← All talks

U.S. Cybersecurity Laws and Regulations - An Overview of Key Cybersecurity Legislation

BSides Dallas/Fort Worth · 2024 · 37:40 · 219 views · Published 2025-01

Tags
Category: Policy
Topic: GRC
Difficulty: Intro
Style: Talk
About this talk
An overview of key U.S. cybersecurity legislation and regulation, covering federal laws including the Computer Fraud and Abuse Act, the Electronic Communications Privacy Act, and FISMA, alongside sector-specific laws such as HIPAA and GLBA and industry standards like PCI DSS and the NIST Cybersecurity Framework. The talk examines state breach notification laws, including the California Consumer Privacy Act and its Texas counterpart, and European regulation such as GDPR and DORA, and emphasizes the importance of compliance strategies and breach notification requirements for organizations across sectors.
Original YouTube description
BSidesDFW 2024 Track 3 Session 6 - 02 Nov 2024 ** Recording started a couple minutes late. U.S. Cybersecurity Laws and Regulations - An Overview of Key Cybersecurity Legislation. In today's digital landscape, cybersecurity has become a critical concern for organizations, governments, and individuals alike. This paper provides an overview of significant U.S. cybersecurity laws and regulations designed to protect sensitive information and ensure compliance in various sectors. Key federal laws, such as the Computer Fraud and Abuse Act (CFAA), the Electronic Communications Privacy Act (ECPA), and the Federal Information Security Modernization Act (FISMA), are highlighted for their roles in preventing unauthorized access, securing electronic communications, and enforcing federal information security standards. The paper also discusses specific regulations for the healthcare and financial industries, including HIPAA and the Gramm-Leach-Bliley Act (GLBA), alongside corporate governance frameworks such as the Sarbanes-Oxley Act (SOX). Additionally, industry standards like the Payment Card Industry Data Security Standard (PCI DSS) and the National Institute of Standards and Technology (NIST) Cybersecurity Framework are explored for their importance in reducing cybersecurity risks. State-level breach notification laws and international regulations, such as the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR), are also reviewed, underscoring the global nature of cybersecurity compliance. Finally, the paper emphasizes the importance of breach notification, compliance strategies, and best practices to safeguard systems and data against cyber threats. By outlining these laws and frameworks, the paper highlights the necessity for organizations to adopt comprehensive cybersecurity measures to mitigate risks and ensure legal compliance. @Brennan_Crowe
Transcript

...have that protection in case somebody does access any of these systems and abuses their privilege. So, early on I was talking about threat modeling. What we talk about is: if somebody gets in there who is authenticated and has a certain level of authorization, and they get that elevation of privilege, then they can be charged under this act. So it's a legal act: computers and networks without permission. How many of you... Well, I was at RSA this year, which was really cool because Matthew Broderick did the keynote talking about hackers. And he relayed the story about how he got called into the White House and had to talk to Ronald Reagan about hacking, and he's like,

"I don't know, I'm just an actor, I don't know what any of this stuff means." But it was kind of interesting to watch him talk about that, because that's what spurred a lot of this to take place: you're seeing it in the media, in the culture, and hacking has become mainstream. So they decided we'd better make laws on how to protect ourselves from these hackers and how we can prosecute them, because you had a lot of people saying information should be free, information should be shared. And if you're old like me, you remember the old days of

ARPANET, when you got on at your university and you could connect to different schools, get into their library, grab their information, borrow some of their processing time. I'm so old I remember I had to do programs on punch cards. Yeah, some people remember that. Thanks, Bob. So we had that, and I remember the first time I got on there I was like, cool, I'm on UCLA's network computer looking up stuff and papers in their library, and oh wait, I can run an econometric model on their stuff. So I was able to do some cool stuff and I thought that was really neat, and then

