The Cyberlaw Podcast

This episode of the podcast features Rep. Mike Rogers, former chairman of the House intelligence committee, Doug Kantor, our expert on all things cyber in Congress, and Maury Shenk, calling in from London.  Mike Rogers is now a nationally-syndicated radio host on Westwood One, a CNN national security commentator, and an adviser to Trident Capital’s new cybersecurity fund. The former chairman addresses a host of issues -- gaps in CFIUS, the future of the President’s new cyber threat integration center, the risk of rogue state cyberattacks on US infrastructure – as well as the issues we cover in the news roundup. 

These include Maury’s take on China’s toughening policy toward US technology, the prospects for a workable bill renewing section 215 (the ex-chairman is not as sanguine as Doug Kantor and I) and the administration’s new privacy bill.  (Our take: the bill is ideal for the Twitter age, since you still have 137 characters left after typing “DOA”.)   Maury updates us on the latest reason for delay in adoption of a new European data protection regulation. Doug Kantor and Mike Rogers consider the prospects for an information sharing bill and comment on privacy groups’ goalpost-moving style of congressional negotiation. 

And, finally, I respond to Edward Snowden’s claim that he wants to move to Switzerland by reminding him (and the Swiss)  what he said about them the last time he lived there.  (Said Snowden: “You guys can’t say I look gay any more. I’m living in Switzerland. I’m the straightest-looking man in the country.” Geneva is “nightmarishly expensive and horrifically classist,” and “I have never, EVER seen a people more racist than the swiss.”  Apparently a year in Moscow broadened his horizons.)

 

As always, send your questions and suggestions for interview candidates to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: Podcast_57.mp3
Category:general -- posted at: 3:32pm EDT

Our guest for Episode 56 of the Cyberlaw Podcast is Siobhan Gorman, who broke many of the top cybersecurity stories for the Wall Street Journal until she left late last year to join the Brunswick Group, which does crisis communications for private companies.  Siobhan comments on the flood of attribution stories in recent days, including the US government’s almost casual attribution of the Sands Las Vegas cyberattack to Iran and the leaked attribution of the Saudi Aramco and US bank attacks to the same nation.  She also compares private sector cyber crisis planning to the US government’s coordination (or lack thereof) in responding to the Sony attack.

In other news, Stephanie Roy and I take a deep and slightly off-center dive into the FCC’s net neutrality ruling.  I predict that within five years the FCC will have used its new Title II authority to impose cybersecurity requirements on US ISPs.  (And in ten years, I suspect, there will be a debate in the FCC over whether to throttle or disfavor communications services that don’t cooperate with the FBI’s effort to deny perfectly encrypted security to criminals.) Stephanie demurs.

Michael Vatis and I chew over China’s “overdetermined” (h/t Mickey Kauspolicy of ousting American tech products in favor of Chinese competitors, the prospects of class action plaintiffs in the Komodia/Superfish/Lenovo flap, and NY financial regulator Benjamin Lawsky’s war on the password.

 

We finally get listener feedback to read on the air, as Michael Samway congratulates Nuala O’Connor for her masterly handling of, well, me.  Those who think they can do a better job of humiliating me will have their work cut out for them, but they’re welcome to try, sending emails to CyberlawPodcast@steptoe.comail and voice mails to +1 202 862 5785.

Direct download: Podcast_56.mp3
Category:general -- posted at: 4:19pm EDT

In Episode 55 of the Cyberlaw Podcast, we revive This Week in NSA to explore the claim that GCHQ stole mass quantities of cell phone encryption keys.  Meanwhile, Jason explains the complex political battles over Rule 41, Michael explains why so many companies have rallied to Twitter’s first amendment claim against the Justice Department, and both of them explain how Yahoo! managed to beat the government’s indefinite gag order – and why Yahoo! might even be right.  After which we melt down into the bottomless hot mess of liability and litigation that surrounds the Lenovo/Superfish/Komodia/Lavasoft flap.

Our interview is with the charming and feisty CEO of the Center for Democracy and Technology, Nuala O’Connor.  Nuala and I square off over end-to-end encryption, privacy, and section 215, while managing to find common ground on TLS and even child-rearing.

