The Cyberlaw Podcast

In episode 133, our guest is The Grugq, famous in hacker circles but less so among Washington policymakers.  We talk about the arrest of an NSA employee for taking malware and other classified materials home, the Shadow Broker leak of Equation Group tools, and the Grugq’s view that the United States has fundamentally misunderstood the nature of cyberconflict.

In the news, Alan Cohn and I discuss the DHS/DNI fingering of Russia – and Putin – for the DNC hack.  We ask whether this means that sanctions will follow, and I characterize the administration’s stance so far as an updating of Groucho Marx’s position:  “These are my red lines.  If you cross them, well, I have others.”  

I award “stupidest privacy scandal of the year” to the complaints that Yahoo! (gasp!) scanned email content in a search for a terror-related signature.  

Continuing what will become a rant-filled episode, I nominate the Third Circuit for membership in a Hall of Judicial Shame.  The court of appeals has joined the European Court of Justice in giving legal effect to the early Guardian articles claiming that PRISM allowed NSA to scan all emails in US webmail services.  That might have been a mistake in 2013, but in 2016, it can only be characterized as a lie, and not one the judiciary should be party to.  Katie Cassel hoses me down.

Maury Shenk, back from honeymoon in Jordan, explains why the TalkTalk case has such prominence in the UK – and why the company was lucky to be assessed one of the highest fines ever imposed by the UK data protection authority.

Katie explains the FCC’s revised proposal for privacy regulations.  But she can’t explain the FTC’s embarrassingly juvenile grandstanding in its ongoing turf war with the FCC.

And, to end the roundup on a choleric note, Alan goads me with HHS’s latest and most astonishingly nit-picking fine ‒ $400,000 for having a supplier contract that hadn’t been updated since the HITECH Act modified HIPAA.

As always, the Cyberlaw Podcast welcomes feedback.  Send email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: Episode_133.mp3
Category:general -- posted at: 9:19am EDT

In episode 132, our threepeat guest is Ellen Nakashima, star cyber reporter for the Washington Post.  Markham Erickson and I talk to her about Vladimir Putin’s endless appetite for identifying ‒ and crossing ‒ American red lines, the costs and benefits of separating NSA from Cyber Command, and the chances of a pardon for Edward Snowden.  Ellen also referees a sharp debate between me and Markham over the wisdom of changing Rule 41 to permit judges to approve search warrants for computers outside their district.

In the news roundup, Meredith Rathbone explains the remarkably aggressive, not to say foolish, European proposal to impose export controls on products that would enable state surveillance in cyberspace.  Apparently locked in a contest with Brussels over who can propose the dumbest regulation of cyberspace, California has adopted a law that purports to prohibit entertainment sites like IMDb from publishing the true ages of actors and actresses.  Markham and I debate the constitutionality of the measure.

In other California news, Markham brings us up to date on the surveillance lawsuit against Google.  He also explains the deep Washington maneuvering over FCC Chairman Wheeler’s plan for cable set top boxes.  I call for a rule that requires cable CEOs to wait at home for days of rescheduled calls to find out whether they’re going to get the result they want.

As always, the Cyberlaw Podcast welcomes feedback.  Send email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: Episode_132.mp3
Category:general -- posted at: 2:02pm EDT

Our interview in episode 131 is with Matt Cutts and Lisa Wiswell from the Pentagon’s Defense Digital Service.  Matt joined the Digital Service from Google where he authored their SafeSearch content filter.  Lisa is a bureaucracy hacker with the Defense Digital Service and previously spent years working on cyber-warfare in DOD’s policy shop and in DARPA.  They both stress that the Service is looking for good code and policy hackers -- and that their Digital Service recruiting link is https://www.usds.gov/join

After a musical intro featuring the Beatles as reimagined by artificial intelligence, Michael Vatis explains why Microsoft's new German datacenters may succeed in putting customer data beyond the reach of US agencies, and why Microsoft might not want to state its goal quite that way.

