Privacy and Security a Pedagogic Cybersecurity Framework a Proposal for Teaching the Organizational, Legal, and International Aspects of Cybersecurity

viewpoints

DOI:10.1145/3267354 Peter Swire V• Carl Landwehr, Column Editor Privacy and Security A Pedagogic Cybersecurity Framework A proposal for teaching the organizational, legal, and international aspects of cybersecurity.

“ EAL” CYBERSECURITY TODAY devotes enormous effort to non-code vulnerabilities and responses. The Cybersecu- rity Workforce Frameworka Rof the National Initiative for Cyberse- curity Education lists 33 specialty areas for cybersecurity jobs. Ten of the specialty areas primarily involve cod- ing, but more than half primarily involve non-code work (15 areas, in my estimate) or are mixed (eight areas, per my assessment). This column proposes a Pedagogic Cybersecurity Framework (PCF) for categorizing and teaching the jumble of non-code yet vital cybersecurity topics. From my experience teaching cybersecurity to computer science and other majors at Georgia Tech, the PCF clarifies how the var- ied pieces in a multidisciplinary cybersecurity course fit together. The framework organizes the subjects that have not been included in traditional cybersecurity courses, but instead address cybersecurity management, policy, law, and international affairs. The PCF adds layers beyond the the “user layer.”b The framework pro- framework would benefit cybersecuri- traditional seven layers in the Open posed here adds three layers—layer ty students, instructors, researchers, Systems Interconnection model 8 is organizations, layer 9 is govern- and practitioners. Layers 8–10 clas- (“OSI model” or “OSI stack”). Previ- ments, and layer 10 is international. sify vulnerabilities and mitigations ous writers have acknowledged the This column explains how the new that are frequently studied by non- possibility of a layer or layers beyond computer scientists, but are also seven, most commonly calling layer 8 b Varying previous definitions of higher critical for a holistic understand- layers of the OSI Model are available at ing of the cybersecurity ecosystem by

IMAGE BY UNCONVENTIONAL BY IMAGE a https://bit.ly/2McPRB3 https://en.wikipedia.org/wiki/Layer_8. computing professionals.

OCTOBER 2018 | VOL. 61 | NO. 10 | COMMUNICATIONS OF THE ACM 23 viewpoints

Table 1. Vulnerabilities at each layer of the expanded OSI stack. The Abstraction Layers of the OSI Model As discussed in the column, for layers 8–10, “A” refers to vulnerabilities The PCF builds on the Open Systems and risk mitigation arising within the organization or nation; “B” refers Interconnection model (OSI) stack fa- to vulnerability and risk mitigation in relation with other actors at that miliar to most computer scientists. It level; and “C” refers to other limits created by actors at that level. treats the stack primarily as a concep- Layer Vulnerability tual framework for organizing how we 1. Physical Cut the wire; stress equipment; wiretap understand computing systems, par- ticularly in the security domain. The 2. Data link Add noise or delay (threatens availability) OSI model describes abstraction layers 3. Network DNS and BGP attacks; false certificates that enable the student or practitioner 4. Transport Man in the middle to focus on where a problem may exist, such as the physical, network, or 5. Session Session splicing (Firesheep); MS SMB application layer. While retaining the 6. Presentation Attacks on encryption; ASN-1 parser attack abstraction layers from the OSI model, 7. Application Malware; manual exploitation of vulnerabilities; SQL injection; buffer overflow the PCF does not emphasize the role

