Bloomberg Businessweek’s claim that the Chinese bugged Supermicro motherboards leads off our News Roundup. The story is controversial not because it couldn’t happen and not because the Chinese wouldn’t do it but because the story has been denied by practically everyone close to the controversy, including DHS. Bloomberg Businessweek stands by the story. Maybe it’s time for the law, in the form of a libel action, to ride to the rescue.

Congress, astonishingly, has been doing things other than watch the Kavanaugh hearings. It produced a conferenced version of the FAA authorization including authority for DHS and DOJ to intercept drone communications and seize drones without notice or a warrant. This effort to get in front of dangerous technology yields the usual whines from the usual Luddite “technology advocates.” Meantime, Congress has also adopted a bill to change the name of DHS’s cyber and infrastructure security agency to, well, the Cybersecurity and Infrastructure Security Agency. 

ZTE’s troubles continue, as a federal judge slammed the company for violating the terms of its probation. The judge extended ZTE’s probationary term and the term of its monitor – meaning the company now has two US monitors watching as it tries to rebuild its business.

The Trump Administration is following in the Obama Administration’s footsteps, Gus Hurwitz reports, trying to build consensus around norms for cyber conflict. I remain dubious, but at least this effort is limited to countries not actively engaged in cyber hostilities with the United States.  

California has its own air pollution standards; why not its own net neutrality law? Probably because the FCC under Ajit Pai is not the EPA. Gus and I discuss whether any part of California’s law can withstand preemption.

The hits just keep on coming for the GRU, a formerly vaunted Russian intelligence service, which now can’t even keep secret the names of its most secret agents. Bellingcat, a private website, totally pantses the agency, outing not just its nerve agent operatives but 300 others for good measure.  Piling on, the Justice Department indicts another batch of GRU operatives for hacking sports anti-doping authorities. Even Germany musters the courage to join the UK in fingering Russia for its cyberattacks while the mighty Dutch counter-hacking team joins in the sack dance.

Is the Turing test easier if you only have to convince Californians that you’re human? That may be the theory behind California’s SB 1001, making it unlawful for a bot to deceive a Californian about its botitude “in order to incentivize a purchase or sale of goods or services in a commercial transaction or to influence a vote in an election.”

More bad news for Justice in Silicon Valley, according to leaks from a court case in which the Department is rumored to have sought a court order forcing Facebook to cooperate in a wiretap of MS-13 members.  

Finally, Dr. Megan Reiss reports, North Korea is apparently getting rich robbing banks. Surprisingly, though, it seems not to be robbing American banks. Yet. 

Download the 234th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Pocket Casts, Google Play, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with Stewart on social media: @stewartbaker on Twitter and on LinkedIn. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested interviewee appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

In this news-only episode, Nick Weaver and I muse over the outing of a GRU colonel for the nerve agent killings in the United Kingdom. I ask the question that is surely being debated inside MI6 today: Now that he’s been identified, should British intelligence make it their business to execute Col. Chepiga?

On a lighter note, Uber is paying $148 million to state AGs for a data breach that apparently had no consequences and might not even have been a breach.

About a year too late for Congressional action, a consensus of sorts is emerging among Republicans that Silicon Valley needs broad privacy regulation. The Trump Administration is asking for comment on data privacy principles. And tech giants are pushing lawmakers for federal privacy rules. But the catalyst is an increasing need for federal preemption in the face of California’s new law, and the Dems who are expected to take the House will be hard to sell on preemption. So despite the emerging consensus, a log jam that lasts years could still be in our future.

The sentencing of an NSA employee for taking sensitive tools home – and getting them compromised by Kaspersky – leaves Nick with plenty of additional questions about the source of the tools compromised by Russian proxies in recent years.

Evan Abrams gives us a summary of the NY AG’s report on virtual markets and cryptocurrency. Bottom line: New York is likely to pursue regulation with vigor.

Meanwhile, West Virginia embraces a mobile voting app for the 2018 election. Remarkably, despite the deployment of blockchain buzzwords, none of us thinks the system is secure.

