The Cyberlaw Podcast

The theme of this week’s podcast seems to be the remarkable reach of American soft power: Really, we elect Donald Trump, and suddenly everybody’s trolling. The Justice Department criminally charges a Russian troll factory’s accountant, and before David Kris can finish explaining it, she’s on YouTube, trolling the prosecutors with a housewife schtick. She’s not alone. Faced with the news that President Trump is using a commercial iPhone for many of his calls—and, Nate Jones points out, getting tapped by China, Russia, and others as a result—China has a suggestion that scores at the top of the POTUS Troll Scale. Tim Cook goes to Europe to troll Android—and me—with a speech that touches all my buttons: Europhilia, Apple sanctimony in pursuit of profit and blind enthusiasm for privacy regulation. And when the Belgians ask for British help investigating a suspected GCHQ hack of a Belgian ISP, as David and I discuss, the British respond with what can only be described as understated trolling.

This week’s interview is with Dr. Dipayan Ghosh, Pozen Fellow at Harvard’s Shorenstein Center and co-author of a new report, “Digital Deceit II: A Policy Agenda to Fight Disinformation on the Internet.” I find it an interesting mix of good insights and warmed-over Obama-era nostrums (Carly Rae Jepsen makes a brief appearance). Dipayan and I tangle on privacy but struggle toward common ground on the question of limiting the power of the Big Platforms. He’s open-minded and flexible about the details of the proposal, so for fans of civil policy debate (especially those worried about where the platforms’ dominance and ad revenue are taking us), this episode is a keeper.

Why would a Russian technical institute design malware used in an effort to sabotage a major petrochemical plant in Saudi Arabia? Nate Jones lays out the story. Originally suspected of being an Iranian operation, the attack may have originated in Iran, but FireEye persuasively links the underlying (and flawed) malware to Moscow. One possibility is that it’s a Russian false flag job, minus the embarrassing GRU operatives’ Uber receipts. My guess, though, is that the Russian institute is just amortizing malware development costs by selling off exploits developed for the GRU. If so, this may turn out to be another slow motion disaster for the thugs in the Aquarium.

In other news, Yahoo settled a class action over the enormous breach affecting 200 million people and three billion accounts. The price of that settlement? After the lawyers have been paid, the $50 million settlement will work out to about 25 cents per victim. Seems pretty cheap to me.

For a brief moment, reality has descended on the left coast. It looks like California isn’t eager for a judicial ruling on its campaign to nullify federal net neutrality law.

In the UK, Facebook is fined the maximum under pre-GDPR law, for what the privacy agency calls a failure to protect personal data from Cambridge Analytica—but what I suspect is the unspeakable crime of not having prevented the election of Donald Trump. And now that GDPR is in effect, the bien pensants of Europe have served notice; failure to prevent the president’s re-election will cost Silicon Valley billions.

Finally, what goes around comes around for the Uber “bounty” hackers. David and I think that pretty much answers the question whether they were just confused bounty hunters or extortionists with a clever line of patter.

 

Download the 237th Episode (mp3).

 

You can subscribe to The Cyberlaw Podcast using iTunes, Pocket Casts, Google Play, or our RSS feed!

 

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with Stewart on social media: @stewartbaker on Twitter and on LinkedIn. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested interviewee appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-237.mp3
Category:general -- posted at: 5:02pm EDT

In this episode’s interview we ask whether the midterm elections are likely to suffer as much foreign hacking and interference as we saw in 2016. The answer, from Christopher Krebs, Under Secretary for National Protection and Programs Directorate (soon to be the Cybersecurity and Infrastructure Security Agency), is surprisingly comforting, though hardly guaranteed. Briefly, it’s beginning to look as though the Russians (and maybe the Iranians) are holding their fire for the main event in 2020.

In the News Roundup, Maury Shenk highlights the role of Twitter, trolls and Saudi royals in the Khashoggi killing. He also explains the apparently ridiculous result in the EU Android competition matter. It may be a case of Google giving the EU what it asked for – good and hard.

Terry Albury certainly got it good and hard from a federal judge. He was sentenced to four years in prison for leaking classified documents to The Intercept. Jamil Jaffer explains why Albury’s claim of being a whistleblower didn’t win him much relief. I suggest that the only people who read Intercept articles to the end are federal agents trying to find clues to the leakers’ identities; whatever they’re doing, it’s working.

