The Cyberlaw Podcast (general)

Our guest for Episode 62 is Dmitri Alperovitch, co-founder and CTO of CrowdStrike Inc. and former Vice President of Threat Research at McAfee. Dmitri unveils a new CrowdStrike case study in which his company was able to impose high costs on an elite Chinese hacking team. The hackers steadily escalated the sophistication of their attacks on one of CrowdStrike’s customers until they finally unlimbered a zero-day. When even that failed, and the producer was alerted to the vulnerability, the attackers found themselves still locked out and now down one zero-day. We mull the possibility that there’s a glimmer of hope for defenders.

Dmitri and I also unpack the Great Cannon -- China’s answer to 4Chan’s Low-Orbit Ion Cannon.  Citizen Lab’s report strongly suggests that the Chinese government used its censorship system to deliberately infect about 2% of the Baidu queries coming from outside China.  The government injected a script into the outsiders’ machines.  The script then DDOSed Github, a U.S. entity that had been making the New York Times available to Chinese readers along with numerous open source projects. The attack is novel, shows a creative and dangerous use of China’s Great Firewall, and provoked not the slightest response from the U.S. government. I ask why any company in the United States that uses the Baidu search engine or serves China-based ads should not be required to notify users that their machines may be infected with hostile code before allowing them to receive ads or conduct searches. Finally, finding something good to say about the FTC’s jurisdiction, I ask why it isn’t deceptive and unfair to automatically expose U.S. consumers to such a risk.

In other news:  The courts are raking the Mississippi Attorney General over the coals for an ill-considered attack on Google. The DEA’s bulk collection program is still undercovered.  The FCC is racing the FTC to investigate big telecom and internet companies for privacy violations. The Baker Plan for punishing North Korea in response to its attack on Sony has been implemented. And I break out my suits and ties from the early 1990s to celebrate the return of split-key escrowed encryption and arguments over the meaning of CALEA.   

As always, send your questions and suggestions for interview candidates to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the sixty-second episode (mp3).

Subscribe to the Cyberlaw Podcast here. We are also now on iTunes and Pocket Casts!

Direct download: Podcast_62.mp3
Category:general -- posted at: 3:26pm EDT

Our guest for episode 61 of the Cyberlaw podcast is Joseph Nye, former dean of the Kennedy School at Harvard and three-time national security official for State, Defense, and the National Intelligence Council.  We get a magisterial overview of the challenge posed by cyberweapons, how they resemble and differ from nuclear weapons, and (in passing) some tips on how to do cross-country skiing in the White Mountains.

In the news roundup, Meredith Rathbone explains details of the new sanctions program for those who carry out cyber attacks on US companies.  I mock the tech press reporters who think this must be about Snowden because, well, everything is about Snowden.  Michael Vatis endorses John Oliver’s very funny interview of Edward Snowden.  Not just funny, it’s an embarrassment to all the so-called journalists who’ve interviewed Snowden for the last year without once asking him a question that made him squirm.  In contrast, Oliver almost effortlessly exposes Snowden’s dissembling and irresponsibility.  He hits NSA below the belt as well.

Ben Cooper explains the Ninth Circuit decision refusing to apply disability accommodation requirements to web-only businesses (he filed an amicus brief in the case), and we speculate on the likelihood of a cert grant.

While we’re speculating on judicial outcomes, Maury Shenk takes us through the arguments over the data protection Safe Harbor before the European Court of Justice.  We both think the arguments suggest considerable hostility toward the Safe Harbor.  An unfavorable ECJ decision could greatly complicate the lives of companies that depend on it to allow extensive data transfers across the Atlantic.  And great complications are exactly what we expect.

As always, send your questions and suggestions for interview candidates to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: Podcast_61.mp3
Category:general -- posted at: 3:49pm EDT

Episode 60 of the Cyberlaw Podcast features Paul Rosenzweig, founder of Red Branch Consulting PLLC and Senior Advisor to The Chertoff Group.  Most importantly he was a superb Deputy Assistant Secretary for Policy in the Department of Homeland Security when I was Assistant Secretary.

Paul discusses the latest developments in ICANN, almost persuading me that I should find them interesting.  He expresses skepticism about the US government’s effort to win WTO scrutiny of China’s indigenous bank technology rules; he also sees the DDOS attack on GitHub as a cheap exercise in Chinese extraterritorial censorship.

Michael Vatis, meanwhile, fills us in on two new cyberlaw cases whose importance is only outweighed by their weirdness. And I dissect the House cybersecurity information sharing bill, concluding that it has gone so far to appease the unappeasable privacy lobby that it may actually discourage information sharing.

As always, send your questions and suggestions for interview candidates to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: Podcast_60.mp3
Category:general -- posted at: 4:17pm EDT

Richard Bejtlich is our guest for episode 59 of the Cyberlaw Podcast. Richard is the Chief Security Strategist at FireEye, an adviser to Threat Stack, Sqrrl, and Critical Stack, and a fellow at Brookings. We explore the significance of China’s recently publicized acknowledgment that it has a cyberwar strategy, FireEye’s disclosure of a gang using hacking to support insider trading, and NSA director Rogers’s recent statement that the US may need to use its offensive cyber capabilities in ways that will deter cyberattacks. 