And in quick hits:

• The GRU is taking the “P” in APT way too seriously.
• A content moderator has sued Facebook, claiming that her job gave her PTSD.
• India’s Supreme Court has upheld, with limits, the government’s massive Aadhaar digital ID program.
• Facebook suffered a breach affecting 50 million user accounts and probably 40 million “log on with Facebook” accounts. We’re getting these facts piecemeal thanks to the EU’s dumb 72-hour deadline for reporting breaches under GDPR.
• President Trump says China is interfering in the 2018 elections. But unlike Russia in 2016, all of China’s fake news is on actual newsprint.
• Finally, a quick report roundup:
  • The EU is forcing Silicon Valley to police disinformation without actually defining it. Because we all know that in the EU, everything Trump tweets is classified as disinformation.
  • DOJ’s otherwise pretty good best practices report sadly doubles down on hating hackback. Now with added rationales!
  • China is back to stealing our stuff, but more quietly, think tanks report.
  • House AI report – pro: bipartisan; con: mostly content-free.
  • Yet another set of IoT security guidelines.

Download the 233rd Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Pocket Casts, Google Play, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with Stewart on social media: @stewartbaker on Twitter and on LinkedIn. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested interviewee appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Our guest is Peter W. Singer, co-author with Emerson T. Brooking of LikeWar: The Weaponization of Social Media. Peter’s book is a fine history of the way the Internet went wrong in the Age of Social Media. He thinks we’re losing the Like Wars, and I tend to agree. It’s a deep conversation that turns contentious when we come to his prescriptions, which I see as reinstating the lefty elite that ran journalism for decades, this time empowered by even less self-doubt – and AI that can reproduce its prejudices at scale and without transparency.

In the News Roundup, Dr. Megan Reiss and Peter Singer join me in commenting on the White House and DOD cyber strategies. Bottom line: better than last time, plenty more room to improve.

“God Bless the Dutch.” They’ve pwned Putin’s GRU again. In a truly multinational caper, as Nick Weaver explains, Dutch intel caught Russian spies planning cyberattacks on the Swiss institute investigating Russia’s nerve agent attack in Britain.

The downside of sanctions. China has joined with Russia in protesting sanctions on Russian weapons sellers that spilled over to the Chinese military. Maury Shenk and I worry about the risk that overuse of sanctions will create a powerful alliance of countries determined to neutralize the sanctions weapon.

Is it reckless to speculate that the gas fires in Massachusetts could be a cyberattack? I think it’s a fair question, to which we may not have the answer. Nick Weaver (mostly) persuades me I’m wrong.

Amazon finds itself in the sights of the European Commission over its dual role in hosting third party sellers. Maury explains why.

Putin’s enemies list, or a part of it, is disclosed when Google warns Senate staffers that their Gmail has been attacked. Maury and I congratulate Steptoe alum Robert Zarate for making the cut. Looks like the Mirai botnet kids will be sentenced to help the FBI on cyber investigations. And Megan sees the hand of Robert Zarate – now officially the Zelig of cyber conflict – in Marco Rubio’s letter to Apple asking why it was so slow to stop an app from sending American user data to China.

You can subscribe to The Cyberlaw Podcast using iTunes, Pocket Casts, Google Play, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with Stewart on social media: @stewartbaker on Twitter and on LinkedIn. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested interviewee appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Our interview this week is with Hon. Michael Chertoff, my former boss at Homeland Security and newly minted author of Exploding Data: Reclaiming Our Cyber Security in the Digital Age. The conversation – and the book – is wide ranging and shows how much his views on privacy, data, and government have evolved in the decade since he left government. He’s a little friendlier to European notions of data protection, a little more cautious about government authority to access data, and even a bit more open to the idea of letting the victims of cyberattacks leave their networks to find their attackers (under government supervision, that is). It’s a thoughtful, practical meditation on where the digital revolution is taking us and how we should try to steer it.

The News Roundup features Paul Rosenzweig, Matthew Heiman, and Gus Hurwitz – whom we congratulate for his move to tenured status at Nebraska. We all marvel at Europe’s misplaced enthusiasm for regulating the Internet. This fall the Europeans returned from their August vacation to embrace a boatload of gobsmackingly unrealistic tech mandates – so unrealistic that you might almost think they’re designed to allow the endless imposition of crippling fines on Silicon Valley.

