"What can we do individually that makes us collectively more secure?"
Recent intrusions at corporations through widely used software such as SolarWinds and Microsoft Exchange, and the attack on critical infrastructure at Colonial Pipeline, have taken cyber-attacks to a new level, demonstrating the vulnerability of our public and private networks and the ability of attackers to disrupt everyday life. The cybersecurity industry is booming, and demand for legal professionals with knowledge of the field is high.
To help us better understand the role law plays in the protection of our information systems, we sat down with University of Arizona James E. Rogers College of Law Professor Derek Bambauer, who specializes in internet and intellectual property law.
Bambauer is a co-author of the new textbook, “Cybersecurity: An Interdisciplinary Problem,” which discusses the challenges of securing complex systems and the legal concepts needed to understand cybersecurity law and policy.
Why did you want to write this book?
It’s been a couple of years in the making. When we were first starting out there really weren’t any textbooks on cybersecurity, and in fact, it was kind of new as an object of study for legal scholars. Lawyers were just beginning to realize that they had an important role to play. The difficulty, as we saw it, was that you have two groups – lawyers on one hand and, broadly speaking, engineers on the other – that really needed to be interacting and cooperating with one another in order to solve this serious social problem. Each group has its own language, its own norms, its own customs, and each group is frankly intimidated by the other.
Our hope was that this book was something that could, at a minimum, give people a common lingo and understanding of the way that the other group thought as a means of promoting collaboration and greater coherence.
This book approaches cybersecurity from an interdisciplinary point of view. Why is it important for those in the legal field (and others) to view this topic from an interdisciplinary framework?
I think probably the most important thing is that it will make them more effective at their jobs.
A lot of the solutions for cybersecurity are either going to originate from or be implemented by engineers, network administrators, IT helpdesks, and so forth. Having the ability as a lawyer to understand the set of concerns that IT has and to be able to translate that both to other lawyers and to businesspeople, in an intermediary function, I think is what will make people marketable and desirable attorneys in the field of security.
Additionally, cybersecurity, at least as a social problem, has all these different facets. It has economic facets, it has information facets, it has facets that lie in the basics of computer design and computer engineering and realizing that security itself is a larger set of problems that spill over into not just legal doctrines, but different disciplines. I think this approach will also help us when we have lawyers who begin to become policy makers and who can hopefully frame more effective solutions for the country as a whole.
What are some of the legal concepts this book explores?
The book covers a broad array of legal topics—everything from the various tort standards (negligence, strict liability, etc.) to regulatory capture to the role of insurance in dictating precautions to the relative institutional competencies of courts, legislators, administrative agencies, etc.
Is there one field (legal, technical, business, economic, etc.) that shoulders more of the responsibility for managing cybersecurity?
I think lawyers aren’t the most important, but lawyers are probably going to get the first phone call when something goes wrong.
There are all sorts of business considerations, technical considerations, but there’s also the fear of, “are we going to get sued? Are the regulators going to come down on us?” And so, in that sense, lawyers are the first line of response. They also have the advantage that just by dint of the profession, people in the C-suite listen to them. Leadership feels that they must listen to their general counsel because this is not just something that affects quarterly profits; the company could also face shareholder lawsuits, or a lawsuit from the FTC, for example. That means that lawyers are well positioned to push whatever entity they’re working with or working for in a direction that improves security in a way that will be listened to and considered.
What are the key distinctions between privacy and cybersecurity?
Privacy is really a set of social determinations about who should know what and under what circumstances. I think of security as the mechanism that implements those choices and makes them effective.
To a certain degree, security can have an interactive effect with privacy because it can help to determine what’s possible when there are certain limits we might like to set. For example, the music industry would love to make it much more difficult to share music, but we don’t really have the technology to do that. So, in that sense there is this sort of back-and-forth interaction between privacy and security.
Has current law caught up to the realities of cybersecurity challenges and threats? Are there any gaps that have the potential for exploitation?
I think it clearly has not kept pace. I have some sympathy because if you’re a regulator, you’re dealing with an area that has seen extraordinarily rapid technological change.
If we were to think about what changes might be most useful, one would be to think about security in terms of regulation more broadly. In the U.S., each area gets its own set of regulations, but there are relatively few overarching regulations. This means that cybersecurity in the U.S.—or at least its regulation—is a patchwork, and we don’t really have a single national enforcer that’s responsible. We have the Federal Trade Commission, but its role is contested, and it has limited resources.
I also think cybersecurity could benefit from more substantive regulations in some areas. There are circumstances where we should be saying, “You ought to do this.” But it is hard in the U.S. to begin to impose substantive regulations because there are worries about cost and because of the sheer interest group lobbying that takes place.
Are there any major federal regulations that are being worked on currently?
One of the questions is, “Are we going to have a federal regulation that pre-empts the laws in places like California, Virginia, Vermont, and so forth?” These are largely privacy regulations, but they do have a security component built into them.
I think it's likely that if we got some federal privacy law, it would have some sort of security component to it. The hope is that everyone will see that having 50 different regimes for privacy in the U.S. would be a bad idea. It would be costly, and it would be ineffective. So, if we could come to an agreement that regardless of what the privacy decisions are, there would be some sort of sensible minimum for implementing them, that would be enormously useful.
But we’re in a political moment where it’s very difficult to do big things and this is a big thing.
What are the most challenging aspects of managing cybersecurity?
One is that the attackers always have the advantage. They have advantages in time and resources and the fact that once you know how to break into something, it's easily shared, and it can often be weaponized.
So, even if you are a company like Microsoft that is extraordinarily good at security, you have a finite amount of time, resources, and creativity, but when it's out in the world every single person can begin to explore Windows to see if they can find a way in. Even once Microsoft learns about an attack, they’ll have to figure out how to fix it.
The people who are playing defense are always at a disadvantage. That’s an important piece.
A second challenge, and this is why we felt it was important to have an interdisciplinary approach, is that there are some quirks to the software market. For example, if you have a dominant platform, that platform becomes more and more valuable as more and more people use it, but that also increases the value of it to attackers. Another one is you can say we have industry-leading software in terms of security, but how do I know that’s true? That’s hard to verify and it’s hard to demonstrate.
This seems like an area where many organizations, from private corporations to government agencies, are still quite vulnerable. Is that the reality?
It is, and what we see is even sophisticated organizations are being hacked. Someone in the security community said, “It's not whether you have been hacked, it’s whether you know it or not.”
The second thing is that when we think about “hacks,” we’re using that as a shorthand for a wide variety of threats. On the one hand we have high school students who are learning computer programs for the first time and are trying to break into things. On the other hand, you have sophisticated nation-state actors who are capable of breaking into anything with enough time.
So, all organizations are vulnerable, it's really a question of relative risk. How much effort does it take? Because if you can make that effort high enough, it deters everybody except a nation-state adversary who is going to be very difficult to defeat in any case.
One thing we’ve started to learn through such things as data breach notification laws is that it has helpfully disillusioned all of us. We all thought we were safe, and we really aren’t.
Stories in the media about the latest cyber security breach are becoming increasingly common. From a public perspective, how should we feel about the integrity of our public and private information systems/networks today? How can the legal field help to repair any damage to public confidence?
Law has a valuable role, but it is a limited role. Typically, what we think of as law is either commands or penalties. You either have to do this, or if you fail to do something reasonable, then we’ll penalize you. We could do with more of that in cyber security. Because especially if you look at things like tort law, cyber security is essentially a free-fire zone: the usual rules of tort liability just don’t apply. If I’m running Windows at my dental practice and it crashes and I can’t get access to a patient’s record, I have no hope of suing Microsoft. That might make sense from a policy perspective, but it also might mean that we are getting the balance between software that might be innovative and software that is more secure wrong.
The second thing I think has been neglected in terms of cybersecurity research is, we spend an extraordinary amount of time, and so far with mixed success, thinking about preventing bad things from happening. We don’t spend much time thinking about how to recover from them or how to mitigate their effects. This concept of resilience, which is how do we create systems that are resilient to disruption, has not been studied enough.
The example that has gone around lately is ransomware. At least in theory, ransomware should never work because all organizations are supposed to back up their data. But it turns out that even organizations that do have backup policies rarely test them. And the ones that test them rarely test them under realistic conditions. And so, this seems like an area where law is perfect because we can put in place things like requirements for backups relatively easily. That’s a zone where if you have a market failure, where you have a negative externality, it’s a classic case for legal regulation.
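The point above, that a backup policy means little until a restore is actually tested against a known-good inventory, can be shown concretely. The following Python script is an added example for this page, not code from the book or from Professor Bambauer; it builds a small constructed data set, records a manifest of SHA-256 hashes while the data is trusted, takes a backup, and then verifies the backup by restoring it to a scratch directory and comparing hashes. The second scenario simulates the realistic failure mode: an attacker has already encrypted one file and deleted another before the nightly job runs, so the job "succeeds" while the archive is unusable. File names and the layout are assumptions for the demo.

```python
from __future__ import annotations

import hashlib
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file's contents (fine for a demo; stream for large files)."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def make_backup(root: Path, archive: Path) -> None:
    """Write a gzip tarball of root; this stands in for the nightly backup job."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(root, arcname=".")


def verify_restore(archive: Path, known_good: dict[str, str]) -> dict:
    """Restore the archive into a fresh directory and compare it to a
    known-good manifest. Returns what is missing, corrupted or unexpected.
    A restore that merely "completes" is not a passing test; the contents
    must match the inventory recorded while the data was trusted."""
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            # Use the hardened extraction filter where the interpreter has it
            # (Python 3.12+ and security backports); it rejects path traversal
            # and special files inside the archive.
            if hasattr(tarfile, "data_filter"):
                tar.extractall(scratch, filter="data")
            else:
                tar.extractall(scratch)
        restored = build_manifest(Path(scratch))

    missing = sorted(set(known_good) - set(restored))
    corrupted = sorted(
        name for name, digest in known_good.items()
        if name in restored and restored[name] != digest
    )
    extra = sorted(set(restored) - set(known_good))
    return {
        "ok": not missing and not corrupted,
        "missing": missing,
        "corrupted": corrupted,
        "extra": extra,
    }


def run_demo() -> dict[str, dict]:
    """Constructed scenario: a healthy backup, then a backup taken after an
    attacker has already damaged the source data (files are made up)."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        prod = work / "prod"
        (prod / "records").mkdir(parents=True)
        (prod / "records" / "patient-001.txt").write_text("known-good record\n")
        (prod / "records" / "patient-002.txt").write_text("another record\n")
        (prod / "schedule.csv").write_text("date,slot\n2024-01-01,09:00\n")

        # Inventory recorded while the data is trusted; this is what every
        # later restore test is judged against.
        known_good = build_manifest(prod)

        good = work / "backup-good.tgz"
        make_backup(prod, good)

        # Simulated incident: one file encrypted (replaced with random bytes),
        # one deleted, BEFORE the nightly job runs. The job itself still
        # exits cleanly, which is exactly why exit status is not a test.
        (prod / "records" / "patient-001.txt").write_bytes(os.urandom(32))
        (prod / "schedule.csv").unlink()
        bad = work / "backup-after-incident.tgz"
        make_backup(prod, bad)

        return {
            "good": verify_restore(good, known_good),
            "bad": verify_restore(bad, known_good),
        }


if __name__ == "__main__":
    for label, report in run_demo().items():
        print(label, report)
```

The healthy archive verifies cleanly; the post-incident archive reports `schedule.csv` as missing and `records/patient-001.txt` as corrupted, even though the backup job that produced it ran without error. In practice the known-good manifest should live somewhere the production host cannot overwrite, since a backup integrity check is only as trustworthy as the inventory it compares against.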
What do the next five years in cybersecurity law look like?
If we think about just in the U.S., I suspect what we’ll see starting to emerge is the beginnings of cybersecurity professionals.
I think what we’ll see both for lawyers and for engineers is the emergence of some sort of body of knowledge that if you can show you’ve absorbed it and are proficient with it, we will find a seal of approval that lets you go out and show the world that you’re a cybersecurity lawyer. That will be immensely valuable because that prevents the problem of people passing themselves off as experts when they’re not.
I think the other thing that we will start to see is nation-states very publicly using cybersecurity failures against one another, and what I suspect will emerge is either a formal or informal set of understandings about how that works.
Stealing each other's information is about as old a practice as there is, and nothing will ever stop espionage. I think that the worry is what happens if it moves beyond that into something that has physical effects in the real world. So, I suspect there will be a set of understandings about what is considered acceptable practice between sophisticated nation-state actors.
In some ways cyber security is a fractal, which is to say that at every level you see a pattern. And so, there are some things that someone who reads the book can’t control. You can’t control how the U.S. and China spy on each other, but you can find some of the same challenges in our own lives and I think that’s part of what we’re hoping to impart in the book. What can we do individually that makes us collectively more secure? Even things as basic as using a password manager or not re-using passwords. For each of us it’s a small thing to do, but collectively it makes us stronger. And that is the virtuous cycle as opposed to the vicious cycle.