This is Stewart Baker's Typepad Profile.
Stewart Baker
Former government official now practicing law
Recent Activity
Richard Bejtlich is our guest for episode 59 of the Cyberlaw Podcast. Richard is the Chief Security Strategist at FireEye, an adviser to Threat Stack, Sqrrl, and Critical Stack, and a fellow at Brookings. We explore the significance of China’s recently publicized acknowledgment that it has a cyberwar strategy, FireEye’s disclosure of a gang using hacking to support insider trading, and NSA director Rogers’s recent statement that the US may need to use its offensive cyber capabilities in ways that will deter cyberattacks. In the news roundup, class action defense litigator Jennifer Quinn-Barabanov explains why major automakers are facing cybersecurity lawsuits now, before car-hacking has caused any identifiable damage. I explain how to keep your aging car and swap out its twelve-year-old car radio for a cool new Bluetooth enabled sound system. Michael Vatis disassembles the “$10 million” Target settlement and casts doubt on how much victims will recover. Michael also covers the approval by a Judicial Conference advisory committee of a rule allowing warrants to extend past judicial district lines, explaining why it may not be such a big deal. Maury Shenk, former head of Steptoe’s London...
Posted 6 days ago at Skating on Stilts
Cyberspies can’t count on anonymity any more. The United States (and the private security firm Mandiant) stripped a PLA espionage unit of its cover two years ago with a detailed description of the unit’s individual hackers; that report was followed by federal indictments of members of the unit that described them and their activities in great detail. More recently, the President outed North Korea for the attack on Sony. And as if to underscore the growing confidence of the intelligence community in its attribution capabilities, the Director of National Intelligence almost casually tagged Iran for a destructive cyberattack on Sheldon Adelson’s Las Vegas Sands gambling empire. That’s good news, but it’s only a first step. To make a real difference, attribution has to yield more than talk. Unfortunately, neither the companies victimized by network intrusions nor their governments have yet found ways to turn attribution into deterrence. No one expects to see members of the PLA in federal court any time soon. The administration’s public sanctions on North Korea were barely pinpricks. And Iran could be forgiven for concluding that its cyberattacks were rewarded by concessions in the nuclear enrichment negotiations. But that’s not the last word. I attended a recent...
Posted Mar 19, 2015 at Skating on Stilts
In episode 58 of the Cyberlaw Podcast, our guest is Andy Ozment, who heads the DHS cybersecurity unit charged with helping improve cybersecurity in the private sector and the civilian agencies of the federal government. We ask how his agency's responsibilities differ from NSA's and FBI's, quote a scriptural invocation of desert jackals to question his pronunciation of ISAO, dig into the question whether sharing countermeasures is a prelude to cybervigilantism, and address the crucial question of how lawyers should organize cybersecurity information sharing organizations (hint: the fewer lawyers and the more clients the better). In the news roundup, we revisit the cybersecurity implications of net neutrality, and Stephanie Roy finds evidence that leads me to conclude that the FCC has stolen the FTC's playbook (and, for all we know, deflated the FTC's football). This ought to at least help AT&T in its fight with the FTC over throttling, but that's no sure bet. I explain why Hillary Clinton's email server was a security disaster for the first two months of her tenure – and engage in utterly unsupported speculation that she closed the biggest security gap in March 2009 because someone in the intelligence community caught foreign governments reading...
Posted Mar 18, 2015 at Skating on Stilts
This episode of the podcast features Rep. Mike Rogers, former chairman of the House intelligence committee, Doug Kantor, our expert on all things cyber in Congress, and Maury Shenk, calling in from London. Mike Rogers is now a nationally-syndicated radio host on Westwood One, a CNN national security commentator, and an adviser to Trident Capital’s new cybersecurity fund. The former chairman addresses a host of issues -- gaps in CFIUS, the future of the President’s new cyber threat integration center, the risk of rogue state cyberattacks on US infrastructure – as well as the issues we cover in the news roundup. These include Maury’s take on China’s toughening policy toward US technology, the prospects for a workable bill renewing section 215 (the ex-chairman is not as sanguine as Doug Kantor and I) and the administration’s new privacy bill. (Our take: the bill is ideal for the Twitter age, since you still have 137 characters left after typing “DOA”.) Maury updates us on the latest reason for delay in adoption of a new European data protection regulation. Doug Kantor and Mike Rogers consider the prospects for an information sharing bill and comment on privacy groups’ goalpost-moving style of congressional negotiation. And,...
