
Okay, we're going to get started. My name is Jeff Kosseff and I'm a professor at the United States Naval Academy Cyber Science Department, and I'm presenting with Midshipman Dennis Devi, who is a first class, meaning he will be graduating next month. We will be talking about the Cybersecurity Act of 2015 and the related laws involving monitoring, information sharing and operating defensive measures.

Before we start, full disclosure: I'm a lawyer, so as most lawyers, I have a list of disclaimers that I have to present. First, everything that we say only represents our own personal views. They don't represent the views of the Naval Academy, the Department of the Navy, the Department of Defense, possibly each other, just our own personal views. Also, I am a lawyer, as I said, so I will be providing you a lot of information about laws and legal issues, but that does not substitute for legal advice. I understand there was a presentation yesterday about Maryland law, which is great, because you have to always consider not just federal law but state law, local laws, the laws of all other countries. So this is just one aspect, to look at some legal issues involving monitoring, information sharing, defensive measures.

With that, before we start on the substance of the Cybersecurity Act, we wanted to talk a little bit about us, why we're doing this, why you're having people from the Naval Academy talk about both public and private information sharing. I'm on the faculty of the Naval Academy Cyber Science Department, which was created a few years ago, and we basically have two approaches to educating our midshipmen about cyber. Every midshipman is required to take two classes in cybersecurity regardless of their major, so a history major, a mechanical engineering major, they all take two classes that give them a broad education on both the technical and policy aspects of cyber. We also have a cyber operations major, where midshipmen who are particularly interested in cyber take a wide range of classes on both the technical side and the legal, policy, social factor side, to give them a really wide-ranging view of cyber. So we're really trying to take all approaches to educate our midshipmen. I will put in a very brief plug: our department is growing, we have a few tenure-track openings available, so if anyone here has a PhD in computer science or a related field and would love to have one of the coolest jobs, I think, at least in cyber in this area, please come and speak with me, because it's a really great and cool opportunity.

A bit of my background: I am a lawyer, as I said. Before coming to the Naval Academy I represented mainly large companies, both helping them plan for information technology plans but also, more frequently, after they had a data breach, helping with the mad scramble to figure out what we can do and minimize the chances of being sued. Now at the Naval Academy I teach cybersecurity law, cybersecurity ethics and cybersecurity policy, and I write about similar issues. I recently wrote a book, the first textbook about cybersecurity law, which was published in February of this year and is already becoming outdated because there have been so many developments like what we're going to talk about today, which I find really fun. Before I was a lawyer I was a technology journalist at the Oregonian covering mainly technology policy, so I have a real interest in talking about these issues and writing about them.

Now I'll let Midshipman Devi talk a little bit.

Hi everyone, I'm Dennis Devi. I am a midshipman at the Academy, I'm graduating next month and then I'm going to go drive boats in San Diego for a couple of years. I'm not a lawyer, so I don't have a large disclaimer; anything I say is my opinion only. Hi folks, red team, blue team, shout out to members of my security team who are here right now. The reason I got into the policy side of things is I've been doing the technical for long enough and I wanted to figure out how it actually worked and make sure that the policy guys aren't making all the rules.

With that, I just will add that Midshipman Devi is probably more modest than I am about his accomplishments. In addition to being on the successful CDX team last fall, he also was on a team at the NYU Cyber Security Awareness Week policy competition. There were more than 90 participants, mainly law school participants, and Dennis and his teammate placed second nationally, so I can brag a little bit about that.

Anyway, enough with the introductions. What we're here to talk about today is the Cybersecurity Act of 2015. It was about 136 pages, so I'm not going to post every single bit of it on the slide, but I just wanted to show you what it is. It was passed in late 2015, and if you see on the top of it, it says 1728. That is not a typo; it was page 1728 of a bill that was well over 2000 pages, which was the budget that was necessary to have the government running. This was something that had been debated for a very long time and, as we'll talk about, was fairly controversial for some provisions related to information sharing, and like most legislation it ends up getting passed when it's folded into a much larger bill that needs to pass at the last minute. So this is the bill, and when I say that it had been contentious,
the main issue that had arisen for years and years had been that the Department of Homeland Security, through US-CERT, had been really encouraging companies to share information about cyber threats that they'd been facing and successful ways that they had been able to defend against them. Now from a sort of social point of view that sounds great: you want to have as much sharing so the government knows what's happening; that could help companies respond to these threats, because the government cares not just from an economic perspective but from a national security perspective, as we saw for example with the Sony hack. So for years and years DHS had been saying please share more information with us, and the companies had a pretty valid reason why they didn't want to do that, and that is: we don't want to be sued. First, we don't want to give the Federal Trade Commission, which we'll talk about in a little bit, information about possible security vulnerabilities that we should have noticed, and also a lot of the information about cyber threats may very well contain personally identifiable information and all other sorts of private matter that the company could be sued for if it provided it to the government. So the companies have been saying we want immunity from being sued for these sorts of things. There was a big, spirited and pretty well-informed debate between the electronic civil rights groups, corporate America and the federal government, and that's really what had held up this law from passing. There were a lot of debates about exactly how to word it, but eventually, after years and years, they came up with a final draft that was a compromise, and we'll talk about how they compromised, but it's basically putting in some privacy protections, some requirements for removing unnecessary personal information. So that's basically the debate history of the Cybersecurity Act.

The ultimate version of the Cybersecurity Act is often talked about as the information sharing bill, which it is; I mean, it does allow information sharing, it encourages information sharing. But there are two other provisions that are not as commonly discussed, and they received actually very little coverage in the media after this bill passed, and those were involving monitoring and defensive measures. So there are provisions in there that we're going to talk about that at least encourage and, depending on how you interpret it, allow companies to take certain steps to monitor their networks for cybersecurity threats and take defensive measures. But to understand the scope of what they allow and how it changes the existing legal landscape, we have to first look at what laws currently apply and what restrictions there are.

So like I said at the beginning of the presentation, this is mainly at the federal level. Almost all of the laws that I'm talking about have state analogs, and frankly we just don't have enough time to go over them, but I want to at least talk about the landscape as it existed when the Cybersecurity Act passed and then discuss whether the Cybersecurity Act actually changed anything. And before I do that, I also want to encourage everyone, if you have any questions along the way, questions, comments, please raise your hand throughout. I want this to be interactive, and again these can be fairly complex subjects.

So the main issue for monitoring often
comes up with the Wiretap Act. So the Wiretap Act prohibits the interception of the content of wire, oral and electronic communications. For cyber this is mostly involving electronic communications. There's not a very clear definition in the statute as to what interception means, but the way the courts have interpreted it, they say that it has to be contemporaneous, so it's basically data in transit being intercepted that can be prohibited by the Wiretap Act. Now some courts have gotten a little more expansive on it. There was a case a few years ago where an IRS employee was concerned that his supervisor had been noticing that he wasn't in the office all that much, because he wasn't in the office all that much, so his solution, rather than talk to the supervisor, was to set up an auto-forward rule on his Outlook that auto-forwarded all of the supervisor's received emails to his own personal account. I will just say, as a lawyer, I highly recommend against doing this, and also as a matter of HR policy, not a great idea. But he was charged with violating the Wiretap Act, and his argument was this was not contemporaneous, because the email had arrived in his supervisor's inbox before it was forwarded, and the judges, unfortunately for him, said we're not going to buy that; it was close enough to contemporaneous that it is a violation of the Wiretap Act. The Wiretap Act carries significant criminal and civil penalties, so it's very good not to be in violation of it. But again, it really does have to do with data in transit; if data is stored for a while, there's another law we'll talk about in a little bit.

There are some exceptions to the Wiretap Act. One is consent. So I'm sure many of your employers, when you log on, there's some banner that you don't read, typically, that is consenting to allow your data to be monitored. You need very explicit consent; burying it in an employee handbook more and more is not seen as explicit consent, burying it in terms of use for a service, you really have to go out of your way to make sure that the person is providing consent. There's a wiretap order, which is basically like a warrant that a court issues that requires demonstration of probable cause of a crime. Providing the communications to the intended recipient obviously is not going to violate the Wiretap Act. The most common exception to the Wiretap Act is rendition of service, and this is really especially for cybersecurity purposes: so if there's an act that is necessarily incident to the rendition of service or to the protection of rights or property, that can be seen as an exception to the Wiretap Act. In the cybersecurity community it's always been a little unclear as to whether that can be applied to just general cybersecurity monitoring, and so that's one thing that the Cybersecurity Act may actually help clarify. There's also the trespasser exception, and what that basically says is that if you know there's a trespasser on your network and you consent to the government, the police, the FBI getting onto your network to monitor that activity, that also can be an exception to the Wiretap Act.

Briefly, I want to talk about stored communications. So the Wiretap Act, again, is data in transit or really close to being in transit; the Stored Communications Act involves data that's stored on a server. Now the caveat here: most of these computer crime laws were written in the mid-'80s, and it shows. So there's one section that prohibits the intentional access without authorization of data that's in electronic storage. There's a very arcane definition of what it actually means to be in electronic storage, but that's essentially hacking into stored communications. Section 702 then prohibits service providers from disclosing communications to third parties, with a number of exceptions. I won't go through all of them; one of them involves consent, so again clicking on a banner saying that you do agree to this. They also have a similar exception for being incident to the rendition of service of the provider and protecting the property of the provider. There's also a court order issue. I don't know if any of you have heard about the 180-day debate that's gone on, but basically the bottom line is, again, this was written in the '80s, and there's a rule that says that if email is unopened and on a server for less than 180 days, the government needs to get a warrant to access your stored communications; if it's older than 180 days or opened, they just need a subpoena or a court order, which is a much lower standard. Congress is trying to address that and to require a warrant no matter how old the information is, and there are other exceptions as well.

The Computer Fraud and Abuse Act: I hope that everyone knows what the Computer Fraud and Abuse Act criminalizes. It's seven different types of activities: committing espionage, so basically any bad acts involving classified information; hacking to obtain information; trespassing on a federal government computer; doing something fraudulent on a network; causing damage on a computer; trafficking in passwords or other access issues; and just threatening to hack, which basically is threatening to not provide information back, which is essentially like ransomware. So all of these involve acts that are without authorization or in excess of authorization, and the courts are really divided as to
what that means. Briefly, I'll just say there's also privacy and data security laws. There's a prohibition under the Federal Trade Commission Act of unfair and deceptive trade practices, basically meaning you can't lie about your data security or privacy practices, and you also just can't really be reckless with your personally identifiable information. What companies worry about most are common law claims of privacy and inadequate data security, under a variety of claims that have existed for hundreds of years like negligence, breach of contract. And really, I'll state my bias here: I'm not really a fan of plaintiff's lawyers, because they will try to come up with anything after a data breach or some sort of accident, a loss of personal information, to bring a lawsuit against companies, so it's something to be really careful about. They file class action lawsuits that can cause damages in the tens of millions of dollars. We also have industry-specific laws that require data security and privacy protections: HIPAA, which covers health and health providers; the Gramm-Leach-Bliley Act, that covers financial institutions; the Video Privacy Protection Act, which there's a long history involving a Supreme Court nominee's video rental records being disclosed, but that covers video viewing information; the Securities and Exchange Commission requires companies to disclose certain cybersecurity vulnerabilities; and there's a California law called CalOPPA which requires companies to post their privacy practices.

So that's the background. What I want to do now is talk about how the Cybersecurity Act may change that landscape, and the caveat I have here is we're not entirely sure. As of this morning there's not a single court opinion that has interpreted the Cybersecurity Act. It was passed about a year and a half ago, so there may be some cases in the pipeline, but right now all we have is basically the text of the law; we don't have courts saying how to apply it, how to implement it.

The monitoring provision, again, did not get very much attention, partly because nobody knows what it means. So it starts off with "notwithstanding any other provision of law." Does anyone have any guess as to what that might mean? "Not with..." Yup, so basically as long as there's not another law barring it. Yeah, that's definitely one interpretation. Yep.

Yes, and that's how some interpret it, and there's a whole other school of thought and court opinions that say "notwithstanding any other provision of law" means that if the Cybersecurity Act conflicts with the Wiretap Act, you would then ignore the Wiretap Act. But the two interpretations that you had say otherwise. Basically there's no settled definition of why "notwithstanding any other provision of law" is in any statute, because it confuses every judge and every lawyer. I refer to it as one of the terms that's the full employment for lawyers act, because it justifies us billing hundreds and hundreds of dollars an hour to make our arguments about it.

So what it could mean, or at least what companies are trying to say, is this takes priority over other laws. So if it does, then a company may, for cybersecurity purposes, monitor, and what it basically says is they can monitor their own systems, they can monitor the systems of the federal government or another company if they get written consent, and they can monitor information stored on all of those things. So let's just say that that "notwithstanding" is the interpretation that companies would like to go with. It's only for a cybersecurity purpose, so what the statute defines cybersecurity purpose as is the purpose of protecting an information system, or information that is stored on, processed by or transiting an information system, from a cybersecurity threat or security vulnerability. Excellent. What are cybersecurity threats or cybersecurity vulnerabilities? What the statute says here is that a cybersecurity threat, and I won't read the whole thing, but it could adversely impact the security, availability, confidentiality or integrity of an information system. Okay, so that's pretty broad; it's not just violating the terms of use, but cybersecurity threat seems to be something that you can make an argument that so many different things constitute cybersecurity threats. It's not a small, discrete list. It also applies to security vulnerabilities: any attribute of hardware, software, process or procedure that could enable or facilitate the defeat of a security control.
Excellent. We have this incredibly broad cybersecurity purpose, so if you're monitoring for a cybersecurity purpose you can monitor your own networks, or get the consent of another company or government agency to monitor their networks. So I will turn it over to Midshipman Devi to talk a bit more about what this might mean in practice.

So in practice this might not actually change all that much, because a lot of these companies have been doing it internally and have just assumed that they're never going to get sued. So internally it's going to be logging as much as possible for the SOC, capturing as much network traffic in case you have to do incident response, logging all the metadata just so you have something you can easily search. One of the big things that this might allow you to do is some of the more interesting things, like, say, reading the content of your employees' emails. Ordinarily that requires a pretty large consent form; you have to be able to prove there's consent. With this, there's a reasonable chance that as long as you're monitoring strictly for defensive purposes and you're only using the information for defensive purposes, you're totally covered and don't even have to prove that the employee consented to the monitoring of their communications. The primary change is that it eliminates the liability under the existing statutes, if we're interpreting "notwithstanding" the way that we are and the way that it's likely to be pushed. Another big thing for monitoring is the ability for a third party to monitor a network. Previously that was a slightly unsafe scenario, because there's a chance that you wind up sharing PII and wind up becoming liable for the security breach. This act is made to make it slightly more difficult for you to get sued and will act as an insulating factor.

Next we're just going to go to the defensive measures, where things are a little bit more interesting, because it's authorizing a lot of things because of the very broad sweep of what a cybersecurity purpose is. So what this is saying is, "notwithstanding" again, a private entity may operate a defensive measure for any information system that they own, any information system that they have received written consent to operate on, and on any federal entity's systems as long as they have consent. So what kind of defense? No, that doesn't mean hackbacks; sorry Booz, sorry Raytheon. A defensive measure is an action, device, procedure, signature, mitigating a known cybersecurity threat or security vulnerability, but the key thing is that it is a measure that does not destroy, render unusable or provide unauthorized access to, which means that it's very unlikely that you are going to ever be able to make a successful case for hacking back under the Cybersecurity Act, or using the Cybersecurity Act as your authorization.

So what are examples? There's all the boring examples: IDS, IPS, anything that's doing intrusion detection, intrusion prevention, firewall rules, the things that we've been doing forever. But some of the more interesting things that are on the cutting edge, and some companies might not have felt comfortable doing: one first example is honey tokens and honey files. So the idea of a honey token is an embedded URL that's unique that allows an organization to monitor access to a file. So just like a web bug, every time this resource gets loaded it's going to make a hit in the log and record the IP that it came from, maybe some more information. So you can hide these tokens in anything from documents to web pages to inside databases; you can actually put it inside a SQL database, so if that database gets read it's going to make a call to that and log that. So using this internally to detect intrusions is something that a lot of companies have been starting to do, but external is a little sketchy, because you wind up having a callback from someone else's domain, and there's a very good chance that under previous laws someone could get upset when they see your Word document peeking back to them. Under the Cybersecurity Act of 2015 there's a very good chance that you could embed a token in a document, send it out, or put it on your network, and if it gets taken by an attacker, once they bring it back to their network and open it, it'll make a request, that IP will get logged, and you have a pretty reasonable place to start your investigation, as well as being notified that you have had a breach. So that's not hacking back in any way; there's absolutely no access, it is them making a request, and that is a very safe move now. And just a quick pitch for canarytokens.org: it's a free service, it's absolutely incredible, and will allow you to download all the images you need to open that up for your own organization, so you don't have to use their infrastructure; it can be all your own infrastructure, and you can start doing this.

So the more exciting bit of this: what if you took that idea of having a document that was stolen call back to you to the extremes? So you have to remember the defender cannot adversely affect the attacker's network and the defender must not gain unauthorized access, so there is a very fine line between the CFAA and the Cybersecurity Act. There's a reasonable chance, and again this is something that is going to have to get worked through by the legal side, but there's a reasonable chance under our current interpretation of the Cybersecurity Act that, mirroring the honey file concept, you could put a piece of basically Word macro malware inside of a document, so that once it gets stolen, it gets opened on the attacker's box, and that piece of malware runs a system profiler, collects as much information about the system as possible, sends it back to the defender's organization and then deletes itself. Now that's a bit of a stretch; it's something that is going to have to get worked through, but there's a very reasonable chance that we will start seeing that in the next few years, as long as the code is proven to be completely safe and the effects are localized.
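The honey-token callback described a little earlier in the talk (a unique URL that makes a hit in the log when the bait file is opened), as an added example that is not part of the talk and is not the canarytokens.org code: it mints a token, plants it in an HTML bait document as a 1x1 remote image, and runs the detection side, matching web-server access-log lines back to the planted file and the address that fetched it. The callback host canary.example.net, the /t/<id>.png URL layout, the registry labels and the log lines are all constructed for the demo, not real infrastructure. It stays on the safe side of the line the speaker draws: the only thing that happens is the opener's client fetching an image from a server you control, and it deliberately does not do anything like the macro-profiler idea discussed just above.

```python
"""Honey-token demo: mint a unique callback URL, plant it in a bait document,
and turn web-server access-log hits on that URL into alerts.

Added example for this transcript; it is not code from the talk and not the
canarytokens.org implementation. The callback host, the URL layout and the
log lines are constructed for the demo (assumptions, not real infrastructure).
"""
import re
import uuid
from dataclasses import dataclass, field

# Assumed: a host you control that serves 1x1 images and logs every request.
CALLBACK_BASE = "https://canary.example.net/t/"  # hypothetical


@dataclass
class TokenRegistry:
    """Maps each minted token id to a label saying where the bait was planted."""
    tokens: dict = field(default_factory=dict)

    def mint(self, label: str) -> str:
        """Create an unguessable token, remember its label, return the callback URL."""
        token_id = uuid.uuid4().hex  # 122 random bits, so ids cannot be enumerated
        self.tokens[token_id] = label
        return f"{CALLBACK_BASE}{token_id}.png"


def embed_in_html(html_doc: str, callback_url: str) -> str:
    """Plant the token as a 1x1 remote image, the classic web-bug form.

    Any viewer that fetches remote images will request the URL; the same idea
    works with remote images or templates in other document formats.
    """
    bug = f'<img src="{callback_url}" width="1" height="1" alt="">'
    if "</body>" in html_doc:
        return html_doc.replace("</body>", bug + "</body>", 1)
    return html_doc + bug


# nginx/Apache "combined" log format:
# ip - - [time] "METHOD /path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TOKEN_PATH_RE = re.compile(r"^/t/(?P<token_id>[0-9a-f]{32})\.png$")


def parse_hits(log_lines, registry: TokenRegistry) -> list:
    """Return one alert per request that fetched a registered token URL.

    Unparseable lines, ordinary traffic and unknown token ids (scanner noise)
    are ignored; only ids minted by this registry produce an alert.
    """
    alerts = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        p = TOKEN_PATH_RE.match(m.group("path"))
        if not p:
            continue
        label = registry.tokens.get(p.group("token_id"))
        if label is None:
            continue
        alerts.append({
            "token_id": p.group("token_id"),
            "label": label,
            "source_ip": m.group("ip"),
            "time": m.group("time"),
            "user_agent": m.group("ua"),
        })
    return alerts


def demo():
    """Plant one token, replay constructed log lines, return (document, alerts)."""
    registry = TokenRegistry()
    url = registry.mint("Q3-forecast.html (bait copy on finance share)")
    doc = embed_in_html("<html><body><p>Q3 forecast</p></body></html>", url)
    token_id = next(iter(registry.tokens))
    # Constructed sample log lines: normal traffic, one token hit from an
    # outside address, and a probe for an id that was never minted.
    log_lines = [
        '10.0.0.5 - - [01/May/2017:09:14:02 -0400] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
        f'203.0.113.9 - - [01/May/2017:11:47:33 -0400] "GET /t/{token_id}.png HTTP/1.1" 200 68 "-" "Mozilla/5.0 (Windows NT 10.0) Word/16.0"',
        f'198.51.100.2 - - [01/May/2017:11:48:00 -0400] "GET /t/{"0" * 32}.png HTTP/1.1" 404 153 "-" "curl/7.52.1"',
    ]
    return doc, parse_hits(log_lines, registry)


if __name__ == "__main__":
    _, hits = demo()
    for hit in hits:
        print(f"ALERT {hit['time']} {hit['source_ip']} opened {hit['label']} ({hit['user_agent']})")
```

The registry is the part that matters operationally: a hit on an id you minted tells you which bait file was opened and from where, while requests for ids you never minted are just scanners and should not page anyone. Running the same parser over your real access logs (or feeding the callback host's logs into the SOC pipeline the speaker mentions) is all the "defensive measure" amounts to here.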
There's no chance of it spreading, there's no chance of access continuing after the initial profile. So that's just something to look out for, and if you want to try and argue that in a longer document, definitely a place to be.

Another thing that we're starting to see are integrated defenses. So this is hardware manufacturers, operating system developers; we're seeing things right now like integrated anti-malware. Windows Defender is one of the best examples of this: the ability for a company that makes these systems to put something on, not worry about monopoly laws, not worry about trust laws, and be able to take action without the user's consent on a machine that they own or on an operating system that they developed. Another interesting possibility is for an organization that makes, perhaps, internet of things devices to have their own access tool, to retain some sort of access to it so that they are able to reach back in and remove malware any time that they detect it affecting the things. Whether or not vendors actually implement that sort of thing is up to them, and so it's unlikely we'll be seeing that in webcams, but Microsoft's already seeing it and I expect to start seeing it across other devices in the future.

So the third prong of the Cybersecurity Act is the information sharing provision, and again, as I discussed earlier, this is what's gotten the most attention, had gotten the most controversy, because there's this concern that companies will be sharing highly sensitive private customer information with the government, with other companies. So this final negotiated version attempted to strike a balance between those concerns. One really important point to remember is that this is voluntary. So it says that if you're a company and you have cyber threat information or defensive measures that have been successful, you're allowed to share them with the federal government and other companies. There's no duty to share, so even if you see just a really terrible threat, and you've been participating in this program before, you have no obligation to tell DHS, to tell other companies; that's going to be a business decision that you're going to have to make. Also, if you're receiving information through this US-CERT-run program, you have no duty to warn anyone based on that information. The Cybersecurity Act, both in this section and also in other provisions that really aren't part of this talk, really further centralized civilian cybersecurity defense in the Department of Homeland Security, including responsibility for administering this information sharing program, and DHS has a lot of discretion, a lot of leeway in determining what are adequate safeguards for these programs. So if you're going to participate in this program and try to seek immunity from any liability, you need to make sure that you're complying with DHS's guidelines and policies. DHS over the past year has released a number of guidance documents that really help companies figure out how to participate in this.

So this is actually the provision from the law. It says that if you're a non-federal entity, basically if you're a private company, private association, for a cybersecurity purpose and protecting classified information, you can share and receive, both with other private companies or the federal government, a cyber threat indicator or defensive measure. Okay, so we talked about defensive measures, but what's a cyber threat indicator? I apologize for how small this print is; that's because this is actually from the statute, and they, DHS, went to great lengths to make this as broad as possible, basically because they want as much information shared that companies feel willing to give. So it's anomalous patterns of communications; a method of defeating a security control or exploiting a security vulnerability; the actual security vulnerability, including any anomalous activity that indicates the existence of a security vulnerability; a method of causing a user with legitimate access to a system to unwittingly enable the defeat of a security control; malicious command and control; actual and potential harm caused by an incident; and any other attribute of a cybersecurity threat, if the disclosure is not otherwise permitted by law, or any combination thereof. So this is basically the lawyer's way of saying you can justify pretty much anything being a cyber threat indicator. I want to go on record in a brief on that, but I mean that's basically what Congress was intending when they drafted this.

Now Midshipman Devi will talk about some examples of cyber threat indicators.

So while the lawyers made the definition for threat indicators as broad as humanly possible, in terms of what's actually useful it winds up being pretty narrow. So it's going to be anything that you're going to be trying to put into your intrusion detection system, anything you're putting into your intrusion prevention system, so you could say IP addresses, really any sort of exploit, discovered vulnerabilities, malware hashes, malware families, domain names, IPs, and just straight-up threat intelligence, and again of course of varying use. But the point of the legal side was to make it so you could share whatever was deemed necessary; on the technical side it winds up being a lot less that actually winds up getting shared. So just the mechanisms: there have been many attempts at creating different ways to share information, and finally one has really taken hold, and that's STIX, CybOX, TAXII, and that's really heavily backed by the Department of Homeland Security and US-CERT, and that's really going a long way towards making it so that intelligence can get shared in a usable manner and be used in a timely fashion.

There are definite concerns. So there are technical safeguards, and that's basically based off of the design of these things: there's no mechanism for sharing of logs, there's no mechanism for sharing of documents. As well as legal safeguards: there's a mandatory removal of personally identifiable information if you know that there is personally identifiable information in there. So that is a major caveat: there is a slight chance that you could wind up sharing one of these indicators that could have personally identifiable information. But really the main takeaway from this is it is very difficult to trample on people's rights with STIX rules. So just going through it, I mean XML formatted; I chose the two examples for STIX and CybOX that have the most information you can possibly put in about a single person, and this is the default example for sharing information about a threat organization, and this is one for all the information that you can possibly put on an HTTPS certificate. So as great as the concerns are that this does authorize the sharing of documents, and perhaps, let's say, one example I've been seeing thrown around is the idea that a document could have a piece of malware embedded in it, they share the document that has the malware in it, of course that is a valid use case, and then the document's filled with PII. Right now there's no good mechanism to do that; until a mechanism is created to do that, there's really not too much of a concern about it.

So we wanted to talk a little bit about both the immunity and the privacy protections that the Cybersecurity Act provides, both for information sharing and for monitoring, because again that's really one of the most controversial parts of this law. Because privacy was really of the most concern, there was a lot of discussion about what do we do to protect privacy. So if it's, for example, a bank that's had a cybersecurity attack, there needs to be some way that the bank doesn't necessarily provide every customer bank record to DHS, to other companies, because that's highly sensitive personal information and most privacy advocates would say there's no good reason to do that. So there are a number of provisions in the law that say both that DHS develops its own guidelines for protecting privacy, but also that companies, before sharing any of the cyber threat indicators with anyone else, have to go through the information and remove any personal information that's not directly related to the cybersecurity threat. Again, you could pay a lawyer who charges hundreds of dollars an hour to make an argument about why personal information might somehow be directly related to the cybersecurity threat; I think, given the language in the statute, it's very hard, but there are also some privacy folks who say it's actually much easier than you would think to justify that, and they're still very concerned about large lists of consumer names, customers' emails, all that sort of thing being provided under this. So I think, again, we haven't seen any major cases arising from this yet; I think eventually we probably will, and then we'll be able to get further guidance from the courts and from DHS as to what personal information actually is directly related to the threat.

So here's the protection from liability. This again was the big sticking point, because
there were a number of concerns, particularly after the Snowden revelations, that telecommunications companies and the government would just use this as a way to share any sorts of information between companies and the government and be completely immune from it if they just say that it's for a private cybersecurity purpose. So the immunity provision actually covers both monitoring and information sharing. It says that basically you can't sue a company for monitoring an information system and information conducted under the Cybersecurity Act, so again for cybersecurity purposes. Depending on how broadly courts define cybersecurity purposes, that could be a huge deal or it could be not any change at all. If cybersecurity purpose is defined really broadly, this could provide much more flexibility for monitoring without companies facing any litigation, but again that's just something that we're going to have to find out with time as courts rule on it.

The information sharing immunity again basically says you can share these cyber threat indicators or defensive measures as long as you comply both with any requirements that DHS imposes and also these privacy rules, so redacting any unnecessary personal information.

The Cybersecurity Act also protects companies from regulators. One concern that I've heard from companies over the years is: why on earth would we want to give the federal government, and they frankly see the federal government as one large entity, why would we want to give the federal government vast amounts of information about why we were hacked? Just for background, I mentioned the FTC. The FTC will bring enforcement actions against companies that have what they would say is either deceptive or unfair data security, and typically in like 99% of the cases you basically settle with the FTC before they get to sue you. The good news is, if it's a first-time violation and you're not operating under a previous consent decree, you don't have to pay any money. The bad news is that you do have to agree to what I tell my clients is basically a 20-year root canal by the FTC. What they do is they retain the ability to basically oversee your entire data security program, require constant audits; it's incredibly costly, and if you're found in violation you can face vast penalties. So you don't want to have to do that. So companies say, why would I give this information to the federal government if DHS just passes it on to the FTC, and the FTC says, hey, why did you not require all your employees to use anything other than "password" as their password? So that was the concern. To address this, Congress said that basically if companies provide any federal agency information through the threat sharing program, this information cannot be used directly or indirectly against them in a regulatory proceeding. However, the federal government can basically use the information that it learns through this program to develop future regulations. So if it's looking to see what sort of cybersecurity threats our companies are facing, they could develop regulations along those lines.

The final sort of immunity is for antitrust violations. Under antitrust law, companies can't collude with competitors. So just a free legal tip: if you're talking with a competitor, it's fine to be friends with competitors; never, ever talk about what prices you're going to set. If you do that, that's a violation of antitrust laws, and they have criminal and civil penalties that are not very fun to face. So the concern that companies had here is, if I'm sharing information about a phishing campaign, for example, with a competitor, is that going to be seen as an antitrust violation? So that's why Congress put in this exception saying that by participating in this program you're not going to be facing any antitrust liability.

So in conclusion, and something that we wanted to get your thoughts on: in the past year since this has really been active, there's not been a tremendous amount of participation from the private sector. There's some, and it's growing, but there have been about a hundred companies that have participated overall. That's not very much, or at least that was as of this winter. So does anyone have any thoughts about what needs to change based on what you've heard? Anyone in the private sector, would you participate in this? Do you participate in it?
...about this. I think that's a great point. I mean, maybe only allow companies to receive information if they help out; make it communal rather than sort of take your chances, and if you want to be nice, then participate. Has anyone else had any experience with the program? Okay, any other questions about it? Yep.
litigation
So it depends on what the actual damage was, but typically it would definitely be those negligence, breach of contract, breach of warranty lawsuits, especially if there was any physical damage from a malfunctioning device, something like that. Again, the way that works is that typically the plaintiffs' lawyers will file a class action lawsuit, and whichever plaintiff is able to handle this multi-district litigation, they basically hit the jackpot, because they get a percentage on behalf of every affected consumer regardless of whether the person is a named plaintiff. So I think that would be the most likely. The Federal Trade Commission has indicated that it's focusing more and more on the Internet of Things and security of Internet of Things devices, so I think they're probably going to get more active in filing enforcement actions on that.
individual machines
Are you talking about the, which botnet are you, I just want to make sure that I'm commenting on the correct one. Oh, the Kelihos, oh, the takedown, okay. I thought you said operating the botnet too. Okay, yeah, so that actually deals more, that was a very successful FBI operation under the new Rule 41, which I'm sure many of you have heard about. It was very controversial; it allows magistrate judges to issue these nationwide warrants, for the Kelihos botnet. So that is more under sort of the criminal enforcement authority. But the legal authority that allowed that was more the change to the warrants.
...that the information, this information, is valuable to understand the threat picture, and that as a good corporate citizen or as a citizen of this nation this is a positive contribution to helping that presentation. So I think it will take some type of messaging campaign, and repeating over and over, to increase corporate compliance, corporate participation, because it's all longer, so you're dealing with the public relations issues.

So I totally agree, and I hate to be that guy to bring medical into it, but I kind of see it as like vaccines: until you reach a critical mass of people sharing this information, it's going to wind up just being 100, maybe 120, companies at this point, and they're sharing not enough intelligence to even come close to justifying the huge upfront cost of setting up a full TAXII system on your network. So it's a public service for now. Right now there's no way that somebody can look at it and say this is going to make us money, but in the future, once you get enough people in the ecosystem sharing information, I think that's what's really going to push it over the edge.

...et cetera, et cetera. I'm curious where you get the idea that it does. So that one is not the true definition of a honey file. That one is, I mean, it's basically a straight-up access tool. But that is one that, as I feel, if you worked through it with DHS and said this is what we are trying to create, these are the specific actions that are going to be taken by this tool, and called it something like a defensive investigative tool, you would have to work it through legal channels, you would have to get approval from them before you start using it, but there's a reasonable chance that if you constrain the activity such that there is absolutely no way that it could be viewed as being used for access, you'd be able to pull that off legally. It's definitely close; the CFAA is a beast. So a honey file is just the idea: if you take the honey token, that unique URL that when accessed pops up a log for you, a honey file is just any file that you embed that in. So that can be something as simple as a Word document that has a, there are easier examples in there, but any file that when accessed is going to wind up sending this request out of your network and back.

Yeah, I was wondering what kind of liability is introduced under the Cybersecurity Act for companies that might not be able to patch the vulnerabilities that they find and might share with other people. So what does that vulnerability come from, like an IoT device, or they encourage other companies to report?
So if the competitor received the vulnerability, if it was something that, and hopefully, typically, they will be alerted to it, as long as it doesn't violate the equities process. But frankly I think it increases the chances, because if you're facing a lawsuit in negligence, inadequate data security, all sorts of causes of action, knowledge of a problem that you don't fix, if that goes to a jury, that's really going to hurt you. So I think that's a really good point. The chances of an organization having a full TAXII setup and not being able to patch enough things to be covered legally is unlikely.

Like, what if you had an IoT, like a security camera system, and you recorded that vulnerability? Does the security camera system have hot...

I'm not a lawyer, but the liability is usually gross negligence, something along the lines of you really just didn't try.

Okay, we're getting the signal that our time is up. If you have any other questions, please ask us in person, email us, happy to talk about this more. And thank you so much. [Applause]