Approaching Cybersecurity Law · 2018-11-20  · This presentation provides insight in how to...

Post on 05-Aug-2020


Approaching Cybersecurity Law: A Guide for Information Security Professionals

David Jackson, November 20, 2018

ISSA National Capital Chapter Meeting

Biography

Mr. Jackson is a member of the ISSA DC and NOVA chapters, and he holds CISSP, CEH, and CIPP certifications. He works as a regulatory attorney for a government contractor in the Washington DC area, and he is a regular contributor to the ISSA Journal. Mr. Jackson has a J.D. from the University of Kansas, and an LL.M. from the University of Arkansas.

Abstract

Approaching Cybersecurity Law - A Guide for Information Security Professionals

Cybersecurity law is a confusing subject. There are many different types of laws, which affect different organizations in different ways. This presentation provides insight into how to consider cybersecurity law as a discipline, and dispels the notion that law as a tool is all powerful. In fact, law can be quite limited, slow, and backward looking. Finally, the presentation ends with a discussion of the future of cybersecurity law, and how to identify the coming trends.

Tonight We Will Cover:

• How to View Cybersecurity Law

• Law is Not All Powerful – It's Imperfect

• Future of Cybersecurity Law

Topic 1: How to View the Cybersecurity Law Landscape

Most Cybersecurity Law is Learned for the CISSP Exam
• CISSP Domain 1 – Law
  • Cybercrime
  • Intellectual Property
  • Privacy
  • Different Legal Systems

Challenges in Understanding the Law in CISSP Domain 1
• It's confusing. A hodgepodge of topics.
• It's overwhelming. A lot of foreign information.
• It needs some organization. A roadmap.

Better to View Cybersecurity Law by Who is Impacted

[Diagram: the landscape by who is impacted: Individuals, Businesses, and Government, within the U.S. and internationally]

Laws that Impact Individuals

• 2 Categories of Individuals
  • General Public
  • Criminals

• Cybersecurity laws are designed to separate the Criminals from the General Public
• But also, perhaps, to encourage E-Commerce


Laws Separating Individuals and Criminals

• Hacking Governments or Banks
• Organized Crime
• Selling Trade Secrets
• Identity Theft
• Selling Passwords to Accounts

Laws Encourage E-Commerce?

• Why E-Commerce
  • Reduces Costs
  • Improves Accuracy
  • Faster

• Why Encourage
  • Framework for Global Electronic Commerce (90s)
  • Don't want to kill the "Goose that Lays the Golden Egg"

• Not Explicitly Stated
  • More of an Inference – I'm suggesting that the law encourages e-commerce.

Laws that Impact Businesses

Not all businesses are affected by all cybersecurity laws – Only Certain Businesses…

• Telecom
• Health Care
• Government Contractors
• Banks


Laws that Impact Businesses cont'd

… And only Certain Types of Data

• Health Information
• Financial Information
• Video Records (Blockbuster to Netflix)
• School Records
• Government Data

Business and Government have a Bifurcated Relationship
• Partnership
  • Share Data
  • Work Together on Investigating Threats

• Regulation
  • Enforce Regulations
  • Penalize Violations

• The lines can get blurred!

Laws that Impact Government

• Specific Government Agencies
  • Law Enforcement
  • Military
  • Executive Agencies

• How laws impact the Government
  • Limit power within the US
  • Defend US Interests internationally


Which Parts of Government have their Power Limited
• Law Enforcement
  • Surveillance

• Military
  • Domestic Occupation

• Government Agencies
  • Privacy Act
  • Administrative Procedures Act

How does International fit into this model of Cybersecurity Law?
• In a global economy, and in an electronic world, the borders are less restrictive.

• Same group of participants
  • Individuals
  • Businesses
  • Government

• Primarily US Government facilitated relationship

• Can be difficult to enforce across borders

What Types of Legal Issues Impact International?
• Individuals
  • Extradition

• Businesses
  • Export Controlled Trade
  • Trade Secret Theft

• Governments
  • Cyberwar
  • Cyberterrorism
  • Cyberespionage

Putting it all together into a Cybersecurity Law Landscape

[Diagram: Cybersecurity Law Landscape. U.S.: Individuals (Surveillance), Businesses (Protect Data), Government, with Partnership and Regulation between Business and Government. International: Extradition (Individuals), Export Control (Businesses), Cyberwar (Government)]

Topic 2: The Law isn't All Powerful – It's Imperfect

Law isn't All Powerful – Let's Dispel some Myths

Myths
• Law can apply everywhere

• Law applies to any new situation

• Law keeps up with the changes of the times

Actuality
• Law is limited

• Law is backward looking (at first)

• Law is slow to change

The Law is Limited – How is it Limited?

