Maury Shenk, TMT Advisor, Steptoe & Johnson

Stephen Northcutt - January 31st, 2010

Maury Shenk, TMT Advisor at Steptoe & Johnson, working with a focus on intellectual property, information security and encryption issues, has agreed to be interviewed for the Security Thought Leadership project. Maury has also recently embarked on a consultancy business to build on new approaches for realizing value in technology and intellectual property. We certainly thank Maury for his time.

Maury, can you please give us the basic background information, do you have a short bio we can post?

Maury attended Harvard and Stanford Universities and earned his J.D. degree in 1992, then joined Steptoe & Johnson in Washington, DC and now London, fulfilling a number of positions, including London Managing Partner from 2002-2006 and currently TMT Advisor. Maury is a dual-qualified US/UK lawyer, with practice focusing on international aspects of technology and telecommunications. He has extensive experience on information security, data protection and encryption issues, as well as technology transactions, regulation and disputes. He also has broad general experience with international legal issues, including export/import, trade sanctions, anti-corruption and anti-money laundering, and trade negotiations and disputes.

Maury is also a founder and managing director of Lily Innovation Advisors, a consultancy assisting companies and investors to realize value from technology and intellectual property through innovative transactions and strategies.

Thanks, Maury. And, if readers want to learn more about your work, are there URLs of papers or presentations you have written that are available on the web?

Maury Shenk, Informationology: A New Framework for Understanding the Roles of Digital Information, Privacy & Data Security Law Journal (Oct. 2009), also available on Social Science Research Network at

Maury Shenk, Social Networking: Security Risks in the Business Environment, Infosecurity Europe podcast,

Maury Shenk, Information security: Who can you trust?, Computer Weekly (24 April 2007, p 28), also available at

And, still in the vein of sharing knowledge, tell us where we can find some papers on the Internet that you consider a "must read":

Jonathan Zittrain, The Future of the Internet: And How to Stop It (2008),

The SecDev Group & Munk Centre for International Studies, “Tracking GhostNet: Investigating a Cyber Espionage Network” (Mar. 2009),

U.S. Government Accountability Office, “Cybersecurity: Continued Efforts Are Needed to Protect Information Systems from Evolving Threats” (Nov. 2009),

Now let's hear about you, how did you become interested in the field of information security?

In 1999, as a senior associate at global law firm Steptoe & Johnson, I was asked to take over management of our leading encryption export controls practice. I took it upon myself to really learn the technical details of encryption technology, rather than just the relevant law. Over time, I branched out into other areas of information security and privacy law and technology.

It seems to me that the law is racing to catch up with technology, especially in the areas of encryption, unified communications and, of course, the cloud. What do you predict the end game will be? How will the legal system adjust its process to move faster and embrace technology?

There is no “end game” – change is constant. It is nothing new for the law to need to adapt to huge change. Think about the discovery of the New World or the Industrial Revolution. The attractive version of what happens in such cases is that courts and legislators gradually adapt existing legal rules to the new reality, while maintaining enough flexibility to deal with difficult cases. So the legal system does not need to move as fast as technology. But there are a couple of qualifications. First, unfamiliar facts do reduce legal predictability (which is essential to effective functioning of the economy) and inevitably lead to some bad decisions. Second, massive change does usually require at least a few fundamental changes in the law. The biggest area where I see legal change being required to address technological change is the law of privacy and data protection. But other areas like intellectual property law and communications law are requiring some major changes too.

Have you worked on security products before the product you are working on today? If so, please list them and describe the highlights of some of these products.

I have advised on export control and other legal issues associated with hundreds of software and hardware products incorporating encryption-based information security features over the past 10 years. The list of the products on which I have worked is confidential, but these involve a very wide range of products for both core information security applications and wider applications (including in sectors like financial services, oil & gas and biomedical).

OK, we will not ask for specific products but what are the two biggest "gotchas" when it comes to software and hardware products involving encryption? What are the mistakes you just do not want to make?

The biggest liability risk is promising more security than you can deliver – a fairly obvious point. The way to avoid this risk is to think carefully about what your product can deliver, and to work with a good lawyer to make sure your terms of service or sale make this legally clear.

The biggest regulatory risk that I see is a bit more complicated. Many or most encryption products these days use widely-available or open source libraries to provide encryption functionality, and such libraries are typically available and legally exportable on a fairly global basis. But this does not mean that products using such libraries are free from export controls. We see a lot of companies that create a regulatory problem for themselves by missing this point. The most common case is browser-based applications that use the native encryption functionality provided by all major browsers, but that can face much stricter export controls than the browsers themselves. This often is discovered in the mergers and acquisitions context, where sophisticated buyers often discover that less sophisticated target companies have encryption regulation compliance problems – this can complicate and delay some acquisitions.

