The Cyberlaw Podcast (general)

Want to see cyber attribution and deterrence in action? In August, a hacker pulled the names of US military personnel and others out of a corporate network and passed them to ISIL. British jihadist Junaid Hussain exulted when ISIL released the names. “They have us on their ‘hit list,’ and we have them on ours too…,” he tweeted. On the whole, I’d rather be on theirs. Two weeks after his tweet, Hussain was killed in a US airstrike, and two months after that, the hacker was arrested in Malaysia (subscription required) on a US warrant.

We explore that story and more with Gen. Michael Hayden, the only person to serve as both Director of the National Security Agency and of the Central Intelligence Agency. Gen. Hayden explains why he differs with FBI Director Comey on encryption and with the European Court of Justice on whether the US sufficiently respects privacy rights, along with other topics.

Our news roundup dwells again on the ECJ’s decision and the Article 29 Working Party press release on the decision, a release characterized by far more bold font than bold thinking. In other news, magistrates are revolting again, or maybe still, as Magistrate Judge Orenstein hints that Apple’s desire to thwart law enforcement should trump law enforcement’s interest in getting evidence off a locked phone.

Cyber insurance rates are rising, raising questions about who should be covered and whether insurance companies will do the security regulating the government is reluctant to do.

Meanwhile, we’re treated to dueling Wassenaar leaks from government. State says the intrusion software language will be revised not rewritten, while Commerce insists nothing is decided (subscription required). There’s really nothing like the last year of an administration, when every agency has its own policy agenda – and apparently its own spin room. If there were any doubt about whether Commerce is right to want an explanation from the Europeans about how (or, more accurately, whether) they’re enforcing this provision, Citizen Lab provides it with a new report showing that the surreptitious access tool sold by Europe’s FinFisher is present in more than 30 countries, not all of whose civil liberties laws meet a standard set by the United States – or even the lower bar set by the European Union.

Direct download: Podcast_85.mp3
Category:general -- posted at: 11:08am EST

In episode 84 our guest is Jack Goldsmith, Professor at Harvard Law School, a Senior Fellow at the Hoover Institution at Stanford University, and co-founder of the Lawfare blog. Before coming to Harvard, he served as Assistant Attorney General, Office of Legal Counsel and as Special Counsel to the Department of Defense. From cyberespionage to the right to be forgotten and the end of the Safe Harbor, we explore the many ways in which a globalized economy has tied the US government’s hands in cybersecurity matters – and subjected the United States to extensive extraterritorial “soft power” at the hands of Europeans. 

In the news roundup, the headline news is the continuing fallout from the ECJ’s attack on the Safe Harbor. Michael Vatis and Maury Shenk bring us up to date. Jason Weinstein explains why the latest convicted hacker thinks he should be a civil liberties hero/victim – and why weev is every bit the loathsome troll we thought he was when he went to prison.

Michael Vatis explains DOD’s latest cybersecurity rules for contractors. We conclude that DOD is boldly going where no agency has gone before – mandating cybersecurity with traditional command and control regulation. It’s an experiment that many will be watching.

And in another turnabout, banks have discovered the joys of bringing a plaintiffs’ class action – against Target for its credit card breach. We ask whether this means they’ll join the plaintiffs’ bar to oppose further class action reform. Jason also explains the latest ruling in a data breach claim against Coca Cola.

And the White House has made a decision on whether to seek legislation on law enforcement access to encryption. The memo offered three options:

  1. Don’t seek legislation and brag about it.
  2. Don’t seek legislation and keep hoping for help from Silicon Valley.
  3. Continue the current course of not seeking legislation.

To no one’s surprise, the White House has chosen not to seek legislation.

Also to no one’s surprise but almost everyone’s embarrassment, Judge Leon is still stumping relentlessly after his white whale, the NSA section 215 program, crying “You can’t die! I haven’t had a chance to kill you yet!” It looks like the program won’t be the only thing put out of its misery by the end of November.

Speaking of which, our intro music has been put out of its misery after 83 episodes and not a few complaints. Thanks to all who voted to help us choose a new theme song. And thanks especially to Jason Weinstein’s son, who won the contest going away.

As always, the Cyberlaw Podcast welcomes feedback.  Send an e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785. 

