Would it violate the Posse Comitatus Act to give DOD a bigger role in cybersecurity? In episode 146, Michael Vatis and I call BS on the idea, which I ascribe to Trump Derangement Syndrome and Michael more charitably ascribes to a DOD-DHS turf fight.
Should the FDA allow hospitals to implant defibrillators with known security flaws in unknowing patients? I argue that that’s the question raised by the latest security flaw announcement from the FDA, DHS, and St. Jude Medical (now Abbott Labs).
Repealing the FCC’s internet privacy regulations is well within Congress’s power if it acts soon, says Stephanie Roy, who stresses how rare it is for Republicans to hold the presidency and both houses of Congress. (And who says President Obama didn’t leave a legacy?)
The European Commission isn’t done complaining about US security programs, Maury Shenk tells us. Vera Jourova wants to know more about the US request that Yahoo! screen for certain identifiers and hand over what it finds. That’s apparently too useful for finding terrorists to satisfy delicate European sensibilities. Speaking of which, Angela Merkel is in the bulls-eye for Russian doxing. And to hear Maury tell it, Russia has probably been collecting raw material for years.
Should we start treating Best Buy computer support as though its geeks work for the FBI? And would that be a defense if they find bad stuff on our computers without a warrant? Michael thinks it’s more complicated than that.
Speaking of overhyped stories, Michael and I unpack the claim that President Obama’s team is handing out access to raw NSA product with unseemly haste and enthusiasm. In fact, this proposal has been kicking around the interagency for years, and the access is heavily circumscribed. As for the haste, it could be the outgoing team is afraid its proposal will be unduly delayed by the new guys – or that all its circumscribing will be second-guessed. You make the call!
And for something truly new, we offer “call-in corrections,” as Nebraska law professor Gus Hurwitz tells us about the one time the FTC discussed the NIST Cyber Security Framework. It’s safe to say that this correction won’t leave the FTC any happier than my original charge that the agency can’t get past “Hey! I was here first!”
As always, the Cyberlaw Podcast welcomes feedback. Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.
We interview two contributors to CSIS’s Cybersecurity Agenda for the 45th President. Considering the track record of the last three Presidents, it’s hard to be optimistic, but Davis Hake and Nico Sell offer a timely look at some of the most pressing policy issues in cybersecurity.
In the news roundup, it’s more or less wall to wall President-elect Trump. Michael Vatis, Alan Cohn, and I talk about Russian hacking, the American election, Putin’s longtime enthusiasm for insurgent movements from “Occupy Wall Street” to “Make America Great Again,” and the President-elect’s relationship with the intelligence community.
In other news, I’m forced to choose between dissing the New York Times and dissing Apple’s surrender to Chinese censorship. Tough call, but I make it. Speaking of censorship, Russia is rapidly following China’s innovation in app store regulation. For legal antiquarians, I suggest that the Foreign Agent Registration Act deserves a comeback.
It seems to be solidarity week. Lots of amici have leapt to support LabMD in court now that it looks like a winner. Meanwhile I stick up for Mike Masnick, the man who puts the dirt in Techdirt. He may be a colorfully opinionated jerk, but he doesn’t deserve to be a defendant. And I congratulate Lawfare for joining the Europocrisy campaign on Schrems and China.
We start 2017 the way we ended 2016, mocking the left/lib bias of stories about intercept law. Remember the European Court of Justice decision that undermined the UK’s new Investigatory Powers Act and struck down bulk data retention laws around Europe? Yeah, well, not so much. Maury Shenk walks us through the decision and explains that it allows bulk data retention to continue for "serious" crime, which is really the heart of the matter.
We can’t, of course, resist an analysis of the whole Russian election interference sanctions brouhaha. The FBI/DHS report on Russian indicators in the DNC hack is taking on water, and its ambiguities have not been helped by a Washington Post article on alleged Russian intrusion into Vermont Yankee’s network. That story had to be walked way back, from an implicit attack on the electric grid to an apparently opportunistic infection of one company laptop. No one is surprised that there’s an increasingly partisan split over who’s going to answer the phone now that the 1980s really have called to get their foreign policy back.
Meredith Rathbone walks us through the revamp of the Obama Administration’s cyber sanctions in an attempt to address election meddling. And we manage to find a legal twist to the new sanctions on the FSB. Turns out that large numbers of US tech firms have to deal with the FSB, not as a buyer of services but as a regulator, both of encryption and intercepts inside Russia. If the sanctions prohibit dealing with FSB as a regulator, Maury reports, they could end up imposing unintentionally broad restrictions on a lot of US companies doing business in Russia.
Meredith also updates us on the Wassenaar effort to control exports of “intrusion software” – which some European governments seem to want to regulate in a way that does maximum damage to cybersecurity. The overreaching was blunted in a recent Wassenaar meeting, but not nearly as much as the US government – and industry – had hoped. The issue won’t go away, but it will soon become an appropriate job for the author of “The Art of the Deal.”
Finally, Jennifer Quinn-Barabanov takes us on a tour of the dirtier back streets of privacy class action practice – otherwise known as cy pres awards and their challengers. It sounds like “genteel corruption” to me, but you be the judge.
Fresh off a redeye from Israel, I interview Matthew Green of the Johns Hopkins Information Security Institute. Security news from the internet of things grows ever grimmer, we agree, but I get off the bus when Matt and the EFF try to solve the problem with free speech law.
