Skating on Stilts

Are Russian hacker-spies a bunch of lethargic government drones more interested in smash-and-grabs than stealth?  That’s one of the questions we pose to Mikko Hypponen in episode 86 of the podcast (right after we ask about how to pronounce his name; turns out, that’s harder than you think).  Mikko is the Chief Research Officer at F-Secure and a long-time expert in computer security who has spoken and consulted around the world for over 20 years.  His company recently published a lengthy paper on Russian government cyberspies, which F-Secure calls “the Dukes.”  Mikko describes the Dukes’ targets and tactics, including a remarkably indiscriminate attack on a Tor exit node.  I press him on whether attribution is really getting better.

Mikko also joins us for the news roundup, where we do a damage assessment from the ECJ’s Safe Harbor demolition and I critique Brad Smith’s implausible solution to the transatlantic data rift.  We explain why Israel has decided to cut off data transfers to the U.S. (hint:  it’s not concerns about aggressive counterterror surveillance) . 

And I wonder whether the House of Representatives passage of the Judicial Redress Act makes Jim Sensenbrenner the abused spouse of the European Commission (“I was going to give you this nice cause of action for your citizens when you slapped me upside the head with the Safe Harbor ruling.  So, uh, here it is anyway.  Now do you love me?”).

CISA comes to the floor at last.   I scope the pending amendments.  Two of them would greatly increase the “privacy tax” on information sharing; the only good thing about Sens. Wyden and Heller’s proposals is how much business it will create for lawyers.   Sen. Franken has an amendment that strips the mask from the privacy lobby.   The privacy groups that support the Franken amendment aren’t just pro-privacy, they’re anti-security.   The amendment would prevent companies from sharing information that might disclose a security risk and require instead an individualized determination that the signature makes a compromise “reasonably likely.” The fight over the Cotton amendment to allow sharing with the FBI or Secret Service rather than DHS, meanwhile, looks like a turf fight disguised as a privacy issue.

In other news, we absolve CIA director Brennan of accusations of bad security in his email hack.  And in the back of the paper, where the dog-bites-man stories go, CrowdStrike finds that Chinese cyberspies haven’t yet stopped stealing commercial secrets. 

As always, the Cyberlaw Podcast welcomes feedback.  Send an e-mail to [email protected] or leave a message at +1 202 862 5785.

Download the eighty-sixth episode (mp3).

Want to see cyber attribution and deterrence in action? In August, a hacker pulled the names of US military personnel and others out of a corporate network and passed them to ISIL. British jihadist Junaid Hussain exulted when ISIL released the names. “They have us on their ‘hit list,’ and we have them on ours too…,” he tweeted. On the whole, I’d rather be on theirs. Two weeks after his tweet, Hussain was killed in a US airstrike, and two months after that, the hacker who obtained the list was arrested in Malaysia (subscription required) on a US warrant.

We explore that story and more with Gen. Michael Hayden, the only person to serve as both Director of the National Security Agency and of the Central Intelligence Agency. Gen. Hayden explains why he differs with FBI director Comey on encryption and with the European Court of Justice on whether the US sufficiently respects privacy rights, along with other topics.

Our news roundup dwells again on the ECJ’s decision and the Article 29 Working Party press release on the decision, a release characterized by far more bold font than bold thinking. In other news, magistrates are revolting again, or maybe still, as Magistrate Judge Orenstein hints that Apple’s desire to thwart law enforcement should trump law enforcement’s interest in getting evidence off a locked phone.

Cyber insurance rates are rising, raising questions about who should be covered and whether insurance companies will do the security regulating the government is reluctant to do.

Meanwhile, we’re treated to dueling Wassenaar leaks from government.  State says the intrusion software language will be revised not rewritten, while Commerce insists nothing is decided (subscription required).  There’s really nothing like the last year of an administration, when every agency has its own policy agenda – and apparently its own spin room. If there were any doubt about whether Commerce is right to want an explanation from the Europeans about how (or, more accurately, whether) they’re enforcing this provision, Citizen Lab provides it with a new report showing that the surreptitious access tool sold by Europe’s FinFisher is present in more than 30 countries, not all of whose civil liberties laws meet a standard set by the United States – or even the lower bar set by the European Union.