Direct download: Podcast_84.mp3
Category:general -- posted at: 3:26pm EST

Bruce Schneier joins Stewart Baker and Alan Cohn for an episode recorded live in front of an audience of security and privacy professionals.  Appearing at the conference Privacy. Security. Risk. 2015., sponsored by the IAPP and the Cloud Security Alliance, Bruce Schneier talks through recent developments in law and technology.

The three of us stare into the pit opened by an overwrought (and overdue and overweening) European Court of Justice advisor. If the European Court of Justice follows his lead (and what seems to be its inclinations), we could face a true crisis in transatlantic relations.

VW’s decision to hack its own emissions control software leads to a deep dive into the internet of things that lie to us, the value (or not) of open source, and whether plausible deniability is the next skill that programmers will have to learn.

We also talk China, the OPM hack, and the unique value and unique vulnerability of biometric authenticators. Bruce and Alan dig into the proposed export control rules for intrusion software; when they’re done, so is the case for the rules. The right to be forgotten leads to an exploration of when we should delegate law-making to private companies. I promise a detailed analysis in the future of Google’s law-making to date, and hint that it will not make us more fond of private and hidden law making.

Finally, I ask a hard question about Edward Snowden that no one has asked since he first burst on the scene: Is he so in the tank for the Digital Millennium Copyright Act that he can’t imagine intelligent life anywhere in the universe without it?

As always, the Cyberlaw Podcast welcomes feedback.  Send an e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.  More importantly, we need feedback on whether to replace our theme music, and with what.  Please take a listen to the samples at www.steptoe.com/cybermusic and vote for your favorite.  Voting closes on October 9.

Direct download: Podcast_83.mp3
Category:general -- posted at: 12:38pm EST

Cyberlaw negotiations are the theme of episode 82, as the US and China strike a potentially significant agreement on commercial cyberespionage and Europeans focus on tearing up agreements with the US and intruding on US sovereignty.

Our guest for the episode is Jim Lewis, a senior fellow and director of the Strategic Technologies Program at the Center for Strategic and International Studies.  Most importantly, Jim is one of the most deeply informed and insightful commentators on China and cybersecurity.  He offers new perspectives on the Obama-Xi summit and what it means for cyberespionage.

Meanwhile, the news roundup is full of flamboyant European attacks on US sovereignty and US agreements with Europe.  In a pending case involving Facebook, a highly influential advisor to the European Court of Justice has fired both barrels pointblank at the Safe Harbor privacy agreement with the United States.  First, he concludes that any data protection authority is free to defy the primacy of Brussels and refuse to give effect to the EU’s determination that US practices under the Safe Harbor are “adequate” for data transfer purposes.  Second, he concludes that US practices are not adequate because section 702 of the Foreign Intelligence Surveillance Act and other US law permits intelligence collection of European data on a mass scale.  Maury Shenk and I agree that, if followed by the Court, this will be an enormous problem for the transatlantic relationship.  I wonder why we’re giving Europeans the protection of the Privacy Act when their institutions are actively seeking to thwart one of our most effective counterterrorism intelligence programs.

Not to be outdone, Paris put the boot in as well, telling Google that censoring search results on google.fr was not enough.  The right to be forgotten had to be extended to google.com, so that Americans and the rest of the world could be censored at the command of privacy bureaucrats in France’s data protection authority.  Maury and I identify the biggest unanswered question:  Has Google already started to censor its .com search results?

And India seems intent on playing on both sides of the US debate over encryption and lawful access.  After coming down hard for Jim Comey’s side in a draft regulation, Michael Vatis and I note, the Indian government has had a change of heart, withdrawing the draft while leaving uncertain what will replace it.

Finally, in one piece of domestic news, Jason Weinstein unpacks a ruling that refuses to enforce an SEC demand for the passcodes needed to unlock phones.

As always, the Cyberlaw Podcast welcomes feedback.  Send an e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.  More importantly, we need feedback on whether to replace our theme music, and with what.  Please take a listen to the samples at www.steptoe.com/cybermusic and vote for your favorite.  Voting closes on October 9.

