podcast is open to feedback. Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 185th Episode (mp3).

Subscribe to The Cyberlaw Podcast here. We are also on iTunes, Pocket Casts, and Google Play (available for Android and Google Chrome)!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-185.mp3
Category:general -- posted at: 8:04pm EDT

Today’s news roundup features Shane Harris of the Wall Street Journal, Brian Egan, and Alan Cohn discussing stories that Shane wrote last week. Out of the box, we work through the hall of mirrors that the Kaspersky hacking story has become.

The Russian hacking story is biting more companies than just Kaspersky. Turns out that Twitter deleted all the Russian trolling accounts and tweets when the Russians asked them to. Because privacy! I put in a plug for the rule that privacy always somehow ends up protecting the powerful – in this case Vladimir Putin and, of course, Twitter itself.

We also cover another Wall Street Journal story detailing North Korea’s use of (another) antivirus product to hack South Korea’s military – and US war plans. 

Alan unpacks the Trump Administration’s most detailed statement to date on law enforcement and technology -- Deputy AG Rosenstein’s far-ranging speech on the topic.

Alan and I also touch on the emerging fight over 702 – and the media’s evergreen and credulous “discovery” that the far left and far right are surprisingly close on surveillance issues.

Alan spells out the case for Kirstjen Nielsen as Homeland Security Secretary, along with what some of her detractors are saying.

While Brian lays out the explosive theory behind the latest effort to tag Google and other social media giants with liability for assisting ISIS.

We close with two short hits.

I ask why, if Pornhub’s technology is that good, they’re starting with facial recognition.

And I can’t help noting that, for a while at least, security icon Apple thought that the best password hint was … the password itself! Thanks, Tim Cook! We’ll keep that in mind the next time you argue that the ability to hack every iPhone on the planet should be left with you and not the FBI.

Download the 184th Episode (mp3).

Direct download: TheCyberlawPodcast-184.mp3
Category:general -- posted at: 11:49am EDT

Richard Danzig, former Navy Secretary and a serious defense and technology thinker, speaks to us about the technology tsunami and what it means for the Pentagon.  Among the risks:  lots more accidents, some of them catastrophic, and “emergent” interactions among systems that no one predicts or prepares for.  He calls for the Department of Defense to spend more time thinking about ways in which our weapons might kill us without any enemy action.  Along the way, we ask the hard questions, including whether Kim Jong Un will use gene therapy to make his people smarter, dumber, or better basketball players.

In our news roundup, the House Judiciary Committee has struck the first blow in the 702 renewal debate. Paul Rosenzweig and I assess its bill and end up concluding that it does less damage to national security than expected, except for the unfortunate decision to sacrifice the possibility of conducting “about” collection.

Meanwhile, a turf fight inside Treasury has gotten vicious, with FinCEN lobbing (and leaking) “intelligence scandal” epithets at its sister Office of Intelligence and Analysis.  Brian Egan doesn’t seem surprised about the fighting, while expressing skepticism about the likelihood of a real scandal. In the words of our President, “Sad!”

Irish courts have unsurprisingly punted on the use of standard contracts clauses to export data to the US, Michael Vatis tells us.  The court has referred the hard issues to the European Court of Justice.

Speaking of sad, a third (or maybe a fourth) NSA staffer has taken Top Secret material home with disastrous results.  Kaspersky’s software seems to have been great at spotting the classified malware on the staffer’s machine. The result, Paul notes, is that the malware ended up in Russian government hands, and Kaspersky’s reputation is toast in the West.  Maybe it’s just a coincidence or maybe Kaspersky has given up wooing the West, but its latest report outs an unknown power that has been “piggybacking” on intrusions aimed at or run by Russian and Chinese hackers.

Finally, Brian discusses USTR’s use of the WTO to put a shot across China’s bow on that nation’s cybersecurity law.

Download the 183rd Episode (mp3).

Direct download: TheCyberlawPodcast-183.mp3
Category:general -- posted at: 6:11pm EDT

Episode 182 features a panel of experts on attribution of cyberattacks. I moderated the panel at the Georgia Tech 15th Annual Cyber Security Summit in Atlanta on September 27, 2017.  Panel members included Cristin Goodwin of Microsoft, Rob Knake of the Council on Foreign Relations, Hannah Kuchler of the Financial Times, and Kim Zetter, author of a 2014 book on the Stuxnet attack.