I'm like, I've got an AOL account, I can telnet to it from my home. I remembered the IP address, so I just telnet in and I'm like, oh my God, I can connect to UCLA's network from my home computer, and I just had to enter the same credentials I entered from school. Lo and behold, I remembered that little username and password we were supposed to use, because it was the same username and password for everywhere, and I could get in. So it was really kind of cool to do that kind of stuff. Now, if I was not allowed, then I could be prosecuted under this law, and that's where you get the guys like the FBI or the Department of

Homeland Security these days coming in and knocking at your door. They'll charge you with the crime. This is why most of the hackers end up in jail, like the Free Kevin Mitnick movement that happened back in the early 2000s. A lot of these hackers would get caught and stuff like that. If you ever read any of the 2600 magazines or any of that, they would talk about how that stuff should be legal. Opinions vary, but it did allow for civil and criminal penalties to be created, and fines, imprisonment and all that happened. So the next one is the Electronic

Communications Privacy Act. How many of you have ever watched movies, like those mob movies, especially with wiretapping? You see it on the TV show The Rookie, where they're listening in on the Colombian drug cartels from some hospital room or something like that. Have y'all seen those shows, or Goodfellas or any of those? You see all these things where they have these wiretaps. Well, this is the law that allows that. The law was actually expanded so that the government, law enforcement, can extend that to electronic communications. What do we mean

by electronic communications? Well, if you read this, it's very freaking vague. It's very broad on what electronic communications can be. This could be cell phone traffic, because it's digital nowadays, it's no longer an analog signal; it could be your emails; it could be any sites you're visiting, if they have a warranted tap. So the Stored Communications Act actually lets them go and look at what data you have stored, and this is particularly important because how many of you store data in the cloud? How many of you have a OneDrive or Google Drive? You could get penned, you know, if they do a pen/trap and decide to

take a look at your data, they can go to Google or Microsoft, not even tell you, and actually look at your data if they want. Then of course you have the Pen Register Act, and that governs these devices, the dialing and routing information; they can go in there and grab all that. One of the things, though, is that the Wiretap Act does limit the thing to the scope of whatever the warrant says it is. So if they're finding things that don't pertain to the scope of the warrant, then they have to look and see, they have to kind of disconnect and

kind of move somewhere else, especially if it's a voice communication. So this applies to private communications: emails, phone calls, stored electronic data, and the violations can result in criminal charges, fines and civil liability. So in the course of business, remember, anything you put online, if it might be illegal, reconsider doing it. That's the moral of it. You might say, well, that wouldn't deal with me, I'm just a network administrator here. Well, if somebody's doing something like insider trading, that could bring you in, culpability-wise. So just consider that. Or if somebody is doing something illegal on your network, and I'm not, you know, we're not

talking about free transmission like for an ISP. I worked for a software company, a very large one, in which somebody on their lab system set up a for-profit server showing pictures of people in compromising poses, well, willingly being in compromised, exposed positions, wink wink, you know, content that rhymes with corn, back in those days. So he had a side job and he was using the company's lab machines at his desk, with the direct wire tap out, and he was making a little e-commerce cash on the side. Now, could the company be held liable for that, especially if it was somebody who might happen to be underage or something like that? Yes. This employee

eventually got discovered and terminated. All right, so how many of you work for a federal contractor or a federal agency? I'm not playing spot-the-fed, I promise. But if you work for a federal contractor, you should be familiar with FISMA. This is what causes you to have to adhere to government standards. If you work for a company that does federal contracts, and a lot of people do that and don't realize it, a lot of times you have to understand what is required by this. That's just going way off the screen there, I'm sorry; on my monitor it showed perfectly rendered. So, US law

aims to enhance federal... basically it's a modernization act. You have standards set, it requires continuous monitoring, it establishes responsibilities for managing and reporting security risks, and it applies to any federal agency and all of their contractors. This is why I mention this: a lot of people do business, or have a company that does business, with the government, and we see a lot of that. It emphasizes the protection of data and any of the systems around the federal government too. So this is the law trying to say, hey, we need to beef it up, we don't want to have any supplier vulnerabilities,