Maury and I marvel over the flood of venture capital money into China—and a potential ebb tide for Chinese money in Silicon Valley.

Jamil explains the latest SEC report flagging the cost of email fraud; nine firms lost $100 million to cyberfraud. And to add insult to injury, the SEC hints broadly that future victims may be tagged for violating SEC accounting standards, which should be sufficient to prevent such fraud.

I point to the ABA’s recent ethics opinion mandating breach disclosure to clients – and quite a bit more. Maury instructs me on the question of whether putting names on doorbells violates GDPR. Vienna says yes; Germany, no. Maury is sure the Germans have this right.

Finally, I update listeners on the Equifax data breach engineer who figured out that his company must have been breached and traded on his suspicion. In an act of relative mercy for the clueless engineer, he was fined and sentenced to eight months of home confinement.

 

Download the 236th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Pocket Casts, Google Play, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with Stewart on social media: @stewartbaker on Twitter and on LinkedIn. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested interviewee appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-236.mp3
Category:general -- posted at: 10:09am EDT

Today we interview Doug, the chief legal officer of GCHQ, the British equivalent of NSA. It’s the first time we’ve interviewed someone whose full identify is classified. Out of millions of possible pseudonyms, he’s sticking with “Doug.” Listen in as he explains why. More seriously, Doug covers the now-considerable oversight regime that governs GCHQ’s intercepts and other intelligence collection, Britain’s view of how the law of war applies in cyberspace, the prospects for UN talks on that topic, the value of attribution, and whether a national security agency should be responsible for civilian cybersecurity (the UK says yes, the U.S. says no).

In the news, Nick Weaver and Matthew Heiman comment on the ongoing controversy surrounding Bloomberg Businessweek’s Chinese supply-chain-attack story.

Matthew tells us that Treasury has announced its CFIUS pilot program, which will require the filing of notices for Chinese acquisitions in 27 critical industries. I argue that a predisposed bureaucracy has made President Trump a transformational president in terms of relations with China.

Speaking of bureaucratic predispositions, DOJ is showing enthusiasm in carrying out its predisposition to haul Chinese spies into court. What’s remarkable is that it was able to do that from across the Atlantic. While not a cyberspy, the recent arrest and extradition of an accused Chinese economic spy is easy to read as DOJ's answer to those who say indictments of government spies are a sign of weakness.

Everybody’s going to have to choose sides as Trump and Xi continue on their collision course. Except Google. At least according to Google, which bailed out of a Pentagon program because it didn’t meet Google’s values. Oh, and because Google had no chance of winning the contract. Talk about virtue signaling on the cheap!

The EU’s virtue signaling isn’t nearly as cheap, at least for Google, which is now appealing a massive EU competition fine. I can’t help wondering who the hell uses Google Shopping searches; the EU fine must be $1 billion for every biased search.

Nick reports on two troubling government reports. He believes one — the cybersecurity of DOD weapons systems really is a problem. He’s less impressed by White House concerns about the health of the defense industrial base, having recently done some “Buy America” electronics procurement himself.

Finally, Vietnam will force local data storage over Silicon Valley’s protests. Nick, Matthew and I explore the continuing delusion of U.S. foreign policymakers in insisting that the Internet must be borderless and open and free. 

Download the 235th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Pocket Casts, Google Play, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with Stewart on social media: @stewartbaker on Twitter and on LinkedIn. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested interviewee appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-235.mp3
Category:general -- posted at: 10:01am EDT

Bloomberg Businessweek’s claim that the Chinese bugged Supermicro motherboards leads off our News Roundup. The story is controversial not because it couldn’t happen and not because the Chinese wouldn’t do it but because the story has been denied by practically everyone close to the controversy, including DHS. Bloomberg Businessweek stands by the story. Maybe it’s time for the law, in the form of a libel action, to ride to the rescue.

Congress, astonishingly, has been doing things other than watch the Kavanaugh hearings. It produced a conferenced version of the FAA authorization including authority for DHS and DOJ to intercept drone communications and seize drones without notice or a warrant. This effort to get in front of dangerous technology yields the usual whines from the usual Luddite “technology advocates.” Meantime, Congress has also adopted a bill to change the name of DHS’s cyber and infrastructure security agency to, well, the Cybersecurity and Infrastructure Security Agency

ZTE’s troubles continue, as a federal judge slammed the company for violating the terms of its probation. The judge extended ZTE’s probationary term and the term of its monitor – meaning the company now has two US monitors watching as it tries to rebuild its business.