In the news roundup, Matt joins Michael and me to consider the difficulties of retaliating for Putin’s intrusion into the US election. There just aren’t that many disclosures that would surprise Russians about Vlad, though the Botox rumors are high on my list.
In other news, the EU’s cybersecurity agency, ENISA, issues a report on crypto policy that has a surprisingly musty air.
Two new settlements show the limits of privacy law. Michael Vatis covers them both. Ashley Madison settles with the FTC and is assessed a large fine that has to be partially forgiven because the company can’t pay. We all thought that adultery was a more durable business model. And Google settles a class action for unlawful wiretapping by agreeing to scan everyone’s email a few microseconds later than it used to. And to spike the football in its victory, Google offers most victims of the violation damages that amount to, well, nothing.
Ah, but Europe marches on, convinced that more privacy regulation will solve the twenty-first century for Europe. Given a choice between more privacy regulation or less, the EU of course chooses more. Maury Shenk explains. Meanwhile faced with the problem of “fake news” and the real risk that Vladimir Putin will use doxing and propaganda against Angela Merkel in her election next year, Europe has the answer: more regulation, especially regulation that puts all the blame on American social media companies. The first amendment rights of Americans look to be collateral damage.
Too busy to read the 100-page Presidential Commission on Enhancing National Security report on what the next administration should do about cybersecurity? No worries. Episode 142 features a surprisingly contentious but highly informative dialog about the report with Kiersten Todt, the commission’s executive director.
In the news, Lindsey Graham, John McCain, and a host of Dems want to investigate Russia’s role in the recent election, while the President-elect thinks it’s, well, fake news, to borrow a lefty trope. Michael Vatis presses me to pick a side. Long-time listeners won’t be surprised at my answer.
Gen. John Kelly is picked to head DHS. What does that say about its role in cybersecurity? Nothing, I venture. On crypto, though, we could finally see a commission. Chairman McCaul supports the idea, and it’s just possible that foreign government action and the Trump presidency will finally make Silicon Valley nervous enough to stop stonewalling and start talking.
We close with a definitive five-minute briefing on the future of net neutrality. The quick answer is that the dingoes are now running the child care center.
We begin by asking Rihanna to sum up the latest US-EU agreement:
That’s when you need me there
With you I’ll always share …
You can stand under my umbrella
RiRi’s got the theory right: The Umbrella Agreement was supposed to make sure the US and EU would always share law enforcement data. But when the Eurocrats were done piling on the caveats, it was clear what concessions the US had made, but it wasn’t clear if the EU had made any at all. So if you're keeping score, that's US=Rihanna, EU=Chris Brown. But we're sure that down deep they really love us, and we'll be moving in together again soon.
Meanwhile, the Investigatory Powers Act has gained royal assent. Maury Shenk walks us through both developments.
The Trump administration is hinting at a change in responsibility for protecting critical infrastructure from cyberattack, and it’s consistent with the President-elect’s enthusiasm for turning hard jobs over to generals. Congress is doing its bit, elevating Cyber Command to full combatant command status.
In good news, DOJ and a boatload of other countries have sinkholed the Avalanche botnet. Michael Vatis has the details.
Kudos to Sen. Cornyn, who held off a series of left/lib attacks on the changes to Rule 41 that are needed to catch even moderately sophisticated child abusers and hackers.
Tom Donilon’s Commission on what the next administration should do about cybersecurity has delivered its recommendations. The response: crickets.
Lastly, Saudi Arabia suffers a major Iranian attack. The US response to this attack on an ally of sorts? Cue the crickets again.
We next turn to an interview with Scott Charney, Corporate Vice President for Trustworthy Computing at Microsoft. I’ve known Scott for 25 years and he’s an acute observer of the international cybersecurity scene. We discuss international pressures on technology companies including the conflicted roles of governments dealing with encryption.
Episode 140 features long-time New York Times reporter, John Markoff, on the past and future of artificial intelligence and its ideological converse – the effort to make machines that augment rather than replace human beings. Our conversation covers everything from robots, autonomous weapons, and Siri to hippie poetry of the 1960s and Silicon Valley’s short memory on use of the term “cyber.”
In the news, Maury Shenk reports that five EU members now say they want EU-wide crypto controls. And that’s not counting France and Germany. Maybe the real question is whether any EU countries oppose encryption regulation. We can’t find any. Tongue firmly in cheek, I thank Tim Cook for bringing the need for government crypto regulation to the attention of governments around the world.
It turns out that the FBI actually hacked more than 8,000 computers in 120 countries in a single child porn investigation. Wow. And the Justice Department is lecturing me on the risk that active defense could cause unexpected foreign relations problems? Well, I guess they would know.
We-Vibe’s undisclosed collection of data about users of its smart-phone enabled vibrators spurs a class action. Or should that be a “lacks class” action? I confess to being nonplussed by the uses to which an Internet-connected vibrator app can be put. And even more nonplussed when Jennifer Quinn-Barabanov explains how We-Vibe could contribute to the law of standing.
The Wages of Defeat, part one: Election hack fever seizes the left, and I ask Alan what the law should do about vulnerable election infrastructure. Jill Stein is almost certainly wrong about election hacking this year (or in it for the money), but now that everyone has some reason to question the integrity of our election process, Alan and I ask whether there’s room for bipartisan improvements in electoral systems.