In the news roundup, class action defense litigator Jennifer Quinn-Barabanov explains why major automakers are facing cybersecurity lawsuits now, before car-hacking has caused any identifiable damage.  I explain how to keep your aging car and swap out its twelve-year-old car radio for a cool new Bluetooth enabled sound system.  Michael Vatis disassembles the “$10 million” Target settlement and casts doubt on how much victims will recover.

Michael also covers the approval by a Judicial Conference advisory committee of a rule allowing warrants to extend past judicial district lines, explaining why it may not be such a big deal.  Maury Shenk, former head of Steptoe’s London office and now a lawyer and a private equity investor and adviser, jumps in to discuss the Chinese cyberwar strategy document as well as China’s effort to exclude US technology companies from its market.

As always, send your questions and suggestions for interview candidates to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: Podcast_59.mp3
Category:general -- posted at: 3:59pm EDT

In episode 58 of the Cyberlaw Podcast, our guest is Andy Ozment, who heads the DHS cybersecurity unit charged with helping improve cybersecurity in the private sector and the civilian agencies of the federal government. We ask how his agency's responsibilities differ from NSA's and FBI's, quote scripture to question his pronunciation of ISAO, dig into the question whether sharing countermeasures is a prelude to cybervigilantism, and address the crucial question of how lawyers should organize cybersecurity information sharing organizations (hint: the fewer lawyers and the more clients the better). In the news roundup, we revisit the cybersecurity implications of net neutrality, and Stephanie Roy finds evidence that leads me to conclude that the FCC has stolen the FTC's playbook (and, for all we know, deflated the FTC's football). This ought to at least help AT&T in its fight with the FTC over throttling, but that's no sure bet.

I explain why Hillary Clinton's email server was a security disaster for the first two months of her tenure – and engage in utterly unsupported speculation that she closed the biggest security gap in March 2009 because someone in the intelligence community caught foreign governments reading her mail.

In news with better grounding, the Wyndham case goes to the Third Circuit and the bench is hot. We explain why this is good for Wyndham. In other litigation news, the feds respond to Microsoft in the Irish warrant case. Michael and I agree that the Justice Department is praying for a cold bench.

Finally, in two updates from earlier podcasts, it looks as though China may have backed down on backdoors, for now, so Silicon Valley can go back to worrying about Jim Comey. And, I explain my claim from last week's show that the FREAK vulnerability is overhyped to support a simplistic civil libertarian morality tale.

As always, send your questions and suggestions for interview candidates to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: Podcast_58.mp3
Category:general -- posted at: 10:54am EDT

This episode of the podcast features Rep. Mike Rogers, former chairman of the House intelligence committee, Doug Kantor, our expert on all things cyber in Congress, and Maury Shenk, calling in from London.  Mike Rogers is now a nationally-syndicated radio host on Westwood One, a CNN national security commentator, and an adviser to Trident Capital’s new cybersecurity fund. The former chairman addresses a host of issues -- gaps in CFIUS, the future of the President’s new cyber threat integration center, the risk of rogue state cyberattacks on US infrastructure – as well as the issues we cover in the news roundup. 

These include Maury’s take on China’s toughening policy toward US technology, the prospects for a workable bill renewing section 215 (the ex-chairman is not as sanguine as Doug Kantor and I) and the administration’s new privacy bill.  (Our take: the bill is ideal for the Twitter age, since you still have 137 characters left after typing “DOA”.)   Maury updates us on the latest reason for delay in adoption of a new European data protection regulation. Doug Kantor and Mike Rogers consider the prospects for an information sharing bill and comment on privacy groups’ goalpost-moving style of congressional negotiation. 

And, finally, I respond to Edward Snowden’s claim that he wants to move to Switzerland by reminding him (and the Swiss) what he said about them the last time he lived there.  (Said Snowden: “You guys can’t say I look gay any more. I’m living in Switzerland. I’m the straightest-looking man in the country.” Geneva is “nightmarishly expensive and horrifically classist,” and “I have never, EVER seen a people more racist than the swiss.”  Apparently a year in Moscow broadened his horizons.)

As always, send your questions and suggestions for interview candidates to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: Podcast_57.mp3
Category:general -- posted at: 3:32pm EDT

Our guest for Episode 56 of the Cyberlaw Podcast is Siobhan Gorman, who broke many of the top cybersecurity stories for the Wall Street Journal until she left late last year to join the Brunswick Group, which does crisis communications for private companies.  Siobhan comments on the flood of attribution stories in recent days, including the US government’s almost casual attribution of the Sands Las Vegas cyberattack to Iran and the leaked attribution of the Saudi Aramco and US bank attacks to the same nation.  She also compares private sector cyber crisis planning to the US government’s coordination (or lack thereof) in responding to the Sony attack.

