
GSPS Discussion

Jan. 27, 2015

Cybersecurity and the Search for Global ‘Cyber Peace’

Prof. Scott J. Shackelford, JD, PhD

Outline

I. Conceptualizing the Cyber Threat and Defining “Cyber Peace”

II. Businesses and Cyber Peace

A. Polycentric Governance

B. Corporate Social Responsibility

C. Cybersecurity Best Practices

III. Toward a Law of Cyber Peace

A. National Cybersecurity Strategies

B. Exploring the Applicable Law

IV. Classroom Implications

1.1 Defining “Cyberspace”

1.2 The Internet Governance Question: Internet Sovereignty vs. Internet Freedom

• Internet Sovereignty
– Definition(s)
– Ex: China?
– Concern of Internet Balkanization

• Internet Freedom
– Caveats
– Ex: USA?
– Statutes (COPA, SOPA, CISPA, etc.)

*Source: perry4law.org 

*Source: freedomhouse

1.3 Nations Signing WCIT 2012

*Source: techdirt

To Companies

• Theft of IP is Costly – by some estimates (McAfee) more than $400 billion annually

• Widespread – at least 19 million people in 120 nations

• Easy – more than 30,000 websites offering malware

To Countries

• Fear of “Electronic Pearl Harbor” (overblown?)

• Protecting critical infrastructure

1.4 Defining the Cyber Threat

*Source: KAL’s Cartoon, Economist, May 7, 2009

*Source: McAfee In the Dark (2010)

Number of Cyber Attacks Cataloged by CERT from 1995 to 2011

1.5 Unpacking the Cyber Threat

• Cyber War

• Cybercrime
– Many Types
– Ransomware
– True Extent Unknown
– Global Nature
– Response

• Cyber Espionage
– Legal “black hole”
– Cost

• Cyber Terrorism
– Why relatively rare?

• New Cyberwarfare

*Source: The War Room

1.6 Defining “Cyber Peace”

Vatican’s Pontifical Academy of Sciences Erice Declaration on Principles for Cyber Stability and Cyber Peace

1. All governments should recognize that international law guarantees individuals the free flow of information and ideas; these guarantees also apply to cyberspace. Restrictions should only be as necessary and accompanied by a process for legal review.

2. All countries should work together to develop a common code of cyber conduct and harmonized global legal framework, including procedural provisions regarding investigative assistance and cooperation that respects privacy and human rights. All governments, service providers, and users should support international law enforcement efforts against cyber criminals.

3. All users, service providers, and governments should work to ensure that cyberspace is not used in any way that would result in the exploitation of users, particularly the young and defenseless, through violence or degradation.

4. Governments, organizations, and the private sector, including individuals, should implement and maintain comprehensive security programs based upon internationally accepted best practices and standards and utilizing privacy and security technologies.

5. Software and hardware developers should strive to develop secure technologies that promote resiliency and resist vulnerabilities.

6. Governments should actively participate in United Nations’ efforts to promote global cyber security and cyber peace and to avoid the use of cyberspace for conflict.

2.1 Polycentric Institutional Analysis

• Central Issue

• Applied to Cyberspace

• Insight: Start small and local, but start somewhere!

• Potential Problems
– Fragmentation
– Gridlock
– Ethical and Political Pitfalls?

2.2 Businesses as Peacebuilders?

• Corporate Social Responsibility (CSR)
– Reemergence
– Application to Cybersecurity

• Mediating Institutions

• Contributions to Peace
– Economic Development
– Rule of Law
– Community Engagement (CSR)

*Source: UN Global Compact

2.3 Applying Lessons from the Sustainable Development Movement

• Birth of the Sustainability Movement

• Tragedy of the Cyber Commons?

• Some Applicable Tools
– Integrated Reporting
– Certificate Programs
– Common Heritage of Mankind

*Source: www.keepoklahomabeautiful.com

2.4 Managing Cyber Attacks

Technical Vulnerabilities

– Hardware
• Secure Supply Chains
• “Trust but Verify”

– Protocols
• Ex: DNS
• Importance of DNSSEC

– Code
• Improving Accountability
• Liability Issues

– Users

*Source: www.techbyte.pl

*Source: www.aronsonblogs.com

2.5 Private-Sector Cybersecurity Best Practices

• Summary: Be proactive and invest in built-in cybersecurity best practices from the inception of a project.

