Skating on Stilts

In this episode, Brian Egan and I deconstruct the endlessly proliferating “FISA 702 Reform” bills, from the irresponsible House Judiciary bill to the “I’ll see your irresponsible and raise you crazy” bipartisan extremist bill beloved of Sens. Wyden and Paul (which at least deserves praise for truth in advertising:  what better designation for a bill that takes us back twenty years to the pre-9/11 era than S.1997?). Even the relatively restrained Senate Intelligence bill takes fire for its, ahem, “creative” approach to FBI searches of 702 data.  Brian does not share my distaste for all of the options, but agrees that the cornucopia of 702 proposals makes it even more unlikely that anything other than a straight-up short-term reauthorization can be passed before the end of the year. 

In other legislative news, CFIUS reform is also in the air, and Sen. Cornyn's carefully scripted rollout has begun. In her podcast debut, Alexis Early unpacks this complex bill. Need a one-word explanation? China. The bill tries to block all of the avenues China is believed to have traveled in its pursuit of US technology over the last decade. We also discuss how the bill would remove the veneer of “voluntariness” from at least part of the CFIUS process, which could impact a range of filers – particularly US technology companies seeking foreign investment.

Meanwhile, if you’re looking for confirmation that privacy is really just another name for protecting privilege, Twitter is apparently eager to provide it. Even as criticism and warnings about Russian misuse of Twitter to divide Americans and “diss” Hillary Clinton were rolling in last summer, the Russians were busy deleting their phony posts, and Twitter was right there to help. The company told even independent researchers who had saved Russian posts that the researchers had to delete any post that Twitter was deleting (which seems to be anything that the Russians deleted). This of course made it hard to criticize Twitter’s policies on foreign government trolling, since the evidence was gone, but the justification that Twitter offered was, naturally, privacy. Maybe the company’s privacy policy should come with a slogan: “Privacy: Good for you. Better for us.”

Of course, Twitter claims that it has to force the deletion of inconvenient tweets because of EU data protection policy. And indeed, European exceptionalism on the privacy front was front and center last week, with the European Parliament’s approval of a draft ePrivacy directive that law enforcement will hate, an unfavorable opinion on how many data protection authorities can regulate Facebook (clue: all of them), and an absolutely undecipherable explanation from the Article 29 working party of European restrictions on automated decision-making (my translation: “If you use AI in your business and we don’t like you, you’re toast.”). Maury Shenk provides a less jaundiced summary of these developments.

We do quick hits on Kaspersky’s defense, which looks more like it was designed to embarrass the US than to exonerate the company, on Microsoft’s eagerness to drop its gag order lawsuit in response to a change in DOJ policy, and on the FBI’s claim that encryption is now defeating half of the phone searches it tries to do. 

Our interview is with Chris Painter, the State Department’s top cyber diplomat under President Obama. He offers candid views about the Tillerson reorganization, which pushes his old office deeper into the “deep State” bureaucracy. He also assesses what went right and wrong for cyber diplomacy on his watch, and what the US should be doing going forward. Brian Egan referees as Chris and I have what the State Department might call a “frank and candid exchange of views.”

Mark your calendars for November 7^th when we will gather for a live taping of a special episode on Election Cybersecurity at our Dupont Circle offices here in DC. To register please visit the Events page of our website at steptoe.com.

As always The Cyberlaw Podcast is open to feedback. Send your questions, suggestions for interview candidates or topics to [email protected] or leave a message at +1 202 862 5785.

Download the 188th Episode (mp3).

Subscribe to The Cyberlaw Podcast here. We are also on iTunes, Pocket Casts, and Google Play (available for Android and Google Chrome)!

I had a chance to interview Tom Bossert, President Trump’s Homeland Security Adviser, and we’re releasing the conversation as a bonus episode of the Cyberlaw Podcast.

The talk ranges from the Peggy Noonan Rule for White House staff work to the vast improvement in West Wins carpeting before we turn to the main topic – a looming deadline for renewing authority for FISA section 702.  Tom is deeply familiar with the issues in the debate over 702. He stands by the administration’s position that 702 should be renewed without amendment and without a sunset but he discusses with nuance the many legislative proposals for changing the program as well.  Finally, we talk about the executive order that unleashed a flood of internal reports on empowering DHS to protect the US government’s systems, measures to protect critical infrastructure, and the administration’s hunt for a new cyberspace deterrence strategy.

Coming soon: Mark your calendars for November 7th when we will gather for a live taping of a special episode on Election Cybersecurity at our Dupont Circle offices here in DC. To register please visit the Events page of our website at steptoe.com.

As always The Cyberlaw Podcast is open to feedback. Send your questions, suggestions for interview candidates or topics to [email protected] or leave a message at +1 202 862 5785.

Download the 187th Episode (mp3).

Subscribe to The Cyberlaw Podcast here. We are also on iTunes, Pocket Casts, and Google Play (available for Android and Google Chrome)!

