Skating on Stilts

This episode puts our experts on the spot with an election-eve question: Will foreign governments attack US electoral rolls or vote-counting machinery in 2018? Remarkably, no one on our panel (Matthew Heiman, Nick Weaver, David Kris, and I) thinks they will. So if you want cybersecurity news, you can stop listening to election coverage and tune in to Episode 238 of The Cyberlaw Podcast.

Our interview features Steve Rice (Deputy CIO for DHS) and Max Everett (CIO for the Department of Energy) and was originally taped at a session of the Homeland Security Week conference.

In the news, Nick evaluates the report that China hijacked the Border Gateway Protocol; he thinks we need more data. David agrees with me that one way to get the data would be a Justice Department subpoena.

Matthew Heiman explains why SCOTUS is skeptical of Google’s cy pres settlement that treated 129 million class members like bystanders at someone else’s party – and why that skepticism may not appear in US Reports any time soon.

Nick and David lay out the painful story of how failures in CIA communications with their assets may have severely compromised HUMINT operations in Iran and China.

Matthew and I talk about the string of right-wing killers in the past few weeks and the tech implications, including the defenestration of Gab and a lot of throat-clearing about amending Section 230 of the Communications Decency Act.

Matthew also explains, then casts doubt on, a Florida Appeals Court decision that rejects the “foregone conclusion” doctrine for compelled passcode disclosure.

After all the Internet-enabled vibrator stories we’ve covered on the podcast, I think we’re obliged by gender equity to cover this effort to use artificial intelligence to improve male sex toys. For those who may face confirmation before the Senate Judiciary Committee any time in the next decade, Nick explains that Markov chain techniques have nothing to do with the Devil’s Triangle.

More hostilities in the US-China Cool War: DOJ has indicted a Chinese-state owned company as well as UMC and three individuals for stealing trade secrets from US companies; and in a coordinated move, the Department of Commerce has placed limits on US businesses interacting with the Chinese company. I wonder whether the Cool War between China and the US is increasingly forcing big foreign tech companies to choose between the two as they develop new technology.

Download the 238th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Pocket Casts, Google Play, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with Stewart on social media: @stewartbaker on Twitter and on LinkedIn. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested interviewee appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The theme of this week’s podcast seems to be the remarkable reach of American soft power. Really. We elect Donald Trump, and suddenly everybody’s trolling.

The Justice Department criminally charges a Russian troll factory’s accountant, and before David Kris can finish explaining it, she’s on YouTube, trolling the prosecutors with a housewife schtick.

She’s not alone. Faced with the news that President Trump is using a commercial iPhone for many of his calls – and, Nate Jones points out, getting wiretapped by China, Russia, and others as a result – China has a suggestion that scores at the top of the POTUS Troll Scale.

Tim Cook, meanwhile, goes to Europe to troll Android – and me – with a speech that pushes all my buttons: Europhilia, Apple sanctimony in pursuit of profit, and blind enthusiasm for privacy regulation. But at the end of the day, it's just another Apple-bites-Android story. 

Last in the troll parade comes what can only be described as the understated trolling deployed by the British government when it was asked by the Belgians to investigate whether a Belgian ISP might have been hacked by GCHQ. 

This week’s interview is with Dr. Dipayan Ghosh, Pozen Fellow at Harvard’s Shorenstein Center and co-author of a new report, “Digital Deceit II: A Policy Agenda to Fight Disinformation on the Internet.” It's an interesting mix of good insights and warmed-over Obama-era nostalgia (Carly Rae Jepsen makes a brief appearance). Dipayan and I tangle on privacy but struggle toward common ground on how to limit the power of the Big Platforms. He’s open-minded and flexible about the details of his proposal, so for fans of civil policy debate who are worried about where the platforms’ dominance and ad revenue are taking us, this episode is a keeper.

More news: Why would a Russian technical institute design malware used in an effort to sabotage a major petrochemical plant in Saudi Arabia? Nate Jones lays out the story. Originally suspected of being an Iranian operation, the attack may have originated in Iran, but FireEye persuasively links the underlying (and flawed) malware to Moscow. One possibility is that it’s a Russian false flag job, minus the embarrassing GRU operatives and their Uber receipts. My guess, though, is that the Russian institute is just amortizing malware development costs by selling off exploits developed for the GRU. If so, this may turn out to be another slow motion disaster for the thugs in the Aquarium.

In other news, Yahoo settled a class action over the enormous breach affecting 200 million people and three billion accounts. The price of that settlement? After the lawyers have been paid, the settlement works out to about 25 cents per victim. Seems pretty cheap to me.

For a brief moment, reality has descended on the left coast. It looks like California isn’t eager to get a judicial ruling on its campaign to nullify federal net neutrality law.

In the UK, Facebook is fined the maximum under pre-GDPR law, for what the privacy agency calls a failure to protect personal data from Cambridge Analytica – or, more likely, for the unspeakable crime of not having prevented the election of Donald Trump. And now that GDPR is in effect, the bien pensants of Europe have served notice; failure to prevent the President’s re-election will cost Silicon Valley billions.

Finally, what goes around comes around for the Uber “bounty” hackers. David and I think that this story pretty much answers the question whether they were just confused bounty hunters or extortionists with a clever line of patter.

Download the 237th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Pocket Casts, Google Play, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with Stewart on social media: @stewartbaker on Twitter and on LinkedIn. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested interviewee appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

In this week's interview we ask whether the midterm elections are likely to suffer as much foreign hacking and interference as we saw in 2016. The answer, from Christopher Krebs, Under Secretary for National Protection and Programs Directorate (soon to be the Cybersecurity and Infrastructure Security Agency), is surprisingly comforting, though hardly guaranteed. Briefly, it’s beginning to look as though the Russians (and maybe the Iranians) are holding their fire for the main event in 2020.

In the News Roundup, Maury Shenk highlights the role of Twitter, trolls, and Saudi royals in the Khashoggi killing. He also explains the apparently ridiculous result in the EU Android competition matter. It may be a case of Google giving the EU what it asked for – good and hard.

Terry Albury certainly got it good and hard from a federal judge. He was sentenced to four years in prison for leaking classified documents to The Intercept. Jamil Jaffer explains why Albury’s claim of being a whistleblower didn’t win him much relief. I suggest that maybe the only people willing to read Intercept articles to the end are federal agents trying to find clues to the leakers’ identities; whatever they’re doing, it’s working.

Maury and I marvel over the flood of venture capital money into China – and a potential ebb tide for Chinese money in Silicon Valley.

Jamil explains the latest SEC report flagging the cost of email fraud; nine firms lost $100 million to cyberfraud.  And to add insult to injury, the SEC hints broadly that future victims may be tagged for violating SEC accounting standards, which should be sufficient to prevent such fraud.

I point to the ABA’s recent ethics opinion mandating breach disclosure to clients – and quite a bit more. Maury instructs me on the question of whether putting names on doorbells violates GDPR. Vienna says yes; Germany, no. Maury is sure the Germans have this right.

Finally, I update listeners on the Equifax data breach engineer who figured out that his company must have been breached and traded on his suspicion. In an act of relative mercy for the clueless engineer, he was fined and sentenced to eight months of home confinement.

Download the 236th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Pocket Casts, Google Play, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with Stewart on social media: @stewartbaker on Twitter and on LinkedIn. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested interviewee appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

Today we interview Doug, the chief legal officer of GCHQ, the British equivalent of NSA. It’s the first time we’ve interviewed someone whose full identify is classified. Out of millions of possible pseudonyms, he’s sticking with “Doug.” Listen in as he explains why. More seriously, Doug covers the now-considerable oversight regime that governs GCHQ’s intercepts and other intelligence collection, Britain’s view of how the law of war applies in cyberspace, the prospects for UN talks on that topic, the value of attribution, and whether a national security agency should be responsible for civilian cybersecurity (the UK says yes, the US says no).

In the news, Nick Weaver and Matthew Heiman comment on the undying dumpster fire that is Bloomberg’s Chinese supply-chain-attack story. We may not know for sure whether the story is bogus, at least not for a while. But it’s not too late, I argue, to fund a journalist version of the Ig-Nobel Prize. Call it the Bullitzer, for the story with the most potent mix of consequences and BS. Right now, Bloomberg is definitely in the running.