8. Organization A: Insider attacks; poor training or policies of the OSI model as a standardizing B: Sub-contractors with weak cybersecurity; lack of information sharing model. Instead, it broadens students’ C: Weak technical or organizational standards understanding by focusing attention 9. Government A: Laws prohibiting effective cybersecurity (for example, limits on encryption); on the critical domains that introduce weak laws for IoT or other security well-documented and well-understood B: Badly drafted cybercrime laws (for example, prohibiting security research) C: Excessive government surveillance risks from management, government, and international affairs. I provide 10. International A: Nation-state cyberattacks B: Lack of workable international agreements to limit cyberattacks supplemental materials online that C: Supranational legal rules that weaken cybersecurity further discuss the relationship of the (for example, some International Telecommunications Union proposals) PCF to the OSI model and expand other points made in this column.c As a conceptual framework for understanding computer systems, the Table 2. The pedagogic cybersecurity framework. seven traditional layers apply intuitively to cybersecurity risks, as discussed A: Risk Mitigation by Glenn Surman in his 2002 article Layer of the Within an Expanded OSI Organization or B: Relations with C: Other Limits Protocol “Understanding Security Using the OSI Stack Nation Other Actors from This Level Data Unit Model.”2 Surman concluded: “The most 8: Organization 8A: Internal 8B: Vulnerability 8C: Standards and Contracts critical thing you should take from this policies or plans management in limits originating paper is that for every layer there are at- of action to reduce contracts with from the private tacks being created, or attacks awaiting risk within an other entities, sector (for organization (for like vendors (for example, PCI DSS activation as a result of poor defence.” example, incident example, cyber- standard, led by Bob Blakley from Citicorp assisted with response plans). insurance). the PCI Cyber these illustrations of vulnerabilities Security Standards that exist at each of the seven layers, Council). and I have added vulnerabilities exist- 9: Government 9A: Laws that 9B: Laws that 9C: Government Laws ing at layers 8, 9, and 10. govern what an govern how limits on its individual or organizations own actions (for As a way to introduce layers 8 through organization can and individuals example, Fourth 10, each horizontal layer highlights im- or must do (for interact (for Amendment, portant types of cybersecurity vulner- example, HIPAA example, limits on illegal abilities. At layer 8, organizations face Security Rule). Computer Fraud searches). and Abuse Act). a wide range of cyber-risks, and take many actions to mitigate such risks. At 10: International 10A: Unilateral 10B: Formal 10C: Limits on Diplomacy actions by one and informal nations that layer 9, governments enact and enforce government relationship come from laws—good laws can reduce cyberse- directed at one management with other nations curity risks, while bad laws can make or more other other nations (for example, the nations (for (for example, United Nations and them worse. At layer 10, the interna- example, U.S. the Budapest international law). tional realm, no one nation can impose Cyber Command Convention’s its laws, but treaties or discussions with launching a provisions about Russia and China, for instance, may im- cyberattack on a cybercrime and hostile nation). Mutual Legal prove cybersecurity. As shown in Table Assistance). c Supplementary materials on the framework are available at https://bit.ly/2MJCrZq

