
The Non-Code Aspects of Cybersecurity & The Globalization of Criminal Evidence

Explore the non-code aspects of cybersecurity and the challenges posed by the globalization of criminal evidence. This lecture by Professor Peter Swire provides insights into cyber threats, the cloud, and international cooperation in cybersecurity.


Presentation Transcript


  1. The Non-Code Aspects of Cybersecurity & The Globalization of Criminal Evidence
  Professor Peter Swire, Scheller College of Business
  IISP Friday Lecture, October 4, 2019

  2. A case study
  • Suppose you work with the CISO of Sony Pictures
  • Your task – what cyber threats does the company face?
  • Query: do you review what movies the studio is releasing? Is that a responsibility of the CISO’s job?

  3. A case study (2)
  • Suppose you work with the CISO of Sony Pictures
  • Your task – what cyber threats does the company face?
  • Query: do you review what movies the studio is releasing? Is that a responsibility of the CISO’s job?
  • Answer: Sony makes a picture that mocks the North Korean dictator
  • Result – nation-state attack on Sony, with severe damage
  • One moral of the story: cyber threat models include much more than writing code

  4. Overview for today
  • Swire background
  • Non-code aspects of cybersecurity, a “Pedagogic Cybersecurity Framework”
  • Globalization of criminal evidence
    • Technical and market shift to the cloud
    • The criminal evidence is suddenly stored in a different country
    • Law enforcement can’t get the evidence
    • To try to fix this, new US/UK treaty signed last night

  5. Peter Swire Background
  • Princeton, Yale Law School
  • Law professor, first article on law of the Internet in 1993
  • President Clinton’s Chief Counselor for Privacy
    • HIPAA, financial privacy rules
    • Chaired WH Working Group on Encryption
    • Chaired WH Working Group on how to update wiretap laws for the Internet
  • One of first law professors to teach law of cybersecurity (2003)
  • President Obama’s Review Group on Intelligence and Communications Technology (“NSA Review Group”)
  • Assoc. Director of Policy, GT Institute for Information Security & Privacy

  6. December 2013: The Situation Room

  7. Published 9/26/18

  8. http://peterswire.net/cacm2018faqs-html
  Emphasis today: beyond pedagogy – the Framework in support of cybersecurity research and practice

  9. The Non-Code Aspects of Cybersecurity
  • CACM paper and this project propose a new conceptual framework
  • Organizes numerous, important, non-technical cyber-issues
  • Presents the curriculum and issues in ways that make sense to both technical and non-technical audiences in cybersecurity

  10. Theme of New Article: Growth in Non-Code Cybersecurity
  • “Real” cybersecurity today devotes enormous effort to non-code vulnerabilities and responses.
  • The Cybersecurity Workforce Framework of the National Initiative for Cybersecurity Education lists 33 specialty areas for cybersecurity jobs. Ten of the specialty areas primarily involve code, but more than half primarily involve non-code work (15 areas, in my estimate) or are mixed (eight areas, per my assessment).

  11. The Genesis of this Project
  • MGMT/CoC/PubPol 4726/6726 “Information Security Strategies and Policy”
  • I am now teaching this course for the sixth time
  • Required for Masters in Information Security
  • How do all the pieces of this course fit together? Now – 3 parts of the course:
    • Corporate cybersecurity policies and governance – e.g., draft ransomware policy for a hospital group
    • Government laws/regulations – e.g., proposed state legislation to require corporate cybersecurity minimums
    • Nation state and international – draft National Security Council memo on cyberthreats from Russia and policy options to respond
  • Similar set of issues for MGMT/CoC/PubPol 4725/6725, “Privacy Technology, Policy, and Law”

  12. Seven Layers of the OSI “Stack”
  In my experience, these seven layers are well known to knowledgeable computer people who work on cybersecurity. Intuitively, they also know that cyber-attacks can happen at any of these seven layers.

