The Cyberlaw Podcast

In episode 166, we interview Kevin Mandia, the CEO and Board Director of FireEye, an intelligence-led security company.  FireEye recently outed a new cyberespionage actor associated with the Vietnamese government.  Kevin tells us how FireEye does attribution and just how good the Vietnamese are (short answer:  surprisingly good but apparently small in scale).  Along the way, we also cover questions such as whether China has its own set of forensic cybersecurity firms, how confident we should be about the attribution of WannaCry to North Korea, and whether PLA Unit 61398 should treat its designation as APT1 as a prestige designation, sort of like having “bob@microsoft” as your email address.

As always, the Cyberlaw Podcast welcomes feedback. Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

 

Direct download: SteptoeCyberlawPodcast-166.mp3
Category:general -- posted at: 10:09am EDT

Episode 165 is a WannaCry Festivus celebration, as The Airing of Grievances overtakes The Patching of Old Machines. Michael Vatis joins me in identifying all the entities who’ve been blamed for WannaCry, starting with Microsoft for not patching Windows XP until after the damage was done.  (We exonerate Microsoft on that count.)

Another candidate for WannaCry Goat of the Year is (of course) NSA for allegedly letting a powerful hacking tool fall into the hands of the Shadow Brokers, who released it in time for WannaCry’s authors to drop it into their worm. Private industry’s finger-pointing at NSA has led to the introduction of the PATCH Act, which tries to institutionalize (and tilt) the vulnerability equities process.  I raise a caution flag about trying to prevent harmful vulnerability leaks by spreading information about the vulnerabilities to a new batch of civilian agencies.  I also ask whether a rational equities process should require that companies get the benefit of the process only if they agree to patch their products promptly and if they cooperate to the extent possible with law enforcement rather than forcing agencies to hack their products just to carry out lawful searches.  Somehow I’m guessing that will cool Silicon Valley’s enthusiasm for the whole idea.

Meanwhile, Shadow Brokers, widely thought to be Russian intelligence, may be having an equally awkward Festivus celebration with their masters, since the exploit they released seems to be causing more widespread discomfort in Russia than in the West, probably because of Russia’s high usage of unpatched pirate software.

The North Koreans should be on the carpet as well, since there is increasing reason to believe that WannaCry was a mostly failed effort by Kim Jong Un to raise money through cybercrime. The worm seems to have collected only $100 thousand in bitcoin for its authors, and the worst of its impact was likely felt in China, the world capital of pirated unpatched software.  Since North Korea seems to rely on China’s internet infrastructure to launch and control its cyberattacks, launching one that mainly hurts its host is typically shortsighted.

Finally, the victims don’t escape blame. The SEC unveiled its latest criticism of private sector security practices in the financial industry as the WannaCry publicity reached a peak.

Meanwhile, our own Jon Sallet joins the Oliver-Pai debate on net neutrality, and through the magic of radio, he is able to coffee-cup-shame both of them.  (Sound effects credit to www.zapsplat.com.)  As an encore, Jon explains why the European Commission fined Facebook $122 million over its acquisition of WhatsApp – without undoing the deal.

As always the Cyberlaw Podcast is open to feedback. Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

 

Direct download: Episode_165.mp3
Category:general -- posted at: 10:48am EDT

With our sound system back online, episode 163 is already a big step up from Lost Episode 162.  (Transcripts of 162 are available for those who wish by sending email to CyberlawPodcast@steptoe.com.)

Our interview is with Susan Munro, of Steptoe’s Beijing office.  Susan unwinds the complex spool of cyberlaw measures promulgated by the Chinese government.

In the news, Maury Shenk and I note that Putin reran his U.S. playbook in the French election, but the French were ready for him.  Indeed, what we originally thought to be crude Russian forgeries may actually be Macron “honey docs” meant to look like crude Russian forgeries. If so, my hat is off to Macron’s I.T. team. 

Meanwhile, Jennifer Quinn-Barabanov spots a new trend in cybersecurity litigation.  It’s nuts, but that’s not the new part.

The intelligence community’s latest transparency report reveals a shocking stat about “backdoor” FBI searches of 702 for criminal cases.  The bureau did that all of … one time.  Those who want to clog our security services with ever more burdensome processes are going to have to find a bigger scandal.  