• The law is limited to certain people and certain situations

• For our purposes, the journalism questions may be more useful to understand those limitations:

  • Who – the party/parties involved
  • What – the actions in question
  • Where – the jurisdiction
  • When – the circumstances around the actions
  • How – the enforcement mechanism
  • Why – the policy reasons

Let's use the Computer Fraud and Abuse Act as an Example
• Computer Fraud and Abuse Act (CFAA) was the first big cybersecurity law. (18 U.S.C. § 1030)
• Criminalizes unauthorized access to government and financial institution computers.
• The DOJ has a practice manual on CFAA to provide more guidance on prior case law.
• The actual law is somewhat convoluted, so I'm abridging the law slightly for our discussion.

Here's the CFAA in Simplified Form

• Whoever, intentionally accesses a computer without authorization, or exceeds authorized access,
• and thereby obtains information contained in a financial record of a financial institution…
• or information from a department or agency of the United States, …

• shall be punished … by a fine or imprisonment…
• The U.S. Secret Service, the FBI, the Secretary of Treasury and the Attorney General shall have the authority to investigate.

How the CFAA can be analyzed with the journalism questions
• Who – Whoever

  • Natural Person (versus a legal person – Corporation)
• What – Intentionally Accesses a Computer

  • Without authorization
  • Exceeds authorization

• Where – Federal (implied – 18 USC)
• When – obtain information from:

  • federal government
  • financial institution

• How – Fines/Prison; Secret Service, Treasury, FBI/AG
• Why – not relevant – policy arguments are weaker

  • 1980s - movie WarGames

Where is the CFAA Limited?

• The CFAA applies only to certain situations
  • Federal Government/Financial Institution computers
  • Without Authorization/Exceeds Authorization
  • Federal Law Enforcement Investigates

Where the CFAA Does Not Apply

• Not your neighbor's computer.
  • (not a federal or bank computer)

• Not filing your state tax return.
  • (authorized)

• Not mistyping a URL into your web browser.
  • (not intentional)

Law is Limited - In Conclusion

• Only certain:
  • People
  • Locations
  • Activities
  • Circumstances

• Policy – the "Why" Doesn't Really Matter.
• Key is Understanding the Limits.

Law Looks Backward (before it looks forward)
• Our legal system is based on precedent – what decisions came before – "Stare Decisis" (let the decision stand)
• This forces every legal analysis to start with what law came before.
• How does this new situation fit with a prior legal issue?

Let's Return to the 1990s for an Example – AOL and "Spam"
• AOL was a major target for "spam" (now known as unsolicited commercial email).
• In the 1990s, AOL sued spammers as part of its anti-spam strategy.
• It was difficult because the laws didn't easily address this new phenomenon.
• Expensive to Prosecute.
• BTW, I worked at AOL fighting spam in the 1990s.

AOL Won Lawsuits in Part Using "Trespass to Chattels"
• Definitions

  • Tort – civil wrong – intentional - Old Common Law (from England)
  • Chattels are things.
  • Trespass in this case = Interference ("damages suffered by reason of the loss of its use.")

• See e.g., America Online, Inc. v. IMS et al., 24 F. Supp. 2d 548 (E.D. Va., 1998)

• So, the law that was violated was
  • Someone had interfered with the use and enjoyment of someone else's things, and that caused damage that could be calculated. (this is highly simplified language)

• For AOL –
  • Spammers had interfered with AOL's use and enjoyment of its mail servers to serve email to its user base, cost AOL time and money to process the extra emails, and "burdened their equipment" (mail servers)

Challenges to this Legal Theory

• Spam email is just email. You provide the service of email to your users; it goes with the territory.
• 1st amendment violation? No state action.
• Increased cost of mail servers could be attributed to the increase in membership - more users, more mail servers – not this email.
• Interference required showing volume that damaged business – what caused the burden to the equipment?

