James Socas, from iSheriff, talks about hacking regulation and legislation with CSO in a series of topical discussions with industry leaders and experts.
Hacked Opinions is an ongoing series of Q&As with industry leaders and experts on a number of topics that impact the security community. The first set of discussions focused on disclosure and how pending regulation could impact it. Now, this second set of discussions will examine security research, security legislation, and the difficult decision of taking researchers to court.
CSO encourages everyone to take part in the Hacked Opinions series. If you would like to participate, email Steve Ragan with your answers to the questions presented in this Q&A. The deadline is October 31, 2015. In addition, feel free to suggest topics for future consideration.
What do you think is the biggest misconception lawmakers have when it comes to cybersecurity?
James Socas, Executive Chairman, iSheriff (JS): The biggest misconception lawmakers have about cybersecurity is that U.S. legislation can do anything to solve the problem.
Cybersecurity is an international problem, with much of the damage caused by criminals, who are often operating outside of U.S. borders, or by state-sponsored actors, who couldn't care less about U.S. law. How will legislation in the U.S. address a problem caused by a hacker in Ukraine who is using servers in China, Malaysia, and South Africa to attack a U.S. company's data file that resides in Germany? What laws will be effective?
Who has jurisdiction to enforce the laws? The problem is akin to narcotics trafficking, and will require a coordinated and cooperative international police effort, not legislation. Lawmakers should provide appropriate levels of funding to police efforts as well as to groups like the National Center for Missing and Exploited Children, which is helping fight the proliferation of online child pornography.
What advice would you give to lawmakers considering legislation that would impact security research or development?
JS: Efforts like last year's Cybersecurity Enhancement Act are well intentioned, but given the pace of innovation in security and security threats, a centralized, government-sponsored research effort in cybersecurity may not turn out to be effective. For example, one of the sources of tremendous security innovation today is the Dark Web: shadow networks that use the Internet architecture but are inaccessible to the public. Areas like these may be better advanced through funding that encourages smaller, more nimble private sector innovation and defense efforts.
Legislation could be beneficial in encouraging security standards in new areas, specifically in the emerging category of Internet of Things devices and systems, which we are seeing emerge as a new area of focus for bad actors.
If you could add one line to existing or pending legislation, with a focus on research, hacking, or other related security topic, what would it be?
JS: The current law known as the Children's Internet Protection Act (CIPA) has had a positive impact, but has a major flaw. CIPA mandates that many public entities must use web filtering for the safety of children or they will lose e-Rate funding, which provides funding to cover Internet access costs. However, e-Rate funding cannot be used to pay for web filtering solutions or any other security services that are a required component of Internet access.
This makes no sense, particularly with access and security being combined in cloud-based security services. CIPA should be changed so that e-Rate funding can be spent on those services that CIPA mandates.
Now, given what you've said, why is this one line so important to you?
JS: It is just common sense. If we are going to require schools and libraries to put security in place, let's give them the funding mechanisms to pay for it.
Do you think a company should resort to legal threats or intimidation to prevent a researcher from giving a talk or publishing their work? Why, or why not?
JS: Let's take the Jeep hacking story. What would Chrysler have preferred? That researchers publish their results or that a family is gravely injured or killed through a malicious hacker? Putting aside the moral question, what would do more damage to Chrysler?
We are seeing exponential growth in the amount of malware and cybercrime, and the idea that researchers could disclose something that is not already known, or will not soon be known, by bad actors is out of touch with reality. Companies that have developed products with major security flaws would be far better off working with researchers to find ways to solve the problem quickly instead of trying to avoid bad news.
What types of data (attack data, threat intelligence, etc.) should organizations be sharing with the government? What should the government be sharing with the rest of us?
JS: One of the most important actions the government could take is to require immediate public notification of a breach of unsecured data. This is the case in healthcare, through the HIPAA Breach Notification Rule, and it should be mandated in other industries dealing with sensitive information.
If a major utility is breached, shouldn't customers be immediately notified? Why should a company allow months to go by before the public is notified? We will do a much better job at addressing the scourge of cybercrime when everyone has the same set of facts about what is going on.