Skating on Stilts

My latest venture in podcasting features a debate on attributing cyberattacks. Two guests, Thomas Rid and Jeffrey Carr, disagree sharply about how and how well recent cyberattacks can be attributed. Thomas Rid is a Professor of Security Studies at King’s College London and the author of Cyber War Will Not Take Place as well as a recent paper on how attribution should be done. Jeffrey Carr, the founder and CEO of Taia Global, remains profoundly skeptical about the accuracy of most attribution efforts in recent years.

I question both of them, relying heavily on questions supplied by attribution aficionados via Twitter. 

Among the questions we dig into:

• Why is cyber attribution is so controversial? Is it a hangover from the Iraq war? Snowdenista hostility to the US government? Or the publicity to be gained from challenging official attributions? 
• Is the use of secret attribution evidence inherently questionable or an essential tool for ensuring successful attribution? 

I also call out the security experts who heaped scorn on the FBI for its initial fingering of North Korea as the source of the Sony attack. Which of them recanted as the evidence mounted, and which ones doubled down? Details in the podcast.

 In the news roundup, Jason Weinstein and I are joined by Ed Krauland, who outlines the likely impact on technology trade of President Obama’s lifting of Cuba sanctions (short answer: not much).

I linger over the evidence that Europe has swung from hating US tech firms for being too cozy with government to hating them for not being cozy enough: the EU’s top counterterrorism official wants to prevent firms from selling unbreakable encryption, and the French government wants them to take down more terror-related online speech. Later, I spike the ball, pointing to a Pew poll showing that NSA is holding its own in American opinion since the first Snowden revelations and that young voters have a far more favorable view of the agency than those over 65.

In US privacy litigation, Jason tells us that the class action over CarrierIQ’s storage of phone records has gotten a haircut, as the court throws out wiretap claims against hardware makers, and that LabMD has lost yet another peripheral battle in its campaign to force the FTC to spell out exactly what security measures it expects from private companies. And we debate the significance of the revelations about DEA's Hemisphere Project.

Here's where to download the fifty-first episode (mp3). And you can subscribe to the Cyberlaw Podcast here. It is also now on iTunes and Pocket Casts.

I'd welcome feedback, either by voicemail (+1 202 862 5785) or email ([email protected]). 

And special thanks to the Twitterati: @langnergroup, @NateBeachW, @janwinter15, @pwnallthethings, and @marcwrogers, among others.

I occasionally report here on interviews that I’ve been doing for the Steptoe Cyberlaw Podcast.  This week’s guest is David Sanger, the New York Times reporter who broke the detailed story of Stuxnet in his book,  Confront and Conceal: Obama's Secret Wars and Surprising Use of American Power.  His appearance on the podcast is particularly timely because it allowed David to talk about his latest story for the Times.  The story recounts how North Korea developed its cyberattack network, and how the National Security Agency managed to compromise that network and attribute the Sony attack.  He explains that understanding the Obama White House helped him break a story that seemed to be about NSA and the FBI.  I explain why I think North Korean hackers resemble East German Olympic swimmers, and we meditate on the future of cyberwar.

For those who like such things, Michael Vatis and I also cover a news-rich week, beginning with capsule summaries of the President’s State of the Union proposals for legislation on cybersecurity information sharing, breach notification, and Computer Fraud and Abuse Act amendments.  We touch on Europe’s new commitment to antiterrorism surveillance, which officially puts a still-Snowden-ridden United States out of step with just about every developed nation.  I try to summarize the new National Academy of Sciences study on why there isn’t an easy software substitute for bulk collection.  (Short answer:  If you want to recreate the past, you have to bulk-collect the present.)

We ask whether the DEA was the inspiration for NSA’s 215 bulk collection program, call out Rep. Sensenbrenner, who evidently skipped the DEA briefings as well as NSA’s, and wonder why Justice didn’t explain to Congress last year that NSA’s program wasn’t that big a leap from the Justice Department’s own bulk collection – instead of quietly trying to bury its program when the heat built up on NSA.  (OK, we didn’t really wonder why Justice did that.)

If you judge by their joint press conference, Prime Minister Cameron seems to have done more to convert President Obama to skepticism about widespread unbreakable encryption than Jim Comey did.  Save your Clipper Chips, key escrow will rise again!

