
How Public Policy Drivers Converge through Deployment of Cyber Forensics to Balance Privacy and Security





Presentation Transcript


  1. How Public Policy Drivers Converge through Deployment of Cyber Forensics to Balance Privacy and Security John W. Bagby College of IST Penn State CyberForensic Policy Drivers

  2. Problem Statements & Policy Questions • Security & Privacy Decreasingly Addressed Exclusively through Technical Solutions • Increasingly Resolved thru Public Policy • Is Security vs. Privacy a traditional trade-off/conundrum or Complement? • It Depends! • What Role Does CyberForensics Play to Resolve these Questions? CyberForensic Policy Convergence

  3. Conundrum: Privacy vs. Security • Irreconcilable, Zero-Sum Tradeoff • Strong privacy rights externalities • Privacy compromises security • Intruders/terrorists enjoy excessive anonymity • Strong security requires limited privacy • Intrusion/attack deterred by ltd. privacy • Security enhanced with liberty limitations

  4. Complement: Privacy w/ Security • Privacy-security conundrum too simplistic • Elevates law enforcement over liberty • Liberty enables security (flight averts injury) • Isolation protects prey • Self-imposed seclusion & anonymity • Privacy diminished w/ insecure PII • History of predator misuse of public databases • Social Engineering, e.g., pretexting, impersonation

  5. Hand/Posner/Bagby Model: Is there a trade-off between Privacy & Security? [chart: Privacy plotted against Security]

  6. Hand/Posner/Bagby Model: Is there a trade-off between Privacy & Security? [chart: Security plotted against Privacy]

  7. Law & Economics of Intrusions into Personally Identifiable Info (PII) • Prof. (Judge) Posner’s model would protect privacy or permit intrusion for search & seizure depending on a balancing of: • Usefulness to society of PII acquired from the intrusion • Repugnance of the intrusion • Applied to Judge Hand’s formula: Protect Privacy if B > P*L; Intrude on Privacy if B < P*L, where B = intrusion costs, P = probability of discovering useful info, L = societal losses

  8. Regulation of Private Data Management • Fundamental Architecture & Mechanics of Private Data Activities • PII Distribution Chain of Custody & Data Management Sequence: • Data Acquisition • Information Analysis • Use of Knowledge

  9. PII Supply Chain: Custody & Data Management [flow diagram] • Data Collection: Sensing, Observation, Capture → • Data Analysis: Association, Aggregation, Organization, Interpretation → • Data Storage: Made Available → • Direct Use by Data Manager: Activity Occurs & Subject Individual is Identifiable → • Secondary Use: PII Sold or Shared with 3d Party

  10. Fair Information Practice Principles • Origin: 1973 HEW Advisory Com. Rpt. • Notice and/or Awareness • Choice and/or Consent • Access and/or Participation • Integrity and/or Security • Enforcement and/or Redress • Spreading throughout government regulations and into self-regulation • Actively opposed by most of data industry, much of law enforcement, many in counter-terrorism/security because … • Underlies the EU Private Data Directive

  11. Integrity and/or Security • Collector/Archiver/Custodians • Reasonable steps to assure accuracy of PII • Administrative & technical security measures • Standards: • Prevent unauthorized access • Prevent unauthorized disclosure • Prevent destruction • Prevent misuse • Relationship to Internal Control as Component of Data Security/IA

  12. Enforcement and/or Redress: Mechanism(s) of Privacy Practices Enforcement • Self-regulation • Standards • Private rights of action • Regulatory enforcement • Criminal Sanctions • Market Discipline

  13. Sources of Privacy Law • Constitutional Rights • 1st, 3rd, 4th, 5th, 6th, 9th, 10th, 14th Amendments • Torts • Appropriation, private facts, intrusion, false light • Property Rights • Information is property • Protective Regulations • Children, Financial, Workplace, Health, TeleCom • Contract • NDAs, website policies, privileges • Criminal Procedure • Intelligence Reform & National Security • International Law (e.g., EU)

  14. US Privacy Law is Sectoral • US is sectoral: narrowly drawn to particular government methods & industry sectors • Enacted following experience with activities that the public finds abusive • Financial services further sectioned by G/L/B FFR • EU is omnibus: comprehensive & uniform, covering most industries & governments, strong privacy rights • Sets fundamental policy for individuals

  15. Multiple Internal Control Imperatives • Government & Market Pressures for Information Assurance (IA) Controls are Generally Consistent • Reinforcing - Not Conflicting • Considerable Persistent Unawareness • Opposition to Control Confluence & Harmonization • Results are Wasteful Duplications, Unfortunate Opportunity Costs & Advocacy Harmful to Sound Policy

