Thursday, May 31, 2018

The Cyberlaw Podcast: Nick Bilton, Ross Ulbricht, and the Silk Road Bust; Lawfare, May 29, 2018

[Podcast] Stewart Baker, Lawfare; The Cyberlaw Podcast: Nick Bilton, Ross Ulbricht, and the Silk Road Bust

"This episode features a conversation with Nick Bilton, author of “American Kingpin: The Epic Hunt for the Criminal Mastermind Behind the Silk Road.” His book, out in paperback, tells the story of Ross Ulbricht, the libertarian who created the hidden Tor site known as the Silk Road and rode it to massive wealth, great temptation, and, finally, a life sentence. It’s a fine read in its own right, but for those who know the federal government, the most entertaining parts concern the investigators who brought Ulbricht down. Each one has ambitions and flaws that mirror the stereotypes of their agencies, even—or perhaps especially—when the agents go bad. It’s got everything: sales of body parts, murder (maybe!), rogue cops, turf fights, and justice in the end.

Sadly, I predict this episode will generate more hate mail than any other. Why? You’ll have to listen to find out. Feel free to question my judgment with emails to CyberlawPodcast@steptoe.com."

Thursday, May 25, 2017

Target to Pay $18.5M to States Over Data Breach; Inside Counsel, May 24, 2017

P.J. D'Annunzio, Inside Counsel; Target to Pay $18.5M to States Over Data Breach

"Deterrence was a major theme brought up by many of the attorneys general who released statements about the agreement.

The $18.5 million settlement with the states, coupled with the $10 million consumer class action settlement approved last week, may seem like a drop in the bucket for a retail juggernaut like Target, but according to Lambiras, the deterrent effect lies in the residual legal and public relations costs companies incur following a data breach.

In a statement Tuesday, Connecticut Attorney General George Jepsen said the settlement should serve as a wake-up call to companies to tighten their data security. He also gave kudos to Target for working with authorities after the breach."

Friday, May 19, 2017

Boy, 11, hacks cyber-security audience to give lesson on 'weaponisation' of toys; Agence France-Presse via Guardian, May 16, 2017

Agence France-Presse via Guardian; Boy, 11, hacks cyber-security audience to give lesson on 'weaponisation' of toys

"“Most internet-connected things have a Bluetooth functionality ... I basically showed how I could connect to it, and send commands to it, by recording audio and playing the light,” [Reuben Paul] told AFP later.

“IOT home appliances, things that can be used in our everyday lives, our cars, lights, refrigerators, everything like this that is connected can be used and weaponised to spy on us or harm us.”

They could be used to steal private information such as passwords, as remote surveillance to spy on kids, or employ GPS to find out where a person is, he said. More chillingly, a toy could say “meet me at this location and I will pick you up”, Reuben said."

Tuesday, May 16, 2017

A Twenty-First Century Framework for Digital Privacy; LAWFARE, May 15, 2017

Jeffrey Rosen, LAWFARE; A Twenty-First Century Framework for Digital Privacy

"Editor's note: This is a crosspost from the National Constitution Center's website. Video of the Center's event on digital privacy is available below...

Advances in technology raise numerous important (and difficult) legal questions:
  • How can we strike the right balance between security and privacy in the digital age?
  • How might we translate Fourth Amendment doctrine in light of technological advances and changing consumer expectations of privacy?
  • What constitutional and statutory protections should there be for data stored in the Cloud, and under what circumstances and with what constraints should the government get access to it?
  • Does the government have to tell consumers when it searches their email accounts or accesses their data?
  • And whose law should govern access to data in our borderless world—a world where data is often stored on servers in other countries and can be transferred across borders at the snap of a finger?
The National Constitution Center, with the support of Microsoft, has assembled leading scholars and thought leaders to publish a series of five white papers, entitled A Twenty-First Century Framework for Digital Privacy.  We’ve asked these contributors to reflect on the challenges that new technologies pose to existing constitutional doctrine and statutory law and to propose solutions—doctrinal, legislative, and constitutional—that translate the Constitution and federal law in light of new technologies.  The overarching question we asked contributors to address is how best to balance privacy concerns against the need for security in the digital age.  These contributors represent diverse points of view and experiences and their papers reflect the Constitution Center’s commitment to presenting the best arguments on all sides of the constitutional issues at the center of American life."

Monday, May 15, 2017

The World Is Getting Hacked. Why Don’t We Do More to Stop It?; New York Times, May 13, 2017

Zeynep Tufekci, New York Times; The World Is Getting Hacked. Why Don’t We Do More to Stop It?