As always, send your questions and suggestions for interview candidates to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: Podcast_55.mp3
Category:general -- posted at: 2:06pm EDT

Episode 54 of the Cyberlaw Podcast features a guest appearance by Lawfare’s own Ben Wittes, discussing cybersecurity in the context of his forthcoming book, The Future of Violence, authored by Ben and Gabriella Blum.  (The future of violence, you won’t be surprised to hear, looks bright.)  Ben also floats the idea of taping an episode of all the Lawfare-affiliated podcasts in a bar with some of our listeners.  More on that idea to come.

In the news roundup, I cover the President’s surprisingly news-light cybersecurity summit in Silicon Valley.  Jason comments on state attorneys generals’ predictable sniping at Anthem for delays in identifying all the potential victims of its hack.  I note with satisfaction a serious loss by EFF in the Jewel lawsuit over the US government’s access to AT&T traffic.  And Jason lays out a report  by the New York State Department of Financial Services on insurance company cybersecurity.

We both express concern about two Kaspersky security reports that identify new hacking tactics and new dangers for computer networks.  The patient infiltration of large bank networks and the extraction of hundreds of millions of dollars casts doubt on the safety of banking systems around the world.  Equally troubling is the discovery that what Kaspersky calls the “Equation” group used firmware exploits to achieve enduring access to a wide variety of hard drives.  (Though Kaspersky’s claim that the access depended on having the hard drive makers’ source code looks wrong.)

 

As always, send your questions, suggestions for interview candidates and offers to stand a round at the Beer Summit to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: Podcast_54.mp3
Category:general -- posted at: 9:58am EDT

In this week’s episode of the Cyberlaw Podcast, I take our new mobile recording equipment to Paris to talk about Europe’s cybersecurity directive with Alex Klimburg, of the Hague Institute for Strategic Studies and the Harvard Kennedy School’s Belfer Center.  The directive is in its final stages after a two-year buildup, and the most recent drafts suggest that the EU is finding it hard to muster the will for heavy regulation in this area.

In our news roundup, Jason Weinstein covers the Anthem hackand probable Chinese responsibilityfor it.  I point out that American privacy groups have said more or less nothing about the idea that a massive database about Americans might be assembled by China.

Stephanie Roy explains the FCC’s proposed net neutrality regs. And Doug Kantor lays odds on the five most prominent cybersecurity proposals.  Short version:  information-sharing is looking doable, and a national breach law might be as well.  CFAA changes look less easy, and the ECPA changes are stuck in a fight between people who hate Wall Street and privacy campaigners. The President’s $14 billion appropriation request for cybersecurity will get sliced, diced, and roasted, but he’ll likely end up with a lot of that money.

Cybersecurity scrutiny continues for financial institutions.  Jason reports on two recent regulators’ warning shots.  And I cover a variety of surveillance news, including the irony that a UK tribunal declaredthat an otherwise unlawful GCHQ practice had been saved by none other than Edward Snowden, who provided the transparency the tribunal considered necessary.  Thanks, Eddie!

 

The Cyberlaw Podcast is now open to feedback.  Send your questions, suggestions for interview candidates, or topics to CyberlawPodcast@steptoe.com.  If you’d like to leave a message by phone, contact us at +1 202 862 5785.

Direct download: Podcast_53.mp3
Category:general -- posted at: 11:37am EDT

In this week’s episode, our guest is Rebecca Richards, NSA’s director of privacy and civil liberties.  We ask the tough questions:   Is her title an elaborate hoax or is she the busiest woman on the planet?  How long will it be before privacy groups blame the Seattle Seahawks’ loss on NSA’s policy of intercepting everything?  How do you tell an extroverted NSA engineer from an introvert?  And, more seriously, now that acting within the law isn’t apparently enough, how can an intelligence agency assure Americans that it shares their values without exposing all its capabilities? 

In the week’s news, Jason Weinstein, Michael Vatis and I explore the DEA’s license plate collection program and what it means, among other things, for future Supreme Court jurisprudence on location and the fourth amendment.   We take on the WikiLeaks-Google flap and conclude that there’s less there than meets the eye. 

Jason celebrates a festival of FTC news.   The staff report on the Internet of Things provokes a commissioner to dissent from feel-good privacy bromides.  The FTC data security scalp count grows to 53, with more on the way.  We discover that the FTC has aspirations to become the Federal Telecommunications Commission, regulating telecommunications throttling as well as cramming – and apparently forcing the FCC into the business of regulating hotels.  To be fair, we find ourselves rooting for the Commission as it brings the hammer down on a revenge porn site

And Michael finds the key to understanding China’s policies on cybersecurity and encryption.