Posted Mar 11, 2015 at Skating on Stilts
Our guest for Episode 56 of the Cyberlaw Podcast is Siobhan Gorman, who broke many of the top cybersecurity stories for the Wall Street Journal until she left late last year to join the Brunswick Group, which does crisis communications for private companies. Siobhan comments on the flood of attribution stories in recent days, including the US government’s almost casual attribution of the Sands Las Vegas cyberattack to Iran and the leaked attribution of the Saudi Aramco and US bank attacks to the same nation. She also compares private sector cybercrisis planning to the US government’s coordination (or lack thereof) in responding to the Sony attack. In other news, Stephanie Roy and I take a deep and slightly off-center dive into the FCC’s net neutrality ruling. I predict that within five years the FCC will have used its new Title II authority to impose cybersecurity requirements on US ISPs. (And in ten years, I suspect, there will be a debate in the FCC over whether to throttle or disfavor communications services that don’t cooperate with the FBI’s effort to deny perfectly encrypted security to criminals.) Stephanie demurs. Michael Vatis and I chew over China’s...
Posted Mar 3, 2015 at Skating on Stilts
In Episode 55 of the Cyberlaw Podcast, we revive This Week in NSA to explore the claim that GCHQ stole mass quantities of cell phone encryption keys. Meanwhile, Jason explains the complex political battles over Rule 41, Michael explains why so many companies have rallied to Twitter’s first amendment claim against the Justice Department, and both of them explain how Yahoo! managed to beat the government’s indefinite gag order – and why Yahoo! might even be right. After which we melt down into the bottomless hot mess of liability and litigation that surrounds the Lenovo/Superfish/Komodia/Lavasoft flap. Our interview is with the charming and feisty CEO of the Center for Democracy and Technology, Nuala O’Connor. Nuala and I square off over end-to-end encryption, privacy, and section 215, while managing to find common ground on TLS and even child-rearing. As always, send your questions and suggestions for interview candidates or leave a message at +1 202 862 5785. Download the fifty-fifth episode (mp3). Subscribe to the Cyberlaw Podcast here. We are also now on iTunes and Pocket Casts!
Posted Feb 25, 2015 at Skating on Stilts
Episode 54 of the Cyberlaw Podcast features a guest appearance by Lawfare’s own Ben Wittes, discussing cybersecurity in the context of his forthcoming book, The Future of Violence, authored by Ben and Gabriella Blum. (The future of violence, you won’t be surprised to hear, looks bright.) Ben also floats the idea of taping an episode of all the Lawfare-affiliated podcasts in a bar with some of our listeners. More on that idea to come. In the news roundup, I cover the President’s surprisingly news-light cybersecurity summit in Silicon Valley. Jason comments on state attorneys general’s predictable sniping at Anthem for delays in identifying all the potential victims of its hack. I note with satisfaction a serious loss by EFF in the Jewel lawsuit over the US government’s access to AT&T traffic. And Jason lays out a report by the New York State Department of Financial Services on insurance company cybersecurity. We both express concern about two Kaspersky security reports that identify new hacking tactics and new dangers for computer networks. The patient infiltration of large bank networks and the extraction of hundreds of millions of dollars casts doubt on the safety of banking systems around the world. Equally troubling is the...
Posted Feb 20, 2015 at Skating on Stilts
In this week’s episode, our guest is Rebecca Richards, NSA’s director of privacy and civil liberties. We ask the tough questions: Is her title an elaborate hoax or is she the busiest woman on the planet? How long will it be before privacy groups blame the Seattle Seahawks’ loss on NSA’s policy of intercepting everything? How do you tell an extroverted NSA engineer from an introvert? And, more seriously, now that acting within the law isn’t apparently enough, how can an intelligence agency assure Americans that it shares their values without exposing all its capabilities? In the week’s news, Jason Weinstein, Michael Vatis and I explore the DEA’s license plate collection program and what it means, among other things, for future Supreme Court jurisprudence on location and the fourth amendment. We take on the WikiLeaks-Google flap and conclude that there’s less there than meets the eye. Jason celebrates a festival of FTC news. The staff report on the Internet of Things provokes a commissioner to dissent from feel-good privacy bromides. The FTC data security scalp count grows to 53, with more on the way. We discover that the FTC has aspirations to become the Federal Telecommunications Commission, regulating telecommunications throttling...