basically, and you have to do regular audits and all that with it. It doesn't sound like many people here work for anybody who sells to the government. Now here's one that's near and dear to my heart: the Children's Online Privacy Protection Act, otherwise known as COPPA. So how many of you have any kind of public website or anything like that? Anybody have a website that's public, or an e-commerce site where you sell stuff online? So yeah, this might affect you whether you know it or not. This basically says you cannot collect

information on children under the age of 13 online. How many kids will go ahead and check that box, yeah, I'm 13 or above, or I'm 18 or over? Legally they have to stop; they're not allowed to keep and maintain that data. So this can get you in trouble even if the kid lies, if the parents find out they're on a site. I have one of my students at, what's that website that does all the anime, it's a Sony thing, I can't think of it... Crunchyroll. That's it. He does security for them. This is

one of his biggest worries, because all these kids want to watch all these anime shows, and you cannot be underage, but you have all these 8, 9, 10, 12-year-olds clicking "I'm 13," sure, and if they start tracking them, that can get them in a lot of hot water. So if you're Amazon, or you have a different site, even if it's something that is unrelated, these are some things you've got to worry about, and the agency that's going to come after you is not going to be the FBI or anything like that, it's going to be the Federal Trade Commission. Those are the guys you do not

want to mess with. If you ever meet them, they have no sense of humor. So these are things you have to make sure you have safeguards for: you have to have data deletion policies and procedures, all these kinds of things where you make sure these things get audited and validated and verified. Now, how many of you might work for a healthcare company? So you're going to hear this one thrown out there a lot: HIPAA. Now, I am by no means an expert on HIPAA, but this is one of the laws you're going to have to deal with, and what this maintains is the privacy

aspect in cybersecurity. We have the Gramm-Leach-Bliley Act out there... oh, HIPAA is enforced by what group? What part of the government would do the enforcement of that? Which department? The Office for Civil Rights of the Department of Health and Human Services actually has the authority to do that, to actually do prosecution of

that. Yeah, we're talking high-level departments. So also we have the Gramm-Leach-Bliley Act. How many of you work for a company with publicly traded stock? So this is something you've got to worry about: these are your financials, how they have to be kept secret and all that. Who enforces this? Department of Commerce? SEC. So you have the SEC out there, and the Sarbanes-Oxley Act, another one enforced by the SEC. They will come after you, they love coming after these folks, and this controls stuff for public companies. There are other things; it's very similar, the same controls for GLBA and Sarbanes-Oxley, but GLBA is

mainly FINRA regulations, also for publicly traded companies and their banks and all that, so a lot of banks would have to do this. Not credit unions, but mainly any kind of federally registered bank. How many of you have heard of DORA? I know it says US regulations, but how many of your companies, American companies, do business in Europe? Did you know that European regulations apply to you? Shocker, isn't it? What do you mean I have to abide by a bunch of, you know, bean eaters over in, you know, beans-and-toast people, whatever, over there in Europe, Luxembourg. I've had some interesting

experiences in Luxembourg, but I digress; that'll be a story for another day. So it's the Digital Operational Resilience Act. It's a European regulation that creates that binding thing for communication technology and all that. So we have that out there that you have to be aware of and apply. We also have to apply industry standards. Are these laws? No, but what happens if you don't comply with these? They'll hammer you, because these might as well be laws. These are industry standards, and if you don't comply with them you get kicked out. So if you're doing PCI DSS, guess what, you can't

take credit cards if you cannot be compliant with this. So that's pretty much a private law. The difference between public law and private law: public law is developed by the government; private law could be distributed by industry or by contracts. When you do the contractual agreements with a company like Visa, American Express and so forth, you agree to abide by a private law, which is up here, and other things out there. If you're dealing with government, and if you ever have to deal with any kind of thing where the FTC is going to come after you, any kind of trade or commerce out there, the Federal

