Palo Alto Networks' Ryan Gillis talks about hacking regulation and legislation with CSO in a series of topical discussions with industry leaders and experts.
Hacked Opinions is an ongoing series of Q&As with industry leaders and experts on a number of topics that impact the security community. The first set of discussions focused on disclosure and how pending regulation could impact it. Now, this second set of discussions will examine security research, security legislation, and the difficult decision of taking researchers to court.
CSO encourages everyone to take part in the Hacked Opinions series. If you would like to participate, email Steve Ragan with your answers to the questions presented in this Q&A. The deadline is October 31, 2015. In addition, feel free to suggest topics for future consideration.
What do you think is the biggest misconception lawmakers have when it comes to cybersecurity?
Ryan Gillis, Vice President, Cybersecurity Strategy and Global Policy, Palo Alto Networks (RG): Fortunately, I think a growing number of lawmakers are dispelling the long-held misconception that the government has the primary solutions or ability to overcome our national and global cybersecurity challenges.
Over the last decade, Congress has increasingly realized that the private sector has unique insight and experience to defend the networks and critical infrastructure that are overwhelmingly owned and operated in private hands around the world.
These networks, systems, and assets are operated by individuals and multinational corporations across international boundaries. Consequently, they require dramatically different cybersecurity solutions than the classified networks of the U.S. military and intelligence community.
The security researcher community also plays an essential role in identifying vulnerabilities and malware, as well as the remediation necessary to address those problems. Security and IT companies are innovating to produce new technologies that more effectively prevent, detect, and respond to cyber attacks.
Undoubtedly, governments have unique authorities to prevent and mitigate threats, prosecute cyber criminals, establish international norms through diplomacy, and pass legislation that explicitly allows responsible activities. However, cybersecurity involves inherently distributed responsibilities and capabilities of individuals, organizations, companies, and governments.
What advice would you give to lawmakers considering legislation that would impact security research or development?
RG: Lawmakers should be acutely aware of the potential for legislation to stifle security research and development, and ensure that any bills in this area are crafted with the full spectrum of input and support from independent researchers, academic institutions, and companies who primarily drive security innovation. The Federal government can look for ways to convene and facilitate dialogue among security researchers, and provide grants to academic institutions.
Congress also has a responsibility to direct and oversee productive action by Federal R&D institutions – National Science Foundation, National Labs, Department of Homeland Security Science and Technology Directorate, Defense Advanced Research Projects Agency, and In-Q-Tel. Congress should ensure that each of these entities is leveraging each other's work for the good of the entire ecosystem, and maximizing the investment of taxpayer money.
If you could add one line to existing or pending legislation, with a focus on research, hacking, or another related security topic, what would it be?
RG: Candidly, I don’t believe that the complexity of cyber legislation lends itself to tangible accomplishment through any single line. As we have seen with several of the cybersecurity bills over the last few years, beneficial lines of text can be weakened or invalidated in a different section of the same legislation. For example, strong privacy protections can be undermined by exceptions in other provisions. As such, these bills need to be read and understood in their entirety.
Now, given what you've said, why is this one line so important to you?
RG: To elaborate upon the point above, I would encourage lawmakers and citizens alike to understand that privacy protections cannot be a standalone provision or section in legislation.
Cybersecurity should inherently enhance privacy; secure networks lead to better protected health care information, confidential communications, financial data and personal wealth, and corporate intellectual property. Cybersecurity legislation must be meticulously crafted to ensure that the relationship between privacy and security is accomplished.
Do you think a company should resort to legal threats or intimidation to prevent a researcher from giving a talk or publishing their work? Why, or why not?
RG: It is incumbent upon companies to develop relationships and engage with the research community to foster responsible disclosure of vulnerabilities and threats. There should be a mutual interest among vendors and researchers to make the ecosystem more secure by identifying and remediating issues as they are discovered.
This process includes a responsibility for vendors to secure their products throughout their lifecycle, and acknowledge that researchers have an understandable interest in being recognized for the innovative contributions they make.
While it is probably unwise for a company to absolutely rule out any mechanism of defense or recourse against an individual who is acting irresponsibly and maliciously, legal action should not be a tool to stifle legitimate research.
What types of data (attack data, threat intelligence, etc.) should organizations be sharing with the government? What should the government be sharing with the rest of us?
RG: Any sharing of cyber threat information should be done on a voluntary basis, with responsible privacy protections, for the purpose of identifying, preventing, mitigating and responding to cyber threats, vulnerabilities, and malicious campaigns.
In the current environment where public trust is tenuous in the government’s ability or interest to adequately protect and responsibly utilize personal information, organizations interested in working productively with the government should consider sharing threat intelligence and campaign data that reduces threats without identifying individuals.
Conversely, the government should continue to improve upon its efforts to rapidly share cyber threat indicators, campaign information, and context that enable organizations and individuals to protect themselves and others.
Because the government has unique missions — such as law enforcement investigations, and defending government networks — it has access to incredibly valuable information that could benefit the broader ecosystem. The government is rightly working to more efficiently share this information quickly, and in a way that doesn’t identify individual victims.
To be most useful, the government will continue to scale its ability to share unclassified information in an automated format whenever possible.