Steptoe Cyberlaw Podcast (general)

We couldn’t resist.  This week’s topic is of course President-elect Trump and what his election could mean for All Things Cyber.  It features noted cybercommentator Paul Rosenzweig and Daily Beast reporter Shane Harris. 

In the news, we’re reminded of the old Wall Street saying that bulls and bears can both make money in the market but pigs eventually get slaughtered. The same goes for the pigheaded, as the FTC has learned. Whatever modest satisfaction the FTC got from denying a stay of its order against LabMD surely evaporated when it forced the Eleventh Circuit to make an early call on the stay. The result: the court of appeals practically overrides the FTC decision on the motion. Or was the Commission just trying to make sure the proposed television series about LabMD had an ample supply of villains? If so, way to go, guys!

Katie Cassel announces her imminent retirement from the podcast. She also explains the DMCA’s new exemption for security researchers

This is getting ugly: Yahoo now says that some of its employees knew about its massive data breach in 2014 – two years before it was disclosed. Why the delay?  Yahoo says it’s investigating – and that it can’t be sure Verizon will follow through on the deal to buy the company.

Russia is getting ready to put some teeth in its data localization law. LinkedIn looks like the sacrificial goat, Maury Shenk tells us, and that’s just the camel’s nose under the tent.

How can section 230 immunity provide protection against one claim but not another based on the same facts? Katie makes it sound almost reasonable. Boy, are we going to miss her.

The Germans have revived an investigation of Facebook for not blocking Germany’s idea of hate speech, which probably includes hats that say “Make America Great Again.” Oh, this is going to be a fun four years.

Speaking of which, I wonder if the GRU woke up with the same hangover as the rest of the United States, suddenly realizing that they had no freaking clue what policies a Trump administration would follow. That would explain the rash of phishing attacks on Washington think tanks.

As always, the Cyberlaw Podcast welcomes feedback.  Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: SteptoeCyberlawPodcast-138.mp3
Category:general -- posted at: 9:59am EDT

The episode features a vigorous and friendly debate between me and Frank Cilluffo over his Center’s report on active defense, titled “Into the Gray Zone.”  It’s a long and detailed analysis by the Center for Homeland and Cyber Security at GW University. My fear: the report creates gray zones for computer defense that should not be seen as lawful—and turns far too many genuine gray zones black. 

Maury Shenk returns after missing last week due to the British determination not to follow US daylight savings practice. He updates us on challenges to the Privacy Shield Agreement in EU courts by privacy true believers (two and counting) and EU court challenges to government data practices in China, Russia, Algeria, and Saudi Arabia (none in evidence). Speaking of which, China has actually adopted the cybersecurity law it’s been threatening Western tech companies with for months, if not years.

Congress is starting to notice the FDA’s hapless response to medical device security. I predict that the FDA will not take serious notice until heart implants start tweeting: “I’d give this guy a cardiac arrest shock, but I’m too busy DDOSing the DNC.” 

Michael Vatis tells us what’s in the FTC’s Business Guide to Data Breach Response. It’s pretty good, but even if it weren’t, no one can ignore it, since it’s as close to rulemaking as the FTC gets in this field.

A remarkable official leak says that U.S. Cyber Command has pwned Russia’s IT infrastructure from its power grid to its military command system and is ready to strike if the Russians mess with the US election. Is it true? Clint Eastwood has the best answer.

As always, the Cyberlaw Podcast welcomes feedback.  Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: SteptoeCyberlawPodcast-137.mp3
Category:general -- posted at: 5:01pm EDT

Jonathan Zittrain, who holds a surfeit of titles at Harvard, is our guest for episode 136. Among other topics, we explore the implications of routine doxing of political adversaries. Along the way I extract kind words from Jonathan for Sarah Palin and welcome him to the club of those who think mass doxxers are evil punks.  It’s a wide-ranging, informative, and un-ideological performance of the sort we’ve come to expect from Jonathan.

In the news, I note that the FBI seems to be getting reinforcements in the Great Crypto War, as European prosecutors prepare the battlefield with complaints about Islamic State use of Western encryption.