Trade Commission always defaults to NIST standards. Now, if you ever look at these standards, what are they always focused on? Controls and guidance for the federal government only. Everywhere it says this. But that's why everyone in private industry takes NIST standards, because the FTC can come after them, and they default to their reference, which is these standards. So that's something you want to be aware of. Then we have the state breach notification laws. How many states have breach notification laws? Hint: it's up there. How many states have breach... come on, 12? More than 12. All 50 states. Are they all the same? No, hell no. So here's a link to IT Governance

USA; they have a breakdown of all 50 states. Some have these 30-day notices, some have 90-day notices, and they vary in between; some give you 45 days, some are worded as fun as "as soon as possible," or "as soon as the breach is...," or "as soon as you're made aware of the breach you have three days to send the notification." So how can that be verified? That's where all this wordplay comes into effect. Define a breach. Huh? How do you define a breach, exactly? So there is no normality, but one of the ones that is the most stringent and well-written is the California Consumer Privacy Act and data breach notification law. Now, ironically,

the state of Texas revised theirs to pretty much mimic that. It's almost like somebody did a copy-paste: cut California, paste Texas. It's pretty much almost identical. Somebody decided to do that, and a lot of the states are following suit to do the same thing. Massachusetts did one that's very similar to that also, except I think in one of their things they left "California" in there. I'm just kidding. So yeah, it's there for that. We also have international regulations. Like I said, are we subject to international laws when we're doing business here in the United States? What's the big one that was everybody's buzzword,

like what, four years ago? GDPR. This is an EU law for protecting personal data. Now, you're welcome to go download the law and read it. It's not actually very long; it's actually very readable. The problem is there have been tons of people who have written papers and articles on it which make it more convoluted than what it is. They give recommendations based on... heck, there's even textbooks on this stuff out there. So it's all subject to interpretation, GDPR laws. And so you're going to get it in like two weeks, where I have to do a whole lesson on GDPR that's going to be like a

three-hour class. I also teach at a college; some of my students are here tonight, or today. And I will say this: a lot of states' laws, including the California Consumer Privacy Act, were based on GDPR, and their laws are basically known as GDPR-lite. So what are cybersecurity breach notifications? Well, they're mandatory reporting of breaches to affected individuals. How many of you have gotten one of those? Who has? Seriously, if you didn't raise your hand, do you not own a credit card? Have you never been online? I mean, I have so many of these, I ignore them now. Huh? I have lifetime credit monitoring

because I had a security violation because of my security clearance: the Office of Personnel Management got breached and mine was one of the ones taken. So yes, it's funny, I can see how many people are always pinging me. I look at my authenticators, because my stuff is out there. I have complex passwords, I have all this stuff, but I can see how many people are trying to log in as me all over the world, to different sites and stuff. It's kind of interesting. Occasionally somebody... if you look in your authenticators, your MFA things, you can see where login attempts come from. I don't know if y'all ever

looked at that, but you can see that. So what are the legal requirements? Somebody already pointed it out and stole my thunder: what constitutes a breach? Can you define it? And who needs to be notified in the breach, just those affected or anybody potentially affected? That's the question, right? [inaudible] Yeah, can you prove it? Can they prove they even looked at it? Now I can get into countermeasures and say, even if it was downloaded, it was encrypted using... I know, but it just depends on how that can be. I work for a bank, so everything's encrypted, or I try to make sure everything's encrypted, either in transit, in motion, and we

have some challenges doing it in use. Three states of data: data in motion, or data in transit, data at rest, and data in use. So Texas law requires businesses and organizations that experience a data breach that affects, get this, 250 or more Texans. So there have to be 250 or more Texans that are affected. You could have a thousand people in New Mexico, don't care, that goes to the New Mexico side, or Oklahoma, nah. So 250 Texans or more have to be affected, and they have to make the notification to the Office of the Texas Attorney General within 30 days after

the discovery of the breach. So again, what constitutes a breach, and what constitutes when they discovered it: when the investigation starts, or when the investigation is concluded and they have conclusively determined that there was actually a breach? Huh? Initial? That's a good question for the lawyers, and people argue over that, because at that time it's like Schrödinger's cat. It seriously is at that point, and that's how it's described: is it or is it not? It's that gray area. So my opinion is, until it's conclusively determined, because what if you prematurely say "I got breached"? What would be the reputational damage to my company? But it turns out, oh,

my bad, I wasn't breached, it was just a glitch, nothing really happened, my bad. You're still going to have the reputation slap, right? So it's like that Schrödinger's cat moment. It just depends on the ethics of the person pulling the trigger.


