
New Legal & Regulatory Developments Impacting the IT Professional Community by Kurt Sanger

BSides Tampa · 42:02 · Published 2024-05
Category: Policy
Style: Talk
About this talk
Description: Laws & Regulations IT Professionals Must Know. This presentation focuses on legal and regulatory developments in the United States and across the world that will affect information technology and IT professionals. Governments are developing mandatory and discretionary standards regarding cybersecurity, artificial intelligence, information collection and security, and multiple other fields that impact IT. This session highlights the developments that will have the greatest impacts on the profession, the technical and operational implications, and how IT professionals can help shape future legal and regulatory reform.
Transcript [en]


Can you hear me back there? All right. And then, are there any attorneys in the room other than me? No? Oh, I can tell you guys the truth. This is going to be awesome. All right, so I wanted to do this because I think that people in the information technology field are at a certain risk. It could be legal risk, it could be regulatory risk, it could be to your organizations, or it could be to us in our individual capacities for what we do. It's not because we're doing anything intentionally; it's that we're doing our jobs, and there's just too much uncertainty in the legal and regulatory fields, not without good reason, but for certain reasons we'll get into today. But we're

at some risk, and we need to figure out what that risk is so that we can play the percentages a little bit better. We can't get to everything today. I looked at my slides yesterday and I said I could have replaced everything and talked about completely different subjects and still wouldn't have scratched the surface. Even for the topics we're discussing today, there are other aspects of them that could have taken up this entire period. So there's a lot going on, and a lot developing quickly, just as it is for everything in technology. So we'll scratch the surface today, but hopefully what we'll do is at least give you a way to think about some of

the issues that are coming up and how to play the percentages to reduce our risk. On my bio slide there's a bunch of things. I was in the Marine Corps for 23 years, had a somewhat ordinary legal career at first, but really the slide reads blah blah blah, Cyber Command, retired in 2022. I got to do a whole bunch of cool things at Cyber Command. If any of you are thinking of joining the military or the IT community, I would love to talk about it with you and highly encourage it. If any of you are thinking of going to law school, is anyone doing that, or willing to admit it?

Yeah, I won't try and talk you out of it, but I will give you a couple of warnings if you are thinking about it. If the slides do come up, my contact information is on there, and if you ever need advice on anything you're thinking about with your careers especially, I'm happy to help. So we'll discuss the developments that might affect people in this room. Has everyone in here heard of the SolarWinds incident, and are you aware of the SEC action, the Securities and Exchange Commission? Okay, we'll talk about it a little bit. The NIST Cybersecurity Framework, everybody's heard of that? It looks like a bunch of yeses. New developments

regarding that. Volt Typhoon: is everyone familiar with the Chinese threat actor group that is doing a number of different things to put America at risk? We'll talk about that as well. And then everyone's heard of artificial intelligence, right? You know, I was trying to stay out of it, but you can't. This guy is CISO for the state of Connecticut. He said if you put it off for six months, you're just going to be six months behind everybody who's investing time in it. So unfortunately I got into it. There's a lot of legal issues coming up in that regard, so we'll talk about it real briefly. Hopefully we'll get to questions. We

started a little bit late, but I'll try and cut it short and go fast through the issues. The main thing here is to help everyone spot issues early. That is a cost-effective way of dealing with issues: spotting them before they turn into crises. So not only for the types of topics we're talking about today, but also for the way to think about crises that come up, hopefully you'll come away with something from this. To set the stage with some things that you might have heard before, or might have heard a thousand times before: we all know technology is evolving faster than society can keep up, faster than

lawmakers can keep up, faster than lawyers can keep up, faster than just about anyone can keep up, and so the rules are behind, if there should be rules at all for some of these technologies. But we're just not digesting them fast enough to deal with them in the way that society would want to. The other thing to note is that laws and regulations can shape this field more than they can others, just by the nature of the domain. Think about it: we have speed limits on the highway that limit how fast cars can go, but I'm going to guess most of the people in this room, to include myself, went above the speed

limit on the way here at some point. Did you? Okay, all right. Well, you know, so the law is not restraining us, but if we were in cyberspace, certain rules could be put into the domain that would limit the speed at which information moves. The best example of this I ever heard was written in the year 2000 by a gentleman named Lawrence Lessig, who's a professor at Harvard. I highly recommend anything that he's written about cyberspace. What he said was, you don't need a rule or a law to prevent skyscrapers from being stolen, but you do need a rule or a law for automobiles to prevent them from