Matthew tells us that Treasury has announced its CFIUS pilot program, which will require the filing of notices for Chinese acquisitions in 27 critical industries. I argue that this is one more sign that a predisposed bureaucracy has made President Trump a transformational president in terms of relations with China.

Speaking of bureaucratic predispositions, DOJ is carrying out its predisposition to haul Chinese spies into court. What’s remarkable is that it was able to do that from across the Atlantic. While not a cyberespionage case, the recent arrest and extradition of an accused Chinese economic spy is easy to read as DOJ's answer to those who say that indictments of government spies are ineffectual and a sign of weakness.

Everybody’s going to have to choose sides as Trump and Xi continue on their collision course. Except Google. At least according to Google, which bailed out of a Pentagon program because it didn’t meet Google’s values --oh, and because Google had no chance of winning the contract. Talk about virtue signaling on the cheap!

The EU’s virtue signaling isn’t nearly as cheap, at least for Google, which is now appealing a massive EU competition fine. I can’t help wondering who the hell uses Google Shopping to buy stuff; the EU fine feels like it must be $1 billion for every Google Shopping search ever conducted.

Nick reports on two troubling government reports. He believes one — worrying about the cybersecurity of DOD weapons systems . He’s less impressed by White House concerns about the health of the defense industrial base, having recently done some “Buy America” electronics procurement himself.

Finally, in the latest dog-bites-man story, Vietnam will force local data storage despite Silicon Valley’s protests. Nick, Matthew, and I explore the continuing delusion of US foreign policymakers that the Internet must be borderless and open and free.

Download the 235th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Pocket Casts, Google Play, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with Stewart on social media: @stewartbaker on Twitter and on LinkedIn. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested interviewee appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

Bloomberg Businessweek’s claim that the Chinese buggered Supermicro motherboards leads off our News Roundup. The story is controversial not because it couldn’t happen and not because the Chinese wouldn’t do it but because the story has been denied by practically everyone close to the controversy, including DHS. Bloomberg Businessweek stands by the story. Maybe it’s time for the law, in the form of a libel action, to ride to the rescue.

Congress, astonishingly, has been doing things other than watch the Kavanaugh hearings. It produced a conferenced version of the FAA authorization including authority for DHS and DOJ to intercept drone communications and seize drones without notice or a warrant. This effort to get in front of dangerous technology yields the usual whines from the usual Luddite “technology advocates.” Meantime, Congress has also adopted a bill to change the name of DHS’s cyber and infrastructure security agency to, well, the Cybersecurity and Infrastructure Security Agency.

ZTE’s troubles continue, as a federal judge slammed the company for violating the terms of its probation. The judge extended ZTE’s probationary term and the term of its monitor – meaning the company now has two US monitors watching as it tries to rebuild its business.

The Trump Administration is following in the Obama Administration’s footsteps, Gus Hurwitz reports, trying to build consensus around norms for cyber conflict. I remain dubious, but at least this effort is limited to countries not actively engaged in cyber hostilities with the United States.

California has its own air pollution standards; why not its own net neutrality law? Probably because the FCC under Ajit Pai is not the EPA. Gus and I discuss whether any part of California’s law can withstand preemption.

The hits just keep on coming for the GRU, a formerly vaunted Russian intelligence service, which now can’t even keep secret the names of its most secret agents. Bellingcat, a private website, totally pantses the agency, outing not just its nerve agent operatives but 300 others for good measure. Piling on, the Justice Department indicts another batch of GRU operatives for hacking sports anti-doping authorities. Even Germany musters the courage to join the UK in fingering Russia for its cyberattacks while the mighty Dutch counter-hacking team joins in the sack dance.

Is the Turing test easier if you only have to convince Californians that you’re human? That may be the theory behind California’s SB 1001, making it unlawful for a bot to deceive a Californian about its botitude “in order to incentivize a purchase or sale of goods or services in a commercial transaction or to influence a vote in an election.”

More bad news for Justice in Silicon Valley, according to leaks from a court case in which the Department is rumored to have sought a court order forcing Facebook to cooperate in a wiretap of MS-13 members.

Finally, Dr. Megan Reiss reports, North Korea is apparently getting rich robbing banks. Surprisingly, though, it seems not to be robbing American banks. Yet.

Download the 234th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Pocket Casts, Google Play, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with Stewart on social media: @stewartbaker on Twitter and on LinkedIn. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested interviewee appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

In this news-only episode, Nick Weaver and I muse over the outing of a GRU colonel for the nerve agent killings in the United Kingdom. I ask the question that is surely being debated inside MI6 today: Now that he’s been identified, should British intelligence make it their business to execute Col. Chepiga?

On a lighter note, Uber is paying $148 million to state AGs for a data breach that apparently had no  adverse consequences and might not even have been a breach. That's a lot to pay just to show that the company is now under new and more responsible management.

About a year too late, a consensus of sorts is emerging among Republicans that Silicon Valley needs broad privacy regulation. The Trump Administration is asking for comment on data privacy principles. And the tech giants are pushing lawmakers for federal privacy rules. But the catalyst is an increasing need for federal preemption in the face of California’s new law, and the Dems who are expected to take the House will be hard to sell on preemption. So despite the emerging consensus, a logjam that lasts years could still be in our future.

The sentencing of an NSA employee for taking sensitive  hacking tools home – and getting them compromised by Kaspersky – leaves Nick with plenty of additional questions about the source of the tools disclosed by Russian proxies in recent years.

Evan Abrams gives us a summary of the NY AG’s report on virtual markets and cryptocurrency. Bottom line: New York is likely to pursue regulation with vigor.

Meanwhile, undeterred by NSA's inability to secure its own systems, West Virginia had embraced a mobile voting app for the 2018 election. Remarkably, despite its firm deployment of blockchain buzzwords, none of us thinks West Virginia has solved the security problem.

And in quick hits:

• The GRU is taking the “P” in APT way too seriously.
• A content moderator has sued Facebook, claiming that her job gave her PTSD. I think it probably did, but I doubt Facebook will be held liable.
• India’s Supreme Court has upheld, with limits, the government’s massive Aadhaar digital ID program.
• Facebook suffered a breach affecting 50 million user accounts and probably 40 million “log on with Facebook” accounts.  Will we hear about more?  Who knows?  We’re getting these facts piecemeal thanks to the EU’s dumb 72-hour deadline for reporting breaches under GDPR.
• President Trump says China is interfering in the 2018 elections. But unlike the Russian version, all of China’s fake news is on actual newsprint.
• Finally, a quick report roundup:
  • The EU is forcing Silicon Valley to restrict disinformation without actually defining, you know, disinformation. Probably because the EU doesn't want to admist that it thinks everything Trump tweets should be banned as disinformation.
  • DOJ’s otherwise pretty good best practices report sadly doubles down on hating hackback. Now with added rationales!
  • China is back to stealing our commercial secrets, but more quietly, think tanks report.
  • House AI report – pro: bipartisan; con: mostly content-free.
  • And here's yet another set of IoT security guidelines

Our guest is Peter W. Singer, co-author with Emerson T. Brooking of LikeWar: The Weaponization of Social Media. Peter’s book is a fine history of the way the Internet went wrong in the Age of Social Media. He thinks we’re losing the Like Wars, and I tend to agree. It’s a deep conversation that turns contentious when we come to his prescriptions, which I see as reinstating the lefty elite that ran journalism for decades, this time with even less self-doubt – and bolstered by AI that can reproduce elite prejudices at scale and without transparency.

In the News Roundup, Dr. Megan Reiss and Peter Singer join me in commenting on the White House and DOD cyber strategies. Bottom line: better than last time, plenty more room to improve.

God bless the Dutch. They’ve pwned Putin’s GRU again. In a truly multinational caper, as Nick Weaver explains, Dutch intel caught Russian spies planning cyberattacks on the Swiss institute that is investigating Russia’s nerve agent attack in Britain.

