Steve Durbin, from the Information Security Forum, talks about hacking regulation and legislation with CSO in a series of topical discussions with industry leaders and experts.
Hacked Opinions is an ongoing series of Q&As with industry leaders and experts on a number of topics that impact the security community. The first set of discussions focused on disclosure and how pending regulation could impact it. Now, this second set of discussions will examine security research, security legislation, and the difficult decision of taking researchers to court.
CSO encourages everyone to take part in the Hacked Opinions series. If you would like to participate, email Steve Ragan with your answers to the questions presented in this Q&A. The deadline is October 31, 2015. In addition, feel free to suggest topics for future consideration.
What do you think is the biggest misconception lawmakers have when it comes to cybersecurity?
Steve Durbin, Managing Director, Information Security Forum (SD):
One of the biggest challenges for anyone with cybersecurity is that it is a quickly evolving space where there are multiple points of entry and exit for the information that is shared in an open environment facilitated by a non-regulated infrastructure - the internet.
Lawmakers are at their best when there is precedent, where they have time and where they can manage and regulate in a planned and ordered fashion. Contrast that with cybersecurity and you have a lawmaker's worst nightmare.
What advice would you give to lawmakers considering legislation that would impact security research or development?
SD: Recognize that what has gone before may not be an appropriate model for the future. Collaborate. Communicate. Seek input from industry, from regulators and from experts. Understand that the legislation that is put in place is temporary and will need to be amended regularly to keep pace with the evolving nature of cybersecurity.
If you could add one line to existing or pending legislation, with a focus on research, hacking, or another related security topic, what would it be?
SD: I think the most important thing is for lawmakers to understand that they do not operate in a vacuum. Let's take the recent Safe Harbor issue as an example.
So the European Court of Justice outlaws something that has been in place for 15 years and affects not just many service providers but also individuals without a solution or an alternative. And then we hear from some MEPs that it was a bad law anyway. That to me is irresponsible.
We operate in such an interrelated manner worldwide that we need to consider all aspects of our legal actions before they take place and offer solutions to problems that are potentially created. Now lawmakers will no doubt say that isn't their role, but that reinforces my point about collaboration being needed. Without collaboration, we have uncertainty and uncertainty is not good for business.
Now, given what you've said, why is this one line so important to you?
SD: Cyberspace is a constantly morphing and changing environment. It is unrealistic to expect lawmakers to be able to hand down legislation without significant collaboration and interaction with government, industry leaders and other regulators.
Do you think a company should resort to legal threats or intimidation to prevent a researcher from giving a talk or publishing their work? Why, or why not?
SD: No, absolutely not.
I do not believe that legal threats or intimidation are ever justified in this regard. I prefer persuasion and a healthy and open debate. The last thing we want to do is to push these kinds of research underground; we want a free flow of the latest, brightest research and thinking that may be used to improve products and approaches to tackling the challenges of operating in cyberspace.
Some might think that a naïve approach, but the reality is that we live in a world where it is easier to exchange ideas than to prevent them seeing the light of day. We have generations that are growing up as true digital natives for whom collaboration and sharing is the de facto approach.
Given all the challenges of cyberspace and cybersecurity, it is unrealistic in the extreme to imagine that we can somehow prevent researchers from expressing themselves. Rather, we should make it easier for them to do so, that we may all benefit - and if the research highlights product vulnerabilities, then fix those vulnerabilities!
What types of data (attack data, threat intelligence, etc.) should organizations be sharing with the government? What should the government be sharing with the rest of us?
SD: The two-way flow of information between the private and public sectors, government agencies and industry is essential if we are to get close to combating the challenges that cybercrime and nation-state espionage present to all of us as we operate in cyberspace.
Whilst it is unrealistic to expect issues of national security to be shared openly, there is significant scope for us to share threat intelligence, attack data and defensive approaches. We do not see enough of this, although we are making progress in this area, particularly in Europe and the UK specifically.