The Trump Administration is following in the Obama Administration’s footsteps, Gus Hurwitz reports, trying to build consensus around norms for cyber conflict. I remain dubious, but at least this effort is limited to countries not actively engaged in cyber hostilities with the United States.  

California has its own air pollution standards; why not its own net neutrality law? Probably because the FCC under Ajit Pai is not the EPA. Gus and I discuss whether any part of California’s law can withstand preemption.

The hits just keep on coming for the GRU, a formerly vaunted Russian intelligence service, which now can’t even keep secret the names of its most secret agents. Bellingcat, a private website, totally pantses the agency, outing not just its nerve agent operatives but 300 others for good measure.  Piling on, the Justice Department indicts another batch of GRU operatives for hacking sports anti-doping authorities. Even Germany musters the courage to join the UK in fingering Russia for its cyberattacks while the mighty Dutch counter-hacking team joins in the sack dance.

Is the Turing test easier if you only have to convince Californians that you’re human? That may be the theory behind California’s SB 1001, making it unlawful for a bot to deceive a Californian about its botitude “in order to incentivize a purchase or sale of goods or services in a commercial transaction or to influence a vote in an election.”

More bad news for Justice in Silicon Valley, according to leaks from a court case in which the Department is rumored to have sought a court order forcing Facebook to cooperate in a wiretap of MS-13 members.  

Finally, Dr. Megan Reiss reports, North Korea is apparently getting rich robbing banks. Surprisingly, though, it seems not to be robbing American banks. Yet. 

 

Download the 234th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Pocket Casts, Google Play, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with Stewart on social media: @stewartbaker on Twitter and on LinkedIn. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested interviewee appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-234.mp3
Category:general -- posted at: 5:31pm EDT

In this news-only episode, Nick Weaver and I muse over the outing of a GRU colonel for the nerve agent killings in the United Kingdom. I ask the question that is surely being debated inside MI6 today: Now that he’s been identified, should British intelligence make it their business to execute Col. Chepiga?

On a lighter note, Uber is paying $148 million to state AGs for a data breach that apparently had no consequences and might not even have been a breach.

About a year too late for Congressional action, a consensus of sorts is emerging among Republicans that Silicon Valley needs broad privacy regulation. The Trump Administration is asking for comment on data privacy principles. And tech giants are pushing lawmakers for federal privacy rules. But the catalyst is an increasing need for federal preemption in the face of California’s new law, and the Dems who are expected to take the House will be hard to sell on preemption. So despite the emerging consensus, a log jam that lasts years could still be in our future.

The sentencing of an NSA employee for taking sensitive tools home – and getting them compromised by Kaspersky – leaves Nick with plenty of additional questions about the source of the tools compromised by Russian proxies in recent years.

Evan Abrams gives us a summary of the NY AG’s report on virtual markets and cryptocurrency. Bottom line: New York is likely to pursue regulation with vigor.

Meanwhile, West Virginia embraces a mobile voting app for the 2018 election. Remarkably, despite the deployment of blockchain buzzwords, none of us thinks the system is secure.

And in quick hits:

  • The GRU is taking the “P” in APT way too seriously.
  • A content moderator has sued Facebook, claiming that her job gave her PTSD.
  • India’s Supreme Court has upheld, with limits, the government’s massive Aadhaar digital ID program.
  • Facebook suffered a breach affecting 50 million user accounts and probably 40 million “log on with Facebook” accounts. We’re getting these facts piecemeal thanks to the EU’s dumb 72-hour deadline for reporting breaches under GDPR.
  • President Trump says China is interfering in the 2018 elections. But unlike Russia in 2016, all of China’s fake news is on actual newsprint.
  • Finally, a quick report roundup:

Download the 233rd Episode (mp3).

 

You can subscribe to The Cyberlaw Podcast using iTunes, Pocket Casts, Google Play, or our RSS feed!

 

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with Stewart on social media: @stewartbaker on Twitter and on LinkedIn. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested interviewee appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

 

Direct download: TheCyberlawPodcast-233.mp3
Category:general -- posted at: 5:15pm EDT

1