It’s a wide-ranging and compelling discussion of how we’re doing in attributing cyber intrusions and what more is needed in the field. Special thanks to Michael Farrell, Co-Director of Georgia Tech’s Institute for Information Security & Privacy (IISP) and the organizer of the Summit, for all the work and assistance that made this episode possible.

Download the 182nd Episode (mp3).

Direct download: TheCyberlawPodcast-182.mp3
Category:general -- posted at: 5:38pm EDT

Episode 181: Equifax and the Upside of Nation-State Cyberattacks

Was the Equifax breach a nation-state attack? Nick Weaver parses the data, and I explore the surprising upside for Equifax if it was.

Twitter comes to Capitol Hill to talk Russian election interference; it goes home with a flea in its ear and plenty of homework to do. Stephen Heifetz and I ask why the Foreign Agents Registration Act could not be used to discipline nation states' use of social media.

Twitter isn't alone in getting sideways with the government. The Justice Department says that Google is defying court orders on disclosure of data -- while building a system to make compliance impossible.  Nick gives the company a chutzpah award.

Jim Comey is still taking hits from the Hill, months after his departure from public life. Sens. Wyden and Lee are hoping to call him a liar, and they'd like the DNI's help. The good news for Jim Comey is bad news for Section 702, since the attack on Comey is really a way of paving the ground for a major reduction in the kinds of intelligence collection the government can conduct using section 702.

Bet you never thought you'd hear the phrase "Bush-Obama Consensus," but the Trump administration's CFIUS policies are turning "BushObama" into a single word summary of the ancien regime. Stephen Heifetz makes these and other observations in laying out the latest from CFIUS's (2015!) annual report. What can we tell from it?

Finally, Nick and I explore his latest essay viewing the vulnerability equities process through a Vault7 and ShadowBrokers lens: What should the government do when it's pretty sure its critical hacking tools have fallen into enemy hands?

Download the 181st Episode (mp3).

Direct download: SteptoeCyberlawPodcast-181.mp3
Category:general -- posted at: 4:49pm EDT

In a delightfully iconoclastic new book, Jeremy Rabkin and John Yoo take the air out of 75 years of inflated claims about the law of war. They do it, not for its own sake, though God knows that would be enough, but as a prelude to discussing how to use the new weapons–robots, space, and cyber–that technology makes possible. Brian Egan and I interview Jeremy Rabkin about these and other aspects of “Striking Power: How Cyber, Robots, and Space Weapons Change the Rules for War."

In the news roundup, cell tower simulators, aka stingrays, take another hit as a divided DC Court of Appeals says warrants are required before they can be used.

Maury Shenk sees good news for industry in the recent meetings between Commissioner Jourova and Secretary Ross; the European Commission is giving every sign of wanting to avoid yet another fight over Privacy Shield, though hotter heads in Europe may yet prevail.

Brian Egan opines on Robert Strayer’s appointment as deputy assistant secretary of state for cyber and international communications and information policy–and the reorganization that his appointment cements for now.

Stewart and Jeremy unpack the implications of the CCleaner attack, and its lessons for advocates of hacking back.

The FTC took a hit–but not a fatal one–from Judge Donato in the D-Link case.

And the OPM breach suits have been dismissed; I conclude that the grounds for dismissal raise questions, but it was, in the end, a mercy killing, since maintaining a class was likely to be impossible.

Julian Assange’s effort to rebrand himself as something other than a Russian stooge spurs skepticism from the panel. As Maury points out, the (only) Russian data leak Wikileaks has posted is more marketing release than a blown whistle.

Embarrassingly, the SEC admits that it was hacked and that the stolen data was likely used for insider trading.

Download the 180th Episode (mp3).

Steptoe partner Stewart Baker (right) with Jeremy Rabkin.

Direct download: SteptoeCyberlawPodcast-180.mp3
Category:general -- posted at: 8:46am EDT

Our interview is with Jeanette Manfra, DHS’s Assistant Secretary for Cyber Security and Communications. We cover her agency’s binding directive to other civilian agencies to purge Kaspersky software from their systems, and her advice to victims of the Equifax breach (and to doctors who think that Abbott Labs’ heart implants don’t need a security patch because no one has been killed by hackers yet). I also ask how she’s doing at expanding civilian agency security from intrusion prevention to monitoring inside networks – and the future of her agency at DHS.