Wages of Defeat, part two: Fake news fever seizes the left. For sure it’s a real problem, and Putin is part of it, but solutions are hard to find. Fake news is often in the eye of the beholder, and neither the mainstream media (see, e.g., here or here) nor the barons of social media (Milo Yiannopoulos, call your office) have been exactly even-handed in dealing with conservative views. If we want to go after foreign government sponsored fake news, I suggest, maybe an updated Foreign Agent Registration Act is worth looking at. Between the first amendment and a lack of trust in would-be fake news umpires, there aren’t a lot of other attractive solutions out there.
In this week’s episode, we guess at the near-term future with Betsy Cooper and Steve Weber of UC Berkeley’s Center for Long Term Cybersecurity. In all of their scenarios, the future is awash in personal data; the only question is how it’s used. I argue that it will be used to make us fall in love – with our machines.
In the news of the week, we explore the policy consequences of President-elect Trump’s personnel choices. I point out that the quickest route to the new administration’s short list seems to be an interview on the Steptoe Cyberlaw Podcast.
The internet advertising industry is trying to stamp out ad malware so that firms following a set of guidelines will earn a seal of approval, Katie Cassel explains. Color me skeptical: would you buy an antivirus product that proclaimed that it scans “a reasonable percentage of” incoming code?
It’s apparently guidelines week in cybersecurity-land, as agencies rush to release their work before the transition. Two agencies issued guidelines on security practices. The Department of Homeland Security released the recommendations for internet-connected devices that Rob Silvers forecast on the podcast last month. Alan Cohn summarizes the principles, which include steps like security by design and regular vulnerability patches. Meanwhile, Katie tells us, NIST has released its guidance for small business network security. We compare its guidance to the FTC’s. NIST wins.
Two Chinese Android phone backdoors have emerged in one week. Researchers at Kryptowire have uncovered a secret backdoor in large numbers of Android phones that ships users’ personal data, including their SMS messages and location, back to China. The company responsible, Shanghai Adups Technology Company, says it was a mistake, and that the software wasn’t supposed to be installed on phones for sale in the US. Or perhaps the mistake was in getting caught. Investigations will follow, one hopes.
The second backdoor is an unsecured firmware upgrade channel that would allow a man-in-the-middle to add arbitrary code to an upgrade. I point out that Apple uses the same backdoor – just better secured – for the same purpose. So its claim that it’s fighting the FBI to protect us from backdoors and their security risks is balderdash.
The 1990s have called, and they want their competition policy back. At least that seems to be the gravamen of Kaspersky’s complaint that Microsoft Defender is killing third party antivirus companies.
In other news that isn’t new, the effort to override Rule 41 changes still looks as dead as General Franco. That doesn’t mean that a forlorn left-right coalition will give up, of course, since there is still sympathetic lib/left press coverage to be milked from the issue.
Finally, in a sign of just how serious the cybersecurity crisis is, almost 2 in 5 American adults said they would give up sex for a year in exchange for never having to worry about being hacked. And once the machines make us fall in love with them, that number will approach 100%.
We couldn’t resist. This week’s topic is of course President-elect Trump and what his election could mean for All Things Cyber. It features noted cybercommentator Paul Rosenzweig and Daily Beast reporter Shane Harris.
In the news, we’re reminded of the old Wall Street saying that bulls and bears can both make money in the market but pigs eventually get slaughtered. The same goes for the pigheaded, as the FTC has learned. Whatever modest satisfaction the FTC got from denying a stay of its order against LabMD surely evaporated when it forced the Eleventh Circuit to make an early call on the stay. The result: the court of appeals practically overrides the FTC decision on the motion. Or was the Commission just trying to make sure the proposed television series about LabMD had an ample supply of villains? If so, way to go, guys!
Katie Cassel announces her imminent retirement from the podcast. She also explains the DMCA’s new exemption for security researchers.
This is getting ugly: Yahoo now says that some of its employees knew about its massive data breach in 2014 – two years before it was disclosed. Why the delay? Yahoo says it’s investigating – and that it can’t be sure Verizon will follow through on the deal to buy the company.
Russia is putting some teeth in its data localization law. LinkedIn looks like the sacrificial goat, Maury Shenk tells us, and that’s just the camel’s nose under the tent.
How can section 230 immunity provide protection against one claim but not another based on the same facts? Katie makes it sound almost reasonable. Boy, are we going to miss her.
The Germans have revived an investigation of Facebook for not blocking Germany’s idea of hate speech, which probably includes hats that say “Make America Great Again.” Oh, this is going to be a fun four years.
Speaking of which, I wonder if the GRU woke up with the same hangover as the rest of the United States, suddenly realizing that they had no freaking clue what policies a Trump administration would follow. That would explain the rash of phishing attacks on Washington think tanks.
The episode features a vigorous and friendly debate between me and Frank Cilluffo over his new report on active defense, titled “Into the Gray Zone.” It’s a long and detailed analysis by the Center for Homeland and Cyber Security at GW University. My fear: the report creates gray zones for computer defense that should be seen as purely lawful — and turns far too many genuine gray zones black.
Maury Shenk returns after missing last week due to the British determination not to follow US daylight savings practice. After my rant in favor of Sunday Daylight Hoarding Time, he updates us on challenges to the Privacy Shield Agreement in EU courts by privacy true believers (two and counting) and EU court challenges to government data practices in China, Russia, Algeria, and Saudi Arabia (none in evidence). Speaking of which, China has actually adopted the cybersecurity law it’s been threatening Western tech companies with for months, if not years.
Congress is starting to notice the FDA’s hapless response to medical device security. I predict that the FDA will not take serious notice until heart implants start tweeting: “I’d give this guy cardiac arrest, but I’m too busy DDOSing the DNC.”