Our interview is another in our series on section 702 reform, featuring Mieke Eoyang of the National Security Program at Third Way and Jamil Jaffer of George Mason University and IronNet Security.  They begin with the history of the program but quickly focus on proposals to require warrants for FBI criminal searches of already collected 702 data, which Mieke broadly supports and Jamil broadly opposes.  The debate ends up in a surprising place -- Las Vegas.  Because the shootings there raise the question, "Are we really going to make the FBI wait for a warrant before it checks its own 702 database to see whether Stephen Paddock has been in communication with terror groups and what he's been saying?" 

In the news roundup, Jim Lewis of the Center for Strategic and International Studies and Brian Egan nerd out with me on the DOD's objections to section 1621(f) of the National Defense Authorization Act.  Neither Jim nor Brian finds them persuasive.

I give a preview of my plans to celebrate Halloween as a Russian Twitter troll, and Jim predicts that the main fallout from the entirely predictable Russian use of Twitter will be on Silicon Valley:  What I call the Magaziner Consensus, already dying abroad, is starting to look a little peaked here at home.             

Meanwhile, the North Korean hackers are still robbing banks, semisuccessfully.  And, remarkably, they're finding studios even more willing to cave to cyberblackmail than Sony.  It turns out Nork hackers apparently were able to kill a BBC show they found objectionable. Jim insists that these kinds of attacks tell us more about the calculating rationality of Kim Jong Un than his craziness. And, since Kim's getting away with both kinds, maybe Jim is right.

I riff on the latest in sex toy security, introducing our audience to an entirely new internet vocabulary.  Though I'm not sure that "Make screwdrivers, not wardrivers" will ever outpoll the original.

Also, the medical profession seems to be putting its collective head in the sand about medical device security. Jim is sure that liability for producers — and for doctors — will solve that problem before Congress does. Knowing the FDA's shaky grasp of the issue, I’m not so sure. 

Finally, Brian reports that the EU's first Privacy Shield report found US data protection practices "adequate" under EU law.  He thinks it's because the administration is taking the EU process seriously; I think it's because the EU is taking President Trump seriously — and has decided he's not someone whose adequacy you want to question lightly. 

As always The Cyberlaw Podcast is open to feedback. Send your questions, suggestions for interview candidates or topics to [email protected] or leave a message at +1 202 862 5785.

Download the 186^th Episode (mp3).

Subscribe to The Cyberlaw Podcast here.  We are also on iTunes, Pocket Casts, and Google Play (available for Android and Google Chrome)!

This episode features an interview with Mårten Mickos, the CEO of HackerOne.  HackerOne administers bug bounty and vulnerability disclosure programs for a host of private companies as well as DOD’s “Hack the Pentagon” program.  Mårten explains how such programs work, how companies and agencies typically get started (with “vulnerability disclosure” programs), the legal and other assurances that companies need to provide to ensure participation, and the role that bounty administration firms play – from hacker reputation management to providing a kind of midnight basketball tournament for otherwise at-risk fourteen-year-old boys.  (And they are boys, at least 98% of them, an issue we also explore.)  Along the way, there’s even unexpected praise for the Justice Department’s Computer Crime Section, which has produced a valuable framework for vulnerability disclosure programs.

As always The Cyberlaw Podcast is open to feedback. Send your questions, suggestions for interview candidates or topics to [email protected] or leave a message at +1 202 862 5785.

Download the 185th Episode (mp3).

Subscribe to The Cyberlaw Podcast here. We are also on iTunes, Pocket Casts, and Google Play (available for Android and Google Chrome)!

Today’s news roundup features Shane Harris of the Wall Street Journal, Brian Egan, and Alan Cohn discussing stories that Shane wrote last week.  Out of the box, we work through the hall of mirrors that the Kaspersky hacking story has become.

The Russian hacking story is biting more companies than just Kaspersky.  Turns out that Twitter deleted all the Russian trolling accounts and tweets when the Russians asked them to.  Because privacy!  I put in a plug for the rule that privacy always somehow ends up protecting the powerful – in this case Vladimir Putin and, of course, Twitter itself. 

We also cover another Wall Street Journal story detailing North Korea’s use of (another) antivirus product to hack South Korea’s military – and US war plans. 

Alan unpacks the Trump Administration’s most detailed statement to date on law enforcement and technology -- Deputy AG Rosenstein’s far-ranging speech on the topic.

Alan and I also touch on the emerging fight over 702 – and the media’s evergreen and credulous “discovery” that the far left and far right are surprisingly close on surveillance issues.

Alan spells out the case for Kirstjen Nielsen as Homeland Security Secretary, along with what some of her detractors are saying. 

While Brian lays out the explosive theory behind the latest effort to tag Google and other social media giants with liability for assisting ISIS. 

We close with two short hits.

I ask why, if Pornhub’s technology is that good, they’re starting with facial recognition. 

And I can’t help noting that, for a while at least, security icon Apple thought that the best password hint was … the password itself! Thanks, Tim Cook! We’ll keep that in mind the next time you argue that the ability to hack every iPhone on the planet should be left with you and not the FBI.

As always The Cyberlaw Podcast is open to feedback. Send your questions, suggestions for interview candidates or topics to [email protected] or leave a message at +1 202 862 5785.

Download the 184th Episode (mp3).

