Special Section: breaking news from the Georgetown Cybersecurity Law Institute (our regular summary appears below)
Georgetown's Cybersecurity Law Institute opened yesterday with a welcome from Dean William M. Treanor. He was followed by Nuala O'Connor of the Center for Democracy and Technology, who offered an overview of "the promises and perils of cyber security in daily life."
The morning's first panel dealt with enterprise security programs, including a discussion of roles and responsibilities: General Counsel, CISO, CIO, etc. This discussion led naturally to a consideration of cyber frameworks and standards, and their legal implications. The NIST cyber security framework (developed with contributions from several thousand stakeholders) was designed as a tiered system. It is not, panelists stressed, a standard. It is, however, an excellent starting point for structuring the conversations an enterprise's key players need to have about preventing, detecting, and mitigating a cyber event. A tiered system such as NIST proposes accommodates the needs of organizations with widely divergent levels of cyber maturity. It is also intended to accommodate rapidly evolving risks.
Frameworks and standards are not legislation, and the panel generally agreed that legislation would be premature. In this area the voluntary will precede law and regulation. NIST's cyber framework will help companies shape governance and prepare for emerging standards. FTC consent decrees, in contrast, were described as high-level "lagging indicators" that amount to binding cyber standards.
Increasingly, the panel observed, we find that sharing cyber information not only mitigates vulnerability, but limits liability. Information sharing appears on its way to becoming part of standards of care. Such sharing should extend outside a business to vendors and partners: a company needs to take reasonable steps to satisfy itself that vendors and partners have the wherewithal to protect what's invaluable to that company. Reasonable cyber security is a continuing process of assessing and managing risk.
Suzanne E. Spaulding, Undersecretary for the National Protection and Programs Directorate in the Department of Homeland Security, delivered the afternoon keynote. She stressed DHS's commitment to sharing information with the private sector. DHS sees itself, in fact, as an advocate for the private sector in the often difficult-to-access Intelligence Community, and DHS works to disseminate cyber intelligence as effectively as possible to stakeholders in the unclassified world. She sees the private sector as having an important role in distributing and circulating cyber intelligence: companies see much that DHS doesn't, and they can contribute to developing intelligence. An interesting note for researchers: Undersecretary Spaulding said that DHS is currently interested in developing machine-to-machine, automated, near-real-time cyber intelligence sharing.
The two afternoon panels were devoted to the role of the general counsel in cyber security, and to the state and prospects of the cyber insurance market. General counsels have come to play a useful mediating role facilitating intracompany cyber security communications. They remain deeply involved in corporate cyber security discussions. They also play a significant role in compliance, acting especially on behalf of the corporate board. Several panelists had considerable experience with the electrical power industry, long a cyber target. They offered an interesting perspective on insider threats. Not all insider risks involve nefarious actors. Consider engineers who circumvent an air-gapped system. Perhaps they put in a backdoor that enables them to troubleshoot a problem from home (say, at midnight, when they'd rather phone it in than visit the plant).
The panel on cyber insurance noted that data breach insurance is more mature than business interruption insurance. The costs of a data breach are better understood than those of business interruption. Although the market for business interruption insurance is about 100 years old, today's cyber risks are sufficiently novel to present poorly understood problems. The market hasn't yet reacted to the reality of cyber business interruption, and there's a lack of credible cyber risk actuarial data. (In this respect cyber business interruption risk is analogous to supply chain risk.) There's a robust third-party market, but the first-party market for transferring the risk of business interruption is still forming.
We'll wrap up our coverage of Georgetown's Cybersecurity Law Institute tomorrow. In the meantime we've included some articles below that address topics relevant to the Institute's discussions.
Today's regular daily summary starts here.
THE CYBERWIRE (Thursday, May 22, 2014) — We hear much about the importance of information sharing, and two stories today illustrate the challenges that surround it. First, ICS-CERT releases more information on the recent attack on a US public utility's industrial control systems. The affected systems were apparently exposed to the Internet with inadequate firewalling. Utilities have so far enjoyed the sort of immunity vintage equipment can confer upon an operation—much of its plant dates to pre-Internet days—but immunity-through-obsolescence (questionably desirable anyway) is temporary.
Second, eBay confirms that it has suffered a data breach (and some journalists question the effectiveness of the company's disclosure of the breach to its customers). The compromised database held customers' names, encrypted passwords, email addresses, physical addresses, phone numbers, and dates of birth.
Anonymous may have been involved in another happy fizzle: reports suggest the hacktivist collective tried and failed to conduct a denial-of-service attack against the .mil domain.
The Sino-American cyber espionage squabble continues, to Chinese outrage, as US prosecutors hang tough. Observers find it significant that the indictment is directed against specific natural persons, not a unit of the PLA—what former FBI Director Mueller calls "the warm bodies behind the keyboards." The tu quoque issue China raises, however, appears to have legs, as journalists revisit alleged US spying on Brazil's Petrobras.
In industry news, Cisco is buying ThreatGRID to complement last year's acquisition of Sourcefire.
US surveillance reforms advance through Congress to tepid industry reviews.
Weev, for some reason, thinks he deserves compensation for time in prison.
Today's edition of the CyberWire reports events affecting Australia, Brazil, Canada, China, Nigeria, South Africa, the United Kingdom, and the United States.
The CyberWire is published daily, Monday through Friday, except for US holidays. Format and summary copyright Pratt Street Media LLC. To subscribe and to manage your subscription, visit our sign-up page. Follow us on Twitter @thecyberwire.