Redefining Cybersecurity Policy: An Interdisciplinary Approach to Addressing Systemic Failures

Date(s) - 11/04/2016
12:00 pm - 1:00 pm

Manning Hall, UNC School of Information and Library Science

On November 4, the Center will be joining with the UNC School of Information and Library Science (SILS) to present a talk by internationally-recognized cybersecurity law and policy expert Dr. David Thaw.  Thaw’s talk, titled “Redefining Cybersecurity Policy: An Interdisciplinary Approach to Addressing Systemic Failures,” will take place at 12:00 p.m. in Manning Hall, Room 208. For more information, please visit the SILS website.

Notwithstanding substantial attention in recent years to cybersecurity issues, the overwhelming volume of public discourse suggests a widespread belief that society is failing at protecting information and computing assets.  Theories for this failure vary widely, ranging from operational misfeasance to attacker superiority.  The response to these incidents usually faults the failure to implement some solution X, where X is a constantly shifting variable specific to a given context.  Yet after years of policy and technological experiments integrating these retrospective, “checklist compliance” approaches, attacks still occur with alarming frequency.  Traditional explanations of cybersecurity failures, seeking a technological “silver bullet” or rigid “lockdown” of systems, remain unsatisfying when very sophisticated and mature organizations continue to be compromised.

Cybersecurity is a broadly-used yet poorly-defined term.  References to terms such as “cyber,” “privacy,” “data protection,” and “computer/network security” in the context of discussions about “cybersecurity” further complicate scoping the problem.  This project proposes a risk management-based framing of cybersecurity which differentiates it among these concepts and contextualizes it within existing legal and policy frameworks.

Cybersecurity failings — and solutions — are systemic in a policymaking sense.  Current policy frameworks treat cybersecurity as an exercise in risk prevention, overwhelmingly focusing on checklists of “good” security practices.  This viewpoint pervades all levels of policy, influencing cyber hygiene recommendations to individuals, driving organizations’ security practices, and even being codified in regulatory and statutory frameworks.  Such an approach results in policies oriented toward “checklist compliance,” where security measures are a function of implementing specific steps.  Yet this choice fundamentally misunderstands the concept of security, which involves a process of risk management that balances the costs of mitigation techniques against the costs of compromise.  Furthermore, specifying exactly what is done also implicitly specifies what is not done, effectively providing attackers with a list of potential attack vectors.  Directive regulation and checklist-driven models of compliance are ill-suited to the heterogeneous nature of complex systems and the low-transaction cost nature of cybersecurity attacks.

This talk discusses the success of previous risk management-based frameworks and argues for reframing cybersecurity policymaking using flexible regulatory solutions based on empirical evidence. Empirical study of attacker methodology helps overcome the limits of applying theoretical models “in the wild.” Flexible regulatory approaches are better-suited to the heterogeneous nature of modern information systems and the interdisciplinary nature of systems involving human usage. The interdisciplinary nature of cybersecurity, both in policy and in implementation, helps explain the limitations of prior policy approaches. A comprehensive interdisciplinary approach to policymaking, therefore, is not only superior to existing approaches but also necessary for success, ensuring that cybersecurity policy does not inadvertently provide adversaries a roadmap for attack.

David Thaw is an Assistant Professor of Law and Information Sciences at the University of Pittsburgh and an Affiliated Fellow of the Information Society Project at Yale Law School. An internationally-recognized expert on cybersecurity law and policy, David’s work uses computing and information empirical methods to understand the nature and character of cybersecurity risks.  He uses scientific data in his legal and policy scholarship to examine how regulatory frameworks drive cybersecurity practices “on the ground.”  David’s other areas of research include privacy, cybercrime, legal issues of cyberwarfare, and administrative law and regulatory theory.

Prior to joining the Pitt faculty, David taught at the University of Connecticut and the University of Maryland. He also practiced cybersecurity and privacy regulatory law at Hogan Lovells (formerly Hogan & Hartson) and was previously a Postdoctoral Fellow at Yale Law School. David holds a Ph.D. from UC Berkeley’s School of Information, a J.D. from Berkeley Law, an M.A. in Political Science from UC Berkeley, and a B.S. in Computer Science and a B.A. in Government & Politics from the University of Maryland.