  13. Layers 8, 9, and 10: Natural Language

  14. Layer 8: Cyber within Organizations: Management & Business Schools

  15. Layer 9: Government Layer: Law Schools & Public Policy Schools

  16. Layer 10: International Layer: International Relations Schools

  17. Where do Users fit?
  • A user is not a government or an international actor
  • I suggest part of Layer 8
    • Private sector actors range from individual users/sole proprietorships to modest-size to large organizations
    • Users lack an IT department and a general counsel, and face lots of risks
    • 8A: “Within the household” – how the individual/family manages
    • 8B: “Relations with other actors” – terms of service, identity theft insurance, hiring Geek Squad
  • Users likely a big concern at 9A (government regulation of business), such as HIPAA, GLBA, and consumer protection

  18. Potential for the Cyber Curriculum
  • Helps describe what topics are done in which course:
    • Mostly international relations and cyber norms – course covers 10A, 10B, and 10C, with some layer 9
    • Mostly corporate governance for CISOs – lots of 8A and 8B, with a little bit of the others
  • An overall curriculum could determine how full the coverage is of the 3x3 matrix
  • Can also shift from a project course (reacting to new developments) to a lecture course or treatise/manual:
    • Module on each cell of the 3x3 matrix, with typical vulnerability and governance issues for each cell
    • For instance, 9A: compare market approaches to HIPAA or GLBA; if governed badly, then sensitive data is breached

  19. New definition of cybersecurity “policy”
  • Computer scientist definition of “policy” = everything that is not code
  • Public policy, business school, law schools, international relations
  • Multiple parts of the university, so the vague term “policy” does not match the intellectual disciplines that cybersecurity now requires
  • Hopefully, bring a sense of order and understanding to the current jumble
  • Which, in turn, would lead to better cybersecurity

  20. Research agenda for cybersecurity
  • Each cell in the 3x3 matrix has characteristic research questions
    • 8B – uses and limits of cybersecurity insurance (contracts among companies)
    • 9A – law and political science questions of the mix of markets and regulation to achieve cybersecurity
    • 10C – role of supranational institutions

  21. Practitioner implications
  • Cybersecurity team is used to thinking about layers 1 to 7
  • Remember the Sony example
  • With the expanded OSI stack:
    • Spot the risks and mitigations for each part of layers 8 to 10
    • Define the skill sets needed for your team
    • Draw on the relevant expertise in organizational behavior, law, and international relations as needed

  22. Conclusion on PCF: Contributions of the 10-layer stack
  • Parsimonious structure to organize the jumble of issues now crowding into cyber law, policy, and business courses
  • In my class, we discuss every issue in 3 charts
  • For students, teachers, and practitioners, a way to keep the many issues straight
  • Attacks can happen at layers 8, 9, and 10, if the company has bad policies, the nation has bad laws, or the international community does not prevent attacks
  • Vulnerabilities at layers 8, 9, and 10 are thus fundamentally similar to vulnerabilities at layers 1 to 7
  • Computing & business students, by the end of the course, agree that a large part of the current cyber threat is at these layers
  • In short, we need this new theory of the non-code aspects of cybersecurity, to help students, teachers, researchers, practitioners, and policy-makers

  23. The Globalization of Criminal Evidence
  • In the old days, for a murder in London, the evidence was in London
  • Today, it is very often in the US, on a cloud provider server
  • Police can’t get data at rest:
    • US law prohibits FB, Google, MS etc. from turning over the content of communications, except with a US court order
    • UK police can try to use the Mutual Legal Assistance Treaty (MLAT)
    • If lucky, get the evidence in a year
  • Police can’t get data in transit:
    • In the old days, police could use local wiretaps
    • Today, HTTPS to the cloud server, so wiretaps don’t work
  • Police are therefore sad

  24. Insert CBDF page, with 4 goals

  25. U.S. CLOUD Act, spring 2018
  • Creates a new system for “executive agreements” to address the problem
    • US/UK signed the first one last night, in DC
    • US/EU being negotiated
    • Maybe US/India next year
  • Basic idea:
    • UK can directly get access to FB, MS, G etc.
    • If, and only if, a good system is in place to protect privacy
  • Idea of executive agreements first raised in 2015

  26. What if we don’t get executive agreements/cooperation?
  • If we don’t get cooperation to access data at rest, then law enforcement will push harder for other tools to get the evidence
  • If local wiretaps don’t work in investigations, that supports limits on strong encryption or mandates to break encryption
  • If police can’t get evidence, then use more “lawful hacking”
    • Incentive for police to gain access to the end-point device, before HTTPS
  • If they can’t get evidence from the US, then require localization of data
    • Russia and China require localization already
    • India strongly considering it
    • Hard to have data centers in 200 different countries
    • Open, global Internet may get disrupted

  27. US/UK Agreement Goes to Congress
  • Text of the new executive agreement likely published next week
  • Then, Congress gets six months to consider whether to block it
  • Lots of news coming about how to handle the globalization of criminal evidence

  28. Thank you!
  • Questions?