"There is also the thorny problem of finding money and resources to upgrade critical infrastructure without crippling it. Many institutions see information technology as an afterthought and are slow in upgrading and investing. Governments also do not prioritize software security. This is a sure road to disaster.

As a reminder of what is at stake, ambulances carrying sick children were diverted and heart patients turned away from surgery in Britain by the ransomware attack. Those hospitals may never get their data back. The last big worm like this, Conficker, infected millions of computers in almost 200 countries in 2008. We are much more dependent on software for critical functions today, and there is no guarantee there will be a kill switch next time."

Saturday, April 22, 2017

Ex-CIA operative Valerie Plame talks nuclear, cyber threats at CMU; Pittsburgh Post-Gazette, April 22, 2017

Courtney Linder, Pittsburgh Post-Gazette; Ex-CIA operative Valerie Plame talks nuclear, cyber threats at CMU

"Ms. Plame, who worked to prevent the proliferation of nuclear weapons, referred to the Science and Security Board’s “Doomsday Clock” in her keynote speech at Carnegie Mellon University on Friday, prefacing a panel on inclusivity in STEM — or science, technology, engineering and math — for students and faculty.

In her hour-long discussion of nuclear threats and cybersecurity, Ms. Plame kept the conversation solutions-oriented, rather than dwelling on the high-profile “Plamegate” scandal that ended her espionage career."

Wednesday, April 12, 2017

Stopping trade secret theft in your organization; CSO, April 10, 2017

Frederick Scholl, CSO; Stopping trade secret theft in your organization

"The recent Google vs. Uber self-driving car litigation has brought trade secret theft into the news again. I have blogged on this topic before. In this post and the next three I will take a deeper dive into trade secret theft and how you can reduce the chance you will be the next victim.

Trade secret theft is one of the major cybersecurity risks of our time. Organizations now lose nearly $300 billion per year due to theft or misappropriation of intellectual property." 

Sunday, April 2, 2017

Economic Development: Intellectual property must be protected from theft; Billings Gazette, April 2, 2017

Dena Johnson and Jennifer Webber, Billings Gazette; Economic Development: Intellectual property must be protected from theft

"Rising “intellectual property crime in the United States and abroad threatens our public safety and economic well-being.” US Department of Justice.

What does this mean for Main Street businesses? Are they at risk? Or is intellectual property (“IP”) protection only a concern for larger companies? The answer? IP should be a priority for every business owner no matter the size. Your company should “protect the programs and systems that support what makes your company successful and unique.” Federal Bureau of Investigation.

We interviewed attorney Jennifer L. Webber of WEBBERpllc (www.webberpllc.com) to learn more."

9 biggest information security threats through 2019; CIO, March 28, 2017

CIO; 9 biggest information security threats through 2019

"The information security threat landscape is constantly evolving. To help you navigate the terrain, each year the Information Security Forum (ISF) — a nonprofit association that researches and analyzes security and risk management issues on behalf of its members — puts out its Threat Horizon report to provide members with a forward-looking view of the biggest security threats over a two-year period. What follows are the nine biggest threats on the horizon through 2019 that your organization may have to manage and mitigate."

Saturday, April 1, 2017

Trump Is President. Now Encrypt Your Email.; New York Times, March 31, 2017

Max Read, New York Times; Trump Is President. Now Encrypt Your Email.

"As lawyers and civil libertarians point out, federal criminal law is so vast and complicated that it is easy to unwittingly violate it, and even innocent conversation can later be used to build a criminal case. Encrypting your communication isn’t a matter of hiding criminal activity; it’s a matter of ensuring innocuous activity can’t be deemed suspicious by a zealous prosecutor or intelligence agent. Telling a friend that a party is really going to “blow up” when you arrive is less funny when it’s being entered into evidence against you."

FBI Arrests Hacker Who Hacked No One; Daily Beast, March 31, 2017

Kevin Poulsen, Daily Beast; FBI Arrests Hacker Who Hacked No One

"Now free on bond, Huddleston, 26, is scheduled to appear in a federal courtroom in Alexandria, Virginia on Friday for arraignment on federal charges of conspiracy and aiding and abetting computer intrusions.

Huddleston, though, isn’t a hacker. He’s the author of a remote administration tool, or RAT, called NanoCore that happens to be popular with hackers. NanoCore has been linked to intrusions in at least 10 countries, including an attack on Middle Eastern energy firms in 2015, and a massive phishing campaign last August in which the perpetrators posed as a major oil and gas company. As Huddleston sees it, he’s a victim himself—hackers have been pirating his program for years and using it to commit crimes. But to the Justice Department, Huddleston is an accomplice to a spree of felonies.

