Cyber Security and Cyber Espionage: A CCCA Panel
These are notes from a panel discussion by Ron Deibert, Professor of Political Science and Director of the Canada Centre for Global Security Studies and the Citizen Lab at the Munk School of Global Affairs, University of Toronto, David Lashway, Partner, Baker & McKenzie, Washington, DC, John Woods, Partner, Baker & McKenzie, Washington, DC and moderator Theo Ling, Partner, Baker & McKenzie, Toronto on April 15, 2013 at the Canadian Corporate Counsel Association National Spring Conference 2013 in Toronto. Note: these are my selected notes from this session; any inaccuracies or omissions are my own and not the speakers’.
Cyber Espionage, Attacks and Security: A Risk You Can’t Afford to Overlook
What are the key threats related to cyber security facing companies today?
Deibert:
There are at least 6 big forces shaping the environment today and creating highly turbulent conditions. Risks are getting higher:
- Technological shift in last 3-5 years: we have seen a fundamental change in our communication, including social media, cloud computing and mobile technology. An amount of personal data that was previously hidden is now entrusted to third parties.
- Demographic revolution: 46% of all Internet users come from Asia, and that is only 1/6 of that population so far. Their culture, religion and autocratic governments are shaping the Internet.
- Rise of cyber crime: the number of exposures and vulnerabilities is increasing. There are little or no repercussions for those perpetrating these crimes.
- Blurring of cyber crime into espionage and warfare: the techniques used are indistinguishable from those behind cyber security breaches.
- Sea change in the way governments approach this domain. Very recently this was not addressed by governments at all; now it is getting to the top of policy agendas.
- Arms race: political economy dimension. A huge cyber security complex has risen to feed into the arms race.
These are creating highly turbulent conditions and affect the private sector.
Lashway:
One characteristic common to all these points is that the threat is evolving; the risks are not static. Counsel must break these risks down in a pragmatic way so that they can be addressed from policy, PR and business perspectives.
With respect to the threats themselves, Baker & McKenzie plugs these into a risk framework. While difficult for lawyers and the C-suite to understand the rapid evolution of these threats, it is of utmost importance that policy be informed by these issues. Companies are facing very significant risk.
Companies need to take a pro-active position on managing the threat and parse what has been a conflated threat analysis. One concern is the state actor as a threat, e.g. Chinese or Iranian threats. This raises the issue of cooperation and complicates doing business here as well as abroad. There is also organized crime here and abroad:
- fraud activities and theft of information then sold in the marketplace
- hacktivist activities, including Anonymous
- the threat of insiders – balancing the protection of privacy with the threat posed by insiders who may take the ‘keys of the company’ and use them outside.
Woods:
Businesses and non-profits have been moved to the front line of conflict and have not been in this position before; they fill in as a proxy for the government. Companies may be subject to attacks based on discussions they don’t even know are going on.
E.g. in Saudi Arabia, 30,000 computers stopped working inside an organization.
Business is being placed in positions it has never before had to confront. There is a need to de-couple the rhetoric from the actors.
Deibert:
Downloading controls to private companies is definitely a shift that is happening. Our conceit in the West is that no one is in charge of the Internet. 95% of it is in private sector hands. Companies are finding that demands are being placed on them in areas that they have no capability to meet and no guidance to meet.
E.g. during the Google-China dispute, Google was experiencing a breach of its systems, seemingly coming from China. Meanwhile they were having a hard time meeting the fuzzy demands of the Chinese government on day-to-day issues. (Google saw these as separate issues.)
Lashway:
Business is now global business, creating more risk than in the past. Organizations need to think about third party contractual relationships. Even if your business is very secure, threat actors are very aware of who you are connected to. They have very tactical plans of attack, looking not just at you, but also everyone connected to you.
What policies can be put in place?
Deibert:
With respect to threats from state and non-state actors, he urges everyone to look at the Transparency Reports put out by Google. How often do you comply with law enforcement/government requests to take down information? Over the last few years the Transparency Reports show that the number of these requests has skyrocketed. The requests are not coming from the “usual suspects”; they are coming from liberal, democratic governments. Google differentiates between requests that come with a court order and those that do not, and the latter outnumber the former. It is remarkable the lengths to which governments are going to deal with cyber threats.