Jennifer Quinn-Barabanov explains how a new lawsuit on behalf of Gilbert Chagoury will test whether the US government will punish leakers and whether the EU succeeds in its effort to get the Privacy Act to cover European nationals.  

Jen and I also tackle the record-breaking Yahoo! breach, and what it says about the actual impact of data breach risk on companies and investors.  Jen reveals this shocking statistic: the median cost of a breach is $200,000 by some measures, hardly enough to get even the plaintiffs’ bar out of bed.  And, it turns out, nearly half of corporate GCs have already lived through a breach, so they likely know their own exposure pretty well.

Speaking of records, Brian Krebs, a podcast alum, experienced his own unenviable record: victim of the world’s biggest DDoS attack, fueled by the Internet of Things.  What next?  Networked Fords launching a denial of service attack on GM dealers?

Sliding seamlessly into the interview, Matt Cutts and I dive into the latest OpenSSL bug, the reasons Google launched BoringSSL, and the ways in which being boring is also being secure.  (As pretty much any overprotected ten-year-old boy could have told us.)

Matt and I debate whether SSL everywhere is just good, prudent security or the fruits of a Crypto Derangement Syndrome on the part of a Valley that hopes to secede from the United States (guess which side I took).

We take a long look at the Digital Service and what it has done so far.  Lisa Wiswell brags on “Hacking the Pentagon,” which paid the first bug bounties ever offered by a US government agency.  I congratulate her on avoiding the alternative ‒ filing a STFU lawsuit against the security researchers, unlike some I could mention (*cough* St. Jude *cough*).  This leads to a colloquy on what it will take to fix IT procurement in the US government.  We make a little progress, but find no silver bullets.

As always, the Cyberlaw Podcast welcomes feedback.  Send email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: Episode_131.mp3
Category:general -- posted at: 11:39am EDT

In a law-heavy news roundup, Katie Cassel and I talk about New York’s dangerously prescriptive cybersecurity regs for banks and insurers. Maury Shenk and I uncover the seamy industrial politics behind the EU’s latest copyright and telecom proposals.  The Sixth Circuit deepens a circuit split over standing and how much injury it takes to support a federal data breach lawsuit – and then, oddly, decides not to publish its opinion.  Michael Vatis explains.

In other news, Michael notes that the CFTC has adopted its own very prescriptive cybersecurity testing rules.  At least pen testers should be happy; their specialty is increasingly required by regulators.  Katie hoses me down on the significance of the Ninth Circuit’s latest “failure to warn” decision for section 230 of the Communications Decency Act.  Good news for section 230, not so much for Match.com.

Finally, the FTC continues to vie for the title of federal agency with the least sense of moderation.  The FTC is opposing a motion to stay in the LabMD case.  Pending appeal, it wants to impose strict cybersecurity procedures on a business whose servers are probably stored in Mike Daugherty’s garage.  As Winston Churchill said about nuclear weapons, at some point all you’re doing is making the rubble bounce.

As always, the Cyberlaw Podcast welcomes feedback.  Send email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: Episode_130.mp3
Category:general -- posted at: 4:02pm EDT

This week’s podcast interview is with Ciaran Martin, the chief executive of the UK’s National Cyber Security Centre.  While the US political climate makes it implausible that the National Security Agency would be asked to head a nationwide cybersecurity center designed to work with the private sector, that’s exactly the job that the United Kingdom has given to GCHQ, the British equivalent of NSA.  I ask why, and a lot more too.

Direct download: Episode_129a.mp3
Category:general -- posted at: 9:35am EDT

In episode 129, Alan Cohn and I dive deep on the Government Oversight Committee’s predictably depressing and unpredictably entertaining report on the OPM hack.  Cheeky Chinese hackers register their control sites to superhero alter egos.  And poor, patriotic CyTech finds an intruder during a sales demo, rushes to provide support without a contract, and ends up not just stiffed but accused of contributing to a violation of the Antideficiency Act.  The overmatched OPM security team launches a desperate Operation Big Bang to oust one team of hackers, while another is safely ensconced in the network, biding its time before exfiltrating all its data.