 

The Cyberlaw Podcast is now open to feedback.  Send your questions, suggestions for interview candidates, or topics to CyberlawPodcast@steptoe.com.  If you’d like to leave a message by phone, contact us at +1 202 862 5785.

Direct download: Podcast_52.mp3
Category:general -- posted at: 4:03pm EDT

Episode 51 of the podcast features a debate on attributing cyberattacks.  Our two guests, Thomas Rid and Jeffrey Carr, disagree sharply about how and how well recent cyberattacks can be attributed.  Thomas Rid is a Professor of Security Studies at King’s College London and the author of Cyber War Will Not Take Place as well as a recent paper on how attribution should be done.  Jeffrey Carr, the founder and CEO of Taia Global, remains profoundly skeptical about the accuracy of most attribution efforts in recent years. 

I question both of them, relying heavily on questions supplied by attribution aficionados via Twitter (@langnergroup, @NateBeachW, @janwinter15, @pwnallthethings, and @marcwrogers, among others).

I ask why cyber attribution is so controversial.  Is it a hangover from the Iraq war?  Snowdenista sentiment?  Or the publicity to be gained from challenging official attributions? 

We debate whether using secret attribution evidence is inherently questionable or an essential tool for ensuring successful attribution.  

I also call out the security experts who heaped scorn on the FBI for its initial fingering of North Korea as the source of the Sony attack.  Which of them recanted as the evidence mounted, and which ones doubled down?  Details in the podcast. 

In the news roundup, Jason Weinstein and I are joined by Ed Krauland, a partner in Steptoe’s International Department in DC. Ed outlines the likely impact on technology trade of President Obama’s lifting of Cuba sanctions (short answer:  not much).  I linger over the evidence that Europe has swung from hating US tech firms for being too cozy with government to hating them for not being cozy enough: the EU’s top counterterrorism official wants to prevent firms from selling unbreakable encryption, and the French government wants them to take down more terror-related online speech.  Later, I spike the ball, pointing to a Pew poll showing that NSA is holding its own in American opinion since the first Snowden revelations and that young voters have a far more favorable view of the agency than those over 65.

 

In US privacy litigation, Jason tells us that the class action over CarrierIQ’s storage of phone records has gotten a haircut, as the court throws out wiretap claims against hardware makers, and that LabMD has lost yet another peripheral battle in its campaign to force the FTC to spell out exactly what security measures it expects from private companies.  And we debate the significance of the revelations about DEA's Hemisphere Project.

Direct download: Podcast_51.mp3
Category:general -- posted at: 10:57am EDT

Our guest for Episode 50 of the Steptoe Cyberlaw Podcast is David Sanger, the New York Times reporter who broke the detailed story of Stuxnet in his book,  Confront and Conceal: Obama's Secret Wars and Surprising Use of American Power.  David talks about his latest story, recounting how North Korea developed its cyberattack network, and how the National Security Agency managed to compromise the network sufficiently to attribute the Sony attack.  We talk about how understanding the White House helped him break a story that seemed to be about NSA and the FBI, North Korean hackers’ resemblance to East German Olympic swimmers, and the future of cyberwar.

Michael Vatis and I also cover a news-rich week, beginning with capsule summaries of the President’s State of the Union proposals for legislation on cybersecurity information sharing, breach notification, and Computer Fraud and Abuse Act amendments.

We touch on Europe’s new commitment to antiterrorism surveillance, which officially puts a still-Snowden-ridden United States out of step with just about every developed nation.

I try to summarize the new National Academy of Sciences study on why there isn’t an easy software substitute for bulk collection.  (Short answer:  If you want to recreate the past, you have to bulk-collect the present.)

We ask whether the DEA was the inspiration for NSA’s 215 bulk collection program, call out Rep. Sensenbrenner, who evidently skipped the DEA briefings as well as NSA’s, and wonder why Justice didn’t explain to Congress last year that NSA’s program wasn’t that big a leap from the Justice Department’s own bulk collection – instead of quietly trying to bury its program when the heat built up on NSA.  (OK, we didn’t really wonder why Justice did that.)