The Law Looks Forward and Passes CAN-SPAM
• A few years later, Congress passes CAN-SPAM (Pub. L. 108-187, 2003).

• Changes the legal question from interference to unsolicited.
• Drops the Volume analysis requirement.
• Unwanted is enough.
• Damages quantified by email as a unit and not in aggregate.
• But, Law looks backward before it can look forward.

The Law is Slow to Change

• One of the biggest challenges to addressing cybersecurity law needs is that the lawmaking process is so slow.
• Cybersecurity threats arise quickly, and it can be frustrating to seek legal action only to find that there is no easy fix – no applicable law for a situation.
• In order to talk about why the law is slow to change we need to look at how laws are made.

How Laws are Made – a Civics Review
• U.S. Constitution: Three Branches of Government

• There's a Balance of Powers

  • Congress – Makes the law
  • President – Enforces the law
  • Courts – Interpret the law

How the Laws Are Made among the Three Branches
• But it is a serial process too:

• Of course, the process is not strictly serial - Courts can review statutes.
• The point is that making a law is a journey through the three branches and their lawmaking processes.

[Diagram: the serial lawmaking process]
  • Congress – Legislative – Statutory – Makes the law
  • Agencies – Administrative – Regulatory – Enforces the law (via an Authorizing Statute)
  • Courts – Judicial – Interprets the law (given a Case or Controversy)

Legislative Process – Why Are There so Many Laws in Congress?
• Let's review the numbers based on "cyber*" in this current Congressional session.
• Bill is proposed in House (491)
• Committee (132)

  • Hearing
  • Report
  • Vote

• Full Floor Vote (98)
• Same Process in the Senate (27)
• President signs (19) – then it becomes law.
• Many bills are proposed, but very few become law!

Regulatory Process – How Government Agencies Make Laws
• Federal Register as Paper of Record (www.federalregister.gov)
• The process to create a new regulation:

  • Unified Agenda (www.reginfo.gov)
  • Notice of Proposed Rule Making
  • Notice and Comment Period (www.regulations.gov)
  • Final Rule

• There are substeps within this process. The numbers vary depending on the issue and how many comments are received.
• Comments from the public can affect the regulation.
• Only the Final Rules matter! And only after their effective date!!

Judicial Process – How Courts Determine Whether a Law is Good?
• In order to sue - need a case or controversy
• There are three levels of review:

  • District Court
  • Court of Appeals
  • Supreme Court

• Start at District Court, then appeal, and appeal.
• This three-level system applies to State Courts and Federal Courts
• Note: State Supreme Court decisions can be reviewed by the U.S. Supreme Court. Miranda v. Arizona for example.

Judicial Process with Numbers

2,409 Federal cases involving cyber (approximately)
• District Court (1,610) 67%
• Court of Appeals (562) 23%
• Supreme Court (237) 10%

• Only a few go to the Supreme Court.

• The key is that the case decision only applies to the jurisdiction of the court.

Law Making is a Slow Process

• Legislative – 2 year cycle
  • New Congress – starts over

• Regulatory – 4-8 year cycle
  • New Administration – start over?

• Judicial – 6 – 15 years
  • Each case can take months/years to be decided at each level.

• Very, Very slow. 10 to 20 years in total.
• A lot of proposals, very few new laws.
• Very political too.

In Conclusion: The Law is Not All Powerful.
• The Law is Imperfect:

  • The Law is Limited – certain people, certain situations
  • The Law Looks Backward – precedent – what legal issues happened prior?

  • The Law is Slow to Change – the lawmaking process can take years

• The reality is that the law is often the antithesis to technology
  • Technology can Apply Broadly
  • It Looks Forward
  • It is Very Quick to Change

• This dichotomy between Law and Technology creates tension between the Legal and Technology communities

Topic 3: What is the Future of Cybersecurity Law

The Future of Cybersecurity Law – Where do We Begin?
• In order to understand the future of cybersecurity law, we start with the relationship between technology, business, and law.

• As I mentioned, technology changes quickly. The law slowly.
• There are actually 2 lags between law and technology.

[Diagram: Technology, Business, Law]

1st Lag – If Change were to Start Simultaneously, Law would Lag Behind


• Technology changes quickly – Moore's Law, 18 mo.
• Business changes a bit slower – 5 – 10 years to start a new business and achieve scale.