Correct, that's actually a really good example. He was talking about how they had an email called breach@company.com, and the lawyer said no, because that's pretty much confirming that there is a breach and somebody admitting to it; therefore they changed the name to "incident." Because if somebody did say, hey, there's a breach, but it turned out not to qualify for a notification, or something along those lines... incidents happen, right? Stuff happens, and what constitutes an incident? It's like beauty is in the eye of the beholder. So what do we do about all these laws? Well, that's where I come in and play, as a security architect. I create the

frameworks within which we can operate, within these parameters. And then I also have to make it so we have that fun thing called checkbox security. How many of you have heard of checkbox security? Don't you all love it? You get that auditor in there with the clipboard going, yep... Dude, I've had so many auditors when I was in operations ask me something and I'm like, I don't think that really pertains here. "Well, then, no, it's not." I'm like, I'm not saying it's not implemented, I don't think you understand what you're asking. And a lot of times... I remember I had one auditor who spent too much time with me, and his supervisor

came over, like, what's going on? He goes, this guy's telling me about how all this stuff works, and I had no idea. And she's like, you don't need to understand that, you just need to check the boxes. That's actually what this lady said to this kid who was like three weeks out of college. He was an auditor for one of these big accounting agencies, and he actually had a notebook, a file book, paper, and he was asking me questions and I was explaining them, the countermeasures and all that kind of stuff. So what we have to do is make sure, you

know, as part of our checkbox security, everything has the acceptable use policy, security rules, audits, and all that happens. We have to make sure things are encrypted, we have to make sure employees are trained and understand the access controls, we have to have that incident response plan and all that flavor out there. Now, my role is not just to make sure it's there; I have to make sure there's quality along with that, so it can be effective, because we are serious about security where I work, because it's trillions of dollars, it's a very large bank. So what we try to do is make sure there is substance along with that, and we try to enforce

these controls that are actually of measured value, but we also have to do it in a manner that can be easily explained for an auditor to understand, so they can check that box. All right, well, I'm actually done, so the key takeaway is: compliance with cybersecurity is critical for data protection. That's basically what it is. You have all this; you need to know the laws, because I always asked, why in the hell are we doing it this way anyway? And now, unfortunately, that guy no longer works with us, and I went and got a 4.0 in this damn degree, spent 50K, and said, you know what, I can now answer why we do

this thing this way. I can connect those dots. Hey, it's only three months' salary, so what, you know? It's been a long... I'm old, I don't do on-call anymore, I've worked my way up there. So all right, we have a cybersecurity strategy; now we have to include our legal side, and we have to understand it at all our levels. So I want to evangelize: if you do not understand the law, and you don't understand why we're doing it this way, go out and start reading some of the laws related to cybersecurity. There's plenty of resources out there. This way it'll give you an

understanding, so when you're talking to your higher-level management you can articulate the reasons why this is done, and you can communicate it to other team members out there. This will give you an advantage in your career, just by understanding the reasons why certain things have to be done, why we have to have this stupid checkbox security. Because we're always like, I want to architect something that's really strong, really fortified; that was my main goal, build security. Why do I have to do this with all this logging in there? Because it's the law. I could just drop all these packets that are rejected, no, certain

issues, you have to log everything, right? And keep it for how long? A certain amount of time. All these regulations come into play. So the more you understand about the regulations that control your industry and cybersecurity, the more advantage you have in advancing your career, because you'll be able to articulate the reasons why some of this has to be done.

