The Cyberlaw Podcast (general)

Our interview this week is with Amb. Nathan Sales, the State Department’s counterterrorism coordinator. We cover a Trump administration diplomatic achievement in the field of technology and terrorism that has been surprisingly under covered (or maybe it’s not surprising at all, depending on how cynical you are about press coverage of the Trump administration). We also explore new terrorism technology challenges and opportunities in social media, State’s role in designating terrorists, the difference a decade can make in tech and terror policy, and how the ambassador lost his cowboy boots.

In the news roundup, China seems to be hiding behind half our stories this week. Brian Egan and I sift through the entrails of CFIUS’s pronouncements on the Qualcomm-Broadcom takeover fight charts, where Chinese competition in 5G is an ever-present subtext.

More broadly, we point to a flood of stories suggesting that the U.S. government is just beginning to struggle with the challenge posed by an economically strong adversary nation. These include accusations of “weaponized capital,” naïve and compromised US academic institutions, and what amounts to a Chinese intelligence-industrial-unicorn complex.

The SEC says digital coin exchanges may be unlawful; bitcoin takes a market hit. But Matthew Heiman, in his first appearance on the podcast, expresses some doubt about the SEC’s authority over many of the businesses the agency called out.

The SEC wants something else to worry about, maybe it should be paying more attention to the Internet Engineering Task Force, where techno-privacy zealots are getting ready to cripple the ability of business enterprises to secure their networks and comply with employee monitoring requirements. Living down to my rock-bottom view of privacy campaigners, the IETF seems to be saying that in order to signal their virtue on privacy issues, they are happy to sacrifice our security – and compliance with law.

Part of the problem may be a lack of technically sophisticated staffers in government; Matthew and Jamil Jaffer chew over the cyber staffing crisis in government, and what can be done about it.

Finally, Jamil and Matthew comment on FBI director Wray’s statement that the FBI is not looking to blow a regulatory whistle on data-breached companies that ask for the Bureau’s help.

Our guest interview is with Nathan Sales, ambassador-at-large and coordinator for counterterrorism at the State Department.

As always, the Cyberlaw Podcast is open to feedback. Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

The Cyberlaw Podcast is hiring a part-time intern for our Washington, DC offices. If you are interested, visit our website at Steptoe.com/careers.

Download the 207th Episode (mp3).

Subscribe to The Cyberlaw Podcast here. We are also on iTunesPocket Casts, and Google Play (available for Android and Google Chrome)!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-207.mp3
Category:general -- posted at: 8:14pm EDT

Our interview features an excellent and mostly grounded exploration of how artificial intelligence could become a threat as a result of the cybersecurity arms race. Maury Shenk does much of the interviewing in London. He talks to Miles Brundage, AI Policy Research Fellow at the Future of Humanity Institute at Oxford and Shahar Avin of the Centre for the Study of Existential Risk and Research Associate at Cambridge. They are principal authors of a paper titled “The Malicious Use of Artificial Intelligence: Forecasting, Prevention and Mitigation.” The discussion was mostly grounded, as I said, but I did manage to work in a reference to the all-too-plausible threat of a hacking, bargaining AI sent by aliens from other star systems.

In the news roundup, semi-regular contributor Gus Hurwitz does a post-mortem on the oral argument in the Microsoft-Ireland case. Maury notes that Google has issued its most detailed report yet on how it’s implementing the right to be forgotten. My takeaway: Apart from censoring media in their own countries, everyone’s favorite censorship targets seem to be U.S. sites. I am not comforted that 90 percent of the censorship stays home, since the rest of it seems aimed at keeping true facts from, well, me.

Gus evaluates the latest Securities and Exchange Commission cybersecurity guidance. Bottom line: no surprises, but a good thing nonetheless. I do a quick recap of the CFIUS butcher’s bill for Chinese deals. It’s every bit as ugly as you’d expect. The Xcerra and Cogint deals have collapsed over chip and personal data worries. The Genworth deal is on the bubble. And CFIUS is taking unprecedented action to intervene in the Qualcomm-Broadcom proxy fight.

A new contributor, Megan Reiss of the R Street Institute, unpacks a couple of new security industry reports covering the emergence of false flags at the Olympics and the increasingly blurred line between criminal and state cyberespionage.

Maury covers the latest EU effort to wrongfoot Big Tech over scrubbing terrorist content. And I try to broaden the point, noting that the idea of a tech “platform” immunity has begun to fray even in the US, the land of its birth.

