Just what is the cybersecurity “standard of care”?
In the medical sector, “standard of care” refers to the level at which an average, prudent provider in a given community would practice; but, in the cybersecurity sector, “the short answer is, we don’t really have one,” said April Doss, partner and chair of cybersecurity and privacy practice at law firm of Saul Ewing, as well as former associate general counsel for Intelligence Law at the National Security Agency (NSA).
“Medical malpractice lawsuits have been going on for so long, there is a set of doctrine for what leads to legal liability,” she said. “In cybersecurity, we really don’t have that.”
Doss spoke at a Feb. 23 forum organized by the Howard Tech Council (HTC) and held at the Universities Space Research Association (USRA), in Columbia. At the heart of Doss’s candid discussion of policies and trends was the premise that cybersecurity is a concern for nearly any businessperson these days, not just encryption wonks.
Bearing out her theory, the audience was composed of cybersecurity providers, but also federal workers, information technology employees, entrepreneurs, financial service executives, commercial real estate brokers, lawyers and others, most of whom were curious — if not downright concerned — about cybersecurity.
When one adds the recent media focus on cybersecurity, due in part to the political impact of the 2016 Democratic National Committee email leak and to national security adviser Michael Flynn stepping down after less than a month on the job, many people have cybersecurity on their minds more than ever.
The Task Force
On Jan. 12, President Donald Trump announced that former New York City Mayor Rudy Giuliani would serve as a cybersecurity adviser for the incoming administration. At that time, Trump’s transition team, in a statement, indicated Giuliani would coordinate a series of meetings to obtain information about the private sector’s challenges in warding off hacking threats and cyberintrusions.
Since, Doss said, “now it’s been twice that draft versions of an executive order (related to cybersecurity) have been leaked out and pulled back.”
While the draft executive orders call for cooperation between the government and the private sector, they have not included any discussion of any norms around cyberwarfare or cyberattacks, Doss said, whereas “the previous administration was trying to get some consensus around what international law should be.”
Writing cybersecurity laws is complicated by the seemingly simple fact that electrons travel the globe in a nongeographically bound way.
“If a government, U.S. or Russian or wherever, is doing intelligence gathering, when does it cross the line and become an actual intrusion into sovereign territory?” Doss queried. “If soldiers crossed into the border of Iran, that would be considered an act of war. But if you do it at a desktop, is that considered an act of provocation?”
So far, Trump’s executive orders related to cybersecurity don’t try to tackle a set of international norms on this issue. “That will still be happening,” said Doss, “but it doesn’t seem to be a priority of this administration.”
Section 702
Policy debates concerning whether our nation is striking the