Subscribe to The Cyberlaw Podcast here. We are also on iTunes, Pocket Casts, and Google Play (available for Android and Google Chrome)!

Richard Danzig, former Navy Secretary and a serious defense and technology thinker, speaks to us about the technology tsunami and what it means for the Pentagon.  Among the risks:  lots more accidents, some of them catastrophic, and “emergent” interactions among systems that no one predicts or prepares for.  He calls for the Department of Defense to spend more time thinking about ways in which our weapons might kill us without any enemy action.  Along the way, we ask the hard questions, including whether Kim Jung Un will use gene therapy to make his people smarter, dumber, or better basketball players.

In our news roundup, the House Judiciary Committee has struck the first blow in the 702 renewal debate. Paul Rosenzweig and I assess its bill and end up concluding that it does less damage to national security than expected, except for the unfortunate decision to sacrifice the possibility of conducting “about” collection.

Meanwhile, a turf fight inside Treasury has gotten vicious, with FinCEN lobbing (and leaking) “intelligence scandal” epithets at its sister Office of Intelligence and Analysis.  Brian Egan doesn’t seem surprised by the fighting, while expressing skepticism about the likelihood of a real scandal. In the words of our President, “Sad!”

Irish courts have unsurprisingly punted on the use of standard contracts clauses to export data to the US, Michael Vatis tells us.  The court has referred the hard issues to the European Court of Justice.

Speaking of sad, a third (or maybe a fourth) NSA staffer has taken Top Secret material home with disastrous results.  Kaspersky’s software seems to have been great at spotting the classified malware on the staffer’s machine. The result, Paul notes, is that the malware ended up in Russian government hands, and Kaspersky’s reputation is toast in the West.  Maybe it’s just a coincidence or maybe Kaspersky has given up wooing the West, but its latest report outs an unknown power that has been “piggybacking” on intrusions aimed at or run by Russian and Chinese hackers.

Finally, Brian discusses USTR’s use of the WTO to put a shot across China’s bow on that nation’s cybersecurity law.

As always The Cyberlaw Podcast is open to feedback. Send your questions, suggestions for interview candidates or topics to [email protected] or leave a message at +1 202 862 5785.

Download the 183rd Episode (mp3).

Subscribe to The Cyberlaw Podcast here. We are also on iTunes, Pocket Casts, and Google Play (available for Android and Google Chrome)!

Episode 182 features a panel of experts on attribution of cyberattacks. I moderated the panel at the Georgia Tech 15th Annual Cyber Security Summit in Atlanta on September 27, 2017. Panel members included Cristin Goodwin of Microsoft, Rob Knake of the Council on Foreign Relations, Hannah Kuchler of the Financial Times, and Kim Zetter, author of a 2014 book on the Stuxnet attack.

It’s a wide-ranging and compelling discussion of how we’re doing in attributing cyber intrusions and what more is needed in the field. Special thanks to Michael Farrell, Co-Director of Georgia Tech’s Institute for Information Security & Privacy (IISP) and the organizer of the Summit, for all the work and assistance that made this episode possible.

As always The Cyberlaw Podcast is open to feedback. Send your questions, suggestions for interview candidates or topics to [email protected] or leave a message at +1 202 862 5785.

Download the 182nd Episode (mp3). Subscribe to The Cyberlaw Podcast here. We are also on iTunes, Pocket Casts, and Google Play (available for Android and Google Chrome)!

Was the Equifax breach a nation-state attack? Nick Weaver parses the data, and I explore the surprising upside for Equifax if it was.

Twitter comes to Capitol Hill to talk Russian election interference; it goes home with a flea in its ear and plenty of homework to do. Stephen Heifetz and I ask why the Foreign Agent Registration Act could not be used to discipline nation states' use of social media.

Twitter isn't alone in getting sideways with the government. The Justice Department says that Google is defying court orders on disclosure of data -- while building a system to make compliance impossible.  Nick gives the company a chutzpah award.

Jim Comey is still taking hits from the Hill, months after his departure from public life. Sens. Wyden and Lee are hoping to call him a liar, and they'd like the DNI's help. The good news for Jim Comey is bad news for Section 702, since the attack on Comey is really a way of paving the ground for a major reduction in the kinds of intelligence collection the government can conduct using section 702.

Bet you never thought you'd hear the phrase "Bush-Obama Consensus," but the Trump administration's CFIUS policies are turning "BushObama" into a single word summary of the ancien regime. Stephen Heifetz makes these and other observations in laying out the latest from CFIUS's (2015!) annual report. What can we tell from it?

Finally, Nick and I explore his latest essay viewing the vulnerability equities process through a Vault7 and ShadowBrokers lens: What should the government do when it's pretty sure its critical hacking tools have fallen into enemy hands?

As always The Cyberlaw Podcast is open to feedback. Send your questions, suggestions for interview candidates or topics to [email protected] or leave a message at +1 202 862 5785.

Download the 181st Episode (mp3).

Subscribe to The Cyberlaw Podcast here. We are also on iTunes, Pocket Casts, and Google Play (available for Android and Google Chrome)!