CFIUS is back in the news as President Trump kills his first deal on national security grounds. Stephen Heifetz explains what he did and what it means for roughly 15 more deals caught in CFIUS’s toils.

For those who are following the 702 Upstream issue from last week’s episode, a bipartisan group of House Judiciary members have come down on Liza Goitein’s side of the debate, saying they’ll abolish upstream collection “about” terrorists. Whether they can sell the moderates of both parties on that, especially in the Senate, remains to be seen.

Jennifer Quinn-Barabanov explains how bad things have gotten for Equifax: a delayed patching process that will be cast as negligent, dozens of class actions, an FTC investigation, multiple Congressional committee hearings, possible SEC inquiries, and the state attorneys general too. I point out that no one has suffered harm from the breach yet and question whether this disaster will look quite so bad in three or four months.

The Trump administration imposes its first cyber attack sanctions, against Iranian hackers. Stephen and I note that three astonishingly different Presidents have managed to pursue cyber policies that are more or less indistinguishable from each other.

I suggest a surprising likely victim of the Russian probe: the effort to enshrine in law the requirement that electronic provider content only be provided in response to a search warrant, not a subpoena. The social media companies that dealt with Russian advertisers have provided less information to the Senate intelligence committee than to Robert Mueller. Why? Because the Senate doesn’t issue search warrants. So if Congress adopts a statutory warrant requirement to get electronic content, it will doom Congressional committees to perennial second-class status in future investigations. I doubt Congress is going to want to do that.

In fact, I predict, Silicon Valley is in for a bad half decade in Washington, as left and right grow increasingly suspicious of the power of social media companies.

Finally, to close out the news on a legal note, Jennifer unpacks two recent and, ahem, “divergent” opinions of the Eighth Circuit on breach lawsuit standing.

Download the 179th Episode (mp3).

Direct download: SteptoeCyberlawPodcast-179.mp3
Category:general -- posted at: 8:03am EDT

The Cyberlaw Podcast kicks off a series exploring section 702 – the half-US/half-foreign collection program that has proven effective against terrorists while also proving controversial with civil liberties groups.  With the program due to expire on December 31, we’ll examine the surveillance controversies spawned by the program. Today, we look at the “upstream” collection program under section 702.  We talk to Becky Richards, NSA’s Civil Liberties and Privacy and (whew!) Transparency Officer as well as Liza Goitein of the Brennan Center for Justice.

In the news, Equifax is taking a beating both for a massive and serious data breach and for a series of missteps in its mitigation effort.  Michael Vatis lays out the gory details.

Speaking of ugly, the climate for the online ad business is getting a lot worse, or so I predict, as Russia's use of social media ads and trolls gets attention in Washington.

Had enough?  Nope.  Now the European Court of Human Rights is piling on, limiting employers' right to monitor employees.  Maury Shenk explains the law; and I marvel at the court’s ability to take an obligation imposed on governments and turn it into a code of conduct for private employers.

But wait, it gets worse.  Symantec says that a hacker who looks a lot like the Russian government has installed sophisticated hacking tools on the networks that directly control US electric grid systems.  I predict that the Trump administration will do, well, nothing, following an Obama administration tradition in grid hacking cases.

OK, it’s not the power grid, but would you really want hackers to be able to tell your Echo, “Alexa, send me two metric tons of garbanzo beans overnight?”  Now, thanks to what I call the Evil Dolphin attack, they can do exactly that – with you in the room.  Quick, get all the Echos out of Marine World!

OK, here’s a bit of good news, or at least man-bites-dog news.  Maury reports that the European Court of Justice has sent Intel's $1.26 billion monopolization fine back to the European General Court.  Any time a European court doesn’t reach out to arbitrarily smack a US tech company, it’s cause for wonder.

In other news, Michael reports that Lenovo has settled (and pretty cheaply) with the FTC and a batch of states for installing spyware on its laptops.

To follow up on last week’s podcast, Best Buy has dumped Kaspersky software, so the mistrust virus is spreading from government to the private sector.

Finally, Uber, not content with God mode, also invented Hell, a program that fooled Lyft drivers into chasing fake customers.  Now Hell seems to have come for Uber, as it turns out the now-abandoned escapade might have violated the Computer Fraud and Abuse Act and is the subject of an SDNY/FBI probe.

