PROACTIVE CYBERSECURITY: A COMPARATIVE INDUSTRY AND REGULATORY ANALYSIS Amanda N. Craig, JD*, Scott J. Shackelford, JD, PhD**, & Janine S. Hiller, JD*** ABSTRACT This Article analyzes recent business realities and regulatory trends shaping the proactive cybersecurity industry. To provide a framework for our discussion, we begin by describing the historical development of the industry and how it has been shaped by the applicable law in the United States and other G8 nations. We then catalogue the proactive cybersecurity practices of more than twenty companies, focusing on four case studies that we consider in the context of polycentric “global security assemblages.” Finally, we assess the emergence of proactive cybersecurity norms, both within industry and international law, and consider the implications of this movement on contemporary Internet governance debates about the role of the public and private sectors in regulating cyberspace. Ultimately, we maintain that proactive cybersecurity, especially if pursued with improved legal clarity and global cooperation, demonstrates an opportunity for polycentric partnerships to result in better protected IT assets. 1 Electronic copy available at: http://ssrn.com/abstract=2573787 TABLE OF CONTENTS INTRODUCTION ................................................................................................................................................. 3 I. A SHORT HISTORY OF PROACTIVE CYBERSECURITY: CONCEPTS, IMPLEMENTATION, AND LEGALITY ....................................................................................................... 8 A. THE EVOLUTION OF ACTIVE CYBER DEFENSE ....................................................................................................... 9 B. LEGAL UNCERTAINTY AND THE COMPUTER FRAUD AND ABUSE ACT ........................................................... 11 C. A COMPARATIVE ANALYSIS OF PROACTIVE CYBERSECURITY REGULATION ................................................ 13 1. In-Depth Comparative Case Study: Comparing the U.S. and UK Experiences with Proactive Cybersecurity ........................................................................................................................................................................ 14 2. Regulating “Unauthorized Access” Across the G8 ...................................................................................... 18 3. Understanding Singapore’s New Approach .................................................................................................... 22 D. THE PRIVATE SECTOR PUSHES FORWARD: A NEW ERA IN PROACTIVE CYBERSECURITY ....................... 25 II. THE PRIVATE SECTOR PROACTIVELY DEFENDS .................................................................. 29 B. SURVEY OF THE PROACTIVE CYBERSECURITY INDUSTRY ................................................................................. 32 C. ENTER CROWDSTRIKE ................................................................................................................................................ 35 D. FOCUSING ON FIREEYE ............................................................................................................................................. 36 E. HATCHING HAWKEYE ................................................................................................................................................. 38 F. STARTING STRONGARM .......................................................................................................................................... 39 G. SUMMARY ...................................................................................................................................................................... 43 III. GOVERNANCE TRENDS IN INTELLIGENCE-DRIVEN ACTIVE DEFENSE ................... 43 A. THE GROWTH OF POLYCENTRIC CYBERSECURITY ASSEMBLAGES ................................................................. 44 B. THE INTERSECTION OF PROACTIVE CYBERSECURITY AND INTERNET GOVERNANCE ................................ 47 C. AN EMERGING NORM OF PROACTIVE CYBERSECURITY? ................................................................................. 51 D. SUMMARY AND IMPLICATIONS FOR BUSINESSES AND POLICYMAKERS ......................................................... 54 CONCLUSION .................................................................................................................................................... 55 APPENDIX A: SAMPLE OF NON-G8 NATIONAL ACTIVE CYBER DEFENSE LAWS ............. 56 APPENDIX B: “PROACTIVE” CYBERSECURITY PRODUCTS AND SERVICES INDUSTRY MATRIX ............................................................................................................................................................... 