What product are you working on today? What are some of its unique characteristics? What differentiates it from the competition?

In the traditional sense of “product”, through Golden Orb Networks, in which I am an investor and non-executive director, I am working on patent pending “half-circuit” encryption technology / applications. This involves communications that use a secure protocol on the half-circuit from one endpoint to a central server, with the other half-circuit optionally using the same protocol, a different protocol, or cleartext (on either a secure or insecure line).

In a broader sense of “product”, I am helping the SANS Institute build its legal curriculum in Europe. We have been discussing a new course tentatively called “Legal Issues for Information Security Professionals”.

I also work on a wide variety of other projects in the technology sector, both legal and non-legal.

Fascinating. I recently did an interview with Paul Henry about the lack of awareness of security when it comes to VoIP, and now Voice over Private Internet as well. Do you think Golden Orb will be able to enter the commercial marketplace? I think they primarily focus on law enforcement in the UK now. Where do you think they will be two years from now?

We are rolling out a commercial product now. The vision for the product is that we can become an “encryption agnostic” provider who can link together users of the various different end-to-end encryption solutions now appearing on the market, and also link those users with those who use current mass-market (and usually unencrypted) wireless and wireline services. This vision could be realised to a reasonable extent within two years, if things go right for us.

And, looking forward, what do you think the security products in your space will look like in two years, what will they be able to do?

There will be a continued increase in voice encryption products for commercial applications, including because of concerns over native GSM and later generation wireless encryption. Existing end-to-end solutions will achieve wider market penetration. The average user of the Internet will become a lot more familiar with encryption, both for confidentiality and authentication. This is already happening.

Please share your impression of the defensive information community. Are we making progress against the bad guys or are we losing ground?

We are losing ground. Significant changes to the basic protocols of the Internet and to the law (e.g. restrictions on anonymity) are likely to be required to provide an acceptable degree of information security in the future.

Can we get more specific? If you were making a change to a protocol on the Internet, which one would you start with and what would you change?

I would start with email protocols – SMTP, and related protocols like POP and IMAP. We need to make the average Internet user less vulnerable to phishing, including by making it more difficult to spoof email addresses and by supporting simple, robust authentication.

Would you be willing to share your thoughts concerning the most dangerous threats we will be facing in the next year to eighteen months?

I see the two most dangerous threats as (1) highly-targeted social engineering attacks using information from social networks and similar sources and (2) increasingly rapidly mutating malware that continues to overwhelm the capabilities of both list-based and heuristic-based anti-malware applications.

I hear this concern about even more dangerous malware a lot. In the United States there are legal protections for malware authors, there are legal rootkits. By that I mean the software is legal and has copyright and trademark protection, although the use of it may not be legal, an example is divorceware. In the United Kingdom, if you author malware, do you have Intellectual Property rights for your invention?

Sure, a malware author could certainly assert UK copyright and trademark protection, and maybe even patent protection in certain cases (although that would be easier in the United States). But I don’t find this too worrisome, because it seems to me that the situations in which malware authors could enforce their IP rights would be fairly limited.

What is your biggest source of frustration as a member of the defensive information community?

I am not frustrated. In challenges lies opportunity.

Okay, I will rephrase the question; what do you see as an example of the defensive information community having our hands tied behind our backs?

Moore’s law works against us. Rapid increases in processing power and bandwidth favor the attackers more than the defenders, because the bad guys only need to find one vulnerability while we need to defend everything. I don’t see any obvious way to solve this problem given current network and system architectures.

We like to give our interview guests a bully pulpit, a chance to share what is on their mind, what makes their heart burn, even if it is totally unrelated to the rest of the interview. Please share the core message you want people to know.

10-15 years ago many thought that fundamentally new law would be needed for the evolving Internet and information society, although I personally never really bought into this point of view. Then most of us changed our minds – since about 5-10 years ago the consensus has been that existing law can mostly be adapted to the needs of the information society. But recent changes in the online environment (primarily related to social applications and security challenges) now suggest that major changes are needed in core areas of law, including privacy / anonymity and liability / responsibility associated with information security threats. I am now convinced that legal change is needed to reduce online crime, espionage and fraud and ensure confidence in the Internet.

Can you tell us something about yourself, what do you do when you are not in front of a computer?

I am an avid sailor, both competitive (racing my Laser on the Thames) and recreational (bigger boats in warm places). I also founded my own business, Lily Innovation Advisors, early this year, which has given me a job I would describe as “a portfolio of technology-related business that Maury finds interesting”.