Michael Vatis tells us what’s in the FTC’s Business Guide to Data Breach Response. It’s pretty good, but even if it weren’t, no one can ignore it, since it’s as close to rulemaking as the FTC gets in this field.
A remarkable official leak says that US Cyber Command has pwned Russia’s IT infrastructure, from its power grid to its military command system, and is ready to strike if the Russians mess with the US election. Is it true? Clint Eastwood has the best answer.
Jonathan Zittrain, who holds a surfeit of titles at Harvard, is our guest for episode 136. Among other topics, we explore the implications of routine doxing of political adversaries. Along the way I extract kind words from Jonathan for Sarah Palin and welcome him to the club of those who think mass doxxers are evil punks. It’s a wide-ranging, informative, and unideological performance of the sort we’ve come to expect from Jonathan.
In the news, I note that the FBI seems to be getting reinforcements in the Great Crypto War, as European prosecutors prepare the battlefield with complaints about Islamic State use of Western encryption.
We’re seeing the rise of a new kind of security disclosure mandate, Katie Cassel tells us. First DOD and now Treasury are requiring their industry to disclose not just personal data breaches but the details of security breaches. But only Treasury was clever enough to do it without new regulatory authority.
NHTSA proposes some pretty thin cybersecurity guidance for vehicles, says Michael Vatis, and a couple of Senate Dems predictably call for tougher mandatory standards.
In more dog-bites-man news, European data protectionists have more hassles for US tech companies; this time it’s WhatsApp and Yahoo in the crosshairs.
Michael leads a tour of the FCC’s new “opt-in” privacy rules for ISPs. I make a bold prediction about how the privacy fight will shake out, and Michael – remarkably – thinks I may be right.
Katie explains HHS’s latest fine for a company that allowed file-sharing of medical files on one of its servers. Mike Daugherty, time to call your office.
Would the revolting magistrates have scuppered the FBI's effort to extract Huma's emails from Weiner's computer? Michael and I debate Orin Kerr's suggestion that there's a legal problem with expanding the search (or the seizure) to a new and different investigation. We mostly disagree with Orin.
And in continuing Rule 41 news, I narrowly escape an NFL taunting penalty while reporting that a whopping 23 out of 535 lawmakers are whining about expanded searches of pedophile computers.
Our guest for the episode is Rob Silvers, the assistant secretary for cybersecurity policy at DHS. He talks about what the government can and should do about newly potent DDOS attacks and the related problem of the Internet of Things. The only good news: insecure defibrillators and pacemakers may kill you, but they haven’t yet been implicated in any DDOS attacks.
In the news, Michael Vatis and I debate whether the netizen reaction to a search warrant that also allows the FBI to collect phone security fingerprints during the search is overheated or justified. Maury Shenk explains an unusual UK tribunal ruling, holding that GCHQ’s and MI5’s bulk collection of data was once a violation of the European Convention on Human Rights. Luckily for the UK government, that illegality was cured by the government’s acknowledgment of the collection.
The financial industry faces new cybersecurity regulations; Katie Cassel explains. Then, as the junior member of the podcast crew, Katie also finds herself called on to explain when defense contractors have to disclose cyberattacks to the Department.
In other news, NSA contractor Harold Martin is looking less like a hoarder and more like a serious threat to national security, thanks to the Justice Department motion opposing bail. Maury explains why the EU’s top court thinks that even dynamic IP addresses are personal data. And I explain (or try to) why Julian Assange is a first amendment cover boy when he blows national security secrets but apparently the second coming of Josef Stalin when he blows politically embarrassing secrets of the Clinton Global Initiative. Or is the real problem the risotto recipe?
Episode 134 features John Carlin’s swan song as assistant attorney general for national security. We review the highs and lows of his tenure from a cybersecurity point of view and then look to the future, including how the US should respond to Russia’s increasingly uninhibited use of cyberpower. I introduce John to Baker’s Law of Post-Government Policy Advice: “The good news about leaving government is that you can say what you want. The bad news is that you can say what you want because nobody cares.”
In the news roundup, we explore the Geofeedia flap, in which large Silicon Valley companies are claiming the right to deny law enforcement access to public postings, even when that access is limited to particular geographic areas, such as the location of an ongoing riot. Remarkably, they seem to think we ought to be praising them for this antisocial stand. Michael Vatis and I consider whether law enforcement can subpoena the same data from antisocial media.
Michael and I also mull over the troubling news that Carbanak is targeting SWIFT endpoints. The G7 has financial cybersecurity guidelines, but it seems unlikely that they’ll turn the tide of an increasingly at-risk banking system.
Michael and I also touch on an Akamai report confirming that the Internet of things isn’t exclusively used to launch DDOS attacks on Brian Krebs; sometimes it’s used to launch mass credential theft attacks as well. I volunteer to bring the first lawsuit.
Maury Shenk updates us on the UK’s new privacy guidelines – and China’s effort to make its internet more protective of children, and the state.
In episode 133, our guest is The Grugq, famous in hacker circles but less so among Washington policymakers. We talk about the arrest of an NSA employee for taking malware and other classified materials home, the Shadow Broker leak of Equation Group tools, and the Grugq’s view that the United States has fundamentally misunderstood the nature of cyberconflict.
In the news, Alan Cohn and I discuss the DHS/DNI fingering of Russia – and Putin – for the DNC hack. We ask whether this means that sanctions will follow, and I characterize the administration’s stance so far as an updating of Groucho Marx’s position: “These are my red lines. If you cross them, well, I have others.”