In the last week or so, European institutions have pretty much shot the regulatory moon: Matthew sets out the European Parliament’s expensive and wrongheaded copyright rules. Paul covers the European Commission’s proposal that social media take down all terror-inciting speech within one hour, on pain of massive fines. Gus discusses the European Court of Human Rights’ ruling that GCHQ’s bulk data collection practices fail to meet human rights standards, though they can be fixed without dumping bulk collection. And I marvel that France is urging the European Court of Justice, which needs little encouragement to indulge its anti-Americanism, to impose Europe’s “right to be forgotten” censorship regime on Americans and on other users around the world. That’s a position so extreme that it was even opposed by the European Commission. Gus explains.

In other news, Paul outlines the National Academy of Sciences’ report, offering a sensible set of security measures for American voting systems. We all unpack the new California IoT security bill, which is now on the governor’s desk. I predict that, flawed though it is, ten more state legislatures could adopt the bill in the next year.

This Week in Social Media Bias: Paul tells us that Twitter has found a deep well of hate speech in … the United States Code. I tell the ambiguous story of offering up my Facebook account to verify claims of social media censorship.  And Gus reports that the Left has discovered a problem with fact checking for social media posts; to their surprise, it doesn’t always work in their favor.

We are fully back from our August hiatus, and leading off a series of great interviews, I talk with Bruce Schneier about his new book, Click Here to Kill Everybody: Security and Survival in a Hyper-Connected World. Bruce is an internationally renowned technologist, privacy and security commentator, and someone I respect a lot more than I agree with. But his latest book opens new common ground between us, and we both foresee a darker future for a world that has digitally connected things that can kill people without figuring out a way to secure them. Breaking with Silicon Valley consensus, we see security regulation in the Valley’s future, despite all the well-known downsides that regulation will bring. We also find plenty of room for disagreement on topics like encryption policy and attribution.

In the News Roundup, I ask Jamil Jaffer, Nate Jones, and David Kris for the stories that people who took August off should go back and read. Jamil nominates the fascinating-as-a-slow-motion-car-wreck story of Maersk’s losing battle with NotPetya. We speculate on whether the Russians caused $10 billion in worldwide damage by mistake or on purpose, and whether anyone other than a US government lawyer would call that indiscriminate attack a war crime.

David nominates the 179-page complaint against a North Korean hacker behind most of that country’s famous hacks. And, as a palate cleanser, the remarkable, score-settling, where-are-they-now story of the companies that challenged the FBI’s attribution of the Sony hack to North Korea.

Finally, I suggest spending some time with what might be called DCLeaks for good guys: Intrusion Truth, a website devoted to outing personal details about the government hackers who have been attacking Western companies. It (and Crowdstrike) provides an old-fashioned pantsing of China’s Ministry of State Security (MSS) – the sort of embarrassing doxing that allowed the MSS to take over much of China’s cyberespionage portfolio from the hapless People’s Liberation Army after it was outed several years ago.

Download the 230th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Pocket Casts, Google Play, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with Stewart on social media: @stewartbaker on Twitter and on LinkedIn. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested interviewee appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

On September 4th, Alan Cohn hosted the 229th episode of The Cyberlaw Podcast. We took a deep dive into all things blockchain and cryptocurrency discussing recent regulatory developments and best practices for users of exchanges.

Our episode begins by looking at the landmark decision coming out of the New York Eastern District Court in favor of the Commodity Futures Trading Commission (CFTC). Charles Mills provides an overview of the recent New York federal court decision and CFTC victory against Cabbage Tech, Corp. d/b/a Coin Drop Markets and Patrick K. McDonnell of Staten Island, New York, ordering McDonnell to pay over $1.1 million in civil monetary penalties and restitution in connection with a lawsuit brought by the CFTC alleging fraud in connection with virtual currencies, including Bitcoin and Litecoin. In addition, Charles presents a more general overview of CFTC regulations.