Direct download: Podcast_82.mp3
Category:general -- posted at: 6:18pm EST

Episode 81 features China in the Bull Shop, as the White House prepares for President Xi’s visit and what could be ugly talks on cyber issues. Our guest commentator, Margie Gilbert, is a network security professional with service at NSA, CIA, ODNI, Congress, and the NSC. Now at Team Cymru, she’s able to offer a career’s worth of perspective on how three Presidents have tried to remedy the country’s unpreparedness for network intrusions.

In the news roundup, there’s a high likelihood that President Obama will be accusing and Xi will be denying China’s role in cyberespionage. You might say it’s a “he said, Xi said” issue. Alan Cohn and I debate whether the US should settle for a “no first use” assurance to protect critical infrastructure in peacetime.  

On encryption, the White House (and Silicon Valley) are certainly raising the issue’s visibility. But they aren’t necessarily persuading anyone who isn’t already persuaded. From MI5 to the NYDFS to the new Indian government, dissing strong encryption is a surprisingly popular pastime.

The never-ending saga of when email content can be obtained with something less than probably cause and a warrant seems to be winding down to a bizarre resolution. Agencies investigating terrorists and white collar fraud that costs consumers hundreds of millions will have to jump through the warrant hoop. Agencies looking to impose regulatory penalties or file civil claims will not. Michael Vatis, Jason Weinstein, and I wonder aloud whether this realpolitik accommodation between politicians who love civil liberties and politicians who hate banks will survive its internal contradictions.

After a decade of stutter-stepping, the EU is bailing on its own data retention law, leaving the issue, and the mess, to member states. Maury Shenk provides a definitive short analysis.

Elsewhere, Judge Leon gets the section 215 plaintiff he sought with everything short of a personal ad in Craigslist,  practically guaranteeing another storm of exclamation points in F.Supp. – followed by a lengthy proceeding to have his opinion vacated as moot.

In good news, a Heartland hacker pleads guilty. Jason Weinstein celebrates – as much as is seemly for someone involved in the case. And in a rare moment of humility, I confess to having learned something from listener criticism, as Robert Horn schools me on some of the lesser-known risks associated with health data breaches.

As always, the Cyberlaw Podcast welcomes feedback.  Send email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785. More importantly, we need feedback on whether to replace our theme music; please take a listen to the samples at http://www.steptoe.com/cybermusic and vote for your favorite. Voting closes on October 9.

Direct download: Podcast_81.mp3
Category:general -- posted at: 11:28am EST

Still trying to dig out from under our hiatus backlog, we devote episode 80 to our regulars. We’ll bring back a guest next week. This week it’s a double dose of Jason Weinstein, Michael Vatis, Stewart Baker, and Congress-watcher Doug Kantor

Michael offers an analysis of the Second Circuit’s oral argument in the Microsoft lawsuit over producing data stored in Ireland. The good news: it was a hot bench, deeply engaged, that let oral argument go to triple the usual length. The bad news for Microsoft: by far the hottest member of the panel was Judge Lynch, who made no secret of his deep opposition to Microsoft’s arguments. 

I offered a skeptical view of the US-EU umbrella “deal” on exchange of law enforcement data and the “Judicial Redress Act” that Congress seems ready to rush through in support of the agreement. The problem? It looks as though DOJ sold out the rest of government and much of industry. Justice promised to make the one change in US law the EU wants, granting Europeans a right of action under the Privacy Act, in exchange for, well, pretty much nothing except a bit of peace of mind for DOJ. Since the EU is more a receiver than sender of data, it already has a lot of leverage in data exchanges and there haven’t been many attempts to thwart the exchange of strictly criminal evidence. What the US really wants is for the EU to stop threatening the Safe Harbor, to stop penalizing US companies to pressure the US government about its use of data, and to guarantee that it isn’t holding the US to higher privacy standards than it imposes on EU governments. The DOJ-led negotiations got none of those concessions. And I’m willing to bet that the EU didn’t even give up the right to bitch, moan, and cut off data flows in the future if it doesn’t like how the umbrella applies. (On top of everything, the agreement is still under wraps, so the rush to praise and implement it is particularly imprudent.)

Michael and Jason deliberate on why Justice would obtain a text intercept order for Apple and then not react to the utterly predictable claim by Apple that it had no way to implement such an intercept. We note the further irony of Apple simultaneously defying the US government on privacy grounds while rushing to comply with Russia’s anti-privacy localization law.