Posted Feb 3, 2015 at Skating on Stilts
My latest venture in podcasting features a debate on attributing cyberattacks. Two guests, Thomas Rid and Jeffrey Carr, disagree sharply about how and how well recent cyberattacks can be attributed. Thomas Rid is a Professor of Security Studies at King’s College London and the author of Cyber War Will Not Take Place as well as a recent paper on how attribution should be done. Jeffrey Carr, the founder and CEO of Taia Global, remains profoundly skeptical about the accuracy of most attribution efforts in recent years. I question both of them, relying heavily on questions supplied by attribution aficionados via Twitter. Among the questions we dig into: Why is cyber attribution so controversial? Is it a hangover from the Iraq war? Snowdenista hostility to the US government? Or the publicity to be gained from challenging official attributions? Is the use of secret attribution evidence inherently questionable or an essential tool for ensuring successful attribution? I also call out the security experts who heaped scorn on the FBI for its initial fingering of North Korea as the source of the Sony attack. Which of them recanted as the evidence mounted, and which ones doubled down? Details in the podcast. In...
Posted Jan 27, 2015 at Skating on Stilts
I occasionally report here on interviews that I’ve been doing for the Steptoe Cyberlaw Podcast. This week’s guest is David Sanger, the New York Times reporter who broke the detailed story of Stuxnet in his book, Confront and Conceal: Obama's Secret Wars and Surprising Use of American Power. His appearance on the podcast is particularly timely because it allowed David to talk about his latest story for the Times. The story recounts how North Korea developed its cyberattack network, and how the National Security Agency managed to compromise that network and attribute the Sony attack. He explains that understanding the Obama White House helped him break a story that seemed to be about NSA and the FBI. I explain why I think North Korean hackers resemble East German Olympic swimmers, and we meditate on the future of cyberwar. For those who like such things, Michael Vatis and I also cover a news-rich week, beginning with capsule summaries of the President’s State of the Union proposals for legislation on cybersecurity information sharing, breach notification, and Computer Fraud and Abuse Act amendments. We touch on Europe’s new commitment to antiterrorism surveillance, which officially puts a still-Snowden-ridden United States out of step with...
Posted Jan 21, 2015 at Skating on Stilts
I've got a short op-ed about returning American jihadis in the Room for Debate section of today's New York Times site. Here's what it says: Americans returning home from a foreign jihad pose a very real danger to this country, now and for years to come, as the Charlie Hebdo attacks reveal. One of the attackers, Cherif Kouachi, had been caught and convicted of trying to join the war in Iraq, and his brother may have trained with Al Qaeda in Yemen. Despite these warning signs, French authorities lacked the resources to keep watching the brothers. Our law is even less suited to the threat than France's. We have not made it a federal crime for Americans to join the fight against a U.S. ally. And, like the French, we cannot afford to put 24-hour tails on every returnee. We could afford to conduct electronic surveillance of the returnees, but that would require specific evidence of a new plot here at home. And new plots, the Kouachis showed, are often easy to hide from the authorities. Until we can distinguish the reformed from the continuing threats, the penalty for this new crime should at a minimum include years of probation...
Posted Jan 13, 2015 at Skating on Stilts
Government policymakers have been hoping for twenty years that companies will be driven to good cybersecurity by the threat of tort liability. That hope is understandable. Tort liability would allow government to get the benefit of regulating cybersecurity without taking heat for imposing restrictions directly on the digital economy. Those who see tort law as a cybersecurity savior are now getting their day in court. Literally. Mandatory data breach notices have led, inevitably, to data breach class actions. And the class actions have led to settlements. And those freely negotiated deals set what might be called a market price for data breach liability, a price that can be used to decide how much money a company ought to spend on security. So, how much incentive for better security comes from the threat of data breach liability? Some, but not much. As I've been saying for a while, the actual damages from data breaches are pretty modest in dollar terms, and the pattern of losses makes it very hard to sustain a single class, something that forces up the cost of litigation for the plaintiffs. You can see this pattern in recent data breach settlements. I put this chart together for...
