The Cyberlaw Podcast

Episode 51 of the podcast features a debate on attributing cyberattacks.  Our two guests, Thomas Rid and Jeffrey Carr, disagree sharply about how and how well recent cyberattacks can be attributed.  Thomas Rid is a Professor of Security Studies at King’s College London and the author of Cyber War Will Not Take Place as well as a recent paper on how attribution should be done.  Jeffrey Carr, the founder and CEO of Taia Global, remains profoundly skeptical about the accuracy of most attribution efforts in recent years. 

I question both of them, relying heavily on questions supplied by attribution aficionados via Twitter (@langnergroup, @NateBeachW, @janwinter15, @pwnallthethings, and @marcwrogers, among others).

I ask why cyber attribution is so controversial.  Is it a hangover from the Iraq war?  Snowdenista sentiment?  Or the publicity to be gained from challenging official attributions? 

We debate whether using secret attribution evidence is inherently questionable or an essential tool for ensuring successful attribution.  

I also call out the security experts who heaped scorn on the FBI for its initial fingering of North Korea as the source of the Sony attack.  Which of them recanted as the evidence mounted, and which ones doubled down?  Details in the podcast. 

In the news roundup, Jason Weinstein and I are joined by Ed Krauland, a partner in Steptoe’s International Department in DC. Ed outlines the likely impact on technology trade of President Obama’s lifting of Cuba sanctions (short answer:  not much).  I linger over the evidence that Europe has swung from hating US tech firms for being too cozy with government to hating them for not being cozy enough: the EU’s top counterterrorism official wants to prevent firms from selling unbreakable encryption, and the French government wants them to take down more terror-related online speech.  Later, I spike the ball, pointing to a Pew poll showing that NSA is holding its own in American opinion since the first Snowden revelations and that young voters have a far more favorable view of the agency than those over 65.


In US privacy litigation, Jason tells us that the class action over CarrierIQ’s storage of phone records has gotten a haircut, as the court throws out wiretap claims against hardware makers, and that LabMD has lost yet another peripheral battle in its campaign to force the FTC to spell out exactly what security measures it expects from private companies.  And we debate the significance of the revelations about DEA's Hemisphere Project.

Direct download: Podcast_51.mp3
Category:general -- posted at: 10:57am EST

Our guest for Episode 50 of the Steptoe Cyberlaw Podcast is David Sanger, the New York Times reporter who broke the detailed story of Stuxnet in his book,  Confront and Conceal: Obama's Secret Wars and Surprising Use of American Power.  David talks about his latest story, recounting how North Korea developed its cyberattack network, and how the National Security Agency managed to compromise the network sufficiently to attribute the Sony attack.  We talk about how understanding the White House helped him break a story that seemed to be about NSA and the FBI, North Korean hackers’ resemblance to East German Olympic swimmers, and the future of cyberwar.

Michael Vatis and I also cover a news-rich week, beginning with capsule summaries of the President’s State of the Union proposals for legislation on cybersecurity information sharing, breach notification, and Computer Fraud and Abuse Act amendments.

We touch on Europe’s new commitment to antiterrorism surveillance, which officially puts a still-Snowden-ridden United States out of step with just about every developed nation.

I try to summarize the new National Academy of Sciences study on why there isn’t an easy software substitute for bulk collection.  (Short answer:  If you want to recreate the past, you have to bulk-collect the present.)

We ask whether the DEA was the inspiration for NSA’s 215 bulk collection program, call out Rep. Sensenbrenner, who evidently skipped the DEA briefings as well as NSA’s, and wonder why Justice didn’t explain to Congress last year that NSA’s program wasn’t that big a leap from the Justice Department’s own bulk collection – instead of quietly trying to bury its program when the heat built up on NSA.  (OK, we didn’t really wonder why Justice did that.)

If you judge by their joint press conference, Prime Minister Cameron seems to have done more to convert President Obama to skepticism about widespread unbreakable encryption than Jim Comey did.  Save your Clipper Chips, key escrow will rise again!