  16. Four Drivers of Internal Control • Sarbanes-Oxley Internal Control Regime • Particularly SOX §302 & §404 • Data Security Requirements under Various Privacy Laws • Trade Secrecy • National Security, Cyber-Terrorism & Counter-Terrorism Duties • Others: sectoral regulations, fiduciary duties, contractual requirements, standards …

  17. Comparison Framework: Internal Control (table columns: Impetus / Control device / Beneficiary / Objects / Underlying (In)tangible Protected) • Internal Controls: CPA, FAS / Investors / Financials, Books, Record-keeping / Market Integrity • Nat’l Security: USA Patriot / People, Institutions / Infrastructure / Security • Trade Secrets: Rest. & UTSA, Caselaw, EEA / SH / IP / Reasonable Secrecy • Privacy: GLB, HIPAA, State laws, etc. / Subject Individuals / PII / Security

  18. SOX Externalities: Other Impacted Entities • Publicly-Traded Companies in 3 tiers: • Accelerated ($75 mil float), non-accelerated, foreign cos • Closely-Held Companies • Government Agencies • Educational Institutions • Not-for-Profits, SROs, NGOs • Critical Infrastructure Authorities • And of nearly all of these entities: • Suppliers, ASPs, Software Vendors, Network Providers, Consultants, Auditors, Employees, CIOs, CFOs, CSOs … • SAS 70: Service Organizations (Outsourcing, Offshoring)

  19. Externalizing SOX’s Impact • Apply Audit-firm Specific Practices to all • IT & Service Provider General Practices • Directors Bring from other Boards • D&O Insurance best practices • Suppliers/Customers - SAS 70 • CxO’s - information sharing, professionalism • New Laws Forthcoming • EX: Not-for-profits • Sectoral control standards resembling SOX

  20. Internal Control Regime • Pre-FCPA • Reasonable prudence to safeguard assets • Accounting & Auditing Standards • Foreign Corrupt Practices Act (FCPA) • §13(b)(2)(B) • Treadway Commission (COSO) • Management Report • Sarbanes-Oxley (SOX, SourBox) • §§302, 404

  21. Privacy Security Duties • GLB • HIPAA • State Laws • CA’s S.1386 • International Law • EU Data Protection Directive

  22. Trade Secrecy • Valuable Intellectual Property under laws: • Common Law & Rest. of Torts §757 & §758 • Uniform Trade Secrets Act • Economic Espionage Act 1996 • Generally Requires: • Information • Reasonable Secrecy Efforts • Independent Economical Value

  23. Internal Control Valuation Methods • Discounted Cash Flow • Options Valuation • Money Damages: • Economic vs. non-economic; compensatory; special/consequential; lost profits; punitives • Scoring Methods, ordinal rankings … • Actuarial, Stochastic, Empirical • Decision Analysis • Game Theoretic

  24. Internal Control Valuation Methods • Heuristic Techniques • Best Practices &/or Professional Duties, Reasonably Prudent Functional Management • Market Impact: event study, security prices • Information Markets: personal stakes consensus estimation pools – the “G”-word • Simulation • Materiality

  25. Links Among SOX, T/S, Privacy, National Security • Legal duties for securing financial information are fragmented • Would be less costly if harmonized • PIFI links to various financial accounts • Receivables • Banking-customer transaction “experience” info • Payables & Liabilities • Consumer credit • Wholesale EFT

  26. Links Among SOX, T/S, Privacy, National Security • ID Theft • Costs: $800 avg. to cleanse, opportunity • SSN conversion costs • Quick financing requires robust PIFI Indus. • Financial mgmt methods are T/S (BMP) • Vulnerabilities to terrorist financing • Financial System is THE Key infrastructure • Maintains national economic security • WTC attack was symbolic, physical target of financial system

  27. Links Among SOX, T/S, Privacy, National Security • Trade secrets include: • Customer lists, Market opportunities, Financial event history, Data broker PIFI data • HIPAA • PIFI links to healthcare payment, billings, PII, credit cards, SSN, Insurance: private & Medicare/Medicaid, ER write-offs/overhead & grants

  28. U.S. v. Gibson (W.D.Wa. 8.19.04) No. CR04-0374RSM, 2004 U.S. Dist. LEXIS 20445 • ID Theft by technician of leukemia patient during 1st bone marrow transplant @ Seattle Cancer Care Alliance 9.03 • 1st HIPAA Conviction, plea bargain: • 16 mos prison & $15,000 restitution • Despite U.S. Sectoral Approach, Privacy Sectors Frequently Linked • Healthcare workers enabled to ID & abuse vulnerability; Health Ins primary payor of healthcare expense