Claire Blakey presents a timeline of the US Securities and Exchange Commission’s (SEC) recent actions regarding ETFs. On August 23, 2018, SEC announced that it would reconsider a decision to reject nine Bitcoin-based exchange traded funds. Earlier this month, SEC staff delayed a decision on the SolidX proposal, stating it needs more time to consider the proposal – the deadline for this decision is September 30, 2018. Claire also discusses CBOE’s filing with SEC for a bitcoin ETF.

Evan Abrams highlights the four takeaways from the Department of Treasury’s Financial Enforcement Network (FinCEN) director’s speech on cryptocurrency. On August 9, 2018, FinCEN Director Kenneth Blanco delivered a speech on the agency’s approach to cryptocurrency where he made a few unexpected remarks. Evan states that this speech offered helpful clarifications and insights, but also left a number of important questions unanswered. In addition, Evan discusses the Office of the Comptroller of the Currency’s proposed charter for online lenders and other FinTech companies in the coming months.

Finally, Maury Shenk covers the recent reports about the EU finance ministers’ plan to discuss the possibility of cryptocurrency regulation at a meeting in early September. As part of a leaked confidential note, it is expected that EU ministers will discuss anti-money laundering issues amongst other things. Alan and Maury note that while the EU takes a heavier regulatory approach than the US in this area, the process is slow moving but steadily developing. In addition, Maury discusses the European Blockchain Partnership, describing it as an integrated effort for a great blockchain future.

In our interview, the Steptoe team was joined by Sarah Compani, Legal Counsel at Bitfinex. Bitfinex is a full-featured spot trading platform for major digital assets and cryptocurrencies, including Bitcoin, Ethereum, and many more. Bitfinex offers leveraged margin trading through a peer-to-peer funding market, allowing users to securely trade with up to 3.3-times leverage. Sarah took us through the best security practices for users of exchanges, particularly focusing on security settings that users can customize, such as Google Authenticator 2FA, Universal 2nd Factor (U2F), and IP address whitelisting. Finally, Sarah provides listeners with three takeaways as she responds to Alan’s questions regarding the future of exchanges, the Bitfinex platform, and potential challenges going forward.

Download the 229th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Pocket Casts, Google Play, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with Stewart on social media: @stewartbaker on Twitter and on LinkedIn. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested interviewee appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

We’re still on hiatus, but we’re back again this week with another bonus episode. Our next season will feature an interview with Bruce Schneier, cryptography, computer science, and privacy guru, about his latest book, Click Here to Kill Everybody: Security and Survival in a Hyper-connected World. So it only seems appropriate to revisit my May 2015 interview with Bruce about his earlier work, the best-selling Data and Goliath – a book I annotated every few pages of with the words, “Bruce, you can’t possibly really believe this.” And that’s pretty much how the interview goes, as Bruce and I mix it up over hackbacks, whether everyone but government should be allowed to use Big Data tools, Edward Snowden, whether “mass surveillance” has value in fighting terrorism, and whether damaging cyberattacks are really infrequent and hard to attribute. We disagree mightily – and with civility.

We’ll be back in September with another edition of Blockchain Takes Over the Cyberlaw Podcast, followed by the new interview with Bruce Schneier.

Download the Bonus Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Pocket Casts, Google Play, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with Stewart on social media: @stewartbaker on Twitter and on LinkedIn. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested interviewee appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

We’re officially on hiatus this month, but we just couldn’t stay away that long. If you can’t live without The Cyberlaw Podcast in your life, then you’re in luck. We’re releasing a couple bonus episodes with some of my favorite past interviews.

This week I revisit my April 2015 interview with Joseph Nye, former dean of the Kennedy School at Harvard and three-time national security official for State, Defense, and the National Intelligence Council. We get a magisterial overview of the challenge posed by cyberweapons, how they resemble and differ from nuclear weapons, and (in passing) some tips on how to do cross-country skiing in the White Mountains.

We’ll be back in September with another edition of Blockchain Takes Over the Cyberlaw Podcast. I’ll return the following week with an interview with Bruce Schneier, so be sure to tune in.