And for those who’ve complained that we never talk about cybertax law, a feast:  Steptoe’s premier international tax partner (and head of the firm) explains everything you need to know about the fight between Apple and the EU over Ireland’s tax regime for the company.  I am shocked to discover that Brussels is doing, well, what Brussels usually does.  

Alan and I talk about one more PlayPen decision, United States v. Torres.  It may be the last word on the subject, in part because it’s so sensible (the FBI did perform a search, it had a warrant and probable cause, the warrant didn’t conform to Rule 41, but so what?  No suppression) and in part because the Supreme Court has agreed to change the Rule.  I confidently predict that Sen. Wyden’s effort to stop the rule change will fail.

Direct download: Episode_129.mp3
Category:general -- posted at: 11:28am EDT

The podcast is back with a bang from hiatus.  Our guest, Scott DePasquale, is the CEO of Utilidata, an electric utility IoT and cybersecurity company.  Scott talks about his contribution to the Internet Security Alliance’s upcoming book, The Cyber Security Social Contract.  

Episode 128 also brings you a news roundup from the most momentous August in cybersecurity history.  Maury Shenk brings the SWIFT hack to life by describing his own brush with cyber bank fraud.  I cover the Shadow Brokers’ disclosure of what most believe to be an NSA hacking toolkit.  Meanwhile, Russia is hacking our political process and only the side whose ox is being gored seems to care.

The EU, with an instinct for the capillaries, continues to fight the US on these issues.  Privacy Shield is up, and a lot of serious companies are signing up, despite the uncertainties.  Maury and I note the entry of France and Germany into the Great Crypto World War – at a comfortably leisurely pace.  And, in a welcome move, the European Court of Justice has reaffirmed that there are still some (modest and blurry) limits to the assertion of data protection jurisdiction over internet merchants.

The FTC had a busy month.  It served LabMD a mess of home cookin’ and the company is now free to argue its case before an unbiased court of appeals.  Speaking of which, the Ninth Circuit Court of Appeals shot down the FTC’s effort to steal the FCC’s common-carrier-regulating turf, and the FTC has finally deigned to notice (and even pat on the head) NIST’s Cybersecurity Framework.

The UK’s terror watchdog has more or less endorsed the value of bulk collection of personal data.  And Baltimore has put it into effect, adopting an “eye in the sky” technology that has solved serious crimes without harming anyone’s privacy; naturally the privacy lobby is determined to make sure it’s never used again.

In privacy class action news, the lawyers for CareFirst deserve a bonus; they’ve now killed three class action cases (here, here, and here) where the breach was serious but the plaintiffs couldn’t claim that the stolen data was ever used to harm them.  And Judge Koh, to her shame, has approved $4 million in legal fees for the lawyers who brought a class action against Yahoo! and settled for a no-damages injunction that lets Yahoo! keep reading its users’ emails, but after they’ve been sent, not before.

As always, the Cyberlaw Podcast welcomes feedback.  Send email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: Episode_128.mp3
Category:general -- posted at: 10:41am EDT

I know we promised to take August off, but I was inspired by the flap over the DNC hack and the fact that I’m at the Aspen Homeland Security Working Group meeting in Colorado. I waylaid two former intelligence community members on the Aspen campus and asked for their views on the DNC hack.  Well, to be accurate, I start the interview by asking whether Putin really has the balls to step into the US electoral campaign in this way.  Answering the question are two men with the perspective of long years dealing with Soviet and then Russian intelligence:  Charles Allen, who became intelligence chief for DHS after a full career at CIA, and John McLaughlin, who ended his career at CIA as the Deputy Director and Acting Director.

As always, the Cyberlaw Podcast welcomes feedback.  Send email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: Episode_127.mp3
Category:general -- posted at: 10:07am EDT

If Vladimir Putin can do it, so can we. This week the podcast dives deep into the US presidential campaign.

