Hacked Opinions: The legalities of hacking – Steve Durbin

The ISF's Steve Durbin talks about hacking regulation and legislation

Steve Durbin, from the Information Security Forum, talks about hacking regulation and legislation with CSO in a series of topical discussions with industry leaders and experts.

Hacked Opinions is an ongoing series of Q&As with industry leaders and experts on a number of topics that impact the security community. The first set of discussions focused on disclosure and how pending regulation could impact it. Now, this second set of discussions will examine security research, security legislation, and the difficult decision of taking researchers to court.


CSO encourages everyone to take part in the Hacked Opinions series. If you would like to participate, email Steve Ragan with your answers to the questions presented in this Q&A. The deadline is October 31, 2015. In addition, feel free to suggest topics for future consideration.

What do you think is the biggest misconception lawmakers have when it comes to cybersecurity?

Steve Durbin, Managing Director, Information Security Forum (SD):

One of the biggest challenges for anyone with cybersecurity is that it is a quickly evolving space where there are multiple points of entry and exit for the information that is shared in an open environment facilitated by a non-regulated infrastructure - the internet.

Lawmakers are at their best when there is precedent, where they have time and where they can manage and regulate in a planned and ordered fashion. Contrast that with cybersecurity and you have a lawmaker's worst nightmare.

What advice would you give to lawmakers considering legislation that would impact security research or development?

SD: Recognize that what has gone before may not be an appropriate model for the future. Collaborate. Communicate. Seek input from industry, from regulators and from experts. Understand that the legislation that is put in place is temporary and will need to be amended regularly to keep pace with the evolving nature of cybersecurity.

If you could add one line to existing or pending legislation, with a focus on research, hacking, or other related security topic, what would it be?

SD: I think the most important thing is for lawmakers to understand that they do not operate in a vacuum. Let's take the recent Safe Harbor issue as an example.

So the European Court of Justice outlaws something that has been in place for 15 years and affects not just many service providers but also individuals without a solution or an alternative. And then we hear from some MEPs that it was a bad law anyway. That to me is irresponsible.

We operate in such an interrelated manner worldwide that we need to consider all aspects of our legal actions before they take place and offer solutions to problems that are potentially created. Now lawmakers will no doubt say that isn't their role, but that reinforces my point about collaboration being needed. Without collaboration, we have uncertainty and uncertainty is not good for business.

Now, given what you've said, why is this one line so important to you?

SD: Cyberspace is a constantly morphing and changing environment. It is unrealistic to expect lawmakers to be able to hand down legislation without significant collaboration and interaction with government, industry leaders and other regulators.

Do you think a company should resort to legal threats or intimidation to prevent a researcher from giving a talk or publishing their work? Why, or why not?

SD: No, absolutely not.

I do not believe that legal threats or intimidation are ever justified in this regard. I prefer persuasion and a healthy and open debate. The last thing we want to do is to push these kinds of research underground; we want a free flow of the latest, brightest research and thinking that may be used to improve products and approaches to tackling the challenges of operating in cyberspace.

Some might think that a naïve approach, but the reality is that we live in a world where it is easier to exchange ideas than to prevent them seeing the light of day. We have generations that are growing up as true digital natives for whom collaboration and sharing is the de facto approach.

Given all the challenges of cyberspace and cybersecurity, it is unrealistic in the extreme to imagine that we can somehow prevent researchers expressing themselves. Rather, we should make it easier for them to do so, so that we may all benefit - and if the research highlights product vulnerabilities, then fix those vulnerabilities!

What types of data (attack data, threat intelligence, etc.) should organizations be sharing with the government? What should the government be sharing with the rest of us?

SD: The two-way flow of information between the private and public sectors, government agencies and industry is essential if we are to get close to combating the challenges that cybercrime and nation-state espionage present to all of us as we operate in cyberspace.

Whilst it is unrealistic to expect issues of national security to be shared openly, there is significant scope for us to share threat intelligence, attack data and defensive approaches. We do not see enough of this, although we are making progress in this area, particularly in Europe and the UK specifically.