24 COMMUNICATIONS OF THE ACM | OCTOBER 2018 | VOL. 61 | NO. 10 viewpoints

1, the vulnerabilities in these new layers applies to governments writing and are further organized by institutional enforcing laws about cybersecurity. form—whether the vulnerability arises I have often Layer 10 applies where there is no within the organization (or nation), encountered government to issue laws. Study of between organizations (or nations), or layer 10 thus includes both state from other institutions at that layer. practitioners and non-state actors that have In addition to categorizing vulner- (and researchers) transborder effects. abilities, the PCF builds on another In the matrix, each of the three col- aspect of the OSI model, the “protocol who believe “real” umns refines the sorts of institutions data unit,” such as bits for the physi- cybersecurity making the decisions. For each layer, cal layer, packets for the network layer, column A contains issues arising and data for the application and other involves writing code. within the institution—the organiza- top layers. These protocol data units tion or nation. Each “issue” identifies “describe the rules that control hori- cyber vulnerabilities or mitigating zontal communications,” within a sin- activities. Column B contains issues gle layer of the OSI stack.d defined by relations with other actors At layer 8, for organizations, I sug- The 3x3 Institutional Matrix at that level. Column C contains issues gest the controlling rules come from Universities have traditionally studied where other limits arise from actors at contracts. The much-cited law and eco- the three non-code layers in different the same layer of the stack. nomics scholars Jensen and Meckling departments. In general, business This three-column approach be- have defined corporations as a “nexus schools focus on managing compa- comes clearer as applied to layer 8, the of contracts.”1 Contracts are the gover- nies and other organizations. Law organizational layer. Column A in- nance structure for relations between schools are the experts in law. Inter- cludes cybersecurity activities within corporations, such as data-use agree- national relations programs study a single organization. A company (or ments between an organization and international affairs. These different other organization that faces cyber- its contractors. Less intuitively for non- university departments are organized security attacks) takes numerous ac- lawyers, contracts also govern arrange- based on the institutions they primar- tions to reduce cyber-risk. It develops ments within a corporation, governing ily study: companies, laws, and trans- incident response plans and other the roles and actions of the board of national institutions. internal policies, and trains its em- directors, management, and employ- By contrast, my experience is that ployees. One way to conceptualize cell ees. Contracts are thus the protocol computer scientists often group all 8A is to think of the responsibilities of data unit for layer 8, providing the rules of these issues into the general term a CISO in managing cyber-risk within within that layer. “policy.” Traditionally in computer the organization. At layer 9, the controlling rules science, this soft realm of “policy” is Column B in layer 8 (cell 8B) con- for government—the protocol data the generic term for everything not cerns the organization’s relations with units—are laws. Governments enact expressed in machine language. But other actors. First, a company creates and enforce laws, requiring actions public policy departments do not data-use agreements and other con- from the organizations within the gov- intensively cover all aspects of man- tracts with vendors and other entities. ernment’s jurisdiction. The interna- agement, law, and international re- Flawed management of these rela- tional realm of layer 10 operates where lations, so the computer science use tions can expose a company to risk, no binding law applies. Actors at layer of “policy” creates confusion for the such as if it hires a subcontractor to 10 interact through diplomacy (or lack other departments that increasingly manage systems or data and the con- of diplomacy), such as negotiating a teach and research on cybersecurity. tractor does so badly. Another much- cyber-related treaty, and sometimes The proposed framework matches the discussed aspect of cybersecurity is through declared or undeclared war. typical departmental organization in information sharing between organi- Put another way, the traditional universities, and provides a visual rep- zations, such as through an Informa- seven layers concern protocols ex- resentation of the key dimensions for tion Sharing and Analysis Center. pressed in machine language; layers what computer scientists have often The third column, cell 8C, concerns 8 to 10 concern protocols (contracts, simply called “policy.” other limits that originate in the pri- laws, diplomacy) expressed in natural As an additional way to organize vate sector. The PCI DSS standard is a language. The layers operate in a way the many non-code cybersecurity- well-known example, governing secu- familiar from the OSI stack: organiza- concerns, the PCF employs a 3x3 ma- rity at the point of sale. This standard tions at layer 8 select the applications trix that refines which institutions has a powerful effect on the cyberse- at layer 7. Governments at layer 9 set are involved in each area of cyber- curity of millions of merchants. The laws to govern organizations. Actions vulnerability or response. Table 2 contractual standard originates in the at layer 10 affect the governments at portrays the matrix. In Figure 2, each private sector, led by the PCI Security layer 9, and apply when no single gov- layer (row) is defined by the institu- Standards Council. If the standard is ernment can set the law. tions that make decisions affecting designed and implemented well, then cybersecurity. Layer 8 applies to orga- cybersecurity improves; if done badly, d https://bit.ly/2x40Aoj nizations facing cyberattacks. Layer 9 cyber-risks and costs increase.