The downside of sanctions: China has joined with Russia in protesting sanctions on Russian weapons sellers that spilled over to the Chinese military. Maury Shenk and I worry about the risk that overuse of sanctions will create a powerful alliance of countries determined to neutralize the sanctions weapon.

Is it reckless to speculate that the gas fires in Massachusetts could be a cyberattack? I think it’s a fair question, to which we may not have the answer. Nick Weaver (mostly) persuades me I’m wrong.

Amazon finds itself in the sights of the European Commission over its dual role in hosting third party sellers. Maury explains why.

Putin’s enemies list, or a part of it, is disclosed when Google warns Senate staffers that their Gmail has been attacked. Maury and I congratulate Steptoe alum Robert Zarate for making the cut.

Looks like the Mirai botnet kids will be sentenced to help the FBI on cyber investigations.

And Megan sees the hand of Robert Zarate – now officially the Zelig of cyber conflict – in Marco Rubio’s letter to Apple asking why it was so slow to stop an app from sending American user data to China.

Download the 232nd Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Pocket Casts, Google Play, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with Stewart on social media: @stewartbaker on Twitter and on LinkedIn. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested interviewee appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

Our interview this week (in our new studio!) is with Hon. Michael Chertoff, my former boss at Homeland Security and newly minted author of Exploding Data: Reclaiming Our Cyber Security in the Digital Age. The conversation – and the book – is wide ranging and shows how much his views on privacy, data, and government have evolved in the decade since he left government. He’s a little friendlier to European notions of data protection, a little more cautious about government authority to access data, and even a bit more open to the idea of letting the victims of cyberattacks leave their networks to find their attackers (under government supervision, that is). It’s a thoughtful, practical meditation on where the digital revolution is taking us and how we should try to steer it.

The News Roundup features Paul Rosenzweig, Matthew Heiman, and Gus Hurwitz – whom we congratulate for his move to tenured status at Nebraska. We all marvel at Europe’s misplaced enthusiasm for regulating the Internet. This fall the Europeans returned from their August vacation to embrace a boatload of gobsmackingly unrealistic tech mandates – so unrealistic that you might almost think they’re designed to allow the endless imposition of crippling fines on Silicon Valley.

In the last week or so, European institutions have pretty much shot the regulatory moon: Matthew sets out the European Parliament’s expensive and wrongheaded copyright rules. Paul covers the European Commission’s proposal that social media take down all terror-inciting speech within one hour, on pain of massive fines. Gus discusses the European Court of Human Rights’ ruling that GCHQ’s bulk data collection practices fail to meet human rights standards, though they can be fixed without dumping bulk collection. And I marvel that France is urging the European Court of Justice, which needs little encouragement to indulge its anti-Americanism, to impose Europe’s “right to be forgotten” censorship regime on Americans and on other users around the world. That’s a position so extreme that it was even opposed by the European Commission. Gus explains.

In other news, Paul outlines the National Academy of Sciences’ report, offering a sensible set of security measures for American voting systems. We all unpack the new California IoT security bill, which is now on the governor’s desk. I predict that, flawed though it is, ten more state legislatures could adopt the bill in the next year.

This Week in Social Media Bias: Paul tells us that Twitter has found a deep well of hate speech in … the United States Code. I tell the ambiguous story of offering up my Facebook account to verify claims of social media censorship.  And Gus reports that the Left has discovered a problem with fact checking for social media posts; to their surprise, it doesn’t always work in their favor.

In closing, we quickly touch on the meltdown of the world’s biggest identity database and The Intercept’s endlessly tendentious article trying to make a scandal out of IBM’s face recognition software, which can apparently search footage by skin color.

Download the 231st Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Pocket Casts, Google Play, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with Stewart on social media: @stewartbaker on Twitter and on LinkedIn. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested interviewee appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

For those who've been waiting (and maybe hoping) that I'd be suspended from Facebook after I linked to infowars.com, we have an answer.

I began the experiment when a guy named Brandon Straka, leader of the conservative #WalkAway initiative, announced that he had been given a 30-day account suspension for linking from Facebook to his upcoming interview on infowars.  I couldn't believe Facebook was banning people for mentioning Alex Jones or his site, so I decided to put my own account at risk by doing the same. (If I were Cory Booker, I'd call it my "I am Spartacus" moment. But I'm not.)

A few hours later, with Straka getting a lot of clicks for his complaint, Facebook rescinded the ban, calling it a mistake. Straka claims Facebook didn't tell him the ban was lifted but did tell a hostile journalist, who then wrote a snarky article about the incident. 

So that's where things stand. Facebook's messages to Straka clearly show that his link to infowars triggered a 30-day suspension. Then the suspension was quickly reversed. Why? Presumably, whoever pulled the plug on Straka was overruled. But we don't know who issued the ban, or who lifted it, or why. Facebook apparently hasn't said anything publicly.

Lessons? First, now that being censored on social media is a surefire way to win conservative clicks, it's fair to assume that claims of censorship will proliferate, and not all of them will be true. Second, that doesn't mean they're all false, either. When it comes to the right, Silicon Valley almost certainly suffers from what the Valley used to call "epistemic closure" before the Valley embraced it. In that climate, "Sorry, mistake" isn't likely to mollify anyone.

So the right has good reason for its suspicion, and no way to get good evidence that might rebut it. To see if Alex Jones had indeed been turned into Voldemort, I had to put my Facebook account -- and a bit of my reputation -- at risk. And even then,  the fact that my account stayed up might simply show that the censors saw it as a trap that they were smart enough to avoid.

Bottom line: conservative concern about platform bias will continue to grow, and only radical transparency about platform standards and due process is likely to address that concern.

We are fully back from our August hiatus, and leading off a series of great interviews, I talk with Bruce Schneier about his new book, Click Here to Kill Everybody: Security and Survival in a Hyper-Connected World. Bruce is an internationally renowned technologist, privacy and security commentator, and someone  whom I respect a lot more than I agree with. But his latest book opens new common ground between us, as we both foresee a darker future for a world that is digitally connecting things that can kill people -- without figuring out a way to secure them. Breaking with Silicon Valley consensus, we see security regulation in the Valley’s future, despite all the well-known downsides that regulation will bring. We also find plenty of room for disagreement on topics like encryption policy and attribution.

In the News Roundup, I ask Jamil Jaffer, Nate Jones, and David Kris for the stories that people who took August off should go back and read. Jamil nominates the fascinating-as-a-slow-motion-car-wreck story of Maersk’s losing battle with NotPetya. We speculate on whether the Russians caused $10 billion in worldwide damage by mistake or on purpose, and whether anyone other than a US government lawyer would call that indiscriminate attack a war crime.

David nominates the 179-page complaint against a North Korean hacker behind most of that country’s famous hacks. And, as a palate cleanser, the remarkable, score-settling, where-are-they-now story of the companies that challenged the FBI’s attribution of the Sony hack to North Korea.

Finally, I suggest spending some time with what might be called DCLeaks for good guys: Intrusion Truth, a website devoted to outing personal details about the government hackers who have been attacking Western companies. It (and Crowdstrike) provides an old-fashioned pantsing of China’s Ministry of State Security (MSS) – the sort of embarrassing doxing that allowed the MSS to take over much of China’s cyberespionage portfolio from the hapless People’s Liberation Army after it was outed several years ago.

In other news, a Five Country Ministerial (homeland security and immigration ministers from the US, UK, Australia, Canada, and New Zealand) issued a statement on encryption that seemed to threaten action, saying that if tech companies don’t address the ministers’ concerns, “we may pursue technological, enforcement, legislative or other measures to achieve lawful access solutions.” While this group isn’t really the “Five Eyes” of SIGINT fame, that’s not very comforting for Big Tech, since the statement suggests a wider coalition and another step forward in the effort to bring Big Tech to heel on the issue.

Download the 230th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Pocket Casts, Google Play, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with Stewart on social media: @stewartbaker on Twitter and on LinkedIn. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested interviewee appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

Allowing me to extend my August hiatus by a week, Alan Cohn hosts the 229th episode of The Cyberlaw Podcast. He takes a deep dive into all things blockchain and cryptocurrency discussing recent regulatory developments and best practices for users of exchanges.