being stolen. That's just because of the physics of skyscrapers and automobiles. Cyberspace makes the impossible, or the once impossible, possible, or much easier. So there may need to be new laws, new rules, to reevaluate how those new possibilities might affect the world. One other thing to set the stage is that laws and regulations in our space are going to create winners and losers. It costs money to comply with regulations. It costs money not only to comply but to demonstrate compliance when there is a regulator that you're going to have to answer to in DC, no matter where you are. When you're dealing with an incident that's going to be reportable, it's like having that

regulator in the room, because you're not only going to be answering to your bosses in your organization but also to that regulator, and that costs money. To the extent that you can make a compliant system and demonstrate compliance before an incident, you're going to reduce your cost significantly. I know a lot of folks in this space put off thinking about that crisis because it's not cost-effective in the beginning, and you always have the chance that the crisis is never going to arise. But there is a risk that comes attached with that. Not that it's not understandable, but there's a risk that comes attached with not preparing for the crisis, and that is greater costs

later on. One thing to set the stage about the rulemaking environment: we have ourselves, who can make the rules. It could be the organizations that say, okay, we're going to use this technology for this; even if it's possible to do certain things, we're only going to let it do a certain specified number of things. So we can regulate ourselves. That's usually dictated by the market; it's dictated by money. So we tend to regulate ourselves in accordance with the rewards we're seeking. Congress has not been able to make widespread law to implement required cybersecurity across the board, not without good reason. There is political dysfunction, as we all know. The

latest Congress has created fewer laws than most, and definitely fewer than any in recent times. But in this category in particular, I think they are just as befuddled, and some of them are of a generation or from communities that don't understand this space very well. And there is political risk and a lot of money behind keeping things the way they are. So I don't really fault Congress for not coming up with the best system, although I read yesterday that something has advanced with regard to a federal data privacy law, which might make things easier and less costly, because you'd then have to comply with one data privacy law, all one in the

United States. International is a different story, but one in the US instead of 50 across the 50 states plus territories and DC. So don't blame Congress. They do understand the problem, but it is a difficult one for all of us to handle, including them. Because Congress doesn't make rules, or doesn't make laws, to address these issues, federal regulators take it upon themselves to make rules for different communities to fulfill. They don't have the same powers as Congress does; unless they have an enumerated power to regulate a certain industry, they can't regulate it. Recently there has been a re-evaluation of the regulatory field in its entirety. The Supreme Court just took up a case where

basically what the regulatory regime is right now is that if Congress hasn't said to the regulators that you can't do something, then they're probably able to do it if it's within the scope of their mandate. Now what Congress is considering is that they're going to have to have something more specific to enable their powers. So if they're going to make a rule in a certain category, certainly in fields where cybersecurity hasn't traditionally been where they regulated, they would potentially not be able to regulate in that area. Is everyone familiar with, we're going to talk about it later, but is everyone familiar with what's happened with the Environmental Protection Agency and their efforts to regulate water

utilities? Yeah, we'll discuss it a little bit, but that's a good example of where US regulators can't fill in where the law can't either. And then you have all those states, international, and even private standards associations, you know, international and US-based associations of different industries that have standards, most of which are voluntary. The state laws are not. Some of the international laws aren't either, even for countries or organizations that work solely in this country. But there are a whole bunch of different standards that the IT community might be expected to live up to. So the first topic that's given us trouble: the SEC, the Securities and Exchange Commission, and SolarWinds. SolarWinds, a

publicly traded company, a software company that makes products that hopefully make the rest of IT compliance easier, IT activities easier. They have tens of thousands of clients, to include the federal government. In late 2020 it was revealed that one of their products had been compromised by Russian actors, and when their product was compromised and they sent an update, thousands of their customers got compromised as well, and there was access into all these organizations that weren't properly prepared for that type of threat. Last year the SEC filed a civil action against SolarWinds, and by name against the Chief Information Security Officer, and said that they had both implemented poor cybersecurity