Depending on whose view prevails, Huddleston could face prison time and lose his home, in a case that raises a novel question: when is a programmer criminally responsible for the actions of his users?"

WikiLeaks’ latest release of CIA cyber-tools could blow the cover on agency hacking operations; Washington Post, March 31, 2017

Ellen Nakashima, Washington Post; WikiLeaks’ latest release of CIA cyber-tools could blow the cover on agency hacking operations

"WikiLeaks’ latest disclosure of CIA cyber-tools reveals a technique used by the agency to hide its digital tracks, potentially blowing the cover on current and past hacking operations aimed at gathering intelligence on terrorists and other foreign targets.

The release Friday of the CIA’s “Marble Framework” comes less than a month after the WikiLeaks dumped onto the Internet a trove of files — dubbed “Vault 7” — that described the type of malware and methods the CIA uses to gain access to targets’ phones, computers and other electronic devices...

WikiLeaks, founded by Julian Assange, has sought to position itself as a champion of transparency and defender of privacy rights. It described the Marble Framework as “the digital equivalent of a specialized CIA tool to place covers over the English language text on U.S. produced weapons systems before giving them to insurgents secretly backed by the CIA.”"

Sunday, March 26, 2017

North Korea’s Rising Ambition Seen in Bid to Breach Global Banks; New York Times, March 25, 2017

Paul Mozur and Choe Sang-Hun, New York Times; North Korea’s Rising Ambition Seen in Bid to Breach Global Banks

"The security firm Symantec said it believed that the hackers behind the Poland attack were also behind two other major breaches: the theft of $81 million from the central bank of Bangladesh and a 2014 attack on Sony Pictures, which rocked the film industry.

“We found multiple links, which gave us reasonable confidence that it’s the same group behind Bangladesh as the Polish attacks,” said Eric Chien, a researcher at Symantec, which studied both attacks."

Wednesday, March 15, 2017

Justice Department Announces Charges Against Yahoo Hacking Suspects; Huffington Post, March 15, 2017

Ryan Grenoble and Ryan J. Reilly, Huffington Post; Justice Department Announces Charges Against Yahoo Hacking Suspects

"The suspects face a number of charges, according to the DOJ: conspiracy, computer fraud and abuse, economic espionage, theft of trade secrets, wire fraud, access device fraud and aggravated identity theft. The most serious of those charges, conspiring to commit wire fraud, carries a maximum sentence of 20 years."

Russian Espionage Piggybacks on a Cybercriminal’s Hacking; New York Times, March 12, 2017

Michael Schwirtz and Joseph Goldstein, New York Times; Russian Espionage Piggybacks on a Cybercriminal’s Hacking

"In the summer of 2014, the F.B.I., together with law enforcement agencies in over half a dozen countries, carried out Operation Tovar, a coordinated attack on Mr. Bogachev’s criminal infrastructure that shut down his network and liberated computers infected with GameOver ZeuS."

Monday, March 13, 2017

Under pressure from tech companies, ‘Fair Repair’ bill stalls in Nebraska; Guardian, March 11, 2017

Olivia Solon, Guardian; Under pressure from tech companies, ‘Fair Repair’ bill stalls in Nebraska

"“This has the potential to weaken security features in a host of electronic devices. It’s not about dead screen or battery,” said CompTIA’s Alexi Madon, adding that the bill applied to medical equipment and government servers. “Manufacturers are also required to give up sensitive intellectual property.”

Tony Baker, a Nebraska politician who previously provided information solutions to the US military, countered the suggestion that repair rights would infringe on the intellectual property rights and the security of software. He explained how his organization created software running on classified networks that granted different levels of access to different groups of people, depending on their level of authorisation or security clearance. He argued that manufacturers could do the same with their products."

Friday, March 10, 2017

With the latest WikiLeaks revelations about the CIA – is privacy really dead?

Olivia Solon, Guardian; With the latest WikiLeaks revelations about the CIA – is privacy really dead?

"In the week that WikiLeaks revealed the CIA and MI5 have an armoury of surveillance tools that can spy on people through their smart TVs, cars and cellphones, the FBI director, James Comey, has said that Americans should not have expectations of “absolute privacy”.