The episode begins by looking at the landmark decision coming out of the New York Eastern District Court in favor of the Commodity Futures Trading Commission (CFTC). Charles Mills provides an overview of the recent New York federal court decision and CFTC victory against Cabbage Tech, Corp. d/b/a Coin Drop Markets and Patrick K. McDonnell of Staten Island, New York, ordering McDonnell to pay over $1.1 million in civil monetary penalties and restitution in connection with a lawsuit brought by the CFTC alleging fraud in connection with virtual currencies, including Bitcoin and Litecoin. In addition, Charles presents a more general overview of CFTC regulations.

Claire Blakey presents a timeline of the US Securities and Exchange Commission’s (SEC) recent actions regarding ETFs. On August 23, 2018, SEC announced that it would reconsider a decision to reject nine Bitcoin-based exchange traded funds. Earlier this month, SEC staff delayed a decision on the SolidX proposal, stating it needs more time to consider the proposal – the deadline for this decision is September 30, 2018. Claire also discusses CBOE’s filing with SEC for a bitcoin ETF.

Evan Abrams highlights the four takeaways from the Department of Treasury’s Financial Enforcement Network (FinCEN) director’s speech on cryptocurrency. On August 9, 2018, FinCEN Director Kenneth Blanco delivered a speech on the agency’s approach to cryptocurrency where he made a few unexpected remarks. Evan states that this speech offered helpful clarifications and insights, but also left a number of important questions unanswered. In addition, Evan discusses the Office of the Comptroller of the Currency’s proposed charter for online lenders and other FinTech companies in the coming months.  

Finally, Maury Shenk covers the recent reports about the EU finance ministers’ plan to discuss the possibility of cryptocurrency regulation at a meeting in early September. As part of a leaked confidential note, it is expected that EU ministers will discuss anti-money laundering issues amongst other things. Alan and Maury note that while the EU takes a heavier regulatory approach than the US in this area, the process is slow moving but steadily developing. In addition, Maury discusses the European Blockchain Partnership, describing it as an integrated effort for a great blockchain future.

For the interview, the Steptoe team was joined by Sarah Compani, Legal Counsel at Bitfinex. Bitfinex is a full-featured spot trading platform for major digital assets and cryptocurrencies, including Bitcoin, Ethereum, and many more. Bitfinex offers leveraged margin trading through a peer-to-peer funding market, allowing users to securely trade with up to 3.3-times leverage. Sarah took us through the best security practices for users of exchanges, particularly focusing on security settings that users can customize, such as Google Authenticator 2FA, Universal 2nd Factor (U2F), and IP address whitelisting. Sarah provides listeners with three takeaways as she responds to Alan’s questions regarding the future of exchanges, the Bitfinex platform, and potential challenges going forward.

Download the 229th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Pocket Casts, Google Play, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with Stewart on social media: @stewartbaker on Twitter and on LinkedIn. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested interviewee appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

We need better, more aggressive options to deter cyberattacks, since the ones we've come up with so far are clearly not deterring our adversaries.  I would like to inspire more ambition, aggressiveness, and creativity in the American response.  As the first stage in that effort, here's an op-ed I published today in the Washington Post:

The United States may have pioneered the idea of fighting wars in cyberspace, but it’s our adversaries who are using cyberattacks most effectively. To deter them, the country needs creative new ways to punish nations if they launch the devastating attacks that are within their grasp.

The need for options to strike back at cyber-aggressors is obvious — and urgent. Despite the sanctions and indictments provoked by Russia’s attack on the 2016 U.S. presidential election, Russian President Vladimir Putin is doubling down on cyber-intrusions. In recent months, Microsoft reported that Russia was trying to infiltrate the computer networks of multiple congressional campaigns.

Worse, the Department of Homeland Security says Russia is making a major push to infiltrate U.S. power-plant control rooms.

The only debate is over Putin’s intent: Is he planning to shut off power in the United States, as he is accused of doing in Ukraine in December 2016, or does he simply want to show that he can do so whenever he wants?

Other adversaries are also delighting in cyberweapons’ leveling effect. U.S. intelligence agencies believe that China is cheating on its Obama-era pledge not to engage in commercial cyberespionage. North Korea has dramatically improved its capabilities, moving its best hackers to China and other countries where Internet service is better, and using them to steal from banks, as well as to threaten the United States. And Iran, which wielded its willingness to attack U.S. corporations, banks and even dams as leverage in nuclear arms talks, remains one of the most active of all the nation-state hackers followed by the cybersecurity firm FireEye. No wonder Director of National Intelligence Daniel Coats recently said of these cyberthreats: “The warning lights are blinking red again.”

U.S. officials have often said the United States has unrivaled offensive cybercapabilities. Why hasn’t that deterred anyone? It’s simple. The United States is so reliant on computer networks that we’re afraid to launch a tit-for-tat exchange in cyberspace. It was true during the Obama administration and remains true today. As Army Lt. Gen. Paul Nakasone said during his confirmation hearing in March to be the nation’s top cyberwarrior, our adversaries “don’t fear us.”

Instead, they’re gradually upping the ante, looking to impose as much pain as possible without triggering serious consequences. The longer we go without an effective response, the more pain we’ll suffer. And if we wait until enemy hackers manage to kill lots of Americans, as they could, we risk a U.S. response so sudden and harsh that it sparks a war.

The country has tried “naming and shaming” attackers by indicting government-sponsored hackers from China, Iran and Russia. That’s fine, but the United States is unlikely ever to arrest those hackers, and, over time, attribution without retribution just advertises weakness. Sanctions have more bite and should still be employed, but their impact is delayed, hard to target and clearly insufficient. These inadequate options are about all the interagency process has coughed up.

We need to get tougher and more inventive. In the hope of inspiring others’ imagination, I offer a few options that belong in the U.S. tool kit:

●The next time North Korea uses its cadre of expatriate hackers in Kenya, Mozambique and other countries to attack the United States, we should demand that the host government expel the hackers. If officials don’t comply, U.S. Special Operations forces have plenty of experience taking action in countries that are unable or unwilling to stop terrorists operating from their soil; they could be sent in to seize the buildings, probably hotels, being used by the cyberattacks and take the hackers into custody.

● Russia has allegedly loaded U.S. electrical control systems with tools that could shut down the grid. Putin’s threat is clear, but two can play that game. It’s possible to build electromagnetic pulse weapons the size of a large copy machine that can fry electronics for a few miles around. Why not install several such weapons in high-rise office spaces around Moscow, including a few places where they’ll be found? Like with Putin’s implants in our grid, he’ll never be sure he has found them all, and there’s no need to use them — unless Putin uses his.

● Iran has shown a willingness to use malware that leaves victim networks irretrievably damaged. If Iran did that to U.S. systems, Iran’s remarkably vulnerable offshore oil platforms would be good targets for payback, from simple interruption of gas flows to complete destruction of as many platforms as are necessary to end or deter an attack.

These options may seem extreme; they were once unthinkable. But, frankly, so was Russia’s playing a major role in a U.S. presidential campaign. If we don’t want to suffer more extreme injuries at the hands of our adversaries, we need a few unthinkable responses of our own.

Our guest for the Cyberlaw podcast interview is Noah Phillips, recently appointed FTC Commissioner and former colleague of Stewart Baker at Steptoe. Noah fields questions about the European Union, privacy, and LabMD, about whether Silicon Valley suppression of conservative speech should be a competition law issue, about how foreign governments’ abuse of merger approvals can be disciplined, and much more.

The imminent adoption of the must-pass National Defense Authorization Act yields a deep dive on the bill. Most important for business lawyers, the bill will include a transformative rewrite of CFIUS’s investment-review procedures and policies.

Gus Hurwitz lays out many of the cyber issues addressed by the NDAA, while Dr. Megan Reiss explains the act’s creation of a “Solarium” commission designed to force serious strategic thinking about cybersecurity and cyberweapons. I offer my contribution to that debate – an effort to think the unthinkable and come up with tougher options for responding to serious cyberattacks. Since we’re trying to think the unthinkable, I argue, we’re really rooting for the itheberg, so I’ve dubbed it the Itheberg Project.  I do, however, make an unusual double-barreled offer to those who might want to participate in the Itheberg Project.