We’re seeing the rise of a new kind of security disclosure mandate, Katie Cassel tells us. First DOD and now Treasury are requiring their industry to disclose not just personal data breaches but the details of security breaches. But only Treasury was clever enough to do it without new regulatory authority.

NHTSA proposes some pretty thin cybersecurity guidance for vehicles, says Michael Vatis, and a couple of Senate Dems predictably call for tougher mandatory standards.

In more dog-bites-man news, European data protectionists have more hassles for US tech companies; this time it’s WhatsApp and Yahoo in the crosshairs.

Michael leads a tour of the FCC’s new “opt-in” privacy rules for ISPs. I make a bold prediction about how the privacy fight will shake out, and Michael—remarkably—thinks I may be right.

Katie explains HHS’s latest fine for a company that allowed file-sharing of medical files on one of its servers. Mike Daugherty, time to call your office.

Would the revolting magistrates have scuppered the FBI's effort to extract Huma's emails from Weiner's computer? Michael and I debate Orin Kerr's suggestion that there's a legal problem with expanding the search (or the seizure) to a new and different investigation. We mostly disagree with Orin.

And in continuing Rule 41 news, I narrowly escape an NFL taunting penalty while reporting that a whopping 23 out of 535 lawmakers are whining about expanded searches of pedophile computers.

As always, the Cyberlaw Podcast welcomes feedback.  Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: SteptoeCyberlawPodcast-136.mp3
Category:general -- posted at: 5:32pm EDT

Our guest for the episode is Rob Silvers, the assistant secretary for cybersecurity policy at DHS.  He talks about what the government can and should do about newly potent DDOS attacks and the related problem of the Internet of Things. The only good news: insecure defibrillators and pacemakers may kill you, but they haven’t yet been implicated in any DDOS attacks.

In the news, Michael Vatis and I debate whether the netizen reaction to a search warrant that also allows the FBI to collect phone security fingerprints during the search is overheated or justified. Maury Shenk explains an unusual UK tribunal ruling, holding that GCHQ’s and MI5’s bulk collection of data was once a violation of the European Convention on Human Rights. Luckily for the UK government, that illegality was cured by the government’s acknowledgment of the collection.

The financial industry faces new cybersecurity regulations; Katie Cassel explains. Then, as the junior member of the podcast crew, Katie also finds herself called on to explain when defense contractors have to disclose cyberattacks to the Department.

In other news, NSA contractor Harold Martin is looking less like a hoarder and more like a serious threat to national security, thanks to the Justice Department motion opposing bail. Maury explains why the EU’s top court thinks that even dynamic IP addresses are personal data. And I explain (or try to) why Julian Assange is a First Amendment cover boy when he blows national security secrets but apparently the second coming of Josef Stalin when he blows politically embarrassing secrets of the Clinton Global Initiative.  Or is the real problem the risotto recipe?

As always, the Cyberlaw Podcast welcomes feedback.  Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: SteptoeCyberlawPodcast-135.mp3
Category:general -- posted at: 1:31pm EDT

Episode 134 features John Carlin’s swan song as assistant attorney general for national security.  We review the highs and lows of his tenure from a cybersecurity point of view and then look to the future, including how the U.S. should respond to Russia’s increasingly uninhibited use of cyberpower.  I introduce John to Baker’s Law of Post-Government Policy Advice: “The good news about leaving government is that you can say what you think. The bad news is that you can say what you think because nobody cares.”

In the news roundup, we explore the Geofeedia flap, in which large Silicon Valley companies are claiming the right to deny law enforcement access to public postings, even when that access is limited to particular geographic areas, such as the location of an ongoing riot.  Remarkably, they seem to think we ought to be praising them for this antisocial stand.

Maury Shenk updates us on the UK’s new privacy guidelines—and China’s effort to make its internet more protective of children, and the state.

