Steptoe Cyberlaw Podcast, Episode #25: An Interview with Ralph Langner

This week in NSA: The House passes an NDAA amendment to regulate “secondary” searches of 702 data, and the prize for Dumbest NSA Story of the Month Award goes to Andrea Peterson of the Washington Post for exposing NSA’s shocking use of “Skilz points” to encourage its analysts to use new tools to do their jobs.  And GCHQ defends its view that sending email thru Yahoo and Hotmail is an “external” communication. Good news for LabMD is bad news for the FTC: Darryl Issa raises questions about the FTC’s investigation and asks for an IG investigation.  Maybe the FTC did nothing wrong, but once it’s in the crosshairs that may not matter; the IG is bound to find something to criticize.  Of course, LabMD probably feels exactly the same way. The rest of us just want more popcorn. Privacy campaigners in Europe lose another round against US companies obeying national security orders, an Irish court backs the Irish data protection authority’s decision not to investigate Facebook for cooperating with NSA.  But now the issue is moving to a body where anything can happen, no matter how wacky: the European Court of Justice.  Who are those guys?  Maury Shenk explains. Michael Vatis and the Eighth Circuit give banks a tutorial on how to avoid liability to customers for weak security.  Just keep giving your customers more security choices until they turn one down.  It’s the miracle of choice! I explain why I’ve always been leery of the Senate Intelligence Committee’s information sharing bill: It purports to legalize private-private information sharing that is already legal, and then to impose privacy requirements as the price for legalizing the already legal.  But that risk is much diminished in Chairman Feinstein’s latest draft.  Unamended, it would likely be fine, but it won’t take much amending to turn it into “back door” privacy regulation again. Michael Vatis explains how to beat privacy class actions, building his lesson on the recent deflation of lawsuits against Hulu and Linkedin. And our guest for the week is the man who decoded Stuxnet – and opened our eyes to a whole new realm of warfare -- industrial control system sabotage.  Ralph Langner heads the Langner Group, which specializes in industrial control system security.  He is also a nonresident fellow at the Brookings Institution. Ralph talks about how he unpacked Stuxnet.  I ask whether attacks on commercial industrial control systems could cause mass casualties among civilians.  Ralph is not comforting.  I ask whether all the talk about cyberattacks on water, power, refineries, and factories has at least produced concrete steps to improve their security.  Ralph is not comforting.  I ask about prospects for future improvement.  Ralph is, well, you know the rest.  Really, have a drink before you listen to this one.