All that pales next to a surprisingly lively discussion of circuits splitting over insurance coverage of cyber-related fraud losses. Gus and Matthew Heiman predict that the Supreme Court (or an insurance contract rewrite) will be necessary to resolve the issue – and both of them think the issue is well worth the Court’s time. No one tell Judge Kavanaugh or he may just decide to stay on the DC Circuit!

In a “lightning” round that the FTC may soon investigate for deceptive labeling:

• Gus mocks the ACLU’s rigged test of Amazon’s face recognition software.
• China screws Qualcomm despite the US deal to save ZTE, letting the NXP acquisition die of neglect.
• The New York Public Service Commission revokes its 2016 conditional approval of the Charter-Time Warner merger.
• And India chooses favorable ground for a fight with WhatsApp over end-to-end encryption.

Download the 228th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Pocket Casts, Google Play, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with Stewart on social media: @stewartbaker on Twitter and on LinkedIn. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested interviewee appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

In this episode, Bobby Chesney charts the emergence of undetectably forged videos.  They’re not here yet, but before we’re ready the internet will be awash with fake revenge porn, fake human rights atrocities, and fake political scandals.  My talk with Bobby revolves around a recent paper by him and Danielle Citron.  I confess to having seriously considered federal support for a fake video involving Osama bin Laden and kumquats (not what

Patt Cannaday and Stewart Baker 

you’re thinking, though that would have been good too). Bobby and I discuss the ways in which the body politic – and particular political bodies – might protect themselves.  This leads Bobby to propose a Cyberlaw Podcast mug prize for listeners who suggest what – and where – I should get inked as my last line of defense.  He’s on.  Send your suggestions to cyberlawpodcast@steptoe.com.

In the news, Maury Shenk and I puzzle over the EU’s questionable competition ruling (and $5 bn fine) for Google’s alleged abuse of a dominant position in mobile operating systems.  Once again I find myself agreeing more with Donald Trump than his critics.

Patt Cannaday, a Steptoe summer associate, finds what’s new in the Justice Department’s Cyber Digital Task Force report:  principally a set of rules to make sure that outing foreign governments interfering in our elections doesn’t become Justice Department interference in our elections.  We both think Justice plans to give social media platforms privileged access to data about foreign governments’ tactics and plans.  I propose that any such access be conditioned on the platforms pledging not to use the information to squelch speech that they just don’t like.

Nick Weaver explains why the recent Spectre and other side channel attacks on speculative execution are going to continue – and how big a performance hit our computers will take as we try to protect ourselves.

Congress is negotiating with the administration on penalties for ZTE. Nick thinks the result has been confusion between the export control penalties, which can be compromised, and supply chain restrictions, which shouldn’t be.

All the states have now asked for federal aid to defend their electoral systems from hackers.   I argue that it’s now on them to prepare for attacks, including efforts to disrupt rather than throw this fall’s election.

All those podcasts with Steve Vladeck have left Bobby more comfortable blocking left hooks, but he and I still manage to engage profitably on the Carter Page FISA application document dump.  We cover its implications for Devin Nunes’s early memo.  We question the durability of the application’s reliance on early press stories claiming that Trump forces tilted the GOP platform against Ukraine.  And I suggest that higher officials in Justice and the intelligence community should have demanded more overt vetting (and disclosure) of any partisanship tainting the evidence.  It’s a blind spot they wouldn’t have had, I argue, if the FBI wanted to wiretap Carter Page while he infiltrated the ACLU.

Download the 227th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Pocket Casts, Google Play, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785. Remember: If your suggested interviewee appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

In Episode 226 of The Cyberlaw Podcast, I'm deep in the Cologado wilderness, and the News Roundup team (Brian Egan with Matthew Heiman, Jim Lewis, and Dr. Megan Reiss) muddles through without him.

Matthew and Jim discuss Friday’s indictment of 12 Russian GRU personnel by the Department of Justice and Special Counsel Mueller. Matthew explains that, while we shouldn’t expect extradition proceedings to take place any time soon (or ever), DOJ has a theory for pursuing these types of indictments in selected cases. I weigh in by Twitter, bemoaning somewhat surprisingly (given the source) that the indictments reflect a poor interagency coordination process and a lack of appreciation for diplomacy. From Jim’s perspective, these indictments are about as good as diplomacy is going to get on this issue…

Matthew walks through the continued bipartisan work in the Senate on the Secure Elections Act, which would facilitate information sharing amongst the states on election threats and take other steps in an attempt to improve election cybersecurity. Matthew explains that federalism may well end up limiting what can be done (or what Congress will agree to do) on this issue.

Megan weighs in on Commerce’s announcement on Friday that it lifted the Denial Order against ZTE after ZTE paid an additional $1.4 billion in penalties and took other steps pursuant to the new settlement agreement reached in June. Megan forecasts continued pressure on ZTE from Capitol Hill, even if the additional penalties against ZTE are generally seen as significant. Jim thinks that the US government’s approach to ZTE is shortsighted and may end up harming national security interests down the road.  

Megan and Jim also discuss the efforts of another Chinese company – the video surveillance camera company Hikvision – to fight back against US government concerns related to espionage. We ask ourselves: is there anything that a Chinese company can do to rebut US espionage and related concerns? And Jim weighs in on the “state of the state” of the 2015 "no commercial cyberespionage" handshake agreement between the US and China, which the State Department confirms is the rare international deal entered into under President Obama that has not yet been ripped up by President Trump.

Elsewhere, Matthew explains why Twitter follower numbers dropped precipitously last week after Twitter’s latest attempts to clean up suspicious accounts. (Justin Bieber and Katy Perry were hit hard, but my account may be down to zero.) Luckily, Jim has some practical tips for maintaining one’s Twitter follower numbers.

And finally, Jim weighs in on a workmanlike GAO report on the Committee on Foreign Investment in the United States, the Department of Defense, and national security concerns – which concludes, among other things, that (1) technology transfers should be an area of concern for the US government and (2) the US government is poorly situated to identify the areas of technology transfer that should be of concern. Over to you, Congress!

I prerecorded the interview of Woody Hartzog, author of Privacy’s Blueprint: The Battle to Control the Design of New Technologies, and a professor of law and computer science at Northeastern. Woody’s thesis is that traditional privacy law has focused unduly on notice and consent, yielding unreadable privacy notices and consents that mean nothing but have great legal impact. Instead, he suggests a focus on how platforms design their user interfaces, borrowing from consumer protection and products liability law. My skeptical of the open-ended nature of the obligations Woody would like Silicon Valley to undertake, but they both at least agree that designers and government are surprisingly well-matched bedfellows.

Download the 226th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Pocket Casts, Google Play, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with Stewart on social media: @stewartbaker on Twitter and on LinkedIn. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested interviewee appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

Our interview is with Gen. Michael Hayden, author of The Assault on Intelligence: American National Security in an Age of Lies. Gen. Hayden is a former head of the CIA and NSA, and a harsh critic of the Trump Administration. We don’t agree on some of his criticisms, but we have a productive talk about how intelligence should function in a time of polarization and foreign intervention in our national debates.

General Michael Hayden and Stewart Baker

In the news, David Kris reports that ZTE has gotten a limited life-support order from the Commerce Department. Meanwhile, Nate Jones tells us that China Mobile’s application to provide telecom service to Americans is also likely to bite the dust – after nearly seven years of dithering. Taking advantage of my preview of stories on Facebook, Tony Rutkowski suggests we call this the revenge of the “neocoms.” So we do.

Remarkably, the European Parliament fails to live down to my expectations, showing second thoughts about self-destructive copyright maximalism. Nick Weaver thinks this outbreak of common sense may only be temporary.

Paul Rosenzweig confesses to unaccustomed envy of EU security hardheadedness. Turns out that Europe has been rifling through immigrants’ digital data in a fashion the Trump Administration probably wouldn’t dare to try. More predictably, the Israelis are digging deep into social media to combat the stabbing attacks that afflicted the country until recently.