Yes. Well, yeah, the Cybersecurity Framework is one of the best things, where any cybersecurity student should start. That's the one that controls the idea of the concepts; that's where most architectural frameworks are derived from, whether you're talking about privacy of data or actual security controls and countermeasures that enable us to set up our actual defenses, firewalls, network perimeter and all that. As you read through other things like that, you're great. Stay away from ISO 27001; nobody wants to spend that money, and I've never found anybody who's actually read that.

Yes, in the [inaudible] European laws, US federal or state, you know, that's a great opportunity out there for somebody. Okay, it exists. It's called, if you go to the Secure Controls Framework, they have a comprehensive list of 270-some, I just calculated it, different frameworks, regulations and stuff, but that's controls that are mapped to those regulations. Yeah, but this spreadsheet is about... I have one of those spreadsheets too; I get one of those emailed to me every three weeks where I work. Huh? It is, yeah, it's still in Excel, but it's mapped to a Confluence wiki too; you can just download and copy it into Excel so I can do

filtering, but you can... it's in Confluence, the Secure Controls Framework, to what applies to you and determining

whatever. Right, so yes, the Secure Controls Framework, that website is good for those mappings, but are you saying that it's anything like a website that has a listing of every cybersecurity law that could be out there? I have to search on different websites to get that level of information. This thing, like what he refers to, I am familiar with your site, but it's kind of like a mapping of NIST SP 800-53 along with references to laws. It doesn't actually contain all those laws, does it? Does that actually, if you click on it, or does it just take you to a link? They've got, along the top, the notes. Yeah,

they include a link to it; it's the link to the thing. So there's no really comprehensive site where everything is; it just links to other things. But yeah, and one thing is probably the best thing to do, because laws are constantly changing and regulations are constantly changing, they update every quarter. Yeah, that's why I get one, I think every couple of weeks, based on different laws. I noted that I bought one several years ago for several hundred dollars, but I haven't been updating it. Wolters Kluwer, yeah, has... I don't know, back when I bought it years ago,

yeah, they will charge you a fee, but you also have law.cornell.edu, which has a lot of the different laws out there that you can download for free, especially US regulatory laws and all that. And it also has a lot of the European laws; there's certain data breach laws for Brazil, South Africa, New Zealand and all those places. New Zealand also has a good website that collects a lot of laws; I cannot remember what their website is, but they cover a lot of cybercrime laws. The ISO ones are expensive. Which ones? The ISO ones are standards, and they're more of a

framework; they don't really... I don't consider those laws, they're suggestions, and they're priced in Swiss francs, but you can go to ANSI here in the United States and get the thing priced in dollars, and I think it's actually a few dollars cheaper than converting from Swiss francs. Yes? What are the laws and regulations that you would keep...

That is a loaded question. In what context wouldn't Computer Fraud and Abuse apply to that? Well, of course that applies to any electronic device, whether it be a phone or any kind of thing; even your car's computer technically can apply to that. But for the AI one, see, that's the one with different things, because AI offers challenges like privacy, because it ingests a lot of things and it won't discern, so a lot of the privacy laws are what would be more concerning for me on those. So COPPA would be one if it takes something from kids, but then there's a lot of, any kind of PII considerations. If

it's gathering health data then definitely HIPAA would come into play. If we're gathering financial information that's not public, that would be something that could be a concern for me also. Yes, the NIST AI Risk Management Framework is going to be probably your best source, right, but that's for risk management; that doesn't directly indicate any legislative laws. Now, the thing is, though, I will say this: laws lag behind technology by about 10 years or more. Some of the laws get amended to adapt, and I don't think any laws are really applicable to AI at this time, specifically to AI, unless it could be a data privacy law. Some of those data

privacy laws out there... [inaudible] people answer without realizing it stays in there and is ingested and can be used. Yeah, and that could come under private law, under acceptable use policies, and contractual laws for that matter. But at that point that could even be considered a breach, by somebody voluntarily exposing information into a publicly available AI. Yeah, your code. All right, I've been given the stop sign. Thank you for coming; I hope it didn't put you to sleep.