Lisa Berry-Tayman, from IDT911 talks about hacking regulation and legislation with CSO in a series of topical discussions with industry leaders and experts.
Hacked Opinions is an ongoing series of Q&As with industry leaders and experts on a number of topics that impact the security community. The first set of discussions focused on disclosure and how pending regulation could impact it. This week CSO is posting the final submissions for the second set of discussions examining security research, security legislation, and the difficult decision of taking researchers to court.
CSO encourages everyone to take part in the Hacked Opinions series. If you have thoughts or suggestions for the third series of Hacked Opinions topics, or want to be included as a participant, feel free to email Steve Ragan directly.
What do you think is the biggest misconception lawmakers have when it comes to cybersecurity?
Lisa Berry-Tayman, Sr. Privacy and Information Governance Advisor, IDT911 Consulting (LBT):
That sharing is the solution. While sharing information related to cybersecurity risks is a crucial early step, this sharing of cyber threat indicators and defensive mechanisms won’t solve the problem. It will allow for detection and defense of cybersecurity risks (maybe). But sharing is a start, not an end. Legislation needs to include proactive—not just reactive—steps.
To put forth proactive steps, we need to learn from our mistakes. We must delve into why the cyber threat happened, to dig deeper at the causes, not just the symptoms. Prevention should be the goal, not sharing.
What advice would you give to lawmakers considering legislation that would impact security research or development?
LBT: Lawmakers need to set standards for basic security and privacy. And, those standards must be enforced. Without standards, companies will continue to ignore this issue, with the consumer paying the cost. Without enforcement, the standards will be ignored.
If you could add one line to existing or pending legislation, with a focus on research, hacking, or other related security topic, what would it be?
LBT: Let’s talk about the Cyber Information Sharing Act (CISA) since this stalled bill may be making a comeback.
CISA, as written, allows for the sharing of personal information along with cyber threat indicators and offers corporations lots of protections for doing so. Fortunately, it seems the amendments to CISA are working towards that goal of limiting the personal information that may be shared along with the more relevant technical data.
If for some reason, a corporation cannot remove personal information from the data set to be shared with the government, lawmakers need to require the cleansing of the information so it cannot be correlated with other information to permit re-identification. Respect the individual’s right to privacy as they did not contemplate this sharing with the government when they gave their personal information to the corporation.
Data sharing activities should be very specific as to the planned use of the information. Demonstrate compliance with those plans. Transparency and respect for individual privacy needs to be a priority in the U.S.
Now, given what you've said, why is this one line so important to you?
LBT: One reason it’s important is because the U.S. was deemed inadequate for privacy protections from the get-go. This view spawned the creation of the self-certifying U.S.-EU Safe Harbor framework. With the discovery of spying by the NSA through Edward Snowden’s actions, the U.S. has recently been deemed unsafe for data by the EU Court of Justice, and the U.S.-EU Safe Harbor that allowed the flow of EU citizen data to the U.S. is no longer valid. This is not only bad for individuals whose privacy may be at risk under the current language, but it’s also detrimental in a broader business sense. Without more rigorous privacy protections, domestic firms may no longer be able to compete for overseas customers due to privacy concerns.
Do you think a company should resort to legal threats or intimidation to prevent a researcher from giving a talk or publishing their work? Why, or why not?
LBT: Researchers should be allowed to disclose their findings. And, companies should protect their intellectual property and proprietary information. That is the issue – where should the disclosure of findings end and intellectual property rights begin. That was the rub in the FireEye case.
So, the answer to this question: It depends (my good lawyer answer.) Coming to a consensus on exactly what to disclose is the best solution.
What types of data (attack data, threat intelligence, etc.) should organizations be sharing with the government? What should the government be sharing with the rest of us?
LBT: The most useful data in the threat intelligence sector is actually impersonal technical information. These data sets—not the personal information that’s so often shared—are the necessary ingredient in identifying potential threat vectors, detecting existing risks and active attacks, and defending against emerging cyber threats.
As for cybersecurity threat indicators and defense mechanisms, share the highlights but specific data should remain private unless circumstances warrant more granular information. The government should provide transparency on how data is being collected, how it is being shared, specifically which agencies received with information and what purpose any shared data will serve. Businesses and individuals alike increasingly want better accounting of where their data is being shared and why.
Moreover, protect shared personal information. The government is obviously not immune to data breaches. Government breach events have been the most damaging. OPM victims are exposed to damages far beyond credit risk and for the rest of their lives. They were “compensated” (or insulted) with the offer of a year of credit monitoring.