Finally, Centcom’s public affairs team, which can’t keep ISIS sympathizers out of its Twitter and YouTube feeds, deserves 24 hours of deep embarrassment, which is surprisingly exactly what it gets.

The Podcast welcomes feedback, either by voicemail (+1 202 862 5785) or email ([email protected]).

Download the fiftieth episode (mp3).

Subscribe to the Cyberlaw Podcast here. We are also now on iTunes and Pocket Casts!

I've got a short op-ed about returning American jihadis in the Room for Debate section of today's New York Times site.  Here's what it says:

Americans returning home from a foreign jihad pose a very real danger to this country, now and for years to come, as the Charlie Hebdo attacks reveal. One of the attackers, Cherif Kouachi, had been caught and convicted of trying to join the war in Iraq, and his brother may have trained with Al Qaeda in Yemen. Despite these warning signs, French authorities lacked the resources to keep watching the brothers.

Our law is even less suited to the threat than France's. We have not made it a federal crime for Americans to join the fight against a U.S. ally. And, like the French, we cannot afford to put 24-hour tails on every returnee. We could afford to conduct electronic surveillance of the returnees, but that would require specific evidence of a new plot here at home. And new plots, the Kouachis showed, are often easy to hide from the authorities.

Until we can distinguish the reformed from the continuing threats, the penalty for this new crime should at a minimum include years of probation and electronic surveillance.

These are gaps we should fix. It should be unlawful to join a foreign war against the United States or its allies. That doesn't mean that every returnee should go to jail. I like to think that many will find themselves disillusioned and repelled by the reality of life under Islamist rule. Some will become valuable sources of intelligence on their former comrades, others will simply want to live down a profound mistake.

But until we can distinguish the reformed from the continuing threats, the penalty for this new crime should at a minimum include years of probation and electronic surveillance. Under U.S. law, the government hasfar greater authority to search parolees than ordinary citizens, especially when the purpose of the surveillance is to ensure that the probationer is fully rehabilitated. So even if all prosecutions under the new law were to end in suspended sentences and long paroles, we would greatly cut the risk that the most dangerous of the returnees will evade government monitoring the way the Kouachis did.

Government policymakers have been hoping for twenty years that companies will be driven to good cybersecurity by the threat of tort liability.  That hope is understandable.  Tort liability would allow government to get the benefit of regulating cybersecurity without taking heat for imposing restrictions directly on the digital economy.  

Those who see tort law as a cybersecurity savior are now getting their day in court.  Literally. Mandatory data breach notices have led, inevitably, to data breach class actions.  And the class actions have led to settlements. And those freely negotiated deals set what might be called a market price for data breach liability, a price that can be used to decide how much money a company ought to spend on security.  

So, how much incentive for better security comes from the threat of data breach liability?  Some, but not much.  As I've been saying for a while, the actual damages from data breaches are pretty modest in dollar terms, and the pattern of losses makes it very hard to sustain a single class, something that forces up the cost of litigation for the plaintiffs.

You can see this pattern in recent data breach settlements.  I put this chart together for a talk on the subject at the Center for Strategic and International Studies. While the settlements below all have complications (Sony's settlement was mostly in free game play, for example), they all cap the defendants' total liability.  And what's striking about the caps is how low a price these agreements set, espectially on an individual basis, where $2.50 per victim looks to set the high end and 50 cents the low. Of course, to determine how much you spend annually to avoid that liability, a company would have to discount the settlement price by the probability of a breach in any given year.  Even Sony doesn't have a breach every year, so a probability adjustment cuts the value of avoiding liability to something between a half and a tenth. At those prices, I wouldn't expect much change in corporate cybersecurity budgets. 

(I know that these charts don't account for the biggest claims in cases like Target and Home Depot --  banks suing for the cost of reissuing credit cards.  That's a very different theory of liability mainly applicable to a limited number of big retailers.  In the end I doubt that liabilities to issuing banks will drive much cybersecurity either, not because the claims are low -- they're more likely to be in the $50 per card range -- but because establishing liability will not be all that easy and because things like tokenization will likely prove much cheaper than improving security.)

Maybe so. Compare this study:

A recent study conducted at the Norwegian University of Science and Technology has revealed that being born during a period of heightened solar activity can shorten our lifespan by over five years.

With this one:

The plot below ... shows the size of the biggest individual spots in each year between 1900 and 2000. Notable spots include the Great Sunspot of 1947, which was three times larger than [a 1991 sunstorm].