Michael Vatis and I mull over the troubling news that Carbanak is targeting SWIFT endpoints. The G7 has financial cybersecurity guidelines, but it seems unlikely that they’ll turn the tide of an increasingly at-risk banking system.

Michael and I also touch on an Akamai report confirming that the Internet of things isn’t exclusively used to launch DDOS attacks on Brian Krebs; sometimes it’s used to launch mass credential theft attacks as well. Maybe, I suggest, this is a problem that lawsuits can address.

As always, the Cyberlaw Podcast welcomes feedback. Send email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: Episode_134.mp3
Category:general -- posted at: 1:51pm EDT

In episode 133, our guest is The Grugq, famous in hacker circles but less so among Washington policymakers.  We talk about the arrest of an NSA employee for taking malware and other classified materials home, the Shadow Broker leak of Equation Group tools, and the Grugq’s view that the United States has fundamentally misunderstood the nature of cyberconflict.

In the news, Alan Cohn and I discuss the DHS/DNI fingering of Russia – and Putin – for the DNC hack.  We ask whether this means that sanctions will follow, and I characterize the administration’s stance so far as an updating of Groucho Marx’s position:  “These are my red lines.  If you cross them, well, I have others.”  

I award “stupidest privacy scandal of the year” to the complaints that Yahoo! (gasp!) scanned email content in a search for a terror-related signature.  

Continuing what will become a rant-filled episode, I nominate the Third Circuit for membership in a Hall of Judicial Shame.  The court of appeals has joined the European Court of Justice in giving legal effect to the early Guardian articles claiming that PRISM allowed NSA to scan all emails in US webmail services.  That might have been a mistake in 2013, but in 2016, it can only be characterized as a lie, and not one the judiciary should be party to.  Katie Cassel hoses me down.

Maury Shenk, back from honeymoon in Jordan, explains why the TalkTalk case has such prominence in the UK – and why the company was lucky to be assessed one of the highest fines ever imposed by the UK data protection authority.

Katie explains the FCC’s revised proposal for privacy regulations.  But she can’t explain the FTC’s embarrassingly juvenile grandstanding in its ongoing turf war with the FCC.

And, to end the roundup on a choleric note, Alan goads me with HHS’s latest and most astonishingly nit-picking fine ‒ $400,000 for having a supplier contract that hadn’t been updated since the HI-TECH Act modified HIPAA.

As always, the Cyberlaw Podcast welcomes feedback.  Send email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: Episode_133.mp3
Category:general -- posted at: 9:19am EDT

In episode 132, our threepeat guest is Ellen Nakashima, star cyber reporter for the Washington Post.  Markham Erickson and I talk to her about Vladimir Putin’s endless appetite for identifying ‒ and crossing ‒ American red lines, the costs and benefits of separating NSA from Cyber Command, and the chances of a pardon for Edward Snowden.  Ellen also referees a sharp debate between me and Markham over the wisdom of changing Rule 41 to permit judges to approve search warrants for computers outside their district.

In the news roundup, Meredith Rathbone explains the remarkably aggressive, not to say foolish, European proposal to impose export controls on products that would enable state surveillance in cyberspace.  Apparently locked in a contest with Brussels over who can propose the dumbest regulation of cyberspace, California has adopted a law that purports to prohibit entertainment sites like IMDb from publishing the true ages of actors and actresses.  Markham and I debate the constitutionality of the measure.

In other California news, Markham brings us up to date on the surveillance lawsuit against Google.  He also explains the deep Washington maneuvering over FCC Chairman Wheeler’s plan for cable set top boxes.  I call for a rule that requires cable CEOs to wait at home for days of rescheduled calls to find out whether they’re going to get the result they want.