For those listeners afraid to traverse the feverswamps of conservative media, I bring back a story that shows why the loss of Big Tech platform immunity is shaping up as a bipartisan issue. Would you believe that CNN has bought an industrial washing machine so that it can spin stories more efficiently before airing them?  Do you need Snopes.com to tell you that’s satire? Does anyone need an anonymous Big Tech finger-wagger to tell you it’s fake news and threaten the site with penalties for repeat offenses? If not, you can see the right is uncomfortable with Big Tech as media gatekeeper.

Finally, as a bit of comic relief, last week Edward Snowden took to Twitter to criticize Apple for posing as a protector of privacy while actually cozying up to a dictatorship. Really. You can’t make this stuff up.

As always The Cyberlaw Podcast is open to feedback.  Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

The Cyberlaw Podcast is thinking of hiring a part-time intern for our Washington, DC offices. If you are interested, visit our website in the next week or so at Steptoe.com/careers.

Download the 206th Episode (mp3).

Subscribe to The Cyberlaw Podcast here.  We are also on iTunesPocket Casts, and Google Play (available for Android and Google Chrome)!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-206.mp3
Category:general -- posted at: 9:16pm EDT

Today’s news roundup begins with Maury Shenk and Brian Egan offering their views about the Supreme Court oral argument in the Microsoft-Ireland case. We highlight some of the questions that may tip the Justices’ hand.

Brian and I dig into the Democrats reply memo on the Carter Page FISA applications. I’m mostly unshocked by the outcome of the dueling memos, though I find one sentence of the application utterly implausible. I also foresee a possible merging of the Clinton-Obama Trump-smearing scandal with the Trump-Russia collusion scandal—call it the scandularity!

In other Russia news, the Justice Department is standing up a task force on all things cyberJim Lewis and I disagree about whether Russian hacking of the electoral infrastructure is likely to be a serious problem in 2018. We agree that the Twitter bot war on the American body politic will continue, since it seems to be a pretty cheap hobby for Putin’s favorite supplier of catered meals. Indeed, he seems to have gotten into the business as a way of squelching online protests that his school lunches were lousy. I suggest that Michelle Obama probably wishes she’d heard about that tactic sooner.

Google has announced an Advanced Protection program for people who think they may be high value targets for government cyberespionage. In a Cyberlaw Podcast first, I offer a product review. Short version: I’m still using it, despite some flaws in what looks like a beta program, but as a supply chain buff, I can’t help wondering who the hell Feitian Technologies is and what ties they have to the Chinese government.

March 1 is D-Day for Apple moving the crypto keys for Chinese iPhones' cloud data to China.

And Keeper continues to pursue its misguided libel suit against Ars Technica. Ars Technica’s answering brief is here. While security researchers have been wasting their time on politically correct whining about the Computer Fraud and Abuse Act, libel suits are turning into far more effective tools for chilling security research.

Finally, for fans of the podcast in the Washington area, Steptoe is thinking of hiring a part-time intern to handle much of the organizational work associated with the podcast. If you’re interested, keep an eye on Steptoe.com/careers, which is where we’ll post the position if this idea bears fruit.

As always The Cyberlaw Podcast is open to feedback.  Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 205th Episode (mp3).

Subscribe to The Cyberlaw Podcast here.  We are also on iTunesPocket Casts, and Google Play (available for Android and Google Chrome)!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-205.mp3
Category:general -- posted at: 7:51pm EDT

In our 204th episode of The Cyberlaw Podcast, the team bumbles forward without Stewart Baker, who is spending the week racing his offspring down mountain slopes somewhere in Utah. Brian Egan and Jamil Jaffer begin by covering a few implications of Special Counsel Robert Mueller’s indictment from Friday—the legal theories of the case and what the indictment does and doesn’t cover—as well as the follow-on false statement indictment against a former associate of a major law firm. In an amazing convergence of viewpoints, everyone, from Presidents Obama and Trump to Brian and Jamil—agrees that Russia appears to be winning, and the U.S. is losing, on the topic of interference with U.S. elections.

At the same time, the state secretaries of state gathered in Washington last week to discuss cybersecurity and U.S. elections—coming in the face of a fairly damning report published by the Center forAmerican Progress on shortcomings in U.S. election-related cyber defenses. In light of these threats, we ponder whether a return to the old paper ballots, or even the  “mail-only” approach that is operative in a few states, is better than an electronic ballot.

In other Russia-related news, Kaspersky turned to (literally) one of the oldest pages in the book—the Bill of Attainder clause in the U.S. Constitution—in suing to block the application of a provision in the NDAA that prohibits federal agencies from using Kaspersky products. Jamil posits that the case seems less frivolous than may appear at first blush, while Brian muses about the history of Bill of Attainder litigation in the United States.