The DNC is trying to improve security, and it has trained 80% of its staff not to click on bad links. But as Nick Weaver and Paul Rosenzweig point out, that’s not good enough – even though there are few institutions that can get much above the DNC’s 80%. The answer? Nick says it’s two-factor authentication. We join forces to nudge Firefox toward offering the same level of support for 2FA as Google Chrome.

The feds are getting wise to the Dark Web, Nick tells us. They’re focusing on compromising the money launderers – and then their customers. This looks like a strategy that could work for the long haul.

Finally, David Kris revisits NSA’s still-troubled metadata program, asking whether “the juice is worth the squeeze.”

We’re going to keep tweeting and posting some of the week’s stories that look like candidates for the News Roundup. Please reply to or retweet those you think we should cover. Relevant feeds: @stewartbaker on Twitter, Stewart Baker on LinkedIn, and stewart.a.baker on Facebook.

Download the 225th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Pocket Casts, Google Play, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785. Remember: If your suggested interviewee appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

In this episode I interview Duncan Hollis, another Steptoe alumnus patrolling the intersection of international law and cybersecurity. With Matt Waxman, Duncan has written an essay on why the US should make the Proliferation Security Initiative (PSI) a model for international rulemaking for cybersecurity. Since “coalition of the willing” was already taken, we settle on “potluck cyber policy” as shorthand for the proposal. To no one’s surprise, Duncan and I disagree about the value of international law in the field, but we agree on the value of informal, agile, and “potluck” actions on the world stage -- pretty much what PSI represents. In further support, I offer Baker’s Law of International Institutions: “The secretariat is the natural enemy of the United States.”

In closing, Duncan briefly mentions his work with Microsoft on international rulemaking, leading me to throw down on “Brad Smith’s godforsaken proposal.” Brad, if you are willing to come on the podcast to defend that proposal, I’ve promised Duncan a highly coveted Cyberlaw Podcast mug.

In the news, California has a new privacy law, as Steptoe summer associate Laura Hillsman explains, though what it will look like when it finally takes effect in 2020 remains to be seen. 

Chris Conte reports that the SEC has charged a second Equifax manager with insider trading. I ask whether he shouldn’t also have been charged with lousy site design.

The White House draws a line in the sand over ZTE in a letter to the Hill – but Maury and I suspect the real message is in the lack of a veto threat. Maury thinks President Trump’s “go big, then go deal” negotiating strategy is also at work in his decision only to beat up Chinese investments once rather than twice over trade tensions.

NSA’s metadata program was restructured to rely on telecom companies rather than NSA’s own programmers. Congressional ideologues' insistence on leaving the metadata with the companies rather than in NSA’s computers predictably produced a private-sector meltdown. Which they’ll probably blame on NSA.  Jamil Jaffer and I discuss.

What do you know? Reality does win in the end, and Reality Winner finally got the hint (as well as a pretty good plea deal).

Nextgov reveals an unimpressive showing for the Cybersecurity Information Sharing Act’s (CISA) information-sharing provisions, at least as far as sharing with DHS goes. Jamil and I agree, though, that information sharing within the private sector may be a better measure of CISA’s value.

In other news, The Intercept continues to pioneer relevance-free journalism. And trust in social media is collapsing, especially among Republicans, who (remarkably) now think tech companies need more regulation.

Finally, in an experiment we may abandon at any moment, I’m going to start tweeting and posting some the stories this week that look like candidates for the News Roundup. Please reply to or retweet those you think we should cover. Relevant feeds: @stewartbaker on Twitter, Stewart Baker on LinkedIn, and stewart.a.baker on Facebook.

 Download the 224th Episode (mp3).

Laura Hillsman, Chris Conte, and Stewart Baker

 You can subscribe to The Cyberlaw Podcast using iTunes, Pocket Casts, Google Play, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785. Remember: If your suggested interviewee appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

I interview David Sanger in this episode on his new book, The Perfect Weapon – War, Sabotage, and Fear in the Cyber Age. It is a true first draft of history, chronicling how the last five years transformed the cyberwar landscape as dozens of countries followed a path first broken by Stuxnet -- and then, to our horror, branched out to new and highly successful ways of waging cyberwar. Mostly against us.  David depicts an Obama administration paralyzed by the Rule of Lawyers and a fear that our opponents would always have one more rung than we did on the escalation ladder. The Trump administration also takes its lumps, sometimes fairly and sometimes not. 

At center stage in the book is Putin’s uniquely brazen and impactful use of information warfare, but the North Koreans and the Chinese also play major roles.  It is as close to frontline war reporting as cyber journalism is likely to get.

Cyberlaw news this week is dominated by a couple of Supreme Court decisions: In Carpenter the Court held 5-4 that warrants are required to collect a week of location data from cell phone companies. Michael Vatis lays out the ruling, and I complain that the Court has kicked off a generation of litigation over issues this decision opens up but fails to address. Tune in as Michael invokes James Madison and I counter with Ben Franklin. Who knew that the founding fathers had so much to say about the third-party doctrine?

Stewart Baker with David Sanger

Speaking of Court decisions that write checks for others to redeem, the 5-4 Wayfair decision is equally insouciant about triggering a generation of litigation about when internet companies must collect sales tax. After 50 years of waiting for Congress to decide a question that is clearly better resolved by legislation than judicial rule, the Court gave up and struck down the holding that a physical presence was required before sales tax had to be collected. Pat Derdenger explains just how much litigation he’ll be involved in. To his plea that Congress step in, I repeat a line I first used 25 years ago: Why should a Republican Congress enable the collection of taxes it can’t spend?

North Korea may be our President’s best bud these days, but it’s still hacking banks and conducting cyberespionage, Matthew Heiman points out. Jim Lewis advances a Darwinian justification for letting the North Koreans keep it up.

Matthew and Jim also agree that Chinese hackers are getting stealthier – probably in part because they’re chiseling around the edges of their agreement not to steal commercial secrets from US firms. We also ask whether the Chinese have begun releasing data from their OPM hack to criminal actors. David Sanger thinks not.

America's lack of a coherent cyberwar strategy is becoming apparent not just to adversaries but also to Congress, which is in the process of mandating a new commission on cyberwar strategy.  Whether calling it Project Solarium, a hallowed name in defense thinking, will make the commission more successful remains to be seen.

In payback news, I am pleased to report that there’s more libel litigation in store for the Southern Poverty Law Center, which specializes in feeding Silicon Valley’s worst prejudices about conservatives.

The Administration is struggling to come up with privacy principles that can compete with GDPR. Matthew and I predict that it won’t succeed.

One last note: David Sanger is on a book tour– if you’re in the Washington DC area, he will be hosting a talk and book signing at Politics & Prose on Thursday, June 28, at 7pm.

Download the 223rd Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Pocket Casts, Google Play, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785. Remember: If your suggested interviewee appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

Our interview is with Megan Stifel, whose paper for Public Knowledge offers a new way of thinking about cybersecurity measures, drawing by analogy on the relative success of sustainability initiatives in spurring environmental consciousness. She holds up pretty well under my skeptical questioning.

In this week’s news, Congress and the Executive branch continue to fight over the bleeding body of ZTE, which has already lost nearly 40% of its market value. The Commerce Department has extracted a demanding compliance and penalty package from the Chinese telecom equipment manufacturer. The Senate, meanwhile, has amended the NDAA to overturn the package and re-impose what amounts to a death penalty (see section 1727). Brian Egan and I dig into the Senate’s language and conclude that it may do a lot less than the Senators think it does, and that may be the best news ZTE is going to get from Washington this year.

Judge Leon has approved the AT&T-Time Warner merger. Gus Hurwitz puts the ruling in context. His lesson: next time, the Justice Department needs better evidence.

Brian gives us an update on what’s not in the CFIUS reform bill now that the CFIUS reform bill is in the NDAA and on its way to adoption. I suggest that the bill is a symptom of a new Cool War, and the beginning of a long, slow process of breaking the commercial world back into competing blocs. Complete with mirror-imaging, as both China and DOD start publishing lists of the technologies they expect to use in the burgeoning competition.

Kaspersky is getting a lesson in Cool War bloc dynamics, as the EU Parliament trashes the company as a malicious actor and the company acts out, terminating its cybersecurity arrangements with EU institutions.