Lashway:
The number of threats from individual actors is also increasing. Regulating around that and developing law, where technology has advanced so fast but policy has not yet been developed and laws have not yet been created, is challenging. Have a look at your policies, including employee-related issues. Ensure you take into account the new risks even if laws are not in place.
The biggest risk is uncertainty. The threats are evolving.
There are insufficient Rule of Law doctrines in Canada, the US and around the world. We have conflicts and geographic neutrality, i.e. threats that do not rely on geography. The other threat is liability: give your audit committee and C-suite standards to follow. Liability has yet to be significantly defined because the Rule of Law has not been sufficiently developed. However, there are things companies can do to be more aggressive in setting standards.
Most legislation promotes information sharing, but is not a stick.
Woods:
In the past the primary concern was names and social security numbers; if these data elements went out the door, companies would run investigations. If intellectual property went out the door, this was secondary. Investigations are very expensive to run.
You would expect the forensics to be important, and to have them in a timely manner so you can act on them. One would expect the government to lead this. However, the role has flipped: the company now often tries to find out how the activity occurred, and this data is then used by the government.
Deibert:
Described a situation where the Citizen Lab could pinpoint fraudsters in St. Petersburg, Russia, down to cell phone number and photos. They went to the RCMP, but this went nowhere because the RCMP would not be able to work with Russian authorities to catch them. Russia tolerates a certain amount of cyber crime.
Facebook has been known to publicly “out” attackers, posting their names. There is a situation where companies are now in a position of defending themselves against other companies.
Lashway:
Affirmative defense: technology tools in addition to policy tools. In the US they have a statute they use aggressively, the Computer Fraud and Abuse Act. It is highly controversial in the US, both as an offensive tool used by government and as a defensive tool used by companies. Its use raises constitutional questions: it limits third parties from using information from your website. The “attack back” scenario raises the same questions. Receiving information, or even direction, from the government is not always enough to allow a company to act.
Woods:
Your own IT department may be taking actions to protect your company that you are not aware of. For example, if an attack is coming from India, by attacking back you may not be breaking Canadian or US law, but you may be breaking Indian law. If you have business in India, this could create problems. You need to be aware of what your computer security professionals are doing.
Lashway:
The Canadian government is developing a Cyber Incident Management Framework. They ran a test scenario with a water system and a power company going down. Key takeaways from the exercise: it is unclear what role the Canadian government is supposed to play. What the roles are and what the standards are have yet to be developed. Companies have to have plans and policies. The liability questions are very significant.
Another recent development that overlaps Professor Deibert’s comments: creation of an Internet Society chapter for Canada.
http://www.internetsociety.ca is both the parent to the technical body that sets Internet standards and an advocate for individual users of the Internet. Security, access (sometimes overlapping with “access to justice”) and privacy are among the society’s concerns.
The Canadian chapter was announced Monday at MaRS (the discovery district, not the planet) in Toronto.
I’m a supporter of ISOC, as you might guess, and think it is a body which should address the concerns Dr. Deibert raises, and make technically credible recommendations to our various governments.
–dave
Interesting report, thanks, Connie. My next Technology column here will explore aspects of the ‘active defence’ (hacking back) option.
I am not sure what Mr. Lashway means in saying ‘There are insufficient Rule of Law doctrines in Canada, the US and around the world.’ Does he mean insufficient actual laws, i.e. statutes and regulations – insufficient rules? Did he give examples of rules that would be helpful?
The Cybercrime Convention aimed to provide a catalog of criminal rules that countries should have to support prosecution of cyber-criminals. Not all states have adopted them. Would Mr. Lashway or his colleagues on the panel advocate re-opening that Convention to add to the list?
Dave: thank you for the note about the new society.
John: I believe Mr. Lashway did explain his Rule of Law comment further but I didn’t note that detail. I do believe this would include legislation, but I welcome clarification from fellow audience members or Mr. Lashway.
The US House of Representatives just passed unanimously (how often does that happen these days?) an amendment to the Federal Information Security Management Act to require every federal agency to do continuous monitoring of their systems for cyber-threats, and to require the agency’s Chief Information Security Officer to have the appropriate qualifications, including security clearances.