  29. Links Among SOX, T/S, Privacy, National Security • Money Laundering Duties & Controls • Protects financial services, national security, anti-smuggling goals, terrorist financing • Private Standards for ePmts • VISA’s revised 6.30.05 compliance deadline • But NOT … EX: Coke formula on paper has weak Nat’l Security link

  30. Impact of the Reconciliation • There are Synergies in Control Investment • SourBox benefits are long term • Some Argue: • Most low hanging (efficiency) fruit already picked • EX: JIT, supply chain, IT efficiency, outsource, finance, QC • Now Internal Control is in the Limelight • Lobbying to Weaken SourBox is Highly Counter-productive to Privacy, Nat’l Security & IP

  31. CyberForensics is Battleground for Resolution of Privacy vs. Security Conundrum • Must Supply eData in Most Litigation • Non-Responsiveness is Punished • Ignoring “Smoking Gun” is Failure • Venue (tribunal) often Determinative • Criminal prosecutions, civil suits, ADR, regulatory investigation/hearing, internal investigation, 3d party sleuths • Evidence Gathering Constraints • Litigation hold, chain of custody, authentication, foundation, spoliation, obstruction, cost balancing (Zubulake), adverse inference

  32. Litigators’ Vision of EDD • “As a litigator, I will tell you documents are just the bane of our existence. • Never write when you can speak… • Never speak when you can wink.”† • Could update to: • Never email when you can write • Never write when you can phone • Never phone when you can meet face to face • Never speak when you can whisper • Never wink when it’s understood † Statement of Jordan Eth, Sarbanes-Oxley: The Good, The Bad, The Ugly, Nov. 10, 2005 panelist, hosted by the National Law Journal and Stanford Law School’s Center on Ethics, reprinted in Nat. L.J. at p. 18 (Dec. 12, 2005)

  33. Incentives to Conceal Evidence • Incentives of Litigating Parties to Produce Docs • All parties have a disincentive to produce incriminating documents or reveal proprietary info or strategy • Conflicting email incentives: • Erase if sensitive, erase to lower archiving costs, erase to avoid embarrassment, erase with higher archival costs • Save if exculpatory, save if potentially useful against others, save if legitimate business purpose to use later, save if easier than implementing regular & pervasive review for erasure policy under doc retention program; save with lower archival costs • Justice system effectiveness & fairness increases with access to all facts • Expansive discovery arguably inefficient • Litigation rules, spoliation sanctions & criminal obstruction penalty risks realign incentives to retain & produce docs

  34. The Cost of EDD in US Court Cases [chart; axis: US Millions]

  35. Consider HP’s Current Difficulties • Board or other leaks framed as security leaks • Unlawful security leak of truthful, exculpatory, whistle-blowing, reveal fraud or wrongdoing? • “Security” excessively vague: interpret more narrowly • Illegal or unethical investigatory means • Pretexting under G/L/B vs. telecom privacy laws • Internal Investigations Proliferating • Third Party Service Providers • Will their methods be imputed to principal?

  36. Obstruction of Justice EX: Nixon • Nixon investigated for obstruction • Alleged role in cover-up of Watergate hotel break-in, 1972 re-election • It appears he was aware after the fact & planned to pay hush money • Woods goes down in history as responsible for erasure of 18 1/2 minutes of crucial evidence before it was transmitted to Watergate investigators of the Nixon impeachment effort

  37. Obstruction of Justice: AA/Enron • AA was indicted, tried, convicted for obstruction when, as Enron collapsed, AA re-distributed document policy & employees proceeded to shred two tons of documents; conviction reversed, 9-0, but too late • “‘Document retention policies,’ which are created in part to keep certain information from getting into the hands of others, including the Government, are common in business. It is, of course, not wrongful for a manager to instruct his employees to comply with a valid document retention policy under ordinary circumstances.” Arthur Andersen LLP v. US, 125 S. Ct. 2129, 2135 (2005) (Rehnquist, C.J.) • It’s OK to trigger shredding through a reminder enforcing document retention policy • Not “corrupt” w/in Fed obstruction if doc destruction pursuant to valid document retention policy.

  38. Obstruction of Justice: Martha • 6 mos in W Va but not for insider trading • Instead: obstruction of justice: • Falsifying trading & phone records • Heard from friend Sam Waksal, CEO of Imclone • Martha allegedly sold Imclone stock on tip • Falsification of documents was intended merely to create an explanation for what was a suspicious trade • Martha’s actions made it more difficult to prove Waksal had also sold his stock in anticipation of negative news of the lack of FDA approval for Imclone's product.
