Georgetown Cybersecurity Law Institute, Part 2
DAY 1, WEDNESDAY AFTERNOON (5/22)
Cybersecurity Policy Update. The Wednesday afternoon session at the Georgetown Cybersecurity Law Institute began with a policy update led by Stewart Baker. He led off with the statement that the biggest thing in cybersecurity policy was the issuance of the Executive Order. Jessica Herrera-Flanigan followed on with the observations that the framework is the key piece, but that it has an aggressive timeframe (240 days).
One significant question is how ‘voluntary’ is the framework? As Stewart characterized it: Would it be at all possible to get out of a negligence argument if you don’t follow the framework? He went on to say that if companies don’t do what’s required, they could wind up with FTC-type oversight. He further noted if you DO meet the requirements that evolve from the framework, it’s almost as if you can make a prima facie case that you WEREN’T negligent.
The conversation then turned to the broader issue of privacy. Stewart pointed out that “obviously there is going to be legislative action on these issues, but the privacy community is the biggest roadblock to that.” This led to the question of “Where are we on CISPA?” The panelists provided a variety of views, including that:
- it puts in place an information sharing program between government and the private sector
- it raises questions of:
– What information can be shared?
– With whom can it be shared or should it be shared?
– What can be done with it?
– Does the last minute amendment by Rep. McCaul adding liability protection make it too broad
– Will the privacy community ever be happy?
- the Senate will likely come out with something somewhere between CISPA and what the Senate had last year
The panel wrapped up with a look at the hacking done by China and them being called out on it. It seems to raise question about what else can/should we be doing, particularly with better attribution. Sharon Franklin noted that under CISPA, no clear language exists allowing hacking back but there are some that are concerned that the broad immunity provision (with a good faith standard) might protect some “cowboy” actions. In particular, what if dealing with an “innocent third party”? [Note my use of quotes here, in that a party that has allowed an attacker to infiltrate their system in almost all cases can’t be entirely blameless.] Sharon went on to note that if we do get language to allow countermeasures, we need to be careful that it doesn’t cause problems for the unintended targets. Stewart countered by asking “So we give up privacy of the people’s information on the [command and control (C2)] computer in favor of protecting the C2 company itself?” and then stating that “I don’t think DOJ has the kahunas to take action against the user of active defense measures.” Needless to say, much more needs to be fleshed out on this issue, which our panel did on Thursday. More on that later.
Working successfully with the Board of Directors. Jody Westby led a panel that began with a review of a survey of corporate boards about cybersecurity. The survey showed that 57% of boards are not paying attention to cybersecurity insurance and 35% of surveyed companies do not have a CSO. John Dempsey pointed out the Ponemon Institute shows average data breach exposure of $7M/breach and $194/record. Steven Walker noted that boards are undergoing greater scrutiny. The biggest problem with boards, though, is not enough direct contact with or reporting from those in the C-Suite, particularly the GCs.
The panel then came up with a “to do” list for boards:
- Put infosec on the board’s agenda
- Assign infosec to a key committee
- Identify infosec leaders
- Ensure effectiveness of the corporation’s policies
- Communicate the board’s commitment to infosec clearly
- Ask management to give specific reports on infosec
- Devote more audit committee time to infosec
DAY 2, THURSDAY (5/23)
Ethics panel. Tina Ayiotis led off day two with an ethics discussion involving Mike Papay, Judge Facciola, and Ben Powell. One of the first topics involved engagement letters. The group noted that “[we are] at the very early stages of having any type of [infosec] language in engagement letters” involving legal services. Because the Defense Industrial Base (DIB) recognized this problem at least 5-6 years ago, they are further along than rest of world and now often have language in their engagement letter.
Judge Faciolla reminded the group that contracts between lawyers and companies have judicial oversight. Under model rules of professional conduct, a judge can strike down anything that he finds unconscionable (e.g., a lawyer can’t avoid ethical responsibility just because of language in their engagement letter).
Mike Papay the explained wireless network risks and dangers. This prompted Judge Faciolla to say that maybe we’ve hit the point of “negligence per se” with regard to use of wireless networks (because of the lack of security). He also has a problem with situations where companies pretend that you don’t know they are hacked. In such cases, misprision of a felony could occur.
Switching gears somewhat, Judge Facciola said he was “stupefied” by how many lawyers (and others) have not read the terms of service of their cloud provider. Bankruptcy court is hitting this problem every day, with some entities finding out too late that data has been deleted per the terms of service (e.g., after 30 or 60 days). Tina noted that one way to deal with cloud issues would be to leverage FedRamp and its associated due diligence process.
Litigation/Judicial panel. David Bodenheimer next moderated a panel consisting of Cristin Goodwin, Shane McGee, and me. The group touched on a number of different issues, including:
SEC Cybersecurity Guidance. The panel noted that the SEC guidance on breach disclosure has caused at least some companies to be more transparent. They also indicated that although the SEC’s breach disclosure initiative is considered guidance, many folks consider it to be mandatory.
Regulatory Pitfalls. The regulatory ‘patchwork’ in the U.S. (and the lack of international harmonization) has proven difficult for companies looking for a way to become compliant. With perhaps a somewhat of a misdirected focus on prevention, the group talked about the various ways that regulation could actually go wrong in the cyber area.
NIST Framework. Building on what other speakers and panels had said about the NIST framework that will emerge from the EO, the panel looked at existing requirements for critical infrastructure companies and how those requirements could be possibly supplemented by the NIST framework. The group also discussed the various risks and challenges with information sharing, including the idea that information sharing can’t be forced. The government can foster environments and mechanisms where it can be useful but information sharing only succeeds when it happens amongst people who desire successful outcomes.
Active Defense & Botnet Issues. The group spent a few minutes trying to sort through the issue of active cyber defense (ACD), including (a) discussing the various subtleties associated with different mechanisms and (b) why a blanket proclamation that all active cyber defense is bad may be misleading. We noted that attribution remains a significant challenge but that some techniques actually work to solve that issue.
Closing keynote. Deputy Attorney General James Cole closed out the Cybersecurity Institute with a keynote that led off with the observation that cyber attacks are becoming (if not already) the #1 threat to our country. These attacks take numerous different forms and know no borders. Consequently, critical Infrastructure requires protection. Mr. Cole emphasized one point: government can’t fight this alone. Unless the two work together, “we’ll never fix things.”
Mr. Cole then provided a list of things that companies can do to protect themselves: implement proactive prevention (including the well-known techniques of firewalls, training, strong passwords, multiple layers, and threat intelligence) and reactive response (including knowing how to respond to an attack and refinement of policies and procedures).
In the area of congressional action, Mr. Cole stated that action is still needed in this area. In particular, Congress needs to give law enforcement the clear ability to stop cybercrime, instead of having to piece together theories from existing law. At the same time, the legislation that gets passed to address cybercrime must also respect privacy and civil liberties. We need to cooperate globally and work together to define what is ok and what is not. Finally, restating what was said earlier, the responsibility for protecting all of this rests not just with government but also with individuals and companies.