If you judge by their joint press conference, Prime Minister Cameron seems to have done more to convert President Obama to skepticism about widespread unbreakable encryption than Jim Comey did.  Save your Clipper Chips, key escrow will rise again!

 

Finally, Centcom’s public affairs team, which can’t keep ISIS sympathizers out of its Twitter and YouTube feeds, deserves 24 hours of deep embarrassment, which is surprisingly exactly what it gets.

Direct download: Podcast_50.mp3
Category:general -- posted at: 12:23pm EDT

Our guest commentator for episode 49 of the Steptoe Cyberlaw podcast is Juan Zarate, a senior adviser at the Center for Strategic and International Studies (CSIS), the senior national security analyst for CBS News, a visiting lecturer at the Harvard Law School, and Chairman and Co-Founder of the Financial Integrity Network.  Before joining CSIS, Juan was the first ever assistant secretary of the treasury for terrorist financing and financial crimes.

We inaugurate a new headline news feature, “News or Snooze.” Some highlights:

·         EU Data Supervisor Presses for Privacy Overhaul in 2015” – Hit the snooze button and you can hear this again in 2016.  And probably 2017 too.

·          “New Credit Cards May Fall Short on Fraud Control” – This is news for everyone who thought we were moving to chip and pin to get better credit card security.

·         FBI Says Warrants Not Needed for Stingrays, Senators Express Doubts” – No surprises here.

·          “Lyft and Uber answer Sen. Franken” – Will consumers punish Uber for its privacy woes and reward Lyft for playing nice with the Senator?  Stewart bets that they won’t.

·          “Sony Hackers ‘Got Sloppy’ says FBI director” – This is news:  Jim Comey provides new evidence supporting the North Korea attribution.  Skeptics move to a new grassy knoll.

·         French terror attacks:  Big news for surveillance in both Europe and the US.  The ghost of Edward Snowden is starting to fade, as are prospects for dumping the NSA 215 program.

In the interview, Juan Zarate and Steptoe’s own Meredith Rathbone lead us through a bracing discussion of U.S. sanctions on North Korea for the Sony attack.  Bottom line:  the Treasury sanctions announced so far are unlikely to have much impact, but they do open the door to future approaches that could.  Juan endorses tougher OFAC sanctions for the beneficiaries of cyberespionage and international sanctions for attacks on banks.  He even has a kind word for letters of marque that would give the private sector more authority to pursue cyberattackers.  By the end, he’s demonstrated anew why we call him the Lord Byron of cyberpolicy. 

 

We remind everyone that the Podcast welcomes feedback, either by email (CyberlawPodcast@steptoe.com) or voicemail (+1 202 862 5785).

Direct download: Podcast_49.mp3
Category:general -- posted at: 12:35pm EDT

Our guest for the first podcast of 2015 is Jim Lewis, a senior fellow and director of the Strategic Technologies Program at CSIS, where he writes on technology, security, and the international economy.

We try a new, slightly shorter format for 2015, with quick takes on a batch of headlines:

We dig a little deeper into other stories. 

  • FBI investigates Banks for Revenge Hacking of Iran: Stewart, Jason, and Jim Lewis debate the wisdom of taking down DDOS command and control servers without waiting for the government. And Israel’s role as a haven for private hacking back.
  • And, of course, all things Sony: We discuss the weird “grassy knoll” determination to blame someone other than North Korea. Turns out many of those challenging the FBI’s attribution have questionable credentials or are outspoken Snowden supporters, calling into question their judgment. We deprecate US financial sanctions on North Korea as a deterrent and the South Korean who is taking seriously Stewart’s suggestion that The Interview be dropped on the North from balloons. 
  • Finally, Jim Lewis offers his insider’s view of China’s approach to cyber conflict – the norms that apply in cyberwar, where cyberweapons fit into China’s warfighting doctrine, and a possible split between China’s leadership and its PLA on when and whether to carry out cyberespionage for Chinese companies.  

Later this year we will be joined by Becky Richards of the NSA Privacy office.   

 

We remind everyone that the Podcast welcomes feedback, either by email (CyberlawPodcast@steptoe.com) or voicemail (+1 202 862 5785).

Direct download: Podcast_48.mp3
Category:general -- posted at: 4:43pm EDT