practices but, perhaps more importantly, had made false statements regarding their cybersecurity. This is important for a public company, because when you buy a share of a stock these days you're not buying just what the company does and what its profit potential is, but you're also becoming a partner in their risk, because as we all know, some of these risks are existential. So no matter how great a company's product is, if their cybersecurity is poor and their systems go down, or if the Chinese steal their intellectual property (and the Chinese are probably listening, hello, how are you, we'll find you someday), anyway, you know, that's the end of the company potentially, or certainly in

the shape that it is at the moment that that breach happens. So the SEC wants to know about these things because they're protecting the stockholders, right? They want to protect that share price; they want the risk of a cybersecurity incident in that organization included in the share price. So the misleading statements were maybe the bigger deal. I think it's going to be hard for the government to demonstrate, or harder at least to demonstrate, that SolarWinds had poor cybersecurity practices, because the standards are still all over the place. The false statements, though, may give them more trouble. The lesson learned out of Solar

Winds for CISOs and everybody in the IT community is particularly one with regard to communication. One of the big SEC complaints was that the communications inside the organization were much different than the communications that were going to customers, shareholders, and the SEC. There were insider acknowledgements that cybersecurity was poor but outside statements that it was just fine, and that of course is something that would have affected the share price of SolarWinds. So a whole number of CISOs, I know there's a couple in here and maybe you did it yourselves, but I'm guessing that a number of CISOs went back when they saw this complaint against the SolarWinds CISO and read all their emails for the

past couple of years to see what they had said internally, because, at least in the SolarWinds case, the CISO is being held accountable for them and they're being compared to the public statements. So that's something to keep in mind going forward, and that's not just your statements or leadership statements but also those of everyone in the organization that has something to do with the IT systems that you're working on. What you would want ideally is to have consistency of messaging. You'd want to address the questions of your IT workers. If they're challenging something, if they're alerting you to something, you'd want them to get the right message. You'd

want to engage them so that if somebody looks at those discussions later on, you can demonstrate that you took those warnings seriously and did something about them. This is potentially going to radically change the CISO's job and the function of the entire organization within that organization, because I would imagine that merely the communication can become a full-time job. You've also got to find a way to get the attention of your CEO when only the CEO is the one who can influence the organization in the way that it needs to move, because the CEO obviously is more empowered than anybody else in the organization. You've got to have transparency with your different communities as well. These things that

might come up from the rank and file, the problems that they identify, you may not be able to address them all, but you at least want to acknowledge them. And what you mostly want to do is be able to give a reason why some things were prioritized and others weren't. It's probably the safest way to cover yourself as a CISO. Underlying all that is keeping good records, which again, I understand, is potentially going to become a good portion of a CISO's day if they're thinking about demonstrating what happened that day to a regulator three, four, or five years down the road, or even more. I

don't... [inaudible audience question]

Yeah, so we could spend the rest of, or actually we could go back to the beginning and spend the whole time on this question alone. There are a number of risks. You're talking about transparency before the incident, but there's also the issue of transparency after the incident. The problem, I think, before the incident is that there was a lexicon of vernacular that became very quickly the acceptable language between the government and CISOs, or those making filings that related to cybersecurity issues, and that was pretty boilerplate. Everyone knows what I mean by that; it was just everybody saying the same thing or something similar, and it didn't reveal too much information. And apparently the

government didn't object too much to that. I think one of the interesting things that's going to come out of this case is that that boilerplate is going to be put to the test, and I think the government is at least somewhat at fault by not objecting to it. Not to mention the fact, and this goes across the board for every cybersecurity issue, that the government was the one who developed the internet in the first place, or at least the one working on it, or partially at least, and is legally maybe, morally definitely, responsible for some of the vulnerabilities that all of us face today. They're the ones who created the system to be as open as it is. They

didn't anticipate everything, but I don't know, I would love to discuss that with anyone who sees that a different way. But let me just finish this one; I'll get to you. There's going to be a level of transparency that's required coming out of this case. Whether it still looks like boilerplate or it has to be something more specific to an organization's situation, I don't know yet, but I would imagine that it's going to have to be something more specific than what's gone on to date. I don't know if anyone in this room has adjusted anything because of the SolarWinds case, but I'm imagining that some folks are taking the complaint as a road

map and using it to guide what communications they have going forward. Yes, sir?

[inaudible audience question]

Are you sure you didn't go to law school? You're welcome to come on up. But yeah, no, that's what I would encourage as well. Yeah, well, you remember it well. Yes, sir?