Posted Jan 11, 2015 at Skating on Stilts
Maybe so. Compare this study: A recent study conducted at the Norwegian University of Science and Technology has revealed that being born during a period of heightened solar activity can shorten our lifespan by over five years. With this one: The plot below ... shows the size of the biggest individual spots in each year between 1900 and 2000. Notable spots include the Great Sunspot of 1947, which was three times larger than [a 1991 sunstorm].
Posted Jan 11, 2015 at Skating on Stilts
From an op-ed for the New York Daily News: there are widespread reports that North Korea launches its cyberattacks from the luxurious Chilbosan Hotel in Shenyang, China. Perhaps a previously unknown cyberarmy should simply take down the hotel's power and telephone service and threaten worse. There's a risk that such tactics would lead to conflict between the U.S. and China, but China can avoid that by closing the haven it has provided for attacks on America. These are not easy options to contemplate. But flinching from such conflicts will lead to escalation of another kind, as every tin-pot dictator in the world discovers that Americans can be intimidated on the cheap. Like it or not, history is calling.
Posted Dec 20, 2014 at Skating on Stilts
From my op-ed in the Hollywood Reporter: North Korea is one of two countries that have pioneered the use of hacking not for spying but for punishment. The North's attack on South Korean banks was aimed at destroying data, not just stealing it. In addition, Iran is suspected of using malware to destroy Saudi oil industry computers and of using botnets to bring down the websites of American banks. To be blunt, these two countries are testing how far they can go in harming U.S. companies without provoking American retaliation. If the attack on Sony is connected to them and goes unanswered, companies and groups whose speech offends these countries — and, soon, Russia and China — will face the same treatment. It's a serious dilemma for the Obama administration, which is still largely paralyzed by lawyers and diplomats arguing that the U.S. cannot act against these regimes' cyberattacks, either because we don't have proof beyond a reasonable doubt or because a counterattack would be "asymmetric" — a fancy way of saying North Korea can get along without computers a lot better than we can. Even so, we can't shrug off the Sony attack. Once the evidence is collected and...
Posted Dec 11, 2014 at Skating on Stilts
I’ve spent the last couple of days meditating on the mistakes that web journalists make, and how those mistakes differ from mainstream media's errors. The reason for the meditation is a weirdly escalating cycle of misquotation that I experienced last week. In general, I don't obsess about the mistakes that journalists make when I talk to them. If you get quoted a lot, you can expect to be misquoted a lot too, and it's best to let it go. Reporters are in a hurry; or their editors lack context; mistakes happen. Complaining feels a little whiny, and in any event, readers are likely to forget the story before a correction hits the wires. But I was struck by the way this particular misquotation bounced around the web, acquiring authority by repetition without ever being verified, and I suspect it tells us something troubling about where the press is going, even for those of us who celebrate the breaking of mainstream media's narrative monopoly. First, the background. I'm a skeptic about the Silicon Valley movement to increase the use of communications encryption that even the supplier can't undo. I think it's bad policy, and not particularly good business, for reasons I...
Posted Nov 9, 2014 at Skating on Stilts
The chill in the air reminds me that it’s time to open the floor to nominations for the annual awards for Dubious Achievements in Privacy Law -- the Privies for short. The prizes are an opportunity to consider why privacy laws, always enacted amid proclamations of the best motives, nonetheless turn out so badly so often. Last year we nominated candidates in three categories:
Privacy Hypocrite of the Year
Worst Use of Privacy Law to Protect Power and Privilege
Dumbest Privacy Case of the Year
You can read all the nominations for 2014 here. The winners, chosen by privacy professionals and the public, can be found here. To start things out, it’s hard to find a better candidate for Dumbest Privacy Case of the Year than the recent decision by a Quebec judge, Alain Breault, who awarded a woman $2250 for a Google Street View photo of her sitting on her front stoop in a skimpy top. Maria Grillo claimed to have suffered shock and embarrassment when she saw just how much cleavage Google had caught on camera. Embarrassing? Maybe. Worth $2250? You be the judge. The before and after clips from Google Street View are from the Journal de...