Download the Bonus Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Pocket Casts, Google Play, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with Stewart on social media: @stewartbaker on Twitter and on LinkedIn. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested interviewee appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Our guest for the interview is Noah Phillips, recently appointed FTC Commissioner and former colleague of Stewart Baker at Steptoe. Noah fields questions about the European Union, privacy, and LabMD, about whether Silicon Valley suppression of conservative speech should be a competition law issue, about how foreign governments’ abuse of merger approvals can be disciplined, and much more.

The imminent passage of the must-pass National Defense Authorization Act yields a deep dive on the bill. Most important for business lawyers, the bill will include a transformative rewrite of CFIUS’s investment-review procedures and policies.

Gus Hurwitz lays out many of the cyber issues addressed by the NDAA, while Dr. Megan Reiss explains the act’s creation of a “Solarium” commission designed to force serious strategic thinking about cybersecurity and cyberweapons. I offer my contribution to that debate—an effort to think the unthinkable and come up with tougher options for responding to serious cyberattacks. Since we’re trying to think the unthinkable, I argue, we’re really rooting for the itheberg, so I’ve dubbed it the Itheberg Project. (There must be a Robert Frost reference in there somewhere—about the world ending in solarium or in ithe—but I can’t find it.) I do, however, make an unusual double-barreled offer to those who might want to participate in the Itheberg Project.

All that pales next to a surprisingly lively discussion of circuits splitting over insurance coverage of cyber-related fraud losses. Gus and Matthew Heiman predict that the Supreme Court (or an insurance contract rewrite) will be necessary to resolve the issue – and both of them think the issue is well worth the Court’s time. No one tell Judge Kavanaugh or he may just decide to stay on the DC Circuit!

In a “lightning” round that the FTC may soon investigate for deceptive labeling:

• Gus mocks the ACLU’s rigged test of Amazon’s face recognition software.
• China screws Qualcomm despite the US deal to save ZTE, letting the NXP acquisition die of neglect.
• The New York Public Service Commission revoked its 2016 conditional approval of the Charter-Time Warner merger.
• And India chooses favorable ground for a fight with WhatsApp over end-to-end encryption.

Download the 228th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Pocket Casts, Google Play, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with Stewart on social media: @stewartbaker on Twitter and on LinkedIn. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested interviewee appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

In our 227th episode of The Cyberlaw Podcast, Stewart Baker interviews Bobby Chesney (@BobbyChesney), who recently co-authored a paper with Danielle Citron (@DanielleCitron) titled, “Deep Fakes: A Looming Challenge for Privacy, Democracy, and National Security.” Stewart and Bobby are joined by Maury Shenk, Nick Weaver (@ncweaver), and Patt Cannaday to discuss:

• Is the EU’s $5 billion fine on Google a bad idea grounded in anti-Americanism? President Trump seems to think so;
• The DOJ cyber digital report (PDF) sets sensible new standards for avoiding partisanship while naming foreign states trying to influence US opinion – but if DOJ gives Big Tech special access to intelligence, will Big Tech use the intel in a nonpartisan way?
• Recent speculative execution attacks on Intel and ARM processors (Spectre et al.);
• Overdoing it wrong? Senate doesn’t just cave on ZTE penalties for violating export control law – it also caves on US supply chain worries;
• The FISA document dump on Carter Page – sure, it undercuts Devin Nunes, but what are the ramifications for FISA applications that rely heavily on news media articles?
• All 50 states have taken federal funds (PDF) to improve election cybersecurity – now it’s up to them to deliver a secure election in November;
• EU and Japan agree on mutual adequacy findings allowing personal data transfers – but will the findings meet the European Court of Justice’s absurdly solipsistic requirements?

You can also find Bobby Chesney on the National Security Law Podcast(@NSLpodcast), which he co-hosts with Steve Vladeck (@steve_vladeck). If you want to learn more about deep fakes, check out the Heritage Foundation’s recent discussion in which Bobby participated.

Download the 227th Episode (mp3).

As always, The Cyberlaw Podcast is open to feedback. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785. Remember: If your suggested interviewee appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.