[inaudible audience question]

I think it goes back to what I was saying about Congress. I don't think the government has the expertise to give clearer guidance. That's another issue I'd love to discuss if anyone disagrees with it, but I don't think they can do a Sarbanes-Oxley. Sarbanes-Oxley gives certain accounting requirements for publicly traded organizations, right? And there could be something like that developed for cybersecurity, but I just don't think people in the government know cybersecurity the way they know accounting. Back to your question, though, about boards. I don't think I'm going to be able to cover all of it, but boards are covering their cybersecurity responsibilities in two ways:

they're getting folks on the board that have expertise, or they're potentially creating panels or cybersecurity advisory boards that help them fulfill their requirements for having access to expertise. I don't know what's going to be required of them as a standard of care. Caremark, I'm not sure that that's going to be the standard for cybersecurity anyway, but it's another one of those things where I just think there's too much uncertainty out there, which is what law and regulations are supposed to do: give us all certainty about how to conduct our lives without getting in trouble. Something back here on the aisle? Yes,

ma'am?

[inaudible audience question]

Yeah, and some of it has to be guided by realities, right? You leave laws a little bit vague. I mean, you want them to be certain enough that we can follow them, but you also want them to be vague enough, or flexible enough, that they can withstand new developments. My issue with the way the government is handling things right now is that they're leaving it too vague.

Yeah, and so some organizations are over-reporting, which not only, pardon me, not only absorbs their time but absorbs the government's time, and now you've created this pile of needles on top of which you're going to throw the one report that is a worthwhile one, and we don't know if the government's going to be able to find it or respond to it or distinguish it from all the other ones that don't matter as much. Let me move on to the next topic, because we could talk about this one all day, and we've only got 13 minutes left anyway. So for the NIST CSF and the FCC Internet of Things labeling program: everyone knows the NIST CSF, right? This is the

Cybersecurity Framework. All right, the FCC Internet of Things labeling program, is everyone familiar with that? Yes, sir? We're not? Yeah, unfortunately the slides didn't come up, but I will get them to you, and I'm going to find a way to make up for some of the stuff we're not going to get to today. You gave up your Saturdays to see this; I want you to get all of it. I'm going to find a way to get it to you. Yeah, the labeling program is basically going to be a brand that the FCC, the Federal Communications Commission, is going to put on certain products meeting certain cybersecurity

standards. Basically, for both of these things, they are not required; they are voluntary. However, they may create standards that we all have to live by whether we volunteer to participate in them or not, because, one, if you do volunteer to participate, you are basically committing yourself to those standards. If you don't, there are still going to be standards that courts and regulators and others, you know, even with contract actions, are going to ask: have you conducted your cybersecurity program in a reasonable manner? That's kind of what the legal question is going to be when there's nothing else to guide you. And so these things may become the reasonable

standard, not because they represent actual good practices but because it's the name that everybody knows. So that's one thing to look out for as these standards develop: you may be beholden to them even if you're not following them. One different path that's developing right now is that water utility I was talking about earlier. The EPA tried to regulate cybersecurity for water utilities and wastewater utilities. A number of these companies objected, and then the EPA was sued by a number of state attorneys general, and basically in the face of that litigation the EPA withdrew the rule and issued voluntary guidance instead. What's developing now, potentially, is

that the water utility industry is going to create an organization where they create their own standards. I understand they do this in the electricity industry, which I'm not as familiar with in terms of their cybersecurity practices, but this is another thing that may develop that may be promising, because there's going to be more expertise available to that organization. Although it may be private, it's going to be in close touch with the EPA, so you may be satisfying, or they may be incorporating, what the EPA's expectations are, but then you also have a bunch of experts in industry that are also going to be the ones not only who create the rules but who are going to have

to comply with them. So hopefully they would come up with a better system, and whatever standard they come up with may set the example for other industries as well. There are a number of other benchmarks that we could look towards, from the European Union, from other federal organizations, DHS, CISA, whatever your sector risk management agency is. If you're in a regulated industry, chances are your regulator, no matter what their level of cybersecurity expertise is, is going to be setting standards for that industry, and you may end up being beholden to a number of different standards by virtue of where you sit. You know, if you're in

