Page 1: “Keynote: Key Policy and Legal Issues for CISOs”

Peter Swire, Huang Professor of Law & Ethics
Adhesive and Sealant Council’s Spring Convention
April 5, 2017

Page 3: Overview

- Attacks seemingly everywhere
- Swire background
- Cybersecurity: from the Hacker, White House, Boardroom, and CISO perspectives
- NIST Cybersecurity Framework as a strategic asset for the CISO
- EU as important current issue for CISOs
  - GDPR
  - Litigation about cross-border data flows
- Increasing demand from law enforcement for data held by companies in a different country:
  - Mutual legal assistance
  - Encryption

Page 4: Banking

Page 5: Government

Page 6: Botnets – Internet of Things

- Botnets, Internet of Things, & Denial of Service Attacks

Page 8: Swire background

- Law professor, writing on Internet law since 1993
- Book on US/EU data privacy, 1998
- Chief Counselor for Privacy, OMB (1999-2001)
  - HIPAA, GLBA, Safe Harbor, encryption, cyber
- Many writings on cybersecurity & privacy, including the textbook for certification as a US privacy professional
- U.S. National Economic Council, 2009-2010

Page 9: At Georgia Tech

- Came to Georgia Tech 2013
- Appointments in Business, College of Computing, Public Policy
- Teach:
  - Information Security Strategies and Policy
  - Privacy Technology, Policy & Law
- Policy Director, Institute of Information Security and Policy
- IAPP Privacy Leadership Award, 2015
- Member, National Academy of Science/Engineering Forum on Cyber-Resiliency
- Top secret information about cybersecurity as Member of President Obama’s Review Group on Intelligence and Communications Technology, 2013

Page 10: Swire is Senior Counsel at Alston & Bird LLP

- Consults, consistent with university rules
- Major focus: new European Union General Data Protection Regulation (GDPR)
  - Stricter than current EU Directive
  - Goes into effect May, 2018
  - If you have EU business or clients, there may be significant compliance issues

Page 11: President Obama’s Review Group on Intelligence and Communications Technology

- Snowden leaks of 215 and Prism in June, 2013
- August – Review Group named
- Report due in December
- 5 members

Page 12: December 2013: The Situation Room

Page 13: Our assigned task

- Protect national security
- Advance our foreign policy, including economic effects
- Protect privacy and civil liberties
- Maintain the public trust
- Reduce the risk of unauthorized disclosure

Page 14: Our Report

- Meetings, briefings, public comments
- 300+ pages in December, 2013, republished by Princeton University Press
- 46 recommendations
  - Section 215 telephone database “not essential” to stopping any attack; recommend government not hold phone records
- Pres. Obama speech January 2014
  - Adopted 70% in letter or spirit
- USA FREEDOM Act 2015 passed by Congress
- Pro-privacy reforms, and effective surveillance under the rule of law

Page 15: Cybersecurity: from the Boardroom, the Hackers and the White House

- The Board’s perspective:
  - What should we worry about? How do we get a handle on our cyber-risk?
  - How does the Board make a good decision when there are no cyber experts on the Board?
  - Can we (please) just hope the attackers go against other, more tempting targets?
- The CISO’s perspective
  - We’ll return to this below
  - You don’t want to be the one who gave assurances that it would all be ok
  - How to “manage up” to top management and the Board?

Page 16: Cybersecurity: The Hacker Perspective

- Let’s do a SWOT (strength, weakness, opportunity, threat) analysis for hacker criminal groups or nation-state attackers
- Strengths: why hacking is attractive
  - Physical location: “There are no good neighborhoods in cyberspace”
    - The attackers are next door to every victim – can attack from anywhere to anywhere
    - No oceans to protect the U.S. from attack
    - Big contrast with the challenge of making an inter-continental missile

Page 17: Hacker strengths

- Attacks are cheap and plentiful
- Physical world – burglary is risky
  - Attacker can get caught
  - Can only attack at night and at the right moment
  - One attack is a big deal – only Santa Claus can go to every house in one night
- Cyber world – sitting behind a keyboard is not risky
  - Attacker hides behind multiple hops – hard to do attribution
  - Can attack 24/7
  - Can attack thousands or millions of times – attacks scale, the equivalent of testing each window to see which ones are open
  - Attacks can mutate – if one virus is blocked, can change the signature, and now have software to do that at scale

Page 18: Hacker Weaknesses

- Generally, have seen few “kinetic” attacks
  - No real-world attacks on cars (yet)
  - No real-world attacks on pacemakers (yet)
- Can “only” achieve cyber attacks in cyber

Page 19: Hacker Opportunities

- Cybersecurity “CIA”: confidentiality, integrity, accessibility
- Confidentiality:
  - Data breach: so many possible targets, exfiltration
  - Credit card and other PII
  - Trade secrets
  - Business plans
  - National security information
- Integrity: what if you don’t trust your accounting system?
- Accessibility
  - Denial of Service attacks
  - Ransomware

Page 20: Threats to Hackers

- Hacker attacks come from overseas (safer)
- Hacker attacks come from havens where local authorities don’t mind the attacks (safer)
  - They know – don’t annoy your friends
  - Attacks that don’t hit Cyrillic machines
- Some progress against attackers:
  - Attribution may be improving
  - All sources (not just cyber) for attribution & response
  - Indictments, diplomacy, possible counter-attacks
- Not such a threatening list of threats

Page 21: Summary of SWOT for Hackers

- Strengths: attack multiple times, from anywhere
- Weakness: only cyber
- Opportunities: data breach, ransomware, etc.
- Threats: not so much

Page 22: Cybersecurity: the White House Perspective

- Strengths: numerous
  - US has state-of-the-art technology and experts
  - US military, Cyber Command, NSA
  - Public-private partnerships
  - Allies
  - Lots of practice being attacked ;-)
  - Compartmentalization – despite concerns of “digital Pearl Harbor” we have not seen widespread contagion across the entire system

Page 23: White House: Weaknesses for US

- The problem of being on defense
  - A “target-rich environment”
  - “If you defend everywhere, you defend nowhere”
  - “We have to be right every time; they only have to be right once”
- Little history of permissible or effective cyber-attack (Stuxnet an exception)
- Reliance on private sector for critical infrastructure
  - No military-style command and control
  - Each private sector actor has its own goals and incentives
- Attacks from safe havens, where US has limited leverage

Page 24: White House: Opportunities for US

- Develop best practices for classified and unclassified government systems
- Lead public and private sectors toward those best practices: NIST Cybersecurity Framework
- Criminal enforcement against attackers
- Economic sanctions and diplomatic measures
- Credible threats of US cyber-attacks, in the right circumstance
  - Cyberattack recently against Korean missile test?

Page 25: Some apparent diplomatic progress

Page 26: Chronology to Indictments against PLA Hackers: Mix of Strategies to Deter

- Mandiant study with attribution to People’s Liberation Army
- Homeland Security released attacking IP addresses
- Obama repeatedly raised the issue with Xi: in Sunnylands, Calif., in June 2013; in St. Petersburg, Russia, in September of that year; and again in The Hague in March 2014.
- In April, Obama signed an executive order establishing the power to impose economic sanctions on individuals and entities that take part in or benefit from illicit cyber-activities such as commercial espionage.
- May, 2014 – indictments against five named Chinese hackers
- Attacks got better on companies
- AG Holder: “Success in the global market place should be based solely on a company’s ability to innovate and compete, not on a sponsor government’s ability to spy and steal business secrets”

Page 27: Opportunities for Deterrence

- Joseph Nye (famous international relations expert) – 4 ways to achieve deterrence
  - Punishment
  - Denial – increasing
  - Entanglement – increasing
  - Norms – increasing
- Perhaps more hope for deterrence going forward, at least against the worst, nation-state attacks

Page 28: White House: Threats to US

- Asymmetry: we’re a big target, and the attackers may not be
- Nation states: what are their maximum capabilities?
- Hacker groups: whack-a-mole: close down one hacker group, and others pop up; low-cost attacks
- No perimeter defense
  - Our companies cannot be safely behind the national border

Page 29: SWOT Summary for US

- Strengths: good at IT
- Weaknesses: lots of attack surface
- Opportunity: all-sources response, not just cyber
- Threats: nation state, hackers

Page 30: View from the Boardroom and the CISO

- Start with your threat model
- What are the biggest threats for your industry/company?
  - Data breach and trade secrets (confidentiality)
  - Ransomware (availability)
  - Nation state attacks – Sony, Saudi Aramco, banks
  - New technology lacking security: IoT, Big Data (and big data breaches)
- If you can agree with top management on the threat model, you can then implement what follows from the threats

Page 31: Do you have it under control?

- Boss asks CISO: do you have it under control?
- CISO concerns include:
  - Need effective technical, physical, and administrative measures
  - Insider risk – what do we know about our employees, including the systems administrators (Snowden)?
  - All of the threats: numerous attacks from anywhere in the world, mutating constantly, at low cost to the attacker
  - Can never seem to patch and address the known attacks, not to mention zero days and unknown risks and attacks
- CISO budget request: enough to cover the range of things the CISO worries about every night
- Top management budget approval: enough to meet our risks, but there has to be a limit somewhere

Page 32: Cyber Metrics for Top Managers

- Goal for Board and top managers: to assess overall cyber risk management
- Many available metrics, such as how many intrusions/month
  - Not tightly linked to actual risk or response
- Target CISO told top management of a long list of risks, including vulnerability from POS systems
  - They had the data but weren’t able to manage it
- A better way can be the NIST Cybersecurity Framework, as a way to “manage up”

Page 34: Goals of the NIST Cybersecurity Framework, under Executive Order

“Enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties.”

Page 35: Not a Regulation – not binding by law

“The resulting Framework, created through collaboration between government and the private sector, uses a common language to address and manage cybersecurity risk in a cost-effective way based on business needs without placing additional regulatory requirements on businesses.”

Page 36: Framework

The Framework provides a common taxonomy and mechanism for organizations to:

1) Describe their current cybersecurity posture;
2) Describe their target state for cybersecurity;
3) Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process;
4) Assess progress toward the target state;
5) Communicate among internal and external stakeholders about cybersecurity risk.

Page 37: Five Functions in Framework (p. 7 of the NIST framework)

- Identify
- Protect
- Detect
- Respond
- Recover

Page 38: A Key Focus for Decision: Risk Tiers and Program Maturity

- Risk Management Process
- Integrated Risk Management Program
- External Participation
- Cyber Supply Chain Risk Management
- Goal – get top management to sign off on the correct risk tier

Page 39: Tier 1: Partial

Cyber Supply Chain Risk Management – An organization may not understand the full implications of cyber supply chain risks or have the processes in place to identify, assess and mitigate its cyber supply chain risks.

Page 40: Tier 2: Risk Informed

Cyber Supply Chain Risk Management – The organization understands the cyber supply chain risks associated with the products and services that either supports the business mission function of the organization or that are utilized in the organization’s products or services. The organization has not formalized its capabilities to manage cyber supply chain risks internally or with its suppliers and partners and performs these activities inconsistently.

Page 41: Tier 3: Repeatable

Cyber Supply Chain Risk Management – An organization-wide approach to managing cyber supply chain risks is enacted via enterprise risk management policies, processes and procedures. This likely includes a governance structure (e.g. Risk Council) that manages cyber supply chain risks in balance with other enterprise risks. Policies, processes, and procedures are implemented consistently, as intended, and continuously monitored and reviewed. Personnel possess the knowledge and skills to perform their appointed cyber supply chain risk management responsibilities. The organization has formal agreements in place to communicate baseline requirements to its suppliers and partners.

Page 42: Tier 4: Adaptive

Cyber Supply Chain Risk Management – The organization can quickly and efficiently account for emerging cyber supply chain risks using real-time or near real-time information and leveraging an institutionalized knowledge of cyber supply chain risk management with its external suppliers and partners as well as internally, in related functional areas and at all levels of the organization. The organization communicates proactively and uses formal (e.g. agreements) and informal mechanisms to develop and maintain strong relationships with its suppliers, partners, and individual and organizational buyers.

Page 43: Why NIST Framework Can Help

- Board and top management can make decisions about which risk tier to be in, for main components of cybersecurity program
- Don’t say “more is always better”, but adapt to threat model
- CISO/CIO can then implement, with benchmarks for the life cycle to address threats: identify, protect, detect, respond, and recover
- If the bad moment comes, there has been a common decision about the organization’s level of risk

Page 45: Conclusion On the Three Views

- View from the hackers – many attacks, at low cost
- View from the US/White House – start to confine the largest risks, many strengths, but can’t define a border for the US that is safe for private sector
- View from the Boardroom – do your threat model, set your risk tiers, and implement
- Phew! A plan!

Page 46: EU/US Data Flows

- Why this is important:
  - Since 1998, the EU Data Protection Directive has set strict rules for “personal data”
  - Within EU, free flow of personal data
  - Outside EU, can only flow if “adequate” privacy protection
- Issue 1: the General Data Protection Regulation (GDPR)
  - Goes into enforcement May, 2018
- Issue 2: Does NSA surveillance make (almost) all personal data flows to the US “inadequately” protected and thus illegal?

Page 47: EU Issue 1: General Data Protection Regulation

- A “regulation” that applies across the EU, not a “directive” instructing member states to pass national laws
  - Potentially helpful, if it harmonizes the law
  - Challenging, because it harmonizes in a more regulated way
- I will highlight five areas most important to CISOs
- Compliance updates at alstonprivacy.com and through webinar series on “Roadmap to the GDPR”
  - Led by Jan Dhont, former official in Belgium Privacy Authority and head of Alston’s Brussels office

Page 48: GDPR Key Issues

- Data breach requirements. Notice due within a very fast 72 hours.
- Right to be forgotten. Companies beyond the original search engines will have to have procedures to take down data found to be irrelevant or disparaging about individuals.
- Data Portability: Right to data portability, so individuals can easily transfer their data out of a company's computer systems. Regulators said this week that it applies to B2B as well as B2C systems.
- Broad Jurisdiction: EU jurisdiction applies broadly. The GDPR has a "long arm" provision that states that its rules apply to any companies selling to an EU citizen or with employees in the EU.
- Large Fines: Massively increased fines. To date, fines in Europe have usually been lower than the cost of FTC consent decrees or plaintiff class actions in the United States. The GDPR authorizes fines up to 4% of global revenue for violations.

Page 49: GDPR and CISOs

- If you operate in EU, sell to any EU customers, or have any regular EU employment, then you need to comply with GDPR
- In my experience, effective compliance is IT-intensive
  - Inventory and map data flows involving EU
  - Privacy impact assessment for each system that has EU personal data
    - How to mitigate compliance risk
    - How to do this consistent with company’s security goals and requirements
  - IP logs are “personal data” in the EU, and thus regulated
    - Need documentation and mitigation measures for core IT security functions
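The last point on this slide, that IP logs are personal data and that core security functions therefore need documented mitigation measures, is illustrated by the following added example; it is not from the talk, from Alston & Bird, or from any NIST or EU document. It shows one such measure: keyed pseudonymization of IP addresses in security log lines before long-term retention, so that events from the same host can still be correlated while the raw address is not stored. The log lines, the key, and every function name are constructed for this example.

```python
import hashlib
import hmac
import ipaddress
import re

# Candidate IPv4 / IPv6 literals. Each match is validated with ipaddress
# before it is replaced, so timestamps ("10:12:34") and version strings
# ("1.2.3", "7.58.0") that resemble addresses are left untouched.
_IP_CANDIDATE = re.compile(
    r"\b(?:\d{1,3}\.){3}\d{1,3}\b"                      # IPv4 dotted quad
    r"|\b(?:[0-9a-fA-F]{0,4}:){2,7}[0-9a-fA-F]{1,4}\b"  # IPv6 colon form
)

# Constructed sample lines in a syslog-like layout (not real traffic).
SAMPLE_LOG = [
    "2017-04-05 10:12:34 sshd[2211]: Failed password for root from 203.0.113.42 port 51022",
    "2017-04-05 10:12:35 sshd[2211]: Failed password for root from 203.0.113.42 port 51023",
    "2017-04-05 10:13:01 nginx: 198.51.100.7 GET /login 200 agent=curl/7.58.0",
    "2017-04-05 10:13:02 nginx: [2001:db8::1]:443 TLS handshake ok",
]

# Constructed key. In practice the key lives in a secret store and is
# rotated per retention period, which bounds how long a token stays
# linkable to one host; tokens from different periods do not join.
DEMO_KEY = b"constructed-retention-period-key"


def pseudonymize_ip(ip: str, key: bytes) -> str:
    """Map an IP address to a keyed, deterministic token.

    Same address + same key -> same token, so brute-force and abuse
    correlation still works. Without the key the token cannot be reversed
    or recomputed, which is what distinguishes this from a plain hash of
    the (small) IPv4 space.
    """
    # Canonical form: "2001:DB8:0::1" and "2001:db8::1" get the same token.
    canonical = str(ipaddress.ip_address(ip))
    digest = hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()
    return "ip-" + digest[:16]


def pseudonymize_line(line: str, key: bytes) -> str:
    """Replace every valid IP literal in one log line with its token."""
    def _sub(match):
        literal = match.group(0)
        try:
            ipaddress.ip_address(literal)
        except ValueError:
            return literal  # looked like an address but is not one
        return pseudonymize_ip(literal, key)
    return _IP_CANDIDATE.sub(_sub, line)


def pseudonymize_log(lines, key: bytes):
    """Pseudonymize a batch of lines; returns a new list."""
    return [pseudonymize_line(line, key) for line in lines]


def contains_raw_ip(text: str) -> bool:
    """Pre-retention/export check: does any literal IP address survive?"""
    for match in _IP_CANDIDATE.finditer(text):
        try:
            ipaddress.ip_address(match.group(0))
            return True
        except ValueError:
            continue
    return False


if __name__ == "__main__":
    for original, scrubbed in zip(SAMPLE_LOG, pseudonymize_log(SAMPLE_LOG, DEMO_KEY)):
        print(scrubbed)
        assert not contains_raw_ip(scrubbed), original
```

Pseudonymized logs are still personal data under the GDPR for as long as the key exists, so this is a documented mitigation that reduces exposure and supports the impact assessment; it does not take the logs out of scope. The `contains_raw_ip` check is the kind of control a CISO can point to when documenting that retained logs hold tokens rather than addresses.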

Page 50: EU Issue 2: Litigation May Cut Off Data Flows from the EU

- 2000: Safe Harbor agreement
- October 2015: ECJ strikes down Safe Harbor in Schrems decision
  - One concern – strict enough commercial privacy rules
  - Major concern – scope of US surveillance activities; may not be “adequate” if NSA and other surveillance takes place once the data gets to the US
- December 2015: Swire testimony about safeguards and reforms in US surveillance law
- July 2016: final approval of EU/US Privacy Shield to replace Safe Harbor

Page 51: Privacy Shield

- The hope with Privacy Shield:
  - Creates a legal basis for data transfers, post-Safe Harbor
  - Shows political will in EU and US for a strong relationship
  - Manageable, stricter commercial privacy rules
  - Some US government statements about legal limits on “bulk” surveillance

Page 52: The Legal Challenges

- European Court of Justice in Schrems did not (quite) find that US surveillance made transfers “inadequate”
- It did strike down Safe Harbor, expressing detailed concerns that NSA surveillance is so pervasive that EU citizens’ data cannot be safe in the US
- Current Schrems v. Facebook case:
  - Current challenge in Ireland to “standard contract clauses” that are used as lawful basis to send data to US and elsewhere
  - Irish privacy commissioner – SCCs seem as legally weak as Safe Harbor; referred on appeal toward the ECJ
  - Five-week trial; I testified two full days on US law governing foreign intelligence surveillance and legal protections

Page 53: What If SCCs are Struck Down?

- If ECJ says SCCs are illegal, no good way to over-rule that
  - Binding legal effect of ECJ decision
  - No mechanism for constitutional amendment
  - Would require change to Lisbon Treaty
- Intelligence effects
  - Big risk to US/EU intelligence sharing, including for cybercrime and anti-terrorism

Page 54: Litigation and Risks to Your IT Systems

- Concerning the Dublin case, risk of major disruptions between European operations and those in the rest of the company.
- Could see a “great firewall of Europe” – strict limits in many settings
- Planning for the possibility of these disruptions:
  - Some companies might decide that their limited operations in Europe are not worth continuing.
  - Companies may also consider what measures will be required to segregate their European operations, at least when it comes to flows of personal data.
  - HR especially problematic – can’t require consent to export data for EU employees

Page 55: A Bit About Government Access to Data and Effects on Your Companies

- Research project – mutual legal assistance, when police in one country (France, India) want evidence in another country (US)
- The problem:
  - Data at rest – emails, social network, other content held in the cloud, often in the US, so local legal process doesn’t work
  - Data in transit – emails, SNS, other content now encrypted, so local wiretaps don’t work

Page 56: The Technology of Cross-Border Requests: Law Enforcement Perspective

- Data at rest:
  - Email, social network information, and many other kinds of content are stored in the cloud
  - Often in a different country – local legal process doesn’t work
- Data in transit:
  - Increasing encryption for that content, since Snowden, for email, social network, and other content
  - Wiretaps don’t work to get content
- Where no local legal process or local wiretap: “From Real-Time Intercepts to Stored Records: Why Encryption Drives the Government to Seek Access to the Cloud” (2012)
- Every routine case can become a cross-border data request

Page 57: “Going Dark vs. the Golden Age of Surveillance” (2011)

- As law enforcement encounters these obstacles, it is simultaneously the “Golden Age of Surveillance”:
  - Orders of magnitude more recorded communications, such as texts, emails, SNS, with at least meta-data available to law enforcement;
  - Location information, due to smartphones;
  - So many other databases – financial, web history, data brokers, etc.
  - Tim Cook in Time: cameras everywhere, as leading edge of pervasive sensors in the IoT
- Net: law enforcement more often seeks evidence overseas, especially for content, while also enjoying unprecedented advantages
- Both law enforcement and privacy perspectives – possibility of severe changes for the worse

Page 58: Who cares about MLA Going Forward?

- Swire & Hemmings, “Stakeholders in the Reform of the Global System for MLA” (2015)
- Law enforcement
- Privacy supporters
- Tech companies – the requests come to them
- Other government/public interests, such as the future of the Internet & avoiding localization

Page 59: April 18 Conference at Georgia Tech

- Panel 1: Intersection of law enforcement, intelligence, and military for Mutual Legal Assistance
- Keynote: “Achieving Individual Privacy and International Security Cooperation in a Shifting Landscape”
- Panel 2: Hacking, Attribution, Technology, and MLA
- Panel 3: The US/UK Agreement as a Model for Reform
- Panel 4: Long-term Proposals for International Data Requests
- Online symposium later this month on Lawfare
- Videos soon at http://www.iisp.gatech.edu/cross-border-data-project.

Page 60: Conclusion on Government Access

- Shifting technology means law enforcement and privacy protectors are worried about losing traditional access and protections
- New pro-surveillance initiatives in China, India, Russia
- Possible data localization rules pervasively
- An issue to watch

Page 61: Conclusion Today

- CISOs facing a more complex non-technical set of challenges
  - The Boardroom
  - Europe
  - Law enforcement
  - Other policy changes
- What to do:
  - NIST Framework as a tool for managing up
  - Recognize the intersection of the technical and the policy/political, both in and out of your company
  - Build allies, including privacy team
  - Appreciate the critical role you play

Thank you