Megan Stifel and I explore what it means that Chinese hackers are apparently back to their old tricks – stealing competitive secrets for commercial advantage. 

Given a choice between EFF and the EU, I come down on the EFF’s side, at least when the EU is snuggling up to Big Copyright and forcing Internet companies to automatically scan customer uploads for copyright violations. This is bad news for users, of course, since the tools are never perfect, and the incentives will be to err on the side of preventing speech. But, really, EU, if you were wondering why you’ll never have a vibrant tech startup scene, it’s time to look in the mirror. This measure may sound as though it will be tough on YouTube, but it will be fatal to its smaller competitors.

But surely, you say, the owners of intellectual property will be constrained by the need to keep their consumers happy. Yeah, right. If you believe that, you might want to take a closer look at the astonishing surveillance system that IP owners have dreamed up in Spain. At least nothing so intrusive could be done in Europe, where GDPR has created a privacy utopia …

More Cool War casualties: US sanctions on Russia have hit a couple of companies that Silicon Valley thought of as friends and neighbors. This dividing-into-blocs business has some surprising costs. Brian, of course, wants to know how to square these sanctions with the president’s view of Russia. I supply the answer (two, actually), but you’ll have to listen to find out what they are.

Gus Hurwitz plugs his new privacy paper, which pantses privacy campaigners for hypocrisy. 

Gus also comments on Apple’s new USB restricted mode, which law enforcement support contractors say they’ve already defeated.

In the good news of the week, the Southern Poverty Law Center gets a comeuppance in the form of an unconditional apology and $3.4m libel settlement for including Maajid Nawaz in its nasty and irresponsible 2016 “Field Guide to Anti-Muslim Extremists.” If you’re keeping score at home, that’s $3.37 million down, $429 million to go before SPLC’s grotesquely swollen endowment is used up.

Speaking of comeuppances, I get mine for correcting Jennifer Quinn-Barabanov’s pronunciation of cy près as “sigh pray.” I’m a “see pray” guy. Alert listener Tim White decided to call up Brian Garner of Garner’s Dictionary of Modern Legal Usage for a ruling. In a moment straight out of a Woody Allen film, Garner responds through an editor that “Professor Garner is editing the entries in Black’s and Garner’s Dictionary of Legal Usage to reflect that /sigh/ is the traditional anglicized pronunciation and that /see/ is a repatriated French pronunciation. So both pronunciations will be listed, but /sigh/ will be listed first as the preferred one.” Short version: I’m condemned as an egregious grammar snob who doesn’t know a repatriated French pronunciation when he sees one. I think I owe Jennifer Quinn-Barabanov an apology – and $3.37.

Megan Stifel and Stewart Baker

Download the 222nd Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Pocket Casts, Google Play, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785. Remember: If your suggested interviewee appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The 11th Circuit’s LabMD decision is a dish served cold for Michael Daugherty, the CEO of the defunct company. The decision overturns decades of FTC jurisdiction, acquired over the years by a kind of bureaucratic adverse possession. Thanks to the LabMD opinion, practically all the FTC’s privacy and security consent decrees are at risk of being at least partly unenforceable — and if the dictum holds, the FTC may have to show that everything it views as an “unfair” lack of security is actually a negligent security practice.

Commerce says it has a deal with ZTE. Nate Jones wonders whether the bipartisan opposition to the deal from Congress is too late.

David Kris introduces a remarkable week for Justice Department responses to leaks of classified information. A long-time security director at the Senate Intelligence Committee succumbs first to the wiles of an aspiring reporter, and then to the temptation to lie about the romance to the FBI. James Wolfe will pay a heavy price for his leaks of classified information — without ever being tried for leaking classified information.

I can’t help asking how the FBI gathered as much information as they did from supposedly secure services like Signal and WhatsApp. Nick Weaver and David point to metadata as the fatal flaw in Wolfe’s security — and to cloud backup as the fatal flaw in Manafort’s (along with the problem that any secret shared with another is a hostage to that party’s inclinations).

The Chinese are having a hell of a run at US secrets, David also reports, as evidenced by an espionage arrest, another espionage conviction, and a major story about a Chinese hack to harvest Pentagon technology. The Chinese recruitment of Hansen, who faced money trouble, maybe the first fruits harvested by the Chinese from their trove of OPM files listing all the weaknesses of US clearance holders.

DHS (and DOJ) want new authority to regulate drones. Nick is enthusiastic and offers some exciting and chilling video to support his view that drones will soon pose a wide variety of threats.

Nate reports on the Democrats’ effort to get a threat assessment of President Trump’s phone use.

Speaking of things we really need to worry about more, Nick tells us the Russian’s VPNFilter is worse than we thought, and we already thought it was bad. It’s time to take the security of your home router very seriously.

I close with a quick rant, calling out Twitter, Facebook, Google, and Amazon for all accepting advice on who is a “hate” group from the irresponsible and irredeemably biased Southern Poverty Law Center. Really, guys, if you want half the country to hate Silicon Valley, this is exactly what you should be doing.

Download the 221st Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Pocket Casts, Google Play, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785. Remember: If your suggested interviewee appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

GDPR has finally arrived, Maury Shenk reminds us, bringing both expected and unexpected consequences. Among the expected: New Schrems lawsuits for more money from the same old defendants; and the wasting away of the cybersecurity resource that is WHOIS, as German courts ride to the rescue of insecurity — in the name of privacy.

Also probably to be expected, at least for those who have paid attention to the history of technology regulation: The biggest companies are likely to end up boosting their market dominance.

Less expected: The decision of some big US media to just say no to European readers, recognizing them as the Typhoid Marys of the Internet, carrying a painful and stupid regulatory infection to every site they visit.

In other unsurprising news, Gus Hurwitz and Megan Reiss note, Kaspersky has now lost both its lawsuits against US government bans in a single district court ruling.

In genuinely troubling news, Iran is signaling a willingness to attack US industrial controls, which run the electric grid and pipelines and sewage systems, using the same malware it used against the Saudis. Since Iran was willing to launch DDoS attacks on US banks the last time negotiations over its nuclear program hit a snag, this is a threat that needs to be taken seriously.

The good news is that the US government released two reports this week on how to we’ll respond to both threats — cyberattacks on our grid and DDoS attacks on our web companies. The bad news is that both reports suck. If you were feeling optimistic before this, I argue, a close reading of the reports will leave you with a sinking feeling that this is the fourth administration in a row without a clue about how to deal with such attacks.

Quick Hits

Russia wants Apple’s help in subduing Telegram, Maury reports. I predict that Tim Cook will fold like a cheap lawn chair. I’m guessing that it’s really only American law enforcement that he’s willing to thwart.

North Korea is getting credit for peacemaking while spreading malware to US and South Korean infrastructure. A lot of the attacks are enabled by phishing emails built around hot news about the Trump-Kim summit. Which, come to think of it, may be the real reason Kim keeps turning the summit off and on: He’s got to generate clickbait for all those phishing emails.

Trump wants to relieve ZTE of its company-killing Commerce sanctions, but Congress may not let him. Hardest hit? Paul Ryan, who’ll have to decide whether to let the House take a free vote to thwart the President on national security grounds. 

Gus takes us quickly through the next big security issue: IMSI catchers and SS7 exploitation. This is a big problem, or really two big problems that are bound to get real media attention – just as soon as civil liberties groups figure out how to blame them on Trump.

In other news, I’ll be hosting a Reddit AMA on r/legaladvice on June 6 starting at 2pm ET. The best questions may be read in the next episode, so be sure to contribute. You can find more information in the announcement here.

Download the 220th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Pocket Casts, Google Play, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785. Remember: If your suggested interviewee appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

This episode features a conversation with Nick Bilton, author of American Kingpin: The Epic Hunt for the Criminal Mastermind Behind the Silk Road.  His book, out today in paperback, tells the story of Ross Ulbricht, the libertarian who created the hidden Tor site known as the Silk Road, and rode it to massive wealth, great temptation, and, finally, a life sentence. 

