Hacked Opinions: The legalities of hacking – Rodney Joffe

Rodney Joffe, from Neustar, talks about hacking regulation and legislation

Hacked Opinions is an ongoing series of Q&As with industry leaders and experts on a number of topics that impact the security community. The first set of discussions focused on disclosure and how pending regulation could impact it. Now, this second set of discussions will examine security research, security legislation, and the difficult decision of taking researchers to court.


CSO encourages everyone to take part in the Hacked Opinions series. If you would like to participate, email Steve Ragan with your answers to the questions presented in this Q&A. The deadline is October 31, 2015. In addition, feel free to suggest topics for future consideration.

What do you think is the biggest misconception lawmakers have when it comes to cybersecurity?

Rodney Joffe, SVP, Neustar (RJ): I have been talking to Senators and Representatives about cyber issues since 2008 and I can tell you that they, like the general public, have a much better understanding of the nature and complexity of the threats we are facing now than they did five, or even two, years ago.

I think some lawmakers now understand the challenges faced by industry when trying to protect against the most advanced, nation-state threats. Unfortunately, some of these attacks are unavoidable because of zero-day vulnerabilities and it is not right to blame the companies, who are truly victims.

There simply is no “silver bullet” piece of legislation that they can pass which will end all of the threats. On the other hand, this doesn’t mean that they should do nothing. Passing legislation that would provide companies with a safe harbor for information sharing, and encouraging all companies, perhaps through tax incentives or some other means, to employ basic cyber hygiene practices, would go a long way to lessening the volume of successful attacks that we have seen recently.

What advice would you give to lawmakers considering legislation that would impact security research or development?

RJ: I would advise them to create more programs to encourage young people to study computer science and engineering at every level of education. In fact, the earlier we start, the better our chances of developing a world-class workforce.

Also, I would encourage them to create and expand work/study partnerships between large local employers and area community colleges. We simply must get more young people into the pipeline to meet tomorrow’s jobs. And, above all, we have to start teaching digital responsibility in grade school. Kids need to understand from the outset what impact their activities in cyberspace can have.

If you could add one line to existing or pending legislation, with a focus on research, hacking, or other related security topic, what would it be?

RJ: I would amend procurement laws, both military and civilian, to place a greater emphasis on security. All too often, the lowest-cost bid wins. We need to be looking for best value with a strong positive weighting for those companies willing and able to provide the highest level of security in their products, services and systems.

Now, given what you've said, why is this one line so important to you?

RJ: After the record number of hacks we have seen in the past year or two, I think it is obvious why I think all levels of government, as well as the private sector, need to focus on security. And, with more and more devices being tied into the Internet every day, the security threat will continue to expand to new industries and areas. As such, there needs to be a core focus on security practices, before any other. If it isn’t secure, we shouldn’t purchase it.

Do you think a company should resort to legal threats or intimidation to prevent a researcher from giving a talk or publishing their work? Why, or why not?

RJ: Most researchers will give a company ample time to fix a vulnerability before disclosing it.

If a researcher is presenting controversial information, most reporters and scholarly journals will seek out all points of view to ensure the topic is being covered impartially. When the disclosure happens, I think it’s appropriate to address the alleged findings and respond in a timely manner to articulate the company’s viewpoint and resolution plans.

What types of data (attack data, threat intelligence, etc.) should organizations be sharing with the government? What should the government be sharing with the rest of us?

RJ: With the proper legal protections in place, I support sharing anonymized threat data with the government and others within the private sector. Keep in mind though that threat data quickly goes “stale” so the sharing arrangements must be automated and real-time. The DIB (Defense Industrial Base) cybersecurity and information assurance program is a good example of a collaborative environment where this occurs, as are the ISACs.