transportation, you know you're part of critical infrastructure, you're part of the transportation industry critical infrastructure; there may be multiple standards that they have. Organizations are objecting to this because it will be costly, and probably needlessly so, so there will be some changes from what the government is expecting in this role. All right, one thing that I hope is a remote possibility, but I think we all need to be aware of, is the law of armed conflict and information technology professionals. Your head just snapped up. It is something we need to worry about because of what's at stake. So we are getting lessons learned out of the Ukraine conflict right now. That is the first

armed conflict that includes both kinetic activity, violent physical activity, with large-scale cyber operations being conducted by both sides, and what we're seeing is the possibility that, well, first of all I should say the rule for the law of armed conflict is that civilians can't be targeted. However, they can lose their protection as civilians, as non-combatants, by taking part in certain activities. The standard is: are you directly participating in hostilities? And that doesn't mean just are you a trigger puller. If you, as a civilian dressed like this, pull out or grab somebody's rifle and start shooting, you are directly participating in hostilities, but it includes other things.

If you are a lookout that is pointing, and you don't have a weapon, you're pointing to where troops are going that are attacking, that potentially makes you... there are arguments from the International Committee of the Red Cross and the militaries of certain nations on how to handle these things, but basically there is a way a civilian can lose their protection. One of the things that's come up because of the Ukraine conflict is that we're seeing more and more folks involved who either intentionally or unintentionally are influencing what's going on in Ukraine with regard to the armed conflict. Where an information technology professional might be crossing the line into directly participating in hostilities, we don't know

yet. Is it merely supporting the networks that support the government, like you're just handling the EPA of Ukraine or their Department of Transportation? If you're supporting their networks, would that be crossing the line? Probably not. If you are enabling the networks that enable their military operations? Possibly. If you are turning off the lights in a target area while someone else in the military is running a raid using violence, you probably are participating in hostilities. I would imagine those folks are few and far between, but for the Microsofts and the Apples and anybody else that is in some way supporting one side or the other and their networks, there is a question that needs to be asked.

The rule would apply, whether you're directly participating in hostilities, whether you're in Kiev, in country, in Krakow, the next country over, or in Kansas. The internet enables us to have influence across the globe, and one of the things we can influence, and have influenced through the Ukrainian IT volunteer army, is that people across the world have influenced operations in Ukraine. If you're in Kansas you're probably not going to be targeted by the Russians. If you're in Kiev, you may be, whether you're participating or not. If you're in Poland, though, you are closer to the danger, and the closer you are to that danger and you're in the IT community, that's something that I think organizations

need to be worried about. I hope I didn't ruin your Saturday. All right, we've got five minutes left. Just real quick on Volt Typhoon, and this is more for us as Americans than as IT professionals, although certainly it could affect us as well. Basically, the Chinese are alleged to be pre-positioning capabilities that could disable our critical infrastructure. The thinking is that if they ever went to war over Taiwan and we wanted to participate, they could make it much more difficult for us to conduct operations, in part, but then also make Americans' lives more difficult. The Chinese not only infiltrated critical infrastructure in order to carry out these operations but

also the devices of ordinary American individuals, our routers. A lot of them were Cisco routers, apparently. Anyone from Cisco in here? Good. Yeah, it was a lot of Cisco routers, but they were end of cycle, weren't being updated, whatever. And so when the FBI responded to it, they were like, all right, if we're going to take down the PRC's botnet, we're going to have to, first of all, find which devices they're in, and then we're going to have to do something to affect those devices. What they did successfully was make the botnet essentially kill itself, but they did this on devices that could have been

in our homes. So now the government has a proof of concept and a tool, a technical capability, that they can use to go into the homes of Americans who haven't committed any crime and may be completely unaware of how their system is being used, and affect those systems, deleting code from those systems. That's one thing when it's the PRC, or Russia. Everyone knows what I mean by PRC? That's China. It's one thing when it's an intelligence threat or a national security threat, but they could do the same thing for what they consider criminal, and this could include going into certain systems to see if people have visited certain sites, or if

they've got a certain application. If certain end-to-end encryption gets outlawed, they would be able to go into the system and determine if we had an application that had end-to-end encryption. So they are now capable. This affects, or implicates, our Fourth Amendment rights. There is a mechanism now to do it in law for something like China or Russia on multiple devices, but essentially because of that, the government has scaled what is potentially a surveillance mechanism, but certainly a cyber effect system, that could be used at scale. And one of the ways that I think our adversaries defeat us is not just by beating us physically or in cyberspace