I of course talk with Maury Shenk about evidence that the Russians are behind “Guccifer 2.0” and the DNC data leak – aided by a Wikileaks that looks more and more like an FSB front.  I compare the largely indistinguishable Dem and GOP platform planks on encryption ‒ and draw a lesson from the straddles:  there’s little doubt that every lobbyist who contributed to the platforms was working for Silicon Valley, so the failure to endorse the Valley’s view may spell trouble for techie triumphalism.  I also spike the football for the Justice Department, whose policy views on the dangers of hacking back were swamped when the GOP called for letting victims of hacking have their way with the hackers.

Our interview this week touches on the insider threat. Andy Irwin describes the new DOD rule requiring contractors to devise insider monitoring plans for cleared personnel, and two industry leaders, Ed Hammersla, CSO of Forcepoint, and Brian White, COO of RedOwl Analytics, talk about what technology can do to spot incipient employee defections and data theft.  A discussion of the role of natural language processing naturally reminds me of George Carlin and the seven dirty words you can’t say on the radio.

In other news, Katie Cassel unpacks another in a long line of increasingly incoherent 9th Circuit rulings on when it violates the CFAA for unwanted visitors to log on to a site.  Katie also explains why the outcome of another data breach lawsuit might persuade Scottrade to change its name to Scot-Free.

Maury updates us on UK politics, from Theresa May’s honeymoon to the possibility that UK data retention law will survive review in the European Court of Justice.  I flag a good (and, sadly, already outdated) House Homeland Security Committee report on 100 ISIS-linked terror plots against the West since 2014, a surprise reprieve for Silent Circle, and WhatsApp’s continuing “If it’s Tuesday we must be shut down; if it’s Wednesday we must be back up” drama in Brazil.

As always, the Cyberlaw Podcast welcomes feedback.  Send email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: Episode_126.mp3
Category:general -- posted at: 5:28pm EDT

In the news roundup, Michael Vatis covers Microsoft’s surprising Second Circuit victory over the Justice Department in litigation over a warrant for data stored in Ireland.  The hidden issue in that case was data localization – the same issue driving the Justice Department’s new legislative proposal to allow foreign nations to obtain information from US data repositories.  That proposal is unpacked by special guest David Kris, former Assistant Attorney General for National Security and author of the treatise, National Security Investigations and Prosecutions.

In other news, LabMD has found yet another defendant in its campaign against Tiversa.  Michael discusses what may be the first judicial decision requiring a warrant to use a Stingray to locate a criminal suspect.  And HHS tries to achieve a plausible policy goal with an overreaching legal interpretation; as Michael explains, the result could be massive unintended consequences.

In quick hits:  more evidence that foreign nations are targeting our energy grid, FDIC engages in a surprisingly successful breach cover-up, a Chinese browser sends data back to China unmolested (all because we still haven’t funded the Europocrisy Prize, I argue), and the cyberwar on ISIS is going slowly, mainly, I argue, because cyberwar on ISIS is not all that good an idea.

What’s the argument in favor of hacking back that is best calculated to infuriate the State Department?  We talk hackback with the father and son team that produced a thoughtful paper on the topic for the Hoover Institution.  Jeremy, a law professor at the Scalia Law School, and his son, Ariel Rabkin, a computer scientist out of Berkeley, have the expertise to deal gracefully and concisely with the policy debate over hacking back.  Their proposal charts a middle ground while cheerfully eviscerating State’s hand-wringing about the international consequences of permitting hacking victims to act outside their networks.  Bonus feature:  lifetime career advice from yours truly!

Our interview is with Jeremy Rabkin and Ariel Rabkin, authors of Hacking Back without Cracking Up, published by the Hoover Institution.

As always, the Cyberlaw Podcast welcomes feedback.  Send email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: Episode_125.mp3
Category:general -- posted at: 9:45am EDT