The Republicans complaining about Susan Rice and “unmasking” can find more to work with in the report. Turns out that Americans were identified in masked or unmasked form in about 4000 reports last year, but by the time the report writers and the intelligence consumers were done, about 3000 reports had seen their Americans unmasked. With numbers like that, if the issue hadn’t been raised first by Republicans, every newspaper in America would be calling for an investigation of unmasking standards.

Okay, this is getting embarrassing.  The White House has now spent more time drafting a cyber EO calling for urgent reports from the departments than it’s giving the departments to write the urgent reports.  And so far, as Alan Cohn points out, all we have to show for it is … another leaked draft.

Jennifer explains why the latest Home Depot settlement is both good and bad for the plaintiffs’ bar. 

Alan dives deep for substance in the White House’s EO creating an American Tech Council.  He comes up empty.  The EO is purely procedural.

Maury explains the UK’s draft surveillance obligations, concluding there’s not much new in them.  And Germany’s intelligence service is complaining both about Russian hacking and about its lack of authority to, uh, hack back to destroy third party servers.  Chris Painter, call your office!

Alan tells us that DHS cybersecurity did pretty well in the budget deal, but only if your point of comparison is EPA’s budget.

At least DHS is making the right enemies.  Jennifer explains DHS backpedaling on the privacy rights of non-Americans.  And Alan and I flag the ABA’s interest in border searches of lawyers’ electronics.

Finally, in cybersecurity news, the Guardian plays the world’s smallest violin for billionaire superyacht owners, and the recent defeat of a common form of two-factor authentication will put new cybersecurity pressure on SS7.   

As always, the Cyberlaw Podcast welcomes feedback. Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

 

Direct download: SteptoeCyberlawPodcast-163.mp3
Category:general -- posted at: 4:52pm EDT

In this episode, I debate Michael Schmitt, a prime mover in two Tallinn Manuals on international law and cyber operations. We are joined by an expert on the topic and a new Steptoe partner, Brian Egan, who was formerly the State Department legal adviser, among other accomplishments. And among the hypotheticals is indeed a DDoS attack on the United States by internet-enabled vibrators with unchangeable default passwords. Because, as the news roundup covers, the FTC may soon be wrestling with the question of how to regulate such security violations.

Meanwhile, Michael Vatis and I clash over the meaning of the NSA’s decision to abandon productive intelligence collection. I think it’s risk aversion and a return to September 10. Michael thinks it’s too early to make that judgment.

Stephanie Roy gives an overview of Ajit Pai’s plan to undo the last two Federal Communications Commissions’ net neutrality strategies.

Michael reports on two Silicon Valley giants who fell prey to $100 million (each) cyberscams. I wonder if this means that technologists will stop gloating that Snowden and Shadowbrokers show that only private companies can be trusted to do security right.

This week in news that isn’t news at all: The Russians who hacked Clinton are going after Emmanuel Macron in France, says Trend Micro.  

Finally, vigilante justice seems to be sweeping the internet, as the spousal spyware firm, Flexispy, is doxed, and Brickerbot starts securing insecure IoT devices the hard way—by bricking them.

As always, the Cyberlaw Podcast welcomes feedback. Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

 

Direct download: SteptoeCyberlawPodcast-162.mp3
Category:general -- posted at: 4:55pm EDT

In this episode, Alan Cohn and Maury Shenk look at questions in Europe and elsewhere in Stewart’s absence. Maury delves into why Google was ordered to turn over foreign data accessible from the U.S., a decision that seems at odds with the Microsoft Ireland case. Alan considers claims made by David Sanger and William Broad in The New York Times that the U.S. blew up North Korea’s most recent missile test, and Jeffrey Lewis’s rebuttal in Foreign Policy.  Alan and Maury both remain skeptical.

Leaving the Korean peninsula, Maury discusses the current effort by EU data protection regulators to enact e-privacy regulations that would, among other things, put in place detailed standards for location tracking and content associated with metadata.  No surprises, but potentially more headaches for US industry.   And back on U.S. soil, Alan comments on the U.S. Justice Department’s apparent decisions to reconsider criminal charges against Wikileaks for the CIA cyber-tools leak.  Maury provides some color on the Trump Administration’s (lack of) views on Privacy Shield.