or however, but also by changing our values or the way our values can be carried out. One of the things from the 2016 election cycle is that Russians were accused of trying to influence United States voters. We have a right under the First Amendment, it's not spelled out, but the Supreme Court has found that we have a right to receive information, and it is important that we receive information from foreigners. They can't participate in our elections, but it is important to know what they think about certain issues, how, for example, the Ukrainian war is being carried out and the impact of us supporting or not supporting them. The people in Ukraine know that best, so

hearing information from those Ukrainians: they don't have any First Amendment rights, but we do, and we have a right to hear from them. Whether we have a right to hear from folks who are not genuine about who they are, who obfuscate who they are, that's in question, but it's certainly not unconstitutional at this point. So it's another thing that, as technologists, we're going to be closest to the playing field on how the government can carry out these activities, and they're going to potentially affect what we are used to as the American way of life. One quick thing, since we're out of time, on artificial intelligence. Courts, it appears, judges

and courts are going to treat it as if it is an employee. So if it does something wrong, if it makes a commitment, if it makes a statement about what the company will do, if it uses copyrighted materials, so far it looks like courts are going to treat that as if an employee did it him- or herself. And so you might as well treat your AI capabilities as if they're going to be held accountable like another employee. And it may even be worse than that, because an employee can go a little crazy and do things that are ultra vires, meaning, it's Latin, I shouldn't use Latin, apologies, that they do

something out of the scope of their job, right? And then the company wouldn't be held liable for what they did. An AI, I don't think it can act ultra vires, again two Latin words; they can't act outside the scope of their job, essentially, because that's what they were built to do. So I would treat any AI tool as an employee in terms of how you're going to be held accountable. So two things to think about as we wrap it up, for any of these issues or any other IT issue. First is that when rules don't seem like they apply, or they may not apply to the situations that technology

brings us to that we haven't dealt with before, the thing we always did at Cyber Command was we looked at the underlying values. When the law of armed conflict did not apply to a relatively peaceful operation in cyberspace, it wasn't going to kill or hurt anyone, we still thought about damage to civilians or inconvenience to civilians. It didn't mean we had a legal responsibility to avoid certain types of operations that would be inconvenient, but it was certainly something that we thought of, because it's one of the values that the law of armed conflict is meant to protect. The other thing I like to do, and this takes a lot of energy, and it was what separated me, I think, as a military

lawyer from military commanders: military commanders focus mainly on an enemy's most likely course of action. What I always did in my job was think about what the worst-case scenario was. So I started with the premise that something terrible is going to happen, and my boss is either going to be put in the brig or, even worse, relieved of his job. Starting with that premise, I could work backwards and say, all right, what are the things I want to be able to say to whoever investigates this situation? What do I want to be able to say to them that I did now in order to avoid what happened? If all that stuff is

reasonable at the time you're making decisions, you know, what you want to avoid is the Monday-morning quarterback coming in and saying that you didn't think about these issues or you didn't make the right decision with the information that you had at the time. What you want to be able to do is demonstrate, as I was talking about earlier, that you've made reasonable decisions, that you're able to document them, that you're able to demonstrate them to your regulators, investigators, and all those. So that's one way to think about these things where we have no road map: start with that worst-case scenario and build backwards, and basically say, what is it I would want to be able to

demonstrate to whoever's looking at what happened down the road? So it's another thing that's going to take up a lot of time in your jobs, but maybe worthwhile down the road. We only have one more minute, I think. I'm happy to stick around for questions. I think what I'll do is I'll find a way to get the slides, they were beautiful by the way, get them to you, and then add a little commentary at some point, and maybe even put something on YouTube and discuss a couple of the issues we didn't get to and some of the ones we did. But thank you so much for being here on

a Saturday, especially the students. I wasn't even awake by this time on a Saturday when I was a student in college, so thank you for being here. My contact information will be in the slides, anything y'all ever need. How many folks are from out of town? Okay, so I'm glad that you're here. I'm growing to love the Tampa information technology and cybersecurity community and getting more integrated with it, and I hope I see all of you on the road a little more often. But I am local and like being part of this team, so see you soon. Thank you for being here.