“There is no such thing as absolute privacy in America: there is no place outside of judicial reach,” Comey said at a Boston College conference on cybersecurity. The remark came as he was discussing the rise of encryption since Edward Snowden’s 2013 revelations of the NSA’s mass surveillance tools, used on citizens around the world...

So, where does this leave us? Is privacy really dead, as Silicon Valley luminaries such as Mark Zuckerberg have previously declared?

Not according to the Electronic Frontier Foundation’s executive director, Cindy Cohn.

“The freedom to have a private conversation – free from the worry that a hostile government, a rogue government agent or a competitor or a criminal are listening – is central to a free society,” she said."

FBI's James Comey: 'There is no such thing as absolute privacy in America'; Guardian, March 8, 2017

Julian Borger, Guardian; FBI's James Comey: 'There is no such thing as absolute privacy in America'

[Kip Currier, March 10, 2017: I've copied below a post I made to my Ethics and Information Blog a couple of days ago.]

---------------------------------------------------------------------------------

[Kip Currier: 2,000th post since starting this Ethics Blog in 2010. Very thought-provoking privacy (are we now in a "post-privacy world"?) quote by FBI Director Comey--great fodder for Information Ethics class discussions, as well as around "the dinner table" and workplace water cooler/caffeine dispenser!]

"“There is no such thing as absolute privacy in America,” the FBI director, James Comey, has declared after the disclosure of a range of hacking tools used by the CIA.

Comey was delivering prepared remarks at a cybersecurity conference in Boston, but his assessment has deepened privacy concerns already raised by the details of CIA tools to hack consumer electronics for espionage published by WikiLeaks on Tuesday.

“All of us have a reasonable expectation of privacy in our homes, in our cars, and in our devices. But it also means with good reason, in court, government, through law enforcement, can invade our private spaces,” Comey said at the conference on Wednesday. “Even our memories aren’t private. Any of us can be compelled to say what we saw … In appropriate circumstances, a judge can compel any of us to testify in court on those private communications.”"

Wednesday, March 8, 2017

With WikiLeaks Claims of C.I.A. Hacking, How Vulnerable Is Your Smartphone?; New York Times, March 7, 2017

Steve Lohr and Katie Benner, New York Times; With WikiLeaks Claims of C.I.A. Hacking, How Vulnerable Is Your Smartphone?

"If the documents are accurate, did the C.I.A. violate commitments made by President Barack Obama?

In 2010, the Obama administration promised to disclose newly discovered vulnerabilities to companies like Apple, Google and Microsoft. But the WikiLeaks documents indicate that the agency found security flaws, kept them secret and then used them for surveillance and intelligence gathering.

Why is it so hard to keep these cyberweapons under wraps?

Unlike nuclear weapons, which can be guarded and protected, cyberweapons are “just computer programs which can be pirated like any other,” WikiLeaks notes. “Since they are entirely comprised of information they can be copied quickly with no marginal cost.”

There is a growing black market dedicated to trading these weapons, and government agencies from around the world will pay well for their discovery."

WikiLeaks Releases What It Calls CIA Trove Of Cyber-Espionage Documents; NPR, March 7, 2017

Camila Domonoske, NPR; WikiLeaks Releases What It Calls CIA Trove Of Cyber-Espionage Documents

"WikiLeaks has released thousands of files that it identifies as CIA documents related to the agency's cyber-espionage tools and programs.

The documents published on Tuesday include instruction manuals, support documents, notes and conversations about, among other things, efforts to exploit vulnerabilities in smartphones and turn smart TVs into listening devices. The tools appear to be designed for use against individual targets, as part of the CIA's mandate to gather foreign intelligence."

No One Should Give In to Cyber Extortion Unless It's a Life or Death Situation; Slate, March 7, 2017

Josephine Wolff, Slate; No One Should Give In to Cyber Extortion Unless It's a Life or Death Situation

"Paying ransoms and caving to extortion demands just encourages more of the same activity, directed at both previous victims and new ones. The only way to effectively discourage this kind of crime is to make it so fruitless, so unprofitable, so profoundly ineffective that the perpetrators find a new outlet for their energies. And the only way to do that is to stop relying on individual victims and organizations to make these choices themselves and implement policies that explicitly penalize the payment of online ransoms in most circumstances."

Top Cybersecurity Innovations of 2017; Inside Scoop, March 8, 2017

Amanda Ciccatelli, Inside Scoop; Top Cybersecurity Innovations of 2017

"So far this year, there have been three key cybersecurity developments including blockchain, cloud security, and machine learning/artificial intelligence (AI). Michael Whitener, VLP Partner, sat down with Inside Counsel to discuss the new cybersecurity developments of 2017 and how they will affect the future of the industry."