OCTOBER 2018 | VOL. 61 | NO. 10 | COMMUNICATIONS OF THE ACM 25 viewpoints

Looking at layer 8 as a whole, the and management issues of how to de- simple point is that overall cybersecu- sign and manage cybersecurity con- rity significantly depends on how well The PCF provides a tracts: How should cybersecurity be an organization handles risk within its parsimonious way to treated in outsourcing or insurance organization (8A), its contracts and re- contracts? Cell 9A concerns legal and lations with other actors (8B), and stan- identify and develop a political science issues of how laws dards and norms that come from the response to a growing get drafted and implemented. Cell private sector (8C). 10C calls on international relations Governments, for purposes of the number of non-code expertise to discuss the role of supra- PCF, create laws. Cell 9A contains cybersecurity risks. national institutions. Few individuals laws that govern what an individual are expert in all of this literature. Re- or organization can do. For instance, searchers can develop an issue list for using U.S. examples for illustration, each cell, along with canonical read- the HIPAA Security Rule sets require- ings to assign in general examinations. ments for medical providers. As a dif- For cybersecurity practitioners, I ferent example, consider legislation as the Budapest Convention’s provi- have often encountered practitioners that would prohibit the use of strong sions about cybercrime and Mutual (and researchers) who believe “real” encryption or require a backdoor. I Legal Assistance. More generally, cell cybersecurity involves writing code, have opposed such legislation, but it 10B applies to the range of possible perhaps with some vague acknowl- illustrates how a government law, ap- cooperation with other nations on cy- edgment of the need for “interdisci- plying to each organization, can affect berattack or defense. plinary” study. The sheer volume of cybersecurity risk. Finally, cell 10C applies to limits on issues identified in the 3x3 matrix Cell 9B contains laws that govern nations that come from other nations. emphasizes the growing significance how organizations and individuals For instance, some countries have of non-code issues—bad decisions in interact. Some of the HIPAA require- proposed to set cybersecurity rules any part of the matrix can negatively ments fit here, such as the business through the International Telecom- affect cybersecurity. As with the ex- associate requirements of HIPAA that munications Union, associated with isting seven layers of the stack, orga- govern contracts with outside parties. the United Nations. If such rules are nizations can identify their vulner- An important example in cell 9B is the implemented, then supranational laws abilities by systematically examining Computer Fraud and Abuse Act, the could govern cyber actions that have layers 8 to 10. Organizations can then anti-hacking law that defines when it transborder effects. better identify and mobilize expertise is criminal to access computer systems for these non-code cyber issues. without authorization. Applying the Framework In sum, the PCF provides a parsi- Whereas cells 9A and 9B primar- Adding layers 8, 9, and 10 to the OSI monious way to identify and develop ily concern government laws affect- stack in the PCF brings important ad- a response to the growing number ing the private sector, cell 9C applies vantages to the study and practice of of non-code cybersecurity risks. The to government limits on govern- cybersecurity. I have personally expe- 3x3 matrix visually categorizes and ment action. The limit on illegal rienced the framework’s usefulness in communicates the range of non-code searches in the Fourth Amendment teaching cybersecurity at my own insti- cybersecurity issues. No longer can is one example. More broadly, cell tution: my cybersecurity classes cover “real” cybersecurity refer only to tech- 9C concerns the controversial topic every topic mentioned in this column. nical measures. Instead, a large and of government surveillance. Sur- The PCF provides students with invalu- growing amount of cyber-risk arises veillance sometimes aids security, able context for how all the issues fit from problems at layers 8, 9, and 10. such as when a criminal is detected, together, to ensure they understand Extending the stack to these 10 layers and sometimes hurts security, such the “big picture.” The framework also results in an effective mental model as when government actions create clarifies the scope of a cyber-curricu- for identifying and mitigating the full backdoors or other vulnerabilities. lum. Some classes, for instance, focus range of these risks. The international layer applies to ac- primarily on how a CISO or company tions taken within one nation that are should manage a company’s risks References 1. Jensen, M.C. and Meckling, W.H. Theory of the firm: intended to have cyber effects in other (layer 8). Others are mostly about in- Managerial behavior, agency costs and ownership structure. Journal of Financial Economics 3, 4 (Oct. nations. Cell 10A concerns unilateral ternational affairs (layer 10), perhaps 1976), 305-360. actions by one government, such as with discussion of national cyberse- 2. Surman, G. Understanding security using the OSI model. GSEC Practical Version 1.3 (Mar. 29, 2002); the U.S. The government, for instance, curity laws (cell 9A). The PCF enables https://bit.ly/2BaJGrV. may decide that U.S. Cyber Command program directors and students to con-

should launch a cyberattack on a hos- cisely describe the coverage of a cyber- Peter Swire ([email protected]) is the tile nation. security class or curriculum. Elizabeth & Tommy Holder Chair of Law and Ethics in the Scheller College of Business and Associate Director for Cell 10B involves relations with The 3x3 matrix clarifies a research Policy in the Institute for Information Security and Privacy other nations, which is the main task agenda for those seeking to identify at Georgia Institute of Technology in Atlanta, GA, USA. of diplomacy. There are formal trea- and mitigate non-code cyber prob- ties that affect cybersecurity, such lems. For example, cell 8B raises legal Copyright held by author.

26 COMMUNICATIONS OF THE ACM | OCTOBER 2018 | VOL. 61 | NO. 10