It’s a fine read in its own right, but for those who know the federal government, the most entertaining parts concern the investigators who bring Ulbricht down.  They all have ambitions and flaws that mirror the stereotypes of their agencies, even -- or perhaps especially -- when the agents go bad. It’s got everything – sales of body parts, murder (maybe!), rogue cops, turf fights, and justice in the end. 

Sadly, I predict this episode will generate more hate mail than any other.  Why?  You’ll have to listen to find out.  Feel free to question my judgment with emails to CyberlawPodcast@steptoe.com.lp

Download the 219th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Pocket Casts, Google Play, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Send your questions and suggestions for topics or interview candidates to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785. Remember: If your suggested interviewee appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

In this episode, Markham Erickson highlights the Mugshots.com prosecution. The site had a loathsome business model, publishing mugshots for free and charging hundreds of bucks to people who wanted the record of their arrests taken down. Now the owners are being prosecuted in a case that combines the worst of European crazy (“surely criminals have a right to be forgotten”) and California crazy (“profits are being earned here – surely that calls for a criminal investigation”). Markham explains why this may be a hard case for California to win – and then joins me in expressing schadenfreude for the owners, whose mugshots are even now spread all across the internet.

Meanwhile, the ZTE mess gets messier as Congress moves to block President Trump’s proposed sanctions relief. Democrats are joining national security Republicans to move legislation on the topic. Who says President Trump is the divider-in-chief?

Michael Vatis digs into the FBI’s latest high-profile problem: it grossly overstated the number of encrypted phones it encountered last year. Was it a mistake or a misrepresentation? Our panel leans toward mistake.

Michael and I also criticize President Trump’s decision to dump government security for his phone. Michael reminds us of the President’s scathing treatment of Hillary Clinton’s insecure email server and asks why an insecure cell phone is different.

And in a new feature that we still haven’t made up our mind about, we do a lightning round of stories we couldn’t get to:

• GDPR has arrived at last, and typically, the European Parliament isn’t ready.
• Suspected CIA leaker Joshua Schulte was busted for kiddie porn but should have been arrested for stone stupidity.
• Kaspersky sets up shop in Switzerland; will that save the business? I’m skeptical.
• Ecuador’s budget for protecting Assange ran into the millions of dollars, and it looks as though he may be on the street any minute now. A bad week for hackers and leakers. ;-)
• Germany’s misbegotten effort to tame hate on Facebook is going to end up censoring what Americans can read. When will Congress act to preserve the first amendment from other governments?
• China’s bragging that its social credit system has blocked people from 11 million flights already; when will that system be expanded to everyone in the hacked OPM files?
• In a declassified report, a federal commission treats EMP attacks as a serious threat, not the stuff of an Alex Jones rant, as elite opinion seems to think.
• There’s a circuit split regarding border cell phone searches.
• The NTSB has issued a gobsmacking preliminary report on the fatal crash involving Uber’s autonomous vehicle.

Download the 218th Episode (mp3).

 You can subscribe to The Cyberlaw Podcast using iTunes, Pocket Casts, Google Play, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Send your questions and suggestions for topics or interview candidates to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785. Remember: If your suggested interviewee appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

In our 217th episode of The Cyberlaw Podcast, the blockchain and cryptocurrency team seizes control of the podcast again.

Alan Cohn hosts another of the podcast’s periodic deep dives into all things blockchain and cryptocurrency to discuss recent regulatory developments and the current state of play of the industry.

Our episode begins by looking at the Department of Treasury’s letter regarding initial coin offerings (“ICOs”). Jack Hayes tells us the key takeaways from the letter, including that persons engaged in ICOs could be considered a Money Transmitter under FinCEN’s regulations. Not only does the letter address companies based in the US that are issuing tokens, but also those based outside of the US that may have a substantial part of their business in the US or be issuing tokens to US persons. The idea that FinCEN can reach outside of the US border is not a new one. Last summer we saw a civil enforcement action against BTC-e, a foreign cryptocurrency exchange.

Jack and Alan also discuss the New York Attorney General’s recent voluntary transparency questionnaire sent to both US and non-US cryptocurrency exchanges. New York has seen its fair share of controversy with respect to cryptocurrency with the implementation of the BitLicense and the resulting exodus of a number of cryptocurrency companies.

Lisa Zarlenga provides an expert overview of the Internal Revenue Service’s (“IRS”) activity in the space starting with IRS Notice 2014-21. For tax purposes, convertible virtual currency (“CVC”) is treated as property, which means that every time you buy or sell CVC you are engaging in a taxable event and need to report capital gains or losses. The Notice did not provide much guidance on accounting for and determining basis of cryptocurrency. Lisa also discusses whether exchanging one cryptocurrency for another cryptocurrency is a like-kind exchange and how the 2018 Tax Reform Bill changes things. With the increasing popularity of airdrops, Lisa and Alan tell us about the tax treatment of tokens received during an airdrop.

Chelsea Parker discusses trends coming out of New York Blockchain Week 2018. Consensus 2018 was three times bigger than Consensus 2017 and there were almost three dozen other official conferences and events that were part of NY Blockchain Week. Needless to say, interest in blockchain appears to be at an all-time high, and there was a particularly high international presence. Government officials from countries such as Gibraltar and Bermuda highlighted their proactive steps to implement regulation while still encouraging innovation and protecting consumers. This idea of balancing regulation while still encouraging innovation was a common theme across panels.

Alan highlights Steptoe’s panel “Blockchain in Supply Chain, Navigating the Legal Waters” and the key questions discussed during Alan Cohn and Lisa Zarlenga’s presentations on the tax treatment of digital currencies and tokens at the Accounting Blockchain Coalition’s conference. Finally, the panelists highlight where they see the industry going next in terms of adoption and regulation. Lisa discusses the possibility of additional guidance from the IRS while Jack discusses the future of sovereign cryptocurrencies and the resulting regulatory challenges.

As always The Cyberlaw Podcast is open to feedback. Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 217th Episode (mp3).

Subscribe to The Cyberlaw Podcast here. We are also on iTunes, Pocket Casts, and Google Play (available for Android and Google Chrome)!

The Cyberlaw Podcast has now succumbed to an irresistible media trend: We begin the episode with a tweet from President Trump. In this one, he promises to get ZTE “back in business, fast.” Paul Rosenzweig and Nick Weaver provide the backstory, and a large helping of dismay, at the President’s approach to the issue.

I question the assumption that this will make the life of Chinese telecom equipment makers easier in the US. If anything it could be worse. The 2019 NDAA being drafted in the House will make it very difficult for telecom companies that do business with the Pentagon to rely on Chinese (or Russian) equipment. If anything, the President probably ensured a unanimous Democratic vote for the measure.

The cyber coordinator position in the White House is on the endangered list. Paul explains why it should survive. His take is not completely snark-free. Summing up the first two stories, I suggest that it proves the maxim (which, come to think of it, might be my maxim) that every President gets the White House he deserves.

Nick explains how badly American democracy could be harmed by a relatively trivial Russian (or Iranian, or North Korean) cyberattack on voter registration databases later in 2018. Indeed, they had a chance to launch such an attack in 2016, according to the Senate Intelligence Committee. This is an avoidable disaster if election officials take action now, I point out, but Paul doubts they will.

Paul and I lament the insouciance and ahistoricity of the Fourth Circuit’s ruling adding half a dozen new judicial constraints to border searches of cell phones.

Speaking of cyberattacks, you’d better buckle up, because Iranian retribution for US withdrawal from the Joint Comprehensive Plan of Action is probably being prepared as you read this. And according to a highly educational Recorded Future/Insikt report, Iran’s semi-privatized hacking ecosystem is likely to err on the side of escalation.

The Iranians aren’t the only ones upping their game. Nick summarizes an excellent Crowdstrike report on the new sophistication of Nigerian scammers.

We close with Nick’s dissection of the troubling code decisions underlying a pedestrian death caused by Uber’s autonomous vehicle. 

The Cyberlaw Podcast is hiring a part-time intern for our Washington, DC offices.

As always The Cyberlaw Podcast is open to feedback. Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 216th Episode (mp3).

Subscribe to The Cyberlaw Podcast here. We are also on iTunes, Pocket Casts, and Google Play (available for Android and Google Chrome)!