Posted Nov 2, 2014 at Skating on Stilts
Episode 40 of the Steptoe Cyberlaw Podcast is done. Our guest this week is Bob Litt, the General Counsel of the Office of the Director of National Intelligence. Bob has had a distinguished career in government, from his clerkship with Justice Stewart, his time as a prosecutor in the Southern District of New York and at Main Justice, and more than five years in the ODNI job. This week in NSA: The latest fad in news coverage of the agency is a hunt for possible conflicts of interest in its leadership. And it’s having an effect. Two high-ranking NSA seniors, the CTO and the head of signals intelligence, have recently left positions that drew scrutiny for getting too close to private industry. I ask him whether we should be pleased or worried about the trend toward individual converts to Islam carrying out random attacks with whatever weapon comes to hand. Prudently, he refuses to be drawn into my comparison of Islamists to the Manson Family. We debate whether the USA Freedom Act has a chance of passage in the lame duck Congress – and whether it should, focusing among other things on how the act’s FISA civil liberties advocates would...
Posted Oct 28, 2014 at Skating on Stilts
As I mentioned, I have been doing a weekly podcast on security, privacy, government and law with a couple of my partners, Michael Vatis and Jason Weinstein. This week, in episode 39, our guest is Tom Finan, Senior Cybersecurity Strategist and Counsel at DHS’s National Protection and Programs Directorate (NPPD), where he is currently working on policy issues related to cybersecurity insurance and cybersecurity legislation. Marc Frey asks him why DHS, specifically NPPD, is interested in cybersecurity insurance, what trends they are seeing in this space for carriers and other stakeholders, and what is next for their role in this space. He is forthcoming in his responses and even asks listeners to email him with their feedback. This week in NSA: The House and Senate Judiciary chairs call for action on USA Freedom Act. And nobody cares. We conclude that the likelihood of action before the election is zero, and the likelihood of action in a lame duck is close to zero. But next week we’ll be interviewing Bob Litt, one of the prime negotiators for the intelligence community on this issue, and he may have a different view. The Great Cable Unbundling seems finally upon us, as several content...
Posted Oct 23, 2014 at Skating on Stilts
I've spent much of this year doing a weekly podcast on security, privacy, government and law with a couple of my partners, Michael Vatis and Jason Weinstein. (The RSS feed is here.) I thought readers of this blog might like a taste of the podcast, which has attracted a substantial audience in Washington. This week, in episode 38, our guest is Shaun Waterman, editor of POLITICO Pro Cybersecurity. Shaun is an award-winning journalist who has worked for the BBC and United Press International; and an expert on counterterrorism and cybersecurity. We begin as usual with the week’s NSA news. NSA has released its second privacy transparency report. We’ve invited Becky Richards, NSA’s privacy and civil liberties watchdog, on the program to talk about it, so I’m using this post to lobby her to become a guest soon: Come on in, Becky, it’s a new day at the NSA! Laura Poitras’s new film about Snowden gets a quick review. We question the hyped claim that there’s a “second leaker” at NSA; most of the leaked information described in the film was already pretty widely known. Two more post-Snowden pieces of litigation are also in the news. We dig into the Justice...
