International Trade Today is a Warren News publication.
Deference to Law Enforcement

Joint Federal Cybersecurity R&D Push Takes Up Carrier Freedom

BERKELEY, Calif. -- Loosening legal restrictions on carriers and other service providers to take cybersecurity actions is a study goal under a unified federal research and development effort, a Department of Homeland Security official said. Research into improving economic incentives -- one of three broad priorities that the administration has set for funding cybersecurity research -- will include consideration of how the Electronic Communications Privacy Act (ECPA) and other laws can be changed to give providers, broadly defined, increased protection from liability and wider freedom of action before they must defer to law enforcement, said Douglas Maughan, the official in charge of cybersecurity research at the department. He spoke late Wednesday at an event to publicize the broader effort for a federal research agenda and invite ideas from technologists. It was held by the federal National Coordinating Office for Networking and Information Technology Research and Development (NITRD) in connection with the IEEE Symposium on Security and Privacy.

A goal regarding incentives is to empower “cyberspace service providers (e.g., Internet Service Providers, Application Service Providers, registrars, registries, banks, countries, nation-states, etc.) to reduce abusive or criminal behavior and to provide the means to better defend services and systems against abuses and exploitation, while offering the appropriate legal/regulatory framework (e.g., exemptions, legal protection) and law enforcement support,” said recommendations last week by NITRD’s interagency working group on Cyber Security Information Assurance. One of the challenges is to decide “the scope of action allowed by service providers and the boundaries between service provider empowerment and law enforcement involvement, within the context of their global legal capacities and partnerships,” they said.

The R&D effort seeks answers about how “legal frameworks” should change “to allow service providers to be more active in the defense of their networks and systems,” Maughan said. He told us, “Some of these boundaries are pretty fuzzy and could use some specificity.” On the timing of law changes, Maughan said only, “We need to move pretty fast here. ... The bad guy’s ahead.” The question about changing ECPA already has been posed, because of the efforts of people such as Deirdre Mulligan, a professor at the University of California, Berkeley, concerning other points of the law, he said.

Another goal is figuring out incentives for vendors to develop and install good security solutions, Maughan said. The effort seeks to identify “opportunities to change government regulatory and acquisition laws” and guidance to vendors “for both safety and cyber security impacts,” the working group recommendations said. “We haven’t really specifically talked about” imposing liability for inadequate protections, Maughan told us. The incentives being pursued for vendors that develop or implement software could include sticks as well as carrots, he said. Proposals would be based on the creation of “a scientific framework to incentivize vendors of cyberspace-related technologies (e.g., encourage use of secure software engineering and analysis practices, software vulnerability detection, security incident forensics)” through federal purchasing, “regulation, and standards,” the recommendations said.

There’s discussion in the Obama administration of getting government representatives more involved in the work of standards groups, said Patricia Muoio of the Office of the Director of National Intelligence. It might make sense to get help from academics in that work, she said. Other goals concerning incentives involve figuring out what personal data includes and who can be held accountable for handling it, what information collection about cyberspace is legal and ethical, and how to protect the data and distribute it to those who need it, Maughan said. “We don’t have data that would actually allow someone to provide cyberinsurance,” he said.

The government is trying to make information about attacks on its systems available to researchers whenever it can, said Carl Landwehr of the National Science Foundation. But “the data about attacks in many cases includes a lot of other data that’s sensitive,” he said. The foundation is funding efforts to anonymize the sensitive information, but “we should be having an infrastructure that separates that data in the first place,” he said.

Incentives for cybersecurity were one of three themes chosen as priorities for R&D funding from the National Cyber Leap Year effort in 2009, said Jeannette Wing of the National Science Foundation, which she called “one of the biggest investors in NITRD.” Also chosen as “Game-Change Research and Development” recommendations are efforts called “Moving Target,” for technologies to increase uncertainty, complexity and diversity of targets for attackers, and “Tailored Trustworthy Spaces,” to develop infrastructure to accommodate the large differences in security considerations for various activities on the Internet.

Wing encouraged researchers to take part in a forum about the effort, http://cybersecurity.nitrd.gov. So did Aneesh Chopra, the federal chief technology officer, and Howard Schmidt, the White House cybersecurity coordinator, on the Office of Science and Technology Policy blog: “Also, stay tuned as we will be looking for your advice on how to continue the game-change process to stay ahead of those who would abuse the system.” A formal comment period ends June 18.