In other news, Stephanie Roy and I take a deep and slightly off-center dive into the FCC’s net neutrality ruling.  I predict that within five years the FCC will have used its new Title II authority to impose cybersecurity requirements on US ISPs.  (And in ten years, I suspect, there will be a debate in the FCC over whether to throttle or disfavor communications services that don’t cooperate with the FBI’s effort to deny perfectly encrypted security to criminals.) Stephanie demurs.

Michael Vatis and I chew over China’s “overdetermined” (h/t Mickey Kaus) policy of ousting American tech products in favor of Chinese competitors, the prospects of class action plaintiffs in the Komodia/Superfish/Lenovo flap, and NY financial regulator Benjamin Lawsky’s war on the password.

We finally get listener feedback to read on the air, as Michael Samway congratulates Nuala O’Connor for her masterly handling of, well, me.  Those who think they can do a better job of humiliating me will have their work cut out for them, but they’re welcome to try, sending emails to CyberlawPodcast@steptoe.com and voice mails to +1 202 862 5785.

Direct download: Podcast_56.mp3
Category:general -- posted at: 4:19pm EDT

In Episode 55 of the Cyberlaw Podcast, we revive This Week in NSA to explore the claim that GCHQ stole mass quantities of cell phone encryption keys.  Meanwhile, Jason explains the complex political battles over Rule 41, Michael explains why so many companies have rallied to Twitter’s first amendment claim against the Justice Department, and both of them explain how Yahoo! managed to beat the government’s indefinite gag order – and why Yahoo! might even be right.  After which we melt down into the bottomless hot mess of liability and litigation that surrounds the Lenovo/Superfish/Komodia/Lavasoft flap.

Our interview is with the charming and feisty CEO of the Center for Democracy and Technology, Nuala O’Connor.  Nuala and I square off over end-to-end encryption, privacy, and section 215, while managing to find common ground on TLS and even child-rearing.

As always, send your questions and suggestions for interview candidates to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: Podcast_55.mp3
Category:general -- posted at: 2:06pm EDT

Episode 54 of the Cyberlaw Podcast features a guest appearance by Lawfare’s own Ben Wittes, discussing cybersecurity in the context of his forthcoming book, The Future of Violence, authored by Ben and Gabriella Blum.  (The future of violence, you won’t be surprised to hear, looks bright.)  Ben also floats the idea of taping an episode of all the Lawfare-affiliated podcasts in a bar with some of our listeners.  More on that idea to come.

In the news roundup, I cover the President’s surprisingly news-light cybersecurity summit in Silicon Valley.  Jason comments on state attorneys general’s predictable sniping at Anthem for delays in identifying all the potential victims of its hack.  I note with satisfaction a serious loss by EFF in the Jewel lawsuit over the US government’s access to AT&T traffic.  And Jason lays out a report by the New York State Department of Financial Services on insurance company cybersecurity.

We both express concern about two Kaspersky security reports that identify new hacking tactics and new dangers for computer networks.  The patient infiltration of large bank networks and the extraction of hundreds of millions of dollars casts doubt on the safety of banking systems around the world.  Equally troubling is the discovery that what Kaspersky calls the “Equation” group used firmware exploits to achieve enduring access to a wide variety of hard drives.  (Though Kaspersky’s claim that the access depended on having the hard drive makers’ source code looks wrong.)

As always, send your questions, suggestions for interview candidates and offers to stand a round at the Beer Summit to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: Podcast_54.mp3
Category:general -- posted at: 9:58am EDT

In this week’s episode of the Cyberlaw Podcast, I take our new mobile recording equipment to Paris to talk about Europe’s cybersecurity directive with Alex Klimburg, of the Hague Institute for Strategic Studies and the Harvard Kennedy School’s Belfer Center.  The directive is in its final stages after a two-year buildup, and the most recent drafts suggest that the EU is finding it hard to muster the will for heavy regulation in this area.

In our news roundup, Jason Weinstein covers the Anthem hack and probable Chinese responsibility for it.  I point out that American privacy groups have said more or less nothing about the idea that a massive database about Americans might be assembled by China.

Stephanie Roy explains the FCC’s proposed net neutrality regs. And Doug Kantor lays odds on the five most prominent cybersecurity proposals.  Short version:  information-sharing is looking doable, and a national breach law might be as well.  CFAA changes look less easy, and the ECPA changes are stuck in a fight between people who hate Wall Street and privacy campaigners. The President’s $14 billion appropriation request for cybersecurity will get sliced, diced, and roasted, but he’ll likely end up with a lot of that money.

Cybersecurity scrutiny continues for financial institutions.  Jason reports on two recent regulators’ warning shots.  And I cover a variety of surveillance news, including the irony that a UK tribunal declared that an otherwise unlawful GCHQ practice had been saved by none other than Edward Snowden, who provided the transparency the tribunal considered necessary.  Thanks, Eddie!

The Cyberlaw Podcast is now open to feedback.  Send your questions, suggestions for interview candidates, or topics to CyberlawPodcast@steptoe.com.  If you’d like to leave a message by phone, contact us at +1 202 862 5785.

Direct download: Podcast_53.mp3
Category:general -- posted at: 11:37am EDT