Posted Oct 15, 2014 at Skating on Stilts
Jonathan, It's true that the IT department should still have access to the contents of emails that go through the corporate email server, in the absence of end-to-end encryption. But an employee doesn't have to use the corporate email server to do business. He can send text messages, or he can use third-party messaging or emailing apps. The company probably can't get access to the contents of those messages without access to the phone. If an employee wants to use texts on an iPhone to do business with customers, then Apple or the employee needs to provide access to those texts. That's just one example. I suspect there are more, because letting an encrypted email hook to the network in any way makes it more likely that the phone will be used in ways the company doesn't like. Stewart
The New York Times asked me to comment on Apple's encryption policy on its Room for Debate page, where op-eds are half the normal size. Here's the link and here's what I said: Apple is a lot like a teenager getting Edward Snowden's name tattooed up her arm. The excitement will die, but the regrets will last. For all of us. Most Americans believe in privacy from government searches, but not for criminals. The Constitution protects a citizen's “houses, papers and effects” only until a judge finds probable cause that the citizen has committed a crime. This year, the Supreme Court ruled that the police need a warrant to search cellphones seized at the time of arrest. But with Apple's new encryption, probable cause and a warrant will be of little help to the police who seize a suspect’s iPhone and want to search it. That decision should not be left to Apple alone. And it won't be. Companies do not want to give their employees the power to roam corporate networks in secrecy. And even if they did, their regulators wouldn't let them. If Apple wants to sell iPhones for business use, it will have to give companies a...
Posted Sep 30, 2014 at Skating on Stilts
If you think Edward Snowden and Glenn Greenwald have stopped attacking NSA, you haven't been following them closely enough. While American media have largely lost interest in Snowden and Greenwald, the pair continue to campaign outside the United States against the intelligence agency. Their most ambitious effort was in New Zealand, a member of the “Five Eyes” intelligence alliance with the U.S. and U.K. The center-right New Zealand government has been embroiled in accusations of illegal surveillance of Kim Dotcom, who grew wealthy running a file-sharing site and is now fighting extradition to the United States for copyright violations. As part of that fight, Dotcom dove into New Zealand's national elections, hoping to unseat the two-term government and, in his words, "to close one of the Five Eyes." Snowden and Greenwald dove in with him, joining eagerly in campaign events sponsored by Dotcom. Greenwald used his new Omidyar-funded news site to release a lengthy article in the last week of the campaign; it accused New Zealand of working with NSA to conduct mass surveillance. When the prime minister denied the accusation, Snowden called him a liar. The combination of carefully timed Snowden leaks and Dotcom's millions looked potent. Dotcom even...
Posted Sep 20, 2014 at Skating on Stilts
I've done a bit more online experimentation with Google's “famous or not” algorithm, first described here. Unfortunately, one of the risks of experimentation is that it may raise more questions than it answers. That's what happened to me. So I'll simply report the results. In short, the use of quotations in name searches seems to have an effect on when Google displays the warning tag that it uses for non-famous people. Here are the results so far for several different searches on my name (quotation marks are part of the search). Remember that Google inserts the tag, warning that some entries may have been deleted due to EU data protection law, when it concludes that someone is not famous:
stewart baker = no tag (i.e., Google-famous)
stewart a. baker = no tag (i.e., Google-famous)
“stewart a. baker” = no tag (i.e., Google-famous)
“stewart baker” = tag (i.e., not Google-famous)
stewart baker steptoe = no tag (i.e., Google-famous)
stewart baker nsa = no tag (i.e., Google-famous)
“stewart baker” nsa = tag (i.e., not Google-famous)
Just to see how Google treats a genuinely famous person, I tried Robyn Rihanna Fenty (aka Rihanna):
robyn fenty = no tag (i.e., Google-famous)
robyn rihanna fenty...
Posted Sep 9, 2014 at Skating on Stilts
Three months ago, I tried hacking Google's implementation of Europe's “right to be forgotten.” For those of you who haven't followed recent developments in censorship, the right to be forgotten is a European requirement that “irrelevant or outdated” information be excluded from searches about individuals. The doctrine extends even to true information that remains on the internet. And it is enforced by the search engines themselves, operating under a threat of heavy liability. That makes the rules particularly hard to determine, since they're buried in private companies' decisionmaking processes. So to find out how this censorship regime works in practice, I sent several takedown requests to Google's British search engine, (Europe has not yet demanded compliance from US search engines, like, but there are persistent signs that it wants to.) I've now received three answers from Google, all denying my requests. Here's what I learned. The first question was whether Google would rule on my requests at all. I didn't hide that I was an American. Google's “right to be forgotten” request form requires that you provide ID, and I used my US driver's license. Would Google honor a takedown request made by a person who wasn't a...
Posted Sep 8, 2014 at Skating on Stilts