Finally, Alan reviews the bidding on dual-use export controls and cyber technologies, explaining both the most recent negotiations under the Wassenaar Arrangement and the EU’s efforts to amend its dual-use export controls to include cyber-surveillance technologies. 

As always, the Cyberlaw Podcast welcomes feedback. Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: SteptoeCyberlawPodcast-161.mp3
Category:general -- posted at: 2:16pm EDT

This week the podcast features an extended news roundup with two guest commentators—Julian Sanchez of the Cato Institute and Gus Hurwitz of Nebraska Law School.  

We talk about the latest, mostly overhyped, Shadowbrokers dump, and whether Google Translate can be taught to render plain text into Shadowbrokerese as well as Klingon.

Stephanie Roy kicks off speculation about the future of net neutrality in the Pai FCC. The future looks bright for litigators.

Abbott Labs takes a short but brutal session in the woodshed from the FDA. Looks like Abbott’s now-subsidiary, St. Jude Medical, knew for years that its backdoor could be found by outsiders, but it stuck to the view that hardcoded access was a feature not a bug. Too bad Uber has already trademarked the name, because if ever there were a feature that deserved to be called “God mode,” this is it.

Burger King triggers a technical battle with Google and an editing war with Wikipedia with a commercial that begins, “Okay, Google, what’s a Whopper burger?” But, law nerds that we are, all we can talk about is whether Burger King is liable under the Computer Fraud and Abuse Act.  

As always, the Cyberlaw Podcast welcomes feedback. Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

 

Direct download: SteptoeCyberlawPodcast-160.mp3
Category:general -- posted at: 12:00pm EDT

Our guest interview is with Nick Weaver, of Berkeley’s International Computer Science Institute.  It covers the latest dumps of hacker tools, the vulnerability equities process, the so-bad-you-want-to-cover-your-eyes story of Juniper and the Dual_EC hacks, and ends with a tour of recent computer security disasters, from the capture of a bank’s entire online presence, to the pwning of Dallas’s emergency sirens and a successful campaign to compromise the outsourcing firms that supply IT to small and medium sized businesses.

In the news roundup, Maury Shenk, and Jamil Jaffer, of George Mason’s National Security Law & Policy Program, talk with me about the likely outcome of the European movement to regulate encryption.  The bad news for Silicon Valley is that the US isn’t likely to play much of a moderating role when the Europeans tighten the screws.

In other news, Jennifer Quinn-Barabanov explains the two-front battle that Wendy’s is facing (and mostly losing) over data breach liability.

I acknowledge the latest Silicon Valley fad:  filing lawsuits on behalf of their customers’ privacy.  So far, Twitter has chalked up a win, and Facebook a loss. 

LabMD has also chalked up another win, this time in a Bivens action to hold FTC officials personally liable for aggressively enforcing the law against the company as punishment for its outspoken critique of the Commission.  The case has mostly survived a motion to dismiss.  

Meanwhile in Massachusetts, outmoded privacy laws continue to burden would-be undercover journalists, and Jennifer reports that the prospects for invalidating a law banning recordings of oral conversations on First Amendment grounds took a hit last week, at least as it relates to public officials.

Finally, in other computer security news around the globe, Germany’s security services are claiming a lack of authority to take needed action in response to cyber threats.  In India, in contrast, enthusiasts for better attribution of India’s populace are forcing everyone to register in a detailed identity database – despite the efforts of India’s top court to ensure that the system remains voluntary.  The death of anonymity will be a prolonged affair, but the outcome seems inevitable.

As always, the Cyberlaw Podcast welcomes feedback.  Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: SteptoeCyberlawPodcast-159.mp3
Category:general -- posted at: 10:04am EDT

Episode 157 digs into the security of the medical internet of things.  Which, we discover, could be described more often than we’d like as an internet of things that want to kill us.  Joshua Corman of the Atlantic Council and Justine Bone, CEO of MedSec, talk about the culture clash that has made medical cybersecurity such a treacherous landscape for security researchers, manufacturers, regulators, and, unfortunately, a lot of patients who remain in the dark about the security of devices they carry around inside them.  

In the news roundup, Phil Khinda takes us through the likely trend in SEC cybersecurity enforcement in the new administration.  Stephen Heifetz does the same for the Committee on Foreign Investment in the United States, or CFIUS.