The administration seems unable to impose sanctions on China’s cyberattackers or to stop talking about imposing sanctions on China’s cyberattackers. Sounds like a job for Stewart Baker! I offer my proposed sanctions for the Github attack, already laid out in detail here and here.

One barrier to sanctions may be the fear of hitting the wrong target, and in that regard, the Justice Department is wearing a full coat of egg after dropping its indictment of a purported Chinese spy amid allegations that it had simply misunderstood the technology in question. 

Doug Kantor offers a detailed and surprisingly upbeat assessment of the information-sharing bills’ chances for passage later this year. We also alert defense contractors to an expanded breach disclosure obligation.

And, finally, we decide to crowdsource the decision whether to keep our current theme music or to adopt one of three challengers. One of the candidates gets a heart-tugging endorsement from Jason that you’ll have to listen to the podcast to hear. Here’s the link to listen and vote for your favorite: www.steptoe.com/cybermusic.

 

The Cyberlaw Podcast is now open to feedback. Send your questions, suggestions for interview candidates, or topics to CyberlawPodcast@steptoe.com. If you’d like to leave a message by phone, contact us at +1 202 862 5785.

Direct download: Podcast_80.mp3
Category:general -- posted at: 10:51am EST

The cyberlaw podcast is back from hiatus with a bang. Our guest is Peter Singer, author of Ghost Fleet, a Tom Clancy-esque thriller designed to illustrate the author’s policy and military chops. The book features a military conflict with China that uses all the weapons the United States and China are likely to deploy in the next decade. These include China’s devilishly effective sabotage of the US defense supply chain, Silicon Valley’s deployment of a letter of marque, and some spot-on predictions of the likely response of our sometime allies. 

Episode 79 also recaps some of the most significant cyberlaw developments of the past month.

First, to no one’s surprise, the cybersecurity disaster just keeps getting worse, and the climate for victims does too: breach losses are being measured in the tens or even hundreds of millions of dollars, with a networking company losing $30 million and unlawful insider trading profits reaching $100 million.

Meanwhile, the courts are less than sympathetic. The Seventh Circuit cleared the way for a breach suit against Neiman Marcus, while the FTC and the Third Circuit were kicking Wyndham around the courtroom and down the courthouse steps. We wonder what exactly Wyndham did to earn the court’s ire. 

Next, we savor the “long, withdrawing, roar” of 215 metadata litigation, as privacy groups try with ever more desperation to pile a judicial ruling on top of their Congressional win. We ask what the hell the DC circuit’s splintered ruling means, and whether Judge Leon is really determined to jam still more exclamation points into the case despite its imminent mootness. (Answer from Judge Leon: Hell, yes!!!). Privacy groups are agitating for the Second Circuit to issue an injunction against the program. We ask: is that as dumb and violative of ordinary judicial procedures as it sounds? Stay tuned.

Finally, the messy fight over location data and the warrant requirement just won’t die, and may be metastasizing. Judge Koh and the Fourth Circuit say a warrant is needed for location data, revitalizing a circuit conflict that looked as though it was curing itself. Meanwhile, DOJ gets in the act, declaring as a matter of policy that federal use of stingrays needs a warrant. The result is that thousands of Baltimore cases could be at risk as a result? Luckily, Jason Weinstein hints, most of those cases wouldn’t have yielded a conviction.

 

The Cyberlaw Podcast is now open to feedback. Send your questions, suggestions for interview candidates, or topics to CyberlawPodcast@steptoe.com. If you’d like to leave a message by phone, contact us at +1 202 862 5785.

Direct download: Podcast_79.mp3
Category:general -- posted at: 12:04pm EST

Bonus Episode 78: Dmitri Alperovitch, Harvey Rishikof, Stewart Baker, and Melanie Teplinsky debate whether the United States should start doing commercial espionage. 

I know, I know, we promised that the Cyberlaw Podcast would go on hiatus for the month of August.  But we also hinted that there might be a bonus episode.  And here it is, a stimulating panel discussion sponsored by the Atlantic Council and moderated by Melanie Teplinsky.  The topic is whether the United States should abandon its longstanding policy of refusing to steal the commercial secrets of foreigners to help American companies compete.  The discussion is lively, with plenty of disagreements and an audience vote at the start and finish of the discussion to gauge how persuasive we were.  Enjoy!