Download the 178th Episode (mp3).

Direct download: SteptoeCyberlawPodcast-178_1.mp3
Category:general -- posted at: 9:51am EDT

In Episode 177, fresh from hiatus, we try to summarize the most interesting cyber stories to break in August. Paul Rosenzweig kicks things off with the Shunning of Kaspersky. I argue that the most significant–though unsupported–claim about Kaspersky is Sen. Shaheen’s assertion that all of the company’s servers are in Russia. If true, that’s certainly an objective reason not to let Kaspersky install sensors in non-Russian computers. The question that remains is how much due process companies like Kaspersky should get. That’s a question unlikely to go away, as DOD is now comprehensively shunning DJI drones, issuing guidance that sounds a lot like Edward Snowden demanding that users uninstall all DJI apps and remove all batteries and storage media.

Speaking of companies the US government can’t trust, Paul and I note that Apple has lost control of its secure enclave software. At the same time, Apple has pulled VPN apps from the Apple store at the direction of the Chinese government. Tim Cook explains that this makes perfect sense because Chinese law is on the Chinese government’s side but US law was not on the US government’s side. Right. Sounds like Tim is as good at lawyering as he is at coding, or at finding new breakthrough products for that matter.

Alan Cohn offers a potentially groundbreaking IoT security act.

Maury Shenk lays out the future of UK data protection law after Brexit.

And Paul and I look for ways in which DNA malware could be used.

To everyone’s surprise, election hacking is still making news. I use the item to tease our latest plan–an open house Election Day special where a panel of experts debates election security in front of a live Steptoe audience.

Finally, in our long interview, Alan and Maury talk Bitcoin, blockchain, and distributed ledgers with Michael Mainelli, Co-Founder and Chairman of Z/Yen, a think-tank and venture firm in the City of London; Emeritus Professor and Chairman at Gresham College; an alderman of the City of London; and a founder of Long Finance.

Download the 177th Episode (mp3).

Direct download: SteptoeCyberlawPodcast-177.mp3
Category:general -- posted at: 5:30pm EDT

Everybody’s a critic, and everybody’s a censor, at least if you judge by today’s episode: Maury Shenk tells us the European Court of Justice will soon rule on its authority to censor what Americans read. Markham Erickson discusses the Ninth Circuit decision upholding national security letter gag orders. And Maury says that China is getting impressively good at deleting images it doesn’t like from citizens’ phones in real time.

In other news, Congressional sanctions on Russia look like a done deal; Anthony Rapa explains (contra the NYT) that the sanctions weren’t watered down in the House – and the fuss they’re likely to cause among our European trading partners.

Speaking of sanctions, how long before Putin decides to sanction the extended Trump family by going after their property, either with legal decrees or illegal hacks? The Trump hotels are already prime targets for credit card hacks; adding doxing and bricking to the mix wouldn’t be hard.

In fact, that’s a lesson Hollywood seems to have absorbed. To keep from getting hacked a la Sony, it looks as though other studios are airbrushing Vladimir Putin from their upcoming films.

Meanwhile, Reuters and others report that Silicon Valley’s Big Tech seems to be AWOL in the fight over section 702 renewal, not necessarily out of patriotism but possibly also because the EU has tried to tie the fate of 702 to the Privacy Shield, the agreement that allows for free data flows between the regions.

As antidote, Stephanie Roy describes one profile in corporate courage – Microsoft’s lawsuit against Russia’s GRU (though they don’t of course name the intelligence agency). Microsoft is using trademark rights to take back some of the GRU’s command and control infrastructure.  It may not change the world, but it’s the best use of trademark enforcement in years.

Finally, our guest for the episode is Dave Aitel, Founder and CEO of Immunity, Inc. Dave combines deep cyber security expertise with a willingness to weigh in on policy issues.  A VEP expert (and contrarian), Dave thinks the recent Belfer Center paper on the topic is embarrassingly wrong and will have to be withdrawn. We cover other issues as well, from when a cyberweapon should be condemned as an indiscriminate violation of international humanitarian law to Kaspersky’s defenestration and the wisdom and proper regulation of private sector hacking back.  It’s a great tour of current issues in cybersecurity.

Download the 176th Episode (mp3).

Direct download: SteptoeCyberlawPodcast-176.mp3
Category:general -- posted at: 6:34pm EDT