I award “stupidest privacy scandal of the year” to the complaints that Yahoo! (gasp!) scanned email content in a search for a terror-related signature.
Continuing what will become a rant-filled episode, I nominate the Third Circuit for membership in a Hall of Judicial Shame. The court of appeals has joined the European Court of Justice in giving legal effect to the early Guardian articles claiming that PRISM allowed NSA to scan all emails in US webmail services. That might have been a mistake in 2013, but in 2016, it can only be characterized as a lie, and not one the judiciary should be party to. Katie Cassel hoses me down.
Maury Shenk, back from honeymoon in Jordan, explains why the TalkTalk case has such prominence in the UK – and why the company was lucky to be assessed one of the highest fines ever imposed by the UK data protection authority.
And, to end the roundup on a choleric note, Alan goads me with HHS’s latest and most astonishingly nit-picking fine ‒ $400,000 for having a supplier contract that hadn’t been updated since the HI-TECH Act modified HIPAA.
In episode 132, our threepeat guest is Ellen Nakashima, star cyber reporter for the Washington Post. Markham Erickson and I talk to her about Vladimir Putin’s endless appetite for identifying ‒ and crossing ‒ American red lines, the costs and benefits of separating NSA from Cyber Command, and the chances of a pardon for Edward Snowden. Ellen also referees a sharp debate between me and Markham over the wisdom of changing Rule 41 to permit judges to approve search warrants for computers outside their district.
In the news roundup, Meredith Rathbone explains the remarkably aggressive, not to say foolish, European proposal to impose export controls on products that would enable state surveillance in cyberspace. Apparently locked in a contest with Brussels over who can propose the dumbest regulation of cyberspace, California has adopted a law that purports to prohibit entertainment sites like IMDb from publishing the true ages of actors and actresses. Markham and I debate the constitutionality of the measure.
In other California news, Markham brings us up to date on the surveillance lawsuit against Google. He also explains the deep Washington maneuvering over FCC Chairman Wheeler’s plan for cable set top boxes. I call for a rule that requires cable CEOs to wait at home for days of rescheduled calls to find out whether they’re going to get the result they want.
Our interview in episode 131 is with Matt Cutts and Lisa Wiswell from the Pentagon’s Defense Digital Service. Matt joined the Digital Service from Google where he authored their SafeSearch content filter. Lisa is a bureaucracy hacker with the Defense Digital Service and previously spent years working on cyber-warfare in DOD’s policy shop and in DARPA. They both stress that the Service is looking for good code and policy hackers -- and that their Digital Service recruiting link is https://www.usds.gov/join
After a musical intro featuring the Beatles as reimagined by artificial intelligence, Michael Vatis explains why Microsoft's new German datacenters may succeed in putting customer data beyond the reach of US agencies, and why Microsoft might not want to state its goal quite that way.
Jennifer Quinn-Barabanov explains how a new lawsuit on behalf of Gilbert Chagoury will test whether the US government will punish leakers and whether the EU succeeds in its effort to get the Privacy Act to cover European nationals.
Jen and I also tackle the record-breaking Yahoo! breach, and what it says about the actual impact of data breach risk on companies and investors. Jen reveals this shocking statistic: the median cost of a breach is $200,000 by some measures, hardly enough to get even the plaintiffs’ bar out of bed. And, it turns out, nearly half of corporate GCs have already lived through a breach, so they likely know their own exposure pretty well.
Speaking of records, Brian Krebs, a podcast alum, experienced his own unenviable record: victim of world’s biggest DDOS attack, fueled by the Internet of things. What next? Networked Fords launching a denial of service attack on GM dealers?
Sliding seamlessly into the interview, Matt Cutts and I dive into the latest OpenSSL bug, the reasons Google launched BoringSSL, and the ways in which being boring is also being secure. (Which pretty much any overprotected ten-year-old boy could have told us.)
Matt and I debate whether SSL everywhere is just good, prudent security or a sign of Crypto Derangement Syndrome on the part of a Valley that hopes to secede from the United States (guess which side I took).
We take a long look at the Digital Service and what it has done so far. Lisa Wiswell brags on “Hacking the Pentagon,” which paid the first bug bounties ever offered by a US government agency. I congratulate her on avoiding the alternative ‒ filing a STFU lawsuit against the security researchers, unlike some I could mention (*cough* St. Jude *cough*). This leads to a colloquy on what it will take to fix IT procurement in the US government. We make a little progress, but find no silver bullets.
In a law-heavy news roundup, Katie Cassel and I talk about New York’s dangerously prescriptive cybersecurity regs for banks and insurers. Maury Shenk and I uncover the seamy industrial politics behind the EU’s latest copyright and telecom proposals. The Sixth Circuit deepens a circuit split over standing and how much injury it takes to support a federal data breach lawsuit – and then, oddly, decides not to publish its opinion. Michael Vatis explains.
In other news, Michael notes that the CFTC has adopted its own very prescriptive cybersecurity testing rules. At least pen testers should be happy; their specialty is increasingly required by regulators. Katie hoses me down on the significance of the Ninth Circuit’s latest “failure to warn” decision for section 230 of the Communications Decency Act. Good news for section 230, not so much for Match.com.