• Law changes very slowly – 10 – 20 years as previously discussed.


2nd Lag – Change is also Serial


• You have to have technological innovation first. So the lag is cumulative.
• Cybersecurity law development lags far behind technology innovation.

The future of Cybersecurity Law is in the Nexus of Business and Law
• Between technology and business is the idea of what can be monetized or commercialized. What is Scalable.

• What problems arise from scaling that Businesses can't address through technology? What are the surprises?
• That's the future of cybersecurity law. How to address the surprises.
• Email as an example - RFC 822 (1980), ISPs (1990s), Spam (late 90s), CAN-SPAM (2003).

[Diagram: Technology, Business, Law, with "Scalable" between Technology and Business and "Surprises" between Business and Law]

New Cybersecurity Laws to Know

By Jurisdiction:

• California
• Supreme Court
• FTC
• Regulatory Agencies
• Europe
• Congress

California – Pushing the Federal Envelope in 2018
• Internet of Things law (Security of Connected Devices, SB 327, Cal. Civ. Code, Title 1.81.26, § 1798.91.04 et seq.)

  • Manufacturers (not distributors)
  • Connected devices (IP or Bluetooth)
  • Reasonable security feature (nature and function of device)

• California Consumer Privacy Act (AB 375, Cal. Civ. Code, Title 1.81.5, § 1798.100 et seq.)
  • Effective 1/1/2020
  • Consumers can request that a business disclose the personal information collected and what has been done with that information. GDPR like.
  • In response to Cambridge Analytica (Facebook is in California)

• Net Neutrality law (California Internet Consumer Protection and Net Neutrality Act of 2018, SB 822, Cal. Civ. Code, Title 15, § 3100 et seq.)

  • Unlawful to block, impair, or degrade lawful Internet traffic based on content, application, service, or device

  • For both fixed (broadband) and mobile Internet service providers

A few overall thoughts:
• California tends to be Progressive – embracing changes first.
• All technology roads lead to California. (Silicon Valley)
• Inferred Political Fight between California and the U.S. Government.

Supreme Court

• Carpenter v. U.S. (No. 16-402, 2018)
  • Cell Site Location Information (12,898 location points over 127 days)

  • Question – reasonable expectation of privacy - cell phones as electronic trackers in your pocket

  • Court Ruled: Law Enforcement needs a warrant for cell location data

  • Surveillance – 4th Amendment and "new" technology
• CareFirst, Inc. v. Attias (No. 17-641, 2017)

  • Cert Denied Feb. 20, 2018
  • Lower Court Ruling stands (Attias v. CareFirst, Slip Op. 16-1708, DC Ct. App., 2017)

  • Court held that damages could be awarded for threat of future identity theft resulting from a data breach.

  • Unusual – courts HATE to speculate about future harm - the "maybes"
  • So, what does this mean for Cybersecurity Insurance claims / data breach costs?

FTC and Cybersecurity
• Unfair or Deceptive Acts or Practices in or Affecting Commerce is a broad umbrella of authority under § 5.

• FTC v. Wyndham (3rd Cir. No. 14-3514, 2015)
  • FTC – has pursued cases against companies with deficient cybersecurity practices
  • Wyndham had three data breaches – it failed to use readily available security measures (like firewalls) – claimed to be the victim
  • Wyndham claimed FTC didn't have the authority to regulate cybersecurity matters.
  • Businesses must protect customer personal information, and FTC can pursue cases where the businesses don't.
• LabMD v. FTC (11th Cir., No. 16-16270, 2017)
  • Facts of this case are odd – billing manager for a lab with a file sharing program / security company downloaded personal data of 9,300 consumers / sent the information to the FTC
  • FTC claimed a broad failure of LabMD to protect personal data, but the claim was too broad. The cease and desist order must be specific to the case in point.
• Taken together, FTC has power to regulate cybersecurity in data breaches, but that power is proportional to the incident.

Regulatory Agencies

SEC
• Commission Statement and Guidance on Public Company Cybersecurity Disclosures (83 FR 8166, Feb. 26, 2018)
• Must inform investors about cybersecurity incidents and risks based on:
  • Materiality of risk and
  • Importance of compromised information

DOD
• DOD Guidance for Reviewing Systems Security Plans and the NIST SP 800-171 Security Requirements Not Yet Implemented (83 FR 17807, Apr. 24, 2018)

• DOD drafted guidance for contractors to use in implementing 800-171 and is seeking comments. Admission that there are challenges with meeting these requirements? From both sides?

