Hacked Opinions: The legalities of hacking – James Socas

James Socas talks about hacking regulation and legislation

James Socas, from iSheriff, talks about hacking regulation and legislation with CSO in a series of topical discussions with industry leaders and experts.

Hacked Opinions is an ongoing series of Q&As with industry leaders and experts on a number of topics that impact the security community. The first set of discussions focused on disclosure and how pending regulation could impact it. Now, this second set of discussions will examine security research, security legislation, and the difficult decision of taking researchers to court.

CSO encourages everyone to take part in the Hacked Opinions series. If you would like to participate, email Steve Ragan with your answers to the questions presented in this Q&A. The deadline is October 31, 2015. In addition, feel free to suggest topics for future consideration.

What do you think is the biggest misconception lawmakers have when it comes to cybersecurity?

James Socas, Executive Chairman, iSheriff (JS): The biggest misconception lawmakers have about cybersecurity is that U.S. legislation can do anything to solve the problem.

Cybersecurity is an international problem, with much of the damage caused by criminals, who are often operating outside of U.S. borders, or by state-sponsored actors, who could care less about U.S. law. How will legislation in the US address a problem caused by a hacker in the Ukraine that is using servers in China, Malaysia, and South Africa to attack a US company data file that resides in Germany? What laws will be effective?

Who has jurisdiction to enforce the laws? The problem is akin to narcotics trafficking, and will require a coordinated and cooperative international police effort, not legislation. Lawmakers should provide appropriate levels of funding to police efforts as well as to groups like the National Center for Missing and Exploited Children, which is helping fight the proliferation of online child pornography.

What advice would you give to lawmakers considering legislation that would impact security research or development?

JS: Efforts like last year's Cybersecurity Enhancement Act are well intentioned, but given the pace of innovation in security and security threats, a centralized, government-sponsored research effort in cybersecurity may not turn out to be effective. For example, one of the sources of tremendous security innovation today is the Dark Web, shadow networks that use the Internet architecture but are inaccessible to the public; areas like these may be better advanced through funding that encourages smaller, more nimble private sector innovation and defense efforts.

Legislation could be beneficial in encouraging security standards in new areas, specifically in the emerging category of Internet of Things devices and systems, which we are seeing emerge as a new area of focus for bad actors.

If you could add one line to existing or pending legislation, with a focus on research, hacking, or other related security topic, what would it be?

JS: The current law known as the Children's Internet Protection Act (CIPA) has had a positive impact, but has a major flaw. CIPA mandates that many public entities must use web filtering for the safety of children or they will lose e-Rate funding, which provides funding to cover Internet access costs. However, e-Rate funding cannot be used to pay for web filtering solutions or any other security services that are a required component of Internet access.

This makes no sense, particularly with access and security being combined in cloud-based security services. CIPA should be changed to allow e-Rate funding to be spent on those services that are mandated by CIPA.

Now, given what you've said, why is this one line so important to you?

JS: It is just common sense. If we are going to require schools and libraries to put security in place, let's give them the funding mechanisms to pay for it.

Do you think a company should resort to legal threats or intimidation to prevent a researcher from giving a talk or publishing their work? Why, or why not?

JS: Let's take the Jeep hacking story. What would Chrysler have preferred? That researchers publish their results, or that a family is gravely injured or killed by a malicious hacker? Putting aside the moral question, what would do more damage to Chrysler?

We are seeing exponential growth in the amount of malware and cybercrime, and the idea that researchers could disclose something that is not already known - or will not soon be known - by bad actors is out of touch with reality. Companies that have developed products with major security flaws would be far better off working with researchers to find ways to solve the problem quickly instead of trying to avoid bad news.

What types of data (attack data, threat intelligence, etc.) should organizations be sharing with the government? What should the government be sharing with the rest of us?

JS: One of the most important actions the government could take is to require immediate public notification of a breach of unsecured data. This is the case in healthcare, through the HIPAA Breach Notification Rule, and it should be mandated in other industries dealing with sensitive information.

If a major utility is breached, shouldn't customers be immediately notified? Why should a company allow months to go by before the public is notified? We will do a much better job at addressing the scourge of cybercrime when everyone has the same set of facts about what is going on.