Finally, Jamil and Brian discuss the U.S. and U.K. decision to attribute the NotPetya attack to Russia and the continued trend in the Obama and Trump Administrations to publicly identify perpetrators of state-sponsored cyber attacks (along with the risks inherent in this approach). Notwithstanding the NotPetya attribution, as well as a recent White House report on the increased economic costs of cyberattacks and Congressional hearings on data breaches, we explain why we believe it to be unlikely that Congress will pass federal data breach/data notification legislation any time soon.

As always The Cyberlaw Podcast is open to feedback.  Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 204th Episode (mp3).

Subscribe to The Cyberlaw Podcast here.  We are also on iTunesPocket Casts, and Google Play (available for Android and Google Chrome)!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-204.mp3
Category:general -- posted at: 6:43pm EDT

This episode consists of Jamil Jaffer and me interviewing Glenn Gerstell, the general counsel of the National Security Agency. Glenn explains what it was like on the inside of the effort to reauthorize section 702 of the Foreign Intelligence Surveillance Act. Jamil and I ask him whether the Foreign Intelligence Surveillance Court has the authority to deal with material omissions in FISA applications, and he actually answers. Glenn also touches on how it feels to discover that data subject to a judicial retention order has been inadvertently deleted, his secret exercise regime, his future plans, and how the United States should respond to the cybersecurity crisis.

Download the 203rd Episode (mp3).

Subscribe to The Cyberlaw Podcast here. We are also on iTunes, Pocket Casts, and Google Play (available for Android and Google Chrome)!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-203.mp3
Category:general -- posted at: 5:09pm EDT

Cyberlaw Podcast alumnus Marten Mickos was called before the Senate commerce committee to testify about HackerOne’s bug bounty program. But the unhappy star of the hearings was Uber, which was heavily criticized for having paid out a large bonus under cloudy circumstances. Sen. Richard Blumenthal and others on the Hill treated the payment as more ransom than bounty and pilloried Uber for not disclosing what they called a breach. Even Uber, under new management, was critical of its performance.

As the only cyberlaw podcast with a Davos correspondent, we ask Alan Cohn to give highlights of the event from a cybersecurity point of view. I bring the color commentary and snark.

With the Microsoft Ireland case heading to argument, the Justice Department and Big Tech are hoping to head the court off with a legislative solution. Jamil Jaffer explains what the CLOUD Act will do. I point out who’s missing from the Grand Coalition and question whether Big Privacy has the clout to stop the act.

Fancy Bear hackers seeking high-tech weapons data from U.S. defense contractors get lucky—up to 40% of their phishing links strike paydirt. Michael Mutek explains what this likely means for the Defense Department—more regulation, probably. Whether more regs and more compliance will produce more security is the question no one can answer.

A cyber-diplomacy office is back from the dead, sort of: Secretary of State Rex Tillerson now says he’ll create a bureau for cyberspace headed by an assistant secretary. And, as Jamil explains, the fight switches to which undersecretary will oversee the office.

Nick Weaver and Jamil comment on the news that the Justice Department has pulled in an impressive haul of cyber-fraudsters, bookended by doubts whether any hackers can ever be extradited from places like the UK and Ireland. Because, face it, how many can’t claim to be on the spectrum?

I close with a tribute to John Perry Barlow, who died last week. If you wanted to know how many women would fall for a combination Grateful Dead lyricist, technologist, and cowboy, John could tell you. Exactly.

As always The Cyberlaw Podcast is open to feedback. Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 202nd Episode (mp3).

Subscribe to The Cyberlaw Podcast here. We are also on iTunes, Pocket Casts, and Google Play (available for Android and Google Chrome)!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-202.mp3
Category:general -- posted at: 2:13pm EDT

The crypto wars return to The Cyberlaw Podcast in episode 201, as I interview Susan Landau about her new book on the subject, ‘Listening In: Cybersecurity in an Insecure Age.’ Susan and I have been debating each other for decades now, and this interview is no exception.

In the news roundup, Brian Egan and Nick Weaver join me for the inevitable mastication of the Nunes memo. (My take: The one clear scandal here is the way Glenn Simpson and Chris Steele treated the U.S. national security apparatus, including the national security press, as just another agency to be lobbied – and the success they had in milking it for partisan advantage and private profit.)

Meanwhile, if you needed a reminder of just how enthusiastically and ham-handedly China conducts its espionage, just ask the African Union, whose Chinese-built headquarters is pwned from top to bottom.