As always, the Cyberlaw Podcast welcomes feedback.  Send email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: Episode_132.mp3
Category:general -- posted at: 2:02pm EDT

Our interview in episode 131 is with Matt Cutts and Lisa Wiswell from the Pentagon’s Defense Digital Service.  Matt joined the Digital Service from Google where he authored their SafeSearch content filter.  Lisa is a bureaucracy hacker with the Defense Digital Service and previously spent years working on cyber-warfare in DOD’s policy shop and in DARPA.  They both stress that the Service is looking for good code and policy hackers -- and that their Digital Service recruiting link is https://www.usds.gov/join

 

After a musical intro featuring the Beatles as reimagined by artificial intelligence, Michael Vatis explains why Microsoft's new German datacenters may succeed in putting customer data beyond the reach of US agencies, and why Microsoft might not want to state its goal quite that way.

 

Jennifer Quinn-Barabanov explains how a new lawsuit on behalf of Gilbert Chagoury will test whether the US government will punish leakers and whether the EU succeeds in its effort to get the Privacy Act to cover European nationals.  

Jen and I also tackle the record-breaking Yahoo! breach, and what it says about the actual impact of data breach risk on companies and investors.  Jen reveals this shocking statistic:   the median cost of a breach is $200,000 by some measures, hardly enough to get even the plaintiffs’ bar out of bed.  And, it turns out, nearly half of corporate GCs have already lived through a breach, so they likely know their own exposure pretty well.  

Speaking of records, Brian Krebs, a podcast alum, experienced his own unenviable record:  victim of world’s biggest DDOS attack, fueled by the Internet of things.  What next?  Networked Fords launching a denial of service attack on GM dealers?

Sliding seamlessly into the interview, Matt Cutts and I dive into the latest OpenSSL bug, the reasons Google launched BoringSSL, and the ways in which being boring is also being secure.  (As pretty much any overprotected ten-year-old boy could have told us.)

Matt and I debate whether SSL everywhere is just good, prudent security or the fruits of a Crypto Derangement Syndrome on the part of a Valley that hopes to secede from the United States (guess which side I took).

We take a long look at the Digital Service and what it has done so far.  Lisa Wiswell brags on “Hacking the Pentagon,” which paid the first bug bounties ever offered by a US government agency.   I congratulate her on avoiding the alternative ‒ filing a STFU lawsuit against the security researchers, unlike some I could mention (*cough* St. Judes *cough*).  This leads to a colloquy on what it will take to fix IT procurement in the US government.  We make a little progress, but find no silver bullets.

As always, the Cyberlaw Podcast welcomes feedback.  Send email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: Episode_131.mp3
Category:general -- posted at: 11:39am EDT

In a law-heavy news roundup, Katie Cassel and I talk about New York’s dangerously prescriptive cybersecurity regs for banks and insurers. Maury Shenk and I uncover the seamy industrial politics behind the EU’s latest copyright and telecom proposals.  The Sixth Circuit deepens a circuit split over standing and how much injury it takes to support a federal data breach lawsuit – and then, oddly, decides not to publish its opinion.  Michael Vatis explains.

In other news, Michael notes that the CFTC has adopted its own very prescriptive cybersecurity testing rules.  At least pen testers should be happy; their specialty is increasingly required by regulators.  Katie hoses me down on the significance of the Ninth Circuit’s latest “failure to warn” decision for section 230 of the Communications Decency Act.  Good news for section 230, not so much for Match.com.

Finally, the FTC continues to vie for the title of federal agency with the least sense of moderation. The FTC is opposing a motion to stay in the LabMD case.  Pending appeal, it wants to impose strict cybersecurity procedures on a business whose servers are probably stored in Mike Daugherty’s garage.  As Winston Churchill said about nuclear weapons, at some point all you’re doing it making the rubble bounce.

As always, the Cyberlaw Podcast welcomes feedback.  Send email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

 

Direct download: Episode_130.mp3
Category:general -- posted at: 4:02pm EDT

This week’s podcast interview is with Ciaran Martin, the chief executive of the UK’s National Cyber Security Centre. While the US political climate makes it implausible that the National Security Agency would be asked to head a nationwide cybersecurity center designed to work with the private sector, that’s exactly the job that the United Kingdom given to GCHQ, the British equivalent of NSA. I ask why, and a lot more too.

Direct download: Episode_129a.mp3
Category:general -- posted at: 9:35am EDT