Hacked Opinions: The legalities of hacking – Lisa Berry-Tayman

Lisa Berry-Tayman talks about hacking regulation and legislation

Lisa Berry-Tayman, from IDT911, talks about hacking regulation and legislation with CSO in a series of topical discussions with industry leaders and experts.

Hacked Opinions is an ongoing series of Q&As with industry leaders and experts on a number of topics that impact the security community. The first set of discussions focused on disclosure and how pending regulation could impact it. This week CSO is posting the final submissions for the second set of discussions examining security research, security legislation, and the difficult decision of taking researchers to court.

CSO encourages everyone to take part in the Hacked Opinions series. If you have thoughts or suggestions for the third series of Hacked Opinions topics, or want to be included as a participant, feel free to email Steve Ragan directly.

What do you think is the biggest misconception lawmakers have when it comes to cybersecurity?

Lisa Berry-Tayman, Sr. Privacy and Information Governance Advisor, IDT911 Consulting (LBT):

That sharing is the solution. While sharing information related to cybersecurity risks is a crucial early step, this sharing of cyber threat indicators and defensive mechanisms won’t solve the problem. It will allow for detection and defense of cybersecurity risks (maybe). But sharing is a start, not an end. Legislation needs to include proactive—not just reactive—steps.

To put forth proactive steps, we need to learn from our mistakes. We must delve into why the cyber threat happened, to dig deeper at the causes, not just the symptoms. Prevention should be the goal, not sharing.

What advice would you give to lawmakers considering legislation that would impact security research or development?

LBT: Lawmakers need to set standards for basic security and privacy. And, those standards must be enforced. Without standards, companies will continue to ignore this issue, with the consumer paying the cost. Without enforcement, the standards will be ignored.

If you could add one line to existing or pending legislation, with a focus on research, hacking, or other related security topic, what would it be?

LBT: Let’s talk about the Cyber Information Sharing Act (CISA) since this stalled bill may be making a comeback.

CISA, as written, allows for the sharing of personal information along with cyber threat indicators and offers corporations lots of protections for doing so. Fortunately, it seems the amendments to CISA are working towards that goal of limiting the personal information that may be shared along with the more relevant technical data.

If for some reason, a corporation cannot remove personal information from the data set to be shared with the government, lawmakers need to require the cleansing of the information so it cannot be correlated with other information to permit re-identification. Respect the individual’s right to privacy as they did not contemplate this sharing with the government when they gave their personal information to the corporation.

Data sharing activities should be very specific as to the planned use of the information. Demonstrate compliance with those plans. Transparency and respect for individual privacy needs to be a priority in the U.S.

Now, given what you've said, why is this one line so important to you?

LBT: One reason it’s important is because the U.S. was deemed inadequate for privacy protections from the get-go. This view spawned the creation of the self-certifying U.S.-EU Safe Harbor framework. With the discovery of spying by the NSA through Edward Snowden’s actions, the U.S. has recently been deemed unsafe for data by the EU Court of Justice, and the U.S.-EU Safe Harbor that allowed the flow of EU citizen data to the U.S. is no longer valid. This is not only bad for individuals whose privacy may be at risk under the current language, but it’s also detrimental in a broader business sense. Without more rigorous privacy protections, domestic firms may no longer be able to compete for overseas customers due to privacy concerns.

Do you think a company should resort to legal threats or intimidation to prevent a researcher from giving a talk or publishing their work? Why, or why not?

LBT: Researchers should be allowed to disclose their findings. And, companies should protect their intellectual property and proprietary information. That is the issue – where should the disclosure of findings end and intellectual property rights begin? That was the rub in the FireEye case.

So, the answer to this question: It depends (my good lawyer answer). Coming to a consensus on exactly what to disclose is the best solution.

What types of data (attack data, threat intelligence, etc.) should organizations be sharing with the government? What should the government be sharing with the rest of us?

LBT: The most useful data in the threat intelligence sector is actually impersonal technical information. These data sets—not the personal information that’s so often shared—are the necessary ingredient in identifying potential threat vectors, detecting existing risks and active attacks, and defending against emerging cyber threats.

As for cybersecurity threat indicators and defense mechanisms, share the highlights, but specific data should remain private unless circumstances warrant more granular information. The government should provide transparency on how data is being collected, how it is being shared, specifically which agencies received the information, and what purpose any shared data will serve. Businesses and individuals alike increasingly want better accounting of where their data is being shared and why.

Moreover, protect shared personal information. The government is obviously not immune to data breaches. Government breach events have been the most damaging. OPM victims are exposed to damages far beyond credit risk and for the rest of their lives. They were “compensated” (or insulted) with the offer of a year of credit monitoring.