Brian lays out a significant Ninth Circuit Anti-Terrorism Act case absolving Twitter of liability for providing “material assistance” to ISIS by requiring a more direct relationship between Twitter’s acts and the harm suffered by the private plaintiffs. Not a surprise, but a relief for Silicon Valley.

Nick fulminates about the security threat that a sophisticated recent malvertising campaign poses and wonders when enterprises will start requiring ad-blockers on corporate internet software. In a related story, we wonder how much incentive Twitter really has to kill off its armies of fake followers.

Are the Dutch paying the price for punching above their weight in the cyberespionage game? And did American leaks kill their success? All we can do is speculate, unfortunately.

You know you’ve missed This Week in Sex Toy Security, so we bring it back to cover yet another internet-connected vibrator company trying to shake off a privacy class action. 

Finally, as a sign that we’ve finally reached peak cybersecurity and peak privacy, both topics are ending up on the agendas of international trade negotiators. The EU says its privacy rules are untouchable in negotiations (although other countries’ overly protectionist data flow policies are fair game) and the NAFTA negotiators have reportedly agreed to add to NAFTA cyber security “principles” based on the NIST Cyber Security Framework.

As always The Cyberlaw Podcast is open to feedback. Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 201st Episode (mp3).

Subscribe to The Cyberlaw Podcast here. We are also on iTunes, Pocket Casts, and Google Play (available for Android and Google Chrome)!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-201.mp3
Category:general -- posted at: 11:51am EDT

Whether they call it the fitbit or the “Ohsh*t!bit,” governments are learning that the exercise internet of things is giving away their geospatial secrets at a rapid clip. Nick Weaver walks us through what most in the U.S. would call a security disaster—and how it could become an intelligence bonanza. As an example of what can be done, Jeffrey Lewis highlights Taiwan's secret cruise missile command center.

Of course, as soon as authoritarian governments learn to use fitbits to oppress their people, we can expect the European Union and the Wassenaar export control group to slap export controls on them.  Meredith Rathbone reports on the effort to persuade Europe and Wassenaar not to throw the security industry out with the intrusion software. Turns out that progress is being made on both fronts.

Nick and I talk through the latest stories on Russian cyberspying. Meduza and Buzzfeed have a persuasive and dispiriting story about how Eugene Kaspersky might have been forced to cooperate with the Russian FSB. Looking at questions being raised about U.S. firms allowing the Russians to inspect their source code, we conclude that Balkanization of cybersecurity products is a near certainty, with the only question being how many markets there will be.

Speaking of Russia, the Dutch, not prominent among hacking intelligence agencies until now, have apparently counted cybercoup on the Russians.

Meredith and I dig into the latest round in the European Court of Justice between Max Schrems and Facebook. We call it a draw, with special props to Facebook for creativity in arguing that Schrems is no longer a consumer because he’s obviously turned suing Facebook into a profession.

And, in an overdue event, jackpotting coming to an ATM near you.

Finally, in the interview, we talk to Tim Maurer, co-director of the Cyber Policy Initiative and author of the new book, “Cyber Mercenaries: The State, Hackers, and Power.” Tim tells us the hidden story behind his book’s title and then jumps into a fascinating comparative study of how different governments try (or don’t try) to control the hackers they recruit, because it turns out that they all recruit hackers, just in very different ways. Tim points out an increasing fad for having hackers from one country move to another country to ply their trade. (North Koreans to China; Chinese to Africa) and the additional deterrence options this offers the U.S. government.

As always The Cyberlaw Podcast is open to feedback.  Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 200th Episode (mp3).

Subscribe to The Cyberlaw Podcast here. We are also on iTunes, Pocket Casts, and Google Play (available for Android and Google Chrome)!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

 

Direct download: TheCyberlawPodcast-200.mp3
Category:general -- posted at: 8:10am EDT

In this guestless episode, Michael Vatis, Markham Erickson, and Nick Weaver join me to round up the news. I explore the final results of the intense jockeying that led to passage of S. 139, which gave Section 702 of Foreign Intelligence Surveillance Act a new lease on life. The administration did well, weathering the president’s tweets, providing a warrant process for backend searches that will likely be used once a year if that, and—almost without anyone noticing—pulling the unmasking reform provisions from the bill and substituting an Office of the Director of National Intelligence rule. My guess? This was a tactic to make it easier for Dems to support the bill; if so, it worked.

And just in time, as the days after passage brought new whiffs of scandal, from the four-page House Republican memo alleging improprieties in the FBI’s FISA application to wiretap a Trump campaign hanger-on to two cases in which the FBI and NSA destroyed evidence they were supposed to be preserving. Michael Vatis and I cross sword over whether the FISA abuse memo is worth taking seriously or just partisan flak.

