Laws of the cyber-land
Legal expert addresses recent developments and trends in cybersecurity
11:48 a.m., March 18, 2016--In its battle with Apple over access to an iPhone used by the gunman in the San Bernardino shootings, the FBI has invoked the 227-year-old “All Writs Act,” which broadly gives federal courts the right to ask third parties for assistance in law enforcement.
Although the outcome of the tug-of-war over the locked device is still unknown (the two parties will head to federal court on March 22), the case could set a precedent regardless of which side wins.
It also exemplifies what cybersecurity expert Rajesh De referred to as a “misalignment between law, policy, and expectations” in an invited lecture at the University of Delaware on March 16.
“The law moves slowly, and technology moves fast,” he said. “That’s part of the problem underlying the Apple case.”
De, who served as general counsel for the United States National Security Agency from 2012 to 2015, is now a partner in Mayer Brown’s Washington, D.C., office and leader of the firm’s global cybersecurity and data privacy practice.
Evolution of the threat
Cyber threats have evolved over the past few years, De said, emerging in layers from exploitation to disruption to destruction to manipulation.
Initially, most cyber threats involved exploitation or the “theft of stuff,” including personal identity information and intellectual property.
Beginning four or five years ago, banks began to experience disruption in the form of DDoS (distributed denial-of-service) attacks, which bring down websites by flooding them with traffic from multiple sources.
“These attacks didn’t result in a lot of damage, but they were very rattling,” De said.
Activity escalated to the level of destruction in 2012 and 2013, when attackers began to target systems on a large scale, such as the 2012 Saudi Aramco hack, in which 35,000 computers were partially wiped or totally destroyed within just a few hours.
Current concerns focus on manipulation of data. “The only thing worse than having your data stolen is having it manipulated, which compromises its integrity,” De said.
Manipulation can also target the growing “Internet of Things,” with objects like cars and kitchen appliances now being controlled electronically.
“Cars now have more processing power than many older computers,” De said. “A car is effectively a computer on wheels.”
Legal, regulatory, and policy trends
In the area of litigation, De said that until recently, most lawsuits filed by the victims of data breaches have been thrown out of court on the grounds that the plaintiffs can’t allege any actual injury from the theft of their data.
However, in July 2015, a three-judge panel decided to allow a class-action lawsuit against Neiman Marcus to proceed, based not just on demonstrated harm, but also on potential future harm arising from the store’s 2013 data breach.
“We could see sweeping changes in what happens legally after a breach as the result of this decision,” De said.
The issue of regulation has become more complex as multiple agencies, from the SEC and FTC to the FDA, become involved with cybersecurity. Concerns include the potential for agencies to take disparate approaches to cybersecurity and for companies (for example, automakers) to be regulated by several agencies.
In terms of policy, a major development was the October 2015 passage of the Cybersecurity Information Sharing Act, which clears the field for companies and the government to share information without fear of legal liability.
De pointed out that most boards of directors are now cognizant of cyber threats and are beginning to fold cybersecurity into their overall risk management plans.
He also predicted that as new tools are developed, the cyber-insurance industry, which is currently “woefully immature,” will “blossom and prompt collective action.”
Overall, De said the public needs to change expectations from prevention to detection and mitigation.
“It’s impossible to be 100 percent successful at prevention, but we can reduce the time it takes to detect a breach, which currently averages about 200 days,” he said. “If we could bring that down to two days or two hours, we could save ourselves a lot of heartache.”
About the series
The final lecture in the series, “Machine Learning Techniques and Applications for Text, Imagery, and Video Processing,” will be delivered on April 6 by James Nolan, vice president for analytic technologies at Decisive Analytics Corporation.
The series is sponsored and hosted by the UD Cybersecurity Initiative.
Article by Diane Kukich
Photos by Duane Perry