Finally, Centcom’s public affairs team, which can’t keep ISIS sympathizers out of its Twitter and YouTube feeds, deserves 24 hours of deep embarrassment, which is surprisingly exactly what it gets.

Direct download: Podcast_50.mp3
Category:general -- posted at: 12:23pm EST

Our guest commentator for episode 49 of the Steptoe Cyberlaw podcast is Juan Zarate, a senior adviser at the Center for Strategic and International Studies (CSIS), the senior national security analyst for CBS News, a visiting lecturer at the Harvard Law School, and Chairman and Co-Founder of the Financial Integrity Network.  Before joining CSIS, Juan was the first ever assistant secretary of the treasury for terrorist financing and financial crimes.

We inaugurate a new headline news feature, “News or Snooze.” Some highlights:

·         EU Data Supervisor Presses for Privacy Overhaul in 2015” – Hit the snooze button and you can hear this again in 2016.  And probably 2017 too.

·          “New Credit Cards May Fall Short on Fraud Control” – This is news for everyone who thought we were moving to chip and pin to get better credit card security.

·         FBI Says Warrants Not Needed for Stingrays, Senators Express Doubts” – No surprises here.

·          “Lyft and Uber answer Sen. Franken” – Will consumers punish Uber for its privacy woes and reward Lyft for playing nice with the Senator?  Stewart bets that they won’t.

·          “Sony Hackers ‘Got Sloppy’ says FBI director” – This is news:  Jim Comey provides new evidence supporting the North Korea attribution.  Skeptics move to a new grassy knoll.

·         French terror attacks:  Big news for surveillance in both Europe and the US.  The ghost of Edward Snowden is starting to fade, as are prospects for dumping the NSA 215 program.

In the interview, Juan Zarate and Steptoe’s own Meredith Rathbone lead us through a bracing discussion of U.S. sanctions on North Korea for the Sony attack.  Bottom line:  the Treasury sanctions announced so far are unlikely to have much impact, but they do open the door to future approaches that could.  Juan endorses tougher OFAC sanctions for the beneficiaries of cyberespionage and international sanctions for attacks on banks.  He even has a kind word for letters of marque that would give the private sector more authority to pursue cyberattackers.  By the end, he’s demonstrated anew why we call him the Lord Byron of cyberpolicy. 


We remind everyone that the Podcast welcomes feedback, either by email ( or voicemail (+1 202 862 5785).

Direct download: Podcast_49.mp3
Category:general -- posted at: 12:35pm EST

Our guest for the first podcast of 2015 is Jim Lewis, a senior fellow and director of the Strategic Technologies Program at CSIS, where he writes on technology, security, and the international economy.

We try a new, slightly shorter format for 2015, with quick takes on a batch of headlines:

We dig a little deeper into other stories. 

  • FBI investigates Banks for Revenge Hacking of Iran: Stewart, Jason, and Jim Lewis debate the wisdom of taking down DDOS command and control servers without waiting for the government. And Israel’s role as a haven for private hacking back.
  • And, of course, all things Sony: We discuss the weird “grassy knoll” determination to blame someone other than North Korea. Turns out many of those challenging the FBI’s attribution have questionable credentials or are outspoken Snowden supporters, calling into question their judgment. We deprecate US financial sanctions on North Korea as a deterrent and the South Korean who is taking seriously Stewart’s suggestion that The Interview be dropped on the North from balloons. 
  • Finally, Jim Lewis offers his insider’s view of China’s approach to cyber conflict – the norms that apply in cyberwar, where cyberweapons fit into China’s warfighting doctrine, and a possible split between China’s leadership and its PLA on when and whether to carry out cyberespionage for Chinese companies.  

Later this year we will be joined by Becky Richards of the NSA Privacy office.   


We remind everyone that the Podcast welcomes feedback, either by email ( or voicemail (+1 202 862 5785).

Direct download: Podcast_48.mp3
Category:general -- posted at: 4:43pm EST