Live from the Georgetown Cybersecurity Law Institute
Today, the Georgetown Law School launched the first day of its two-day inaugural Cybersecurity Law Institute. I am involved in the sessions today and will be speaking tomorrow on a panel at 10:50A.M. addressing various new developments, including talking through some of the potential exposure a company might face when using active cyber defense techniques. Here are my ‘live notes’ from the morning session.
Morning keynote. Judy Miller from the ABA Cybersecurity Task Force led off the Institute with a discussion of what GCs, in-house counsel, and private practice attorneys need to know about cybersecurity. At the outset, she said cybersecurity should be on the agenda of counsel. Interestingly, it’s one area where the government has traditionally been ahead of private sector, from a technology perspective.
The ultimate question: why little progress? Judy pointed to at least two factors. First, playing defense is a losing game. The “deck is stacked against companies” who are constantly in a reactive mode. Second, a significant lack of sharing continues to occur, in some part because most of the useful information remains classified. Currently, there isn’t a good way for lawyers, technology experts, policy folks, and other entities to talk to each other. Even if there were, however, a lack of common understanding exists about the problems and a lack of common vocabulary makes talking about the issues difficult.
Despite the lack of pervasive solutions, some things that companies should do:
- Perform basic cyber hygiene
- Put cyber at the board level and provide regular updates
- Have GCs work as “conveners” with the CIO and CSO; neither one of those entities should be the sole owner of the problem
- Ask suppliers for baked-in security and demand certifications/standards
Beyond that, what are some of the things we can we do as a country? First, we need to overcome barriers to sharing information, including creating better authorities for sharing of that information. We also need to address attribution challenges (e.g., if a company is under attack and government has useful information, it should be ok to come right out and say so). Finally, improving cyber hygiene will go a long way toward avoiding legislation and bettering security.
Cybersecurity attack simulation. The rest of the morning (and early afternoon) was spent acting out a simulated cyberattack on a large global company. With a stellar cast (including Ret. Gen. Charlie Croom, Craig Silliman, Harriet Pearson, Trent Teyema, Shawn Henry, and several others), the group walked through a very entertaining and thought provoking incident response simulation. It involved a number of twists and turns, including presence of PII, the appearance of FBI and DHS at the doorstep of the company, tensions between the CIO and CSO, and information sharing with other agencies.
Lunch keynote. Tony Sager, Director at SANS and former NSA analyst, talked about the importance of information governance and the challenges facing companies today. One of the most interesting observations (which has been echoed by others, including several of us who were part of the Commission on Cybersecurity for the 44th Presidency), was that “information sharing is overrated.” My view is that while we do want people to be aware of threats, trying to synthetically manufacture a structure for doing that is difficult to do and you simply can’t force it.
Tony went on to note that we can’t have a discussion about liability (and other issues) until we have a reasonable set of data on which to base conclusions. That data isn’t necessarily available. We can, however, agree to the concept of a catalog of criteria/controls/mechanisms across a large number of ranges (including abstraction, baseline/comprehensive, prioritized/’up to you’, required/recommended/voluntary, process/action/outcome, demonstrated/conceptual, dynamic/static, and tech/neutrality). The SANS Top 20 can be a useful mechanism for coming up with that catalog. The goal is to get to root causes and establish basic hygiene. Ultimately, we have an information management problem, i.e., it may be a situation with a known solution to a known problem, but it may not be known to the victim company.
More to come. The Institute continues this afternoon with additional sessions (including one focused on a ‘Cybersecurity Policy Outlook’) and tomorrow.