Monday, March 6, 2017

Ethics And Hacking: What You Need To Know; Forbes, March 6, 2017

Forbes Technology Council, Forbes; Ethics And Hacking: What You Need To Know

"The term hacking gets bandied about a great deal in both the industry and in the media. Some stories carry the image of bored tweens, building skills while bragging about tearing up someone else’s hard work. Other stories talk more about offshore groups using server farms to mass phish for information.

The kinds of damage that hackers can cause is as varied as functions of a computer or device: Lost finances, trade secrets, and files swapped or erased are only the tip of what could be done to a person or company. Sometimes, just being one of the few people aware that different companies are talking to each other about business can mean opportunities for the unethical.

So the question gets raised: Can the arts of hacking be used to improve lives on a broader scale, or is it a purely destructive activity? Below, Forbes Technology Council members weigh in on ethics and hacking."

China’s theft of U.S. trade secrets under scrutiny; Science, February 28, 2017

Mara Hvistendahl, Science; China’s theft of U.S. trade secrets under scrutiny

"When it comes to intellectual property (IP) theft, there’s the rest of the world, and then there’s China, a new report says. In 2015, mainland China and Hong Kong accounted for 87% of counterfeit goods seized by the U.S. Customs and Border Patrol. China’s share of trade secrets theft, though harder to track, is not far behind, claims the Commission on the Theft of American Intellectual Property in Washington, D.C., a bipartisan nongovernmental group co-chaired by former Utah Governor Jon Huntsman Jr., who served as U.S. ambassador to China from 2009 to 2011.

Stolen trade secrets, pirated software, and counterfeiting cost the United States between $225 billion and $600 billion per year, the commission estimates...

Scholars often take issue with efforts to put a price tag on IP theft...

Also up for debate is how best to address IP theft. The Obama administration pursued a strategy heavy on prosecutions of Chinese-born U.S. scientists (see here, here, and here), along with symbolic moves against overseas offenders, such as the 2014 indictment of five members of a People’s Liberation Army hacking unit. Policy tools improved under Obama went “largely unused,” the report said. For instance, a 2015 law enabling the president to sanction foreign countries, companies, and individuals for IP theft has not yet been invoked."

Friday, March 3, 2017

The EU Is Fighting A Lopsided Battle Against Russian Disinformation; Huffington Post, March 3, 2017

Nick Robins-Early, Huffington Post; The EU Is Fighting A Lopsided Battle Against Russian Disinformation

"The Lisa case is an extreme example of what analysts say is a sprawling campaign of Russian disinformation that seeks to influence European Union politics and sow discord among voters. It’s a problem that European governments are increasingly concerned about, but one they are struggling to produce an effective way to counter...

The EU vowed this year to expand its efforts to defend against false reports, as upcoming elections in France, Germany and the Netherlands raise the stakes on misinformation influencing voters. In November, the European Parliament passed a motion that called on the EU and member states to do more to counter Russian “disinformation and propaganda warfare.” Russian President Vladimir Putin accused the bloc of trying to silence dissenting opinions.

But the European Union views the threat of disinformation as a serious challenge. In January, EU politicians pledged to give more funding for an 11-person task force set up in 2015 called East Stratcom, which aims to address Russian disinformation and highlight its distortions. The task force issues weekly newsletters on disinformation campaigns, makes viral-style explainer videos on how false reports spread and fact checks suspect news stories." 

Lawmakers troubled by cyber-enabled information warfare; FedScoop, March 1, 2017

Chris Bing, FedScoop; Lawmakers troubled by cyber-enabled information warfare

Russia Heats Up Its Infowar With the West; Daily Beast, March 3, 2017

Ilan Berman, Daily Beast; Russia Heats Up Its Infowar With the West

"[Russia's information operations] objective is clear and unequivocal: to obscure objective facts through a veritable “firehose of falsehood,” thereby creating doubt in Western governments, undermining trust in democratic institutions, and garnering greater sympathy for the Russian government (or, at least, greater freedom of action) for its actions abroad.

Last month, in a presentation before the Duma, Russia’s lower house of parliament, Defense Minister Sergei Shoigu formally unveiled the establishment of a new military unit designed to conduct “information operations” against the country’s adversaries. The goal of the new initiative, according to Vladimir Shamanov, head of the Duma’s defense committee, is to “protect the national defense interests and engage in information warfare.”"