As always, the Cyberlaw Podcast welcomes feedback.  Send an e-mail to [email protected] or leave a message at +1 202 862 5785.

Download the eighty-fifth episode (mp3).

In episode 84 our guest is Jack Goldsmith, Professor at Harvard Law School, a Senior Fellow at the Hoover Institution at Stanford University, and co-founder of the Lawfare blog.  Before coming to Harvard, he served as Assistant Attorney General, Office of Legal Counsel and Special Counsel to the Department of Defense.  From cyberespionage to the right to be forgotten and the end of the Safe Harbor, we explore the many ways in which a globalized economy has tied the US government’s hands in cybersecurity matters – and subjected the United States to extensive extraterritorial “soft power” at the hands of Europeans. 

 In the news roundup, the headline news is the continuing fallout from the ECJ’s attack on the Safe Harbor.  Michael Vatis and Maury Shenk bring us up to date.  Jason Weinstein explains why the latest convicted hacker thinks he should be a civil liberties hero/victim – and how weev has found yet another outlet for his bitterness at DOJ

 Michael Vatis explains DOD’s latest cybersecurity rules for contractors.  We conclude that DOD is boldly going where no agency has gone before – mandating cybersecurity with traditional command and control regulation.  It’s an experiment that many will be watching.

 And in another turnabout, banks have discovered the joys of bringing a plaintiffs’ class action – against Target for its credit card breach.  We ask whether this means they’ll join the plaintiffs’ bar to oppose further class action reform.   Jason also explains the latest ruling in a data breach claim against Coca Cola.

 And the White House has made a decision on whether to seek legislation on law enforcement access to encryption.  The memo offered three options: 

1.  Don’t seek legislation and brag about it.

2. Don’t seek legislation and keep hoping for help from Silicon Valley.

3.  Continue the current course of not seeking legislation.

 To no one’s surprise, the White House has chosen not to seek legislation.

 Also to no one’s surprise but almost everyone’s embarrassment, Judge Leon is still stumping relentlessly after his white whale, the NSA section 215 program, crying “You can’t die!  I haven’t had a chance to kill you yet!”  It looks like the program won’t be the only thing put out of its misery by the end of November.

 Speaking of which, our intro music has been put out of its misery after 83 episodes and not a few complaints.  Thanks to all who voted to help us choose a new theme song. And thanks especially to Jason Weinstein’s son, who won the contest going away.

 As always, the Cyberlaw Podcast welcomes feedback.  Send an e-mail to [email protected] or leave a message at +1 202 862 5785. 

 Download the eighty-fourth episode (mp3).

 Subscribe to the Cyberlaw Podcast here.  We are also now on iTunes and Pocket Casts!

Bruce Schneier joins Stewart Baker and Alan Cohn for an episode of the podcast recorded live in front of an audience of security and privacy professionals.  Appearing at the conference Privacy.Security.Risk. 2015., sponsored by the IAPP and the Cloud Security Alliance, Bruce Schneier talks through recent developments in law and technology.

The three of us stare into the pit opened by an overwrought (and overdue and overweening) European Court of Justice advisor.  If the European Court of Justice follows his lead (and what seems to be its inclinations), we could face a true crisis in transatlantic relations.

VW’s decision to hack its own emissions control software leads to a deep dive into the internet of things that lie to us, the value (or not) of open source, and whether plausible deniability is the next skill that programmers will have to learn.

We also talk China, the OPM hack, and the unique value and unique vulnerability of biometric authenticators.  Bruce and Alan dig into the proposed export control rules for intrusion software; when they’re done, so is the case for the rules.  The right to be forgotten leads to an exploration of when we should delegate law-making to private companies.  I promise a detailed analysis in the future of Google’s law-making to date, and hint that it will not make us more fond of private and hidden law making.

Finally, I ask a hard question about Edward Snowden that no one has asked since he first burst on the scene:  Is he so in the tank for the Digital Millennium Copyright Act that he can’t imagine intelligent life anywhere in the universe without it?

As always, the Cyberlaw Podcast welcomes feedback.  Send an e-mail to [email protected] or leave a message at +1 202 862 5785.  More importantly, we need feedback on whether to replace our theme music, and with what.  Please take a listen to the samples at www.steptoe.com/cybermusic and vote for your favorite.  Voting closes on October 9.

Download the eighty-third episode (mp3).