I claim that Eli Lake’s Bloomberg story finally explains why Republicans think that Obama administration surveillance and unmasking of Trump team members needs to be investigated.  Stephen calls it a distraction.

In other news, Buzzfeed gets taken down by a lawyer with a sense of humor, big claims are made for the impact of the third Wikileaks Vault7 document dump, and Donald Trump may have forgiven Apple.  Finally, Jim Comey’s Twitter account may have been outed; that’s the story, because the tweets themselves are anodyne in the extreme.

For those wanting to dig deeper into medical device cybersecurity, Joshua Corman recommends the following links, all referenced in the interview:

As always, the Cyberlaw Podcast welcomes feedback.  Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: SteptoeCyberlawPodcast-157.mp3
Category:general -- posted at: 10:02am EDT

Our interview is with Michael Daniel, former Special Assistant to the President and Cybersecurity Coordinator at the White House and current President of the Cyber Threat Alliance. We ask Michael how the new guys are doing in his job, what he most regrets not getting done, why we didn’t float thumb drives filled with “The Interview” into North Korea on balloons, and any number of other politically incorrect questions. His answers are considerably more nuanced.

In the news roundup, we note that the second Wikileaks release is a damp squib, full of outmoded Apple exploits.

Michael Vatis and I unpack the Third Circuit ruling upholding imposition of contempt penalties on a defendant who has “forgotten” the password to his child porn trove.  It turns out that the case offers a road map for prosecutors and police who want to make sure no one ever forgets a password in their jurisdiction.

Stephanie Roy notes that Congress has begun the process of repealing the ISP privacy and security regulations adopted under Chairman Wheeler.  What, if anything, will replace them, and when, is a matter for lengthy speculation.

I note that the privacy zealots of Silicon Valley have fatally miscalculated the kind of support they’ll get in Europe for end-to-end encryption. Face it, guys, Europe hates you no matter what you do, and they’ll happily impose massive fines both for violating user privacy and for protecting it too well.

Does GCHQ spy on Americans for NSA? Nope. The real question is whether Rick Ledgett, number two at NSA, has already stopped sounding like a government employee when he talks to the press.

As always, the Cyberlaw Podcast welcomes feedback.  Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: SteptoeCyberlawPodcast-156.mp3
Category:general -- posted at: 4:10pm EDT

Episode 155 of the podcast offers something new: equal time for opposing views. Well, sort of, anyway.  In place of our usual interview, we’re running a debate over hacking back that CSIS sponsored last week.  I argue that U.S. companies should be allowed to hack back; I’m opposed by Greg Nojeim, Senior Counsel at the Center for Democracy & Technology and Jamil Jaffer, Vice President for Strategy & Business Development of IronNet Cybersecurity.  (Jeremy Rabkin, who was supposed to join me in arguing the affirmative, was trapped in Boston by a snowstorm.)

In the news, we can’t avoid the unedifying—and cynical—spat between press and White House over wiretapping. Turning to legal news, I note the D.C. Circuit’s adoption of a cursory and unpersuasive reading of the Foreign Sovereign Immunities Act in the context of state-sponsored hacking of activists in the United States. Maury Shenk unpacks the latest ECJ opinion refusing to apply the “right to be forgotten” across the board to government databases. So far, the only clear application is to American tech giants. That’s also true of the latest German proposal to make the internet safe for censors, government and nongovernment alike. As Maury explains, the German Justice Minister is proposing fines up to $50 million for tech giants that don’t censor online speech fast enough or hire enough European private censors to keep up with the workload.

The Justice Department’s indictments in the Yahoo! hack show just how remarkably intertwined Russian intelligence and Russian cybercrime have become.

Alan Cohn and I chew over the latest developments in the new administration’s approach to cybersecurity—a determination to cripple botnets more effectively, and a willingness to exempt DHS cyber programs from what looks like a drastic set of budget cuts for nondefense agencies. Whether the administration can make progress on botnets while sticking to voluntary measures is uncertain; equally uncertain is whether the plus-ups for DHS cyber reflect satisfaction with the agency’s performance on that mission in recent years.

Finally, Maury and I ask whether the German government is surrendering to reality in pursuing more effective video surveillance of possible criminals and terrorists.

As always, the Cyberlaw Podcast welcomes feedback.  Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: SteptoeCyberlawPodcast-155.mp3
Category:general -- posted at: 5:40am EDT