Finally, the FTC continues to vie for the title of federal agency with the least sense of moderation. The FTC is opposing a motion to stay in the LabMD case. Pending appeal, it wants to impose strict cybersecurity procedures on a business whose servers are probably stored in Mike Daugherty’s garage. As Winston Churchill said about nuclear weapons, at some point all you’re doing is making the rubble bounce.
In episode 129, Alan Cohn and I dive deep on the Government Oversight Committee’s predictably depressing and unpredictably entertaining report on the OPM hack. Highlights: Cheeky Chinese hackers registering their control sites to superhero alter egos like Tony Stark. And poor, patriotic CyTech finds an intruder during a sales demo, rushes to provide support without a contract, and ends up not just stiffed but accused of contributing to a violation of the Antideficiency Act. The overmatched OPM security team launches a desperate Operation Big Bang to oust one team of hackers, while another is safely ensconced in the network, biding its time before exfiltrating all of OPM's data.
And for those who’ve complained that we never talk about cybertax law, a feast: Steptoe’s premier international tax partner (and head of the firm), Phil West, explains everything you need to know about the fight between Apple and the EU over Ireland’s tax regime for the company. I profess to be shocked to discover that Brussels is doing, well, what Brussels usually does -- screw US companies for the crime of being American and better at tech than the EU.
Alan and I talk about one more PlayPen decision, United States v. Torres. It may be the last word on the subject, in part because it’s so sensible (holding: the FBI did perform a search, it had a warrant and probable cause, the warrant didn’t conform to Rule 41, but so what? No suppression) and in part because the Supreme Court has agreed to change the Rule. I confidently predict that Sen. Wyden’s effort to stop the rule change will come to nothing, as it should.
The podcast is back with a bang from hiatus. Our guest, Scott DePasquale, is the CEO of Utilidata, an electric utility IoT and cybersecurity company. Scott talks about his contribution to the Internet Security Alliance’s upcoming book, The Cyber Security Social Contract.
Episode 128 also brings you a news roundup from the most momentous August in cybersecurity history. Maury Shenk brings the SWIFT hack to life by describing his own brush with cyber bank fraud. I cover the Shadow Brokers’ disclosure of what most believe to be an NSA hacking toolkit. Meanwhile, Russia is hacking our political process and only the side whose ox is being gored seems to care.
The EU, with its unerring instinct for the capillaries, continues to fight the US on these issues. Privacy Shield is up, and a lot of serious companies are signing up, despite the uncertainties. Maury and I note the entry of France and Germany into the Great Crypto World War – at a comfortably leisurely pace. And, in a welcome move, the European Court of Justice has reaffirmed that there are still some (modest and blurry) limits to the assertion of data protection jurisdiction over internet merchants.
The FTC had a busy month. It served LabMD a mess of home cookin’ and the company is now free to argue its case before an unbiased court of appeals. Speaking of which, the Ninth Circuit Court of Appeals shot down the FTC’s effort to steal the FCC’s common-carrier-regulating turf, and the FTC has finally deigned to notice (and even pat on the head) NIST’s Cybersecurity Framework.
The UK’s terror watchdog has more or less endorsed the value of bulk collection of personal data. And Baltimore has put it into effect, adopting an “eye in the sky” technology that has solved serious crimes without harming anyone’s privacy; naturally the privacy lobby is determined to make sure it’s never used again.
In privacy class action news, the lawyers for CareFirst deserve a bonus; they’ve now killed three class action cases (here, here, and here) where the breach was serious but the plaintiffs couldn’t claim that the stolen data was ever used to harm them. And Judge Koh, to her shame, has approved $4 million in legal fees for the lawyers who brought a class action against Yahoo! and settled for a no-damages injunction that lets Yahoo! keep reading its users’ emails, but after they’ve been sent, not before. That's worth $4 mil for sure. Not.
I know we promised to take August off, but I was inspired by the flap over the DNC hack and the fact that I’m at the Aspen Homeland Security Working Group meeting in Colorado. I waylaid two former intelligence community members on the Aspen campus and asked for their views on the DNC hack. Well, to be accurate, I start the interview by asking whether Putin really has the balls to step into the US electoral campaign in this way.
Answering the question are two men with long years dealing with Soviet and then Russian intelligence: Charles Allen, who became intelligence chief for DHS after a full career at CIA, and John McLaughlin, who ended his career at CIA as the Deputy Director and Acting Director.
If Vladimir Putin can do it, so can we. This week the podcast dives deep into the US presidential campaign.
I of course talk with Maury Shenk about evidence that the Russians are behind “Guccifer 2.0” and the DNC data leak – aided by a WikiLeaks that looks more and more like an FSB front. I compare the largely indistinguishable Dem and GOP platform planks on encryption ‒ and draw a lesson from the straddles: there’s little doubt that every lobbyist who contributed to the platforms was working for Silicon Valley, so the failure to endorse the Valley’s view may spell trouble for techie triumphalism. I also spike the football for the Justice Department, whose policy views on the dangers of hacking back were swamped when the GOP called for letting victims of hacking have their way with the hackers.
Our interview this week touches on the insider threat. Andy Irwin describes the new DOD rule requiring contractors to devise insider monitoring plans for cleared personnel, and two industry leaders, Ed Hammersla, CSO of Forcepoint, and Brian White, COO of RedOwl Analytics, talk about what technology can do to spot incipient employee defections and data theft. A discussion of the role of natural language processing naturally reminds me of George Carlin and the seven dirty words you can’t say on the radio.
In other news, Katie Cassel unpacks another in a long line of increasingly incoherent Ninth Circuit rulings on when it violates the CFAA for unwanted visitors to log on to a site. Katie also explains why the outcome of another data breach lawsuit might persuade Scottrade to change its name to Scot-Free.