Nick and I delve into the gigabytes of hacked data mislaid by another player in the phone hacking game—Lebanese intelligence. Nick wonders whether the data obtained Electronic Frontier Foundation and Lookout violated the Computer Fraud and Abuse Act. I don’t.

The first known death by SWATting has yielded charges; the egregious SWATter for hire, SWauTistic, has been charged with involuntary manslaughter.

Almost as scary is the news that electric system malware is getting remarkably sophisticated, and common.

The Supreme Court will hear argument in the Microsoft Ireland case next month, and there are dozens of amici briefs, including one by Michael Vatis, who lays out his direct appeal to Justice Neil Gorsuch’s property-based view of the fourth amendment.

Matt Green (and Nick Weaver) have some questions for Apple about its moving China cloud data to a third party Chinese cloud provider. I’ve got one too. If treating Taiwan as a separate country from China leads to humiliating penalties for Western companies, does that mean Apple can’t store Taiwanese and Hong Kong users outside China?

And, for once on the podcast, a sweet life-long love story, spelled out cryptographically.

As always The Cyberlaw Podcast is open to feedback. Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 199th Episode (mp3).

Subscribe to The Cyberlaw Podcast here. We are also on iTunes, Pocket Casts, and Google Play (available for Android and Google Chrome)!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-199_1.mp3
Category:general -- posted at: 8:21am EDT

It turns out that the most interesting policy story about Kaspersky software isn’t why the administration banned its products from government use; it’s why the last administration didn’t. Shane Harris is our guest for the podcast, delving into the law and politics of the Kaspersky ban. Along the way, I ask why the Foreign Sovereign Immunities Act, which allows suits against foreign governments for some torts committed in the United States, shouldn’t allow suits against foreign governments that hack computers located in the United States.

In the news, the House comfortably adopts a bill to reauthorized 702 surveillance; the Senate is expected to act today as well. While the House bill makes some changes to the law, it endorses the most moderate of the reform proposals.

In case you haven’t heard, Apple is handing off its iCloud operations to a local cloud storage company – with none of the histrionic civil liberties posturing the company displays in the United States. Whose data is being transferred to the tender mercies of Chinese authorities? Who knows? Not Apple, which can’t even send out notices to its customers without getting confused about who’s covered by the new policy.

It’s a “three-peat” for state authority to make online companies collect sales tax from their customers. The Supreme Court has agreed to reconsider a dormant commerce clause doctrine that it has already affirmed twice.

I apologize to Uber for snarking on their “bounty” payment of $100,000 to a hacker who exposes a serious security flaw and gained access to large amounts of personal data. A good New York Times article demonstrates that the decision to pay up was at least plausibly justified. But as if to demonstrate why the company never gets the benefit of the doubt, Bloomberg reports on Uber’s latest scofflaw-ware scandal. Luckily for journalists everywhere, Uber continues to adopt colorfully damaging nicknames for its scofflaware. In this case their product locked or deleted data sought by local law enforcement with the touch of a panic button. It was named, of course, after Sigourney Weaver’s character, Ripley, who declared that the only way to deal with an alien-infested installation was to “nuke it from orbit.”

Sheila Jackson-Lee gets an admiring mention for winning House passage of a cyber vulnerability disclosure bill that is probably nuanced enough to be adopted by the Senate as well.

And Deputy Attorney General Rosenstein makes a short pitch for “responsible” encryption that actually manages to move the debate forward a step.

Talk about 21st century warfare. Russia is claiming it fought off swarms of drones with cyberweapons. As Nick Weaver points out, that’s just the beginning.

Brian assesses the state of CFIUS reform legislation and the claim that Sen. Cornyn’s bill would result in CFIUS’s regulation of technology transfers that would be better addressed through export controls.

Finally, having already critiqued Apple and Uber, I feel obliged to offer equal time to Twitter, which remarkably can’t even identify advertisements that invite users to log on to fake Twitter sites and steal their credentials. If you want to understand the worst of Silicon Valley, I argue, you shouldn’t look to the big rich companies; it’s the struggling would-be unicorns who show what the Valley really cares about. And security ain’t it. Speaking of which, where is that Ad Transparency Center that Twitter promised any day now back in the fall of 2017?

 

As always The Cyberlaw Podcast is open to feedback. Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 198th Episode (mp3).

Subscribe to The Cyberlaw Podcast here. We are also on iTunes, Pocket Casts, and Google Play (available for Android and Google Chrome)!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

 

Direct download: TheCyberlawPodcast-198.mp3
Category:general -- posted at: 9:50pm EDT