• Technology
– Encrypt Data (at rest and in transit)
– Biometrics & Deep Packet Inspection

• Investments
– Average: >5% of IT budgets
– Cybersecurity as CSR

• Organization
– CISO Savings Average 20%
– Audit Training Programs & Penetration Testing

*Source: www.wizilegal.com

2.6 Ex: Cyber Risk Insurance

• Growth of Market
– 2003: Approx. $100m
– 2011: Approx. $750m?

• Benefits
– Lifeline
– Sample Plan

• Costs
– Reactive
– Hard to Quantify Risk

Growth of Cyber Risk Insurance Industry

*Source: Betterley Risk

3.1 Evolution of U.S. Cybersecurity Law & Policy

• Obama Administration
– Cyberspace Policy Review
– International Strategy for Cyberspace
– Executive Actions
• Directive
• Executive Order

• Critiques
– Lack of Real Reform
– Exec. Orders

*Source: NIST

*Source: news.softpedia.com

3.2 State Responses: NIST Cybersecurity Framework

• 2013 State of the Union Address
– Focus on cyber threats to nation’s critical infrastructure
– Made case for governmental role

• Executive Order 13636: Improving Critical Infrastructure Cybersecurity
– Increase information sharing
– Ensure privacy and civil liberties protections
– Develop a voluntary Cybersecurity Framework

*Source: welivesecurity.com

3.3 Critical Infrastructure Dimension Summary Chart

3.4 Regulating Cyberspace

• Governance Spectrum

• Voluntary vs. Regulatory Approach

Suffered Cyber Attack in Past 12 Months?

Approach Favored in Managing Cyber Attacks?

3.5 Role of International Law

• Camps
– IL should apply
– New treaty
– No hope
– Some hope, but state-centric

*Source: CCDCOE

• Toward a Law of Cyber Peace?
– Countermeasures
– State Responses
– Analogies
• Nuclear War
• Outer Space
• Antarctica
– Other Applicable Accords
• Mutual Legal Assistance Treaties
• Vienna Convention on Diplomatic Relations
• Bilateral Investment Treaties

• Summary: It’s a patchwork, but it’s a beginning!

*Source: ITU

Summary

Next Steps for Businesses

• Proactively invest in enhancing cybersecurity

• Assess current insurance coverage

• Seek out partnerships to share threat information

Developments

• Ongoing treaty negotiations & norm building

• Defining corporate responsibility for safeguarding critical infrastructure

• National best practices

Classroom Relevance

• Relevant Courses
– L580: Cybersecurity Law and Policy
• MSITM
• Certificate Programs
– L302: Sustainability Law and Policy
– L272: Sustainability Down Under

• Hallmarks
– Comparative/international focus
– Interdisciplinary
– (International) service learning

Thank you! Questions?

Contact Info: [email protected]

Proactive Cybersecurity: A Comparative Industry Analysis in the Global Legal Environment

Sustainable Cybersecurity: Applying Lessons from the Green Movement to Managing Cyber Attacks

Toward a State-Centric Cyber Peace? Analyzing the Current State and Impact of National Cybersecurity Strategies on Enhancing Global Cybersecurity

Managing Cyber Attacks in International Law, Business and Relations: In Search of Cyber Peace (Cambridge University Press, 2014).

Toward a Global Standard of Cybersecurity Care?: Exploring the Implications of the 2014 Cybersecurity Framework on Shaping Reasonable National and International Cybersecurity Practices, __ Texas Journal of International Law __ (forthcoming 2015) (with Andrew Proia, Amanda Craig, & Brenton Martell).

Using BITs to Protect Bytes: Promoting Cyber Peace and Safeguarding Trade Secrets through Bilateral Investment Treaties, __ American Business Law Journal __ (forthcoming 2015) (with Eric Richards, Anjanette Raymond, & Amanda Craig).

Risky Business: Lessons for Mitigating Cyber Attacks from the International Insurance Law on Piracy, 24 Minnesota Journal of International Law Online __ (forthcoming 2015) (with Scott Russell).