Maury updates us on UK politics, from Theresa May’s honeymoon to the possibility that UK data retention law will survive review in the European Court of Justice. I flag a good (and, sadly, already outdated) House Homeland Security Committee report on 100 ISIS-linked terror plots against the West since 2014, a surprise reprieve for Silent Circle, and WhatsApp’s continuing “If it’s Tuesday we must be shut down; if it’s Wednesday we must be back up” drama in Brazil.
Inspired by this week's podcast episode and a conversation with Brock Meeks, an old friend and sparring partner, I contributed the following op-ed to Atlantic Media's BRINK site. Many thanks to Victoria Muth for her assistance in turning my good intentions into an actual article.
Corporate executives are fed up with the current approach to network security. They’ve been spending more and more on security. Despite that spending, they’re told that they can’t expect to keep intruders out of their networks; the best they can hope for is to lock the intruders out of their most important files, or to keep hackers from exfiltrating all that data.
Government help seems useless. It rarely catches intruders or offers security advice beyond the obvious; however, it’s quite happy to punish corporate hacking victims after the fact, often imposing fines and liability on the victim for failing to implement a security measure that three-quarters of government agencies haven’t implemented.
It’s pretty clear that building higher walls around our networks is a dead end. So is tighter scrutiny and control over what happens on the network. These things have their place, just as locks on our doors and windows have a place in physical security; however, locks won’t stop thieves if they don’t have to worry about getting caught and sent to jail for breaching the homeowner’s security measures.
Government is failing us there, too. While there have been more high-profile indictments and even somewhat more prosecutions of hackers, the government lacks the resources to attribute most network compromises. A single large financial institution probably spends more on static network defense than the entire Federal Bureau of Investigation and Justice Department spend investigating intrusions nationwide.
Worse, the Justice Department and FBI have been spending at least some of those scarce resources trying to stop victims from going beyond static network defense, claiming that deploying active defenses that might have an effect outside the victim’s network is legally questionable under the Computer Fraud and Abuse Act (CFAA). Corporate network defenders know that they can’t defend their way out of the current crisis. More needs to be done to identify and deter attackers who, today, act with impunity.
More Effective Attacker Retribution Needed
We need, in short, a more effective method to attribute attacks—and more effective retribution for the attackers. That means taking another look at the laws and policies that have discouraged private companies from taking any active steps to attribute and deter intrusions. This could mean any number of measures. It might mean building “beacons” into documents so that when they are opened by attackers, they phone home to alert defenders that their information was compromised. It might mean using information provided by beacons to compromise the attackers’ network and gather evidence as to the attackers’ identities. It might mean stopping a DDOS attack by taking over the botnet, or by patching the vulnerability by which the botnet conscripted third-party machines.
We need a more effective method to attribute cyber attacks—and more effective retribution for the attackers.
Opponents call this “hacking back,” and they conjure dire consequences, such as the accidental shutdown of hospital intensive care networks, or massive retaliation against the United States because private actors have thwarted a state-sponsored intrusion. But network defenders aren’t forced to choose between huddling at home, waiting to be attacked and launching the cyber equivalent of a thermonuclear exchange. There are many ways to improve both our attribution and our retribution tools without resorting to indiscriminate attacks.
For example, Jeremy and Ariel Rabkin recently offered an interesting essay showing the kinds of intermediate steps that victims could sponsor without risking World War III. In essence, the Rabkins suggest that the government license private forensic firms to travel outside victims’ networks to attribute attacks.
We already live in a world where private investigators with special authorities and responsibilities supplement the efforts of government. Private investigators arguably transformed the security debate in 2009 by exposing a sophisticated espionage program known as GhostNet that attacked the network of the Dalai Lama. Attribution has only gotten better since then. Drawing in part on the work of private forensics firms, the U.S. has been able to attribute major cyber attacks to Iran, North Korea and China. The more investigators we can deploy, the more attacks we can attribute, and that means drawing on the security budgets of private industry, not just the federal government.
Putting Teeth in Retribution Efforts
After attribution comes retribution. Here, too, the U.S. government has made progress. For example, the Executive Branch and Congress have proposed a “Strategy on Mitigating the Theft of Trade Secrets” as well as a “Joint Strategic Plan on Intellectual Property Enforcement,” calling for improved protections by “naming and shaming” countries that don’t take certain actions against hackers. Justice Department indictments, even if they never produce arrests, have changed the sense of impunity in hacking circles.
But again, government cannot do the job alone. We need to bring private resources to bear on retribution as well as attribution—not by endorsing network attacks, but by encouraging retribution within the law. Luckily, once an attack has been attributed, legal remedies begin to look quite realistic. Companies that have received their competitors’ trade secrets from hackers begin to look quite vulnerable. These companies often do business in the U.S., and they can be sued here under several existing statutes.
The CFAA offers a private right of action against both hackers and those who benefit from the hacking. The new federal Trade Secrets Act allows suits against those who use trade secrets that they knew or had reason to know were stolen. And the International Trade Commission can ban a product from the U.S. if it incorporates hacked trade secrets.
So, if you’re a corporate official whose network is under attack and you’re persuaded that active defense is the only approach that will work, what can you do now, under current law?