 

The Cyberlaw Podcast is now open to feedback.  Send your questions, suggestions for interview candidates, or topics to CyberlawPodcast@steptoe.com.  If you’d like to leave a message by phone, contact us at +1 202 862 5785.

Direct download: Episode_78.mp3
Category:general -- posted at: 11:13am EST

Our guest for episode 77 is Bruce Andrews, the deputy secretary of the Commerce Department. Alan Cohn and I pepper Bruce with questions about export controls on cybersecurity technology, stopping commercial cyberespionage, the future of the NIST cybersecurity framework, and how we can get on future cybersecurity trade missions, among other things.

In the news roundup, Alan and I puzzle over the administration’s reluctance to blame China for its hacks of US agencies.

The furor over cybersecurity export controls continues unabated, with a couple of hundred hostile comments filed and Congress beginning to stir. Alan Cohn fills us in.

The UK high court ruling on data retention makes history but maybe only the most evanescent of law. Alan and I discuss whether the ruling will resemble Marbury v. Madison in more ways than one.

France finalizes expansion of surveillance. Bush administration figures come out against back doors. Cyberweek begins and, the cyber left hopes, ends without progress on CISA.

This Week in Prurient Cybersecurity: The first Ashley Madison subscriber is outed. And he’s Canadian. Looks like the nights really are longer up there. Ottawa apparently leads the world in percentage of would-be adulterers, followed by Washington, DC. No further comment seems necessary.

And Bloomberg says that the Chinese attempt to build a database on Americans didn’t begin with OPM or Anthem, but with the compromise of travel databases two years ago.

This time, Alan hints, the FTC may throw away the key, as it once again takes action against LifeLock. And the Seventh Circuit wades into the debate over how much harm a data breach plaintiff must suffer to have standing to sue.

 

The Cyberlaw Podcast is now open to feedback.  Send your questions, suggestions for interview candidates, or topics to CyberlawPodcast@steptoe.com.  If you’d like to leave a message by phone, contact us at +1 202 862 5785.

Direct download: Podcast_77.mp3
Category:general -- posted at: 3:37pm EST

Episode 76 of the podcast features the power couple of privacy and cybersecurity, Peter Swire and Annie Antón, both professors at Georgia Institute of Technology. I question them on topics from the USA FREEDOM Act to the enduring gulf between writing law and writing code. 

In the news roundup, as our listeners have come to expect, we do indeed return to our recurring feature, This Week in Prurient Cybersecurity, with a riff on the Ashley Madison hack. But you’ll have to wait until the end, when we’re loosened up. 

We begin more soberly, with Jason Weinstein and Michael Vatis covering the courts’ mopping up after passage of the USA FREEDOM Act. The DC Circuit has received supplemental briefs on Section 215, and the ACLU is leading the hopeless charge against the 215 program in the Second Circuit.

The Hacking Team doxxing draws attention to the risk involved in hiring hackers. When they’re disgruntled, they don’t just slam the door on the way out. Still, Alan Cohn and I can’t help but be fascinated by the Hacking Team proposal to use drones to hover over the target, intercepting his Wi-Fi connection.

In regulatory news, Alan Cohn and Jason Weinstein discuss the FERC’s revisions to the CIP cybersecurity requirements, with a focus on supply chain practices, and a Boston hospital’s settlement of HIPAA charges, prompting me to ask whether HHS’s Office of Civil Rights is the most hypocritically aggressive privacy regulator in government.

Russia’s Right to Be Forgotten law is signed, after further tweaks. And Google announces that it has officially tipped more than one million links into the dustbin of history.

I respond to listener feedback by walking back my mockery of Tony Scott’s “TLS Everywhere” initiative, noting that it might have some modest security benefits after all. Instead of “privacy theater” perhaps I should have called it a “privacy skit.” And as attribution gets better, so does the temptation to fly false flags. It looks as though the Russians will pioneer this particular development, attacking US sites under the nom de guerre of the Cyber Caliphate. And the US government response to the Russian attacks? A predictable silence.

 

As always, send your questions and suggestions for interview candidates to CyberlawPodcast@steptoe.com. If you’d like to leave a message by phone, contact us at +1 202 862 5785.

Direct download: Podcast_76.mp3
Category:general -- posted at: 4:29pm EST