• Consider the bifurcated role of Government and Business – sharing information as a partnership and regulatory enforcement.

Europe

General Data Protection Regulation (GDPR) (EU) 2016/679
• Implementation Date: May 25, 2018
• Privacy Shield – Current U.S. Data Sharing Scheme - being sued in European Court – like Safe Harbor?
• Data Security Concerns

  • Processing – broad
  • Pseudonymized/Anonymized Data – assumes traceability
  • General Security Requirement – Art 32, CIA Triad
  • Monitoring and Profiling (AI)

Congressional Actions

• In this Congress – No BIG changes
  • NIST Small Business Cybersecurity Act (Pub. L. 115-236, Aug. 14, 2018)

    • Congress directs NIST to develop a Cybersecurity Framework for Small Businesses out of existing funding

  • DHS - Cybersecurity and Infrastructure Security Agency Act of 2018 (H.R. 3359, Pub. L. 115-TBD, Nov. 16, 2018)
    • Reorganize the DHS Cybersecurity departments (internal change in operations)

• In the previous Congress – a few changes
  • Cybersecurity Information Sharing Act 2015 (Pub. L. 114-113)

    • Creates a framework for businesses to share cyber threats with the Government, which can report back to the whole subscribership

  • Trade Secrets Act 2016 (Pub. L. 114-153)
    • Creates a federal right of action for trade secret theft cases.

• Point – laws change slowly and infrequently.

New Business Risks on the Horizon – Looking into a Crystal Ball
• CEH Army

  • Risk - Hack Back?
  • Private industry with offensive capability

• Botnets
  • How to assess liability – Masters, Bots, Networks?
  • DOJ Guidance 2015 – easier prosecution – subpoenas can be filed centrally

• IoT
  • Risk of Insecurity – California ahead of time, or right on time?
  • Wearable tech – time and location information – cell phones as homing devices – what about Fitbits?

• Blockchain
  • Bitcoin - Financial Regulation - in a decentralized environment?
  • Supply chain / e-contracts – putting attorneys out of business?
  • Traceability / Integrity - Risk of unplanned forking?

Revisiting the Cybersecurity Law Landscape

[Diagram: Cybersecurity Law Landscape, repeated. U.S.: Individuals (Surveillance), Businesses (Protect Data), Government, with Partnership and Regulation between Business and Government. International: Extradition (Individuals), Export Control (Businesses), Cyberwar (Government)]

Perennial Issues that Arise in the Cybersecurity Law Landscape
• Individuals

  • Surveillance – 4th Amendment – Warrants?
  • E-Commerce Encouragement – Risk of data breach

• Business
  • Regulation – how far to go to increase security
  • Partnership – how much sharing, what can change over time
  • International Business Transactions – exports, foreign policy

• Government
  • International Criminal Enforcement – extradition, international surveillance, protecting trade secrets

  • Just War in Cyber Times – borderless conflict - a time beyond the nation state?

In Conclusion

• Cybersecurity law can be organized by who is impacted by the law – Individuals, Businesses, Government, International
• Law as a cybersecurity tool is not all powerful – it's limited, backward looking, and slow to change. The opposite of technology.
• The future of Cybersecurity Law lies in the nexus between technology, business, and law. We discussed: (1) the new laws in 2018, (2) what's coming next, and (3) what's always at issue.

Additional Resources

• Habeas Data: Privacy vs. the Rise of Surveillance Tech, Cyrus Farivar, Melville House Publishing, 2018.
• Cybersecurity Law, Jeff Kosseff, John Wiley & Sons, 2017.
• Federal Laws Relating to Cybersecurity: Overview of Major Issues, Current Laws, and Proposed Legislation, Eric A. Fischer, December 12, 2014, CRS Report R42114, Congressional Research Service.
• Websites

  • www.congress.gov (All Legislative Actions)
  • www.federalregister.gov (Daily Newspaper for Agencies)
  • www.ncsl.org (Cybersecurity Research at State Level)

Thank You! David Jackson, davjackson@mindspring.com, 202-423-6237