Don’t expect much comfort from the Justice Department or the FBI. They’ll say that active defense is at least arguably a violation of the CFAA. What they won’t tell you, though, is that the CFAA exempts actions taken under law enforcement authority. Not federal law enforcement authority. Any law enforcement authority. If you can find a sheriff or attorney general who’s willing to deputize your forensics team, federal threats to invoke the CFAA lose most of their force.
In short, you don’t have to sit and take it anymore. There are plenty of risks in trying to go beyond passive network defenses, but there may be more risk in doubling down on an approach to network defense that has been failing ever more spectacularly for 30 years.
What’s the one argument in favor of hacking back best calculated to infuriate the State Department? It's been found by a father and son who wrote a thoughtful paper on the topic for the Hoover Institution. I interview them in episode 125 of the podcast. Jeremy Rabkin, a law professor at the Scalia Law School, and his son, Ariel Rabkin, a computer scientist out of Berkeley, have the expertise to deal gracefully and concisely with the policy debate over hacking back. Their proposal charts a middle ground while cheerfully mocking State’s hand-wringing about the international consequences of permitting hacking victims to act outside their networks. Bonus feature: lifetime career advice from yours truly!
In the news roundup, Michael Vatis covers Microsoft’s surprising Second Circuit victory over the Justice Department in litigation over a warrant for data stored in Ireland. The hidden issue in that case was data localization – the same issue driving the Justice Department’s new legislative proposal to allow foreign nations to obtain information from US data repositories. That proposal is unpacked by special guest David Kris, former Assistant Attorney General for National Security and author of the treatise, National Security Investigations and Prosecutions.
In other news, LabMD has found yet another defendant in its campaign against Tiversa. Michael discusses what may be the first judicial decision requiring a warrant to use a Stingray to locate a criminal suspect. And HHS tries to achieve a plausible policy goal with an overreaching legal interpretation; as Michael explains, the result could be massive unintended consequences.
In quick hits: more evidence that foreign nations are targeting our energy grid, FDIC engages in a surprisingly successful breach cover-up, a Chinese browser sends data back to China unmolested (all because we still haven’t funded the Europocrisy Prize, I argue), and the cyberwar on ISIS is going slowly, mainly, I argue, because cyberwar on ISIS is not all that good an idea.
Edward Snowden criticizes Russia’s mass surveillance law, and a Russian official retaliates by outing him ‒ as a Russian intelligence source. Silent Circle, the phone company that built its marketing on fear and loathing of the NSA, is nearing bankruptcy. Members of the dominant European Parliament faction are asking the Commission, “Hey! How come you keep demanding more data export and privacy concessions from the US without asking for bupkis from China?” And the FBI now has three politically viable paths to win back authority to obtain electronic communications transaction records with a National Security Letter.
Truly, episode 123 feels like a reward for living through 2013.
In other news, Alan Cohn and Katie Cassel report on the Bank for International Settlements’ surprisingly sophisticated cybersecurity standards. I whinge about Bob Litt’s 18 pages of binding commitments to Europe on how the US will conduct intelligence from now on. Alan and I compliment CBP on its technical savvy in easing border clearance ‒ and ponder the role of stools in protecting the homeland.
I report that Belgian courts have reversed a verdict by the local DPA against Facebook, and Maury Shenk comments on broader implications for EU data protection. Katie notes that FTC commissioner Maureen Ohlhausen continues to tout the advantages of her agency’s “flexible” privacy and security standard and to diss the FCC’s more explicit approach. I mock the ACLU for demanding the right to violate criminal law to get information from private companies and ask if I can do the same to get the ACLU to answer my Twitter questions about whether it provides real security for its clients. And Maury reports that China is still rolling out new internet regulations, from online search standards to where to store Chinese citizens’ personal data (China, natch).
Was Iran’s cyberattack bricking vast numbers of Saudi Aramco computers justified by a similar attack on the National Iranian Oil Company a few months earlier? Does NSA have the ability to “replay” and attribute North Korean attacks on companies like Sony? And how do the last six NSA directors stack up against each other? Those and other questions are answered by our guest for episode 122, Fred Kaplan, author of Dark Territory: The Secret History of Cyber War.
In the news roundup, we explore the British corollary of the Pottery Barn Rule: “You Brexit, you own it.” As the UK and the EU struggle to deal with fallout from the historic UK vote, all the incentives seem to be in place for the EU to do what it does best: vindicate the worst instincts of the European elite. In the name of deterring other departures, the EU is unlikely to offer the UK much in the way of concessions. On data protection, for example, Maury Shenk points out that the UK will likely have to keep its current law -- and adapt to the new regulation -- just to avoid a claim that British privacy law is inadequate.
In other news, DHS has released final guidelines for protecting privacy while sharing cyber threat information; I think they’re pretty good.
Michael Vatis and I also puzzle over the dicta adopted in a recent EDVA opinion that the utter insecurity of personal computers leaves users without a reasonable expectation of privacy and allows the FBI to use hackers’ tools without a warrant. I love it when a district court stakes out territory that makes even me feel like a civil libertarian.
The FTC drops a heavy fine on inMobi. Michael points out the much heavier weaponry that COPPA allows the Commission to deploy in privacy cases that involve children. But we have trouble mustering much sympathy for inMobi.
Finally, we’re still trolling for listener feedback on whether we should go to the trouble of trying to arrange CLE credit for listening to the podcast. Based on reaction so far, we won’t. So if you’d like to get CLE credit for the podcast, it’s time to send your vote to CyberlawPodcast@Steptoe.com.
As always, the Cyberlaw Podcast welcomes feedback. Send e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.