61 2 Electronic copy available at: http://ssrn.com/abstract=2573787 INTRODUCTION In January 2015, as Sony Pictures struggled to revive its computer network after The Interview reportedly prompted a massive hack,1 cybersecurity firm FireEye demonstrated that the sorts of breaches that Sony experienced likely are not preventable with conventional network defenses.2 Indeed, while experts said that “Sony’s reputation is suffering” due to the hack, they also agreed that Sony “is hardly the only company at risk . .”3 Rather, FireEye likens traditional network defense tools, on which Fortune 500 companies spent much of their $71 billion information technology (“IT”) security budgets in 2014,4 as something akin to France’s pre-World War II “Maginot Line”—good in theory, but relatively easy to bypass in practice.5 Recent news headlines may seem evidence enough, as Target, Home Depot, and J.P Morgan Chase all announced major breaches in 2014.6 But FireEye’s January 2015 report goes much further, noting that a whopping 96 percent of the 1,600 computer networks that it monitored—from behind traditional network defenses—were breached in 2014.7 As such, FireEye argues, “organizations must consider a new approach to securing their IT assets . [they] can’t afford to The authors wish to thank Professors Amy Zegart, Larry Kramer, and Tiny Cuellar for their invaluable comments on this Article, as well as the research support of Scott Russell and Jonathan Brown. Scott in particular took the lead in developing the UK and Singapore case studies, for which we are indebted to him. The views expressed in this article are solely those of the authors and do not necessarily represent or reflect the position of Microsoft Corp. * Senior Cybersecurity Strategist, Microsoft Corporation. Disclaimer: The views expressed in this article are solely those of the author and do not necessarily represent or reflect the position of Microsoft Corporation. ** Assistant Professor of Business Law and Ethics, Indiana University; W. Glenn Campbell and Rita Ricardo- Campbell National Fellow, Stanford University. *** Professor of Business Law, Richard E. Sorensen Professor in Finance, Pamplin College of Business, Virginia Tech. 1 Thomas Halleck, Sony Corporation: Network is Still Down Following ‘The Interview’ Hack, INT’L BUS. TIMES (Jan. 8, 2015), http://www.ibtimes.com/sony-corporation-network-still-down-following-interview-hack-1778344; Dara Kerr and Roger Cheng, Sony CEO: We were the victim of a vicious and malicious hack, CNET (Jan. 5, 2015), http://www.cnet.com/news/sony-announces/. 2 Maginot Revisited: More Real-World Results from Real-World Tests, FIREEYE (2015), https://www2.fireeye.com/rs/fireye/images/rpt-maginot-revisited.pdf [hereinafter Maginot Revisited (2015)]. 3 John Guadiosi, Why Sony Didn’t Learn From its 2011 Hack, FORTUNE (Dec. 24, 2014), http://fortune.com/2014/12/24/why-sony-didnt-learn-from-its-2011-hack/. 4 Seth Rosenblatt, Modern Security Tactics Fail to Protect Against Malware, Study Finds, CNET (Jan. 8, 2015), http://www.cnet.com/news/modern-security-tactics-fail-to-protect-against-malware-new-study-finds/. 5 Maginot Revisited (2015), supra note 2; CYBERSECURITY’S MAGINOT LINE: A REAL-WORLD ASSESSMENT OF THE DEFENSE-IN-DEPTH MODEL, FIREEYE (2014), http://www2.fireeye.com/rs/fireye/images/fireeye-real-world- assessment.pdf. France created the Maginot Line during World War II to impede Nazi Germany’s invasion, but German forces bypassed the Maginot Line and invaded France from Belgium. See MARC ROMANYCH ET AL., MAGINOT LINE 1940: BATTLES ON THE FRENCH FRONTIER 27 (2012). 6 Sharon Tobias, 2014: The Year in Cyberattacks, NEWSWEEK (Dec. 31, 2014), http://www.newsweek.com/2014- year-cyber-attacks-295876. 7 Maginot Revisited, supra note 2, at 3. 3 passively wait for attacks. Instead, they should take a lean-forward approach that actively hunts for new and unseen threats.”8 But what constitutes a lean-forward approach, and why are more organizations not already taking one? The emerging field of proactive cybersecurity is complex, encompassing a range of activities also referred to as “active defense.” While “hacking back” is often a highly visible point of contention when discussing the role of private sector active defense,9 it is just one facet of the larger proactive cybersecurity movement, which includes technological best practices ranging from real-time analytics to cybersecurity audits promoting built-in resilience.10 Along with confusion about the range of activities that could be considered forward-leaning proactive cybersecurity, there remains ambiguity regarding the legality of some active defense techniques, including not only “hack back” but also “honeypots” and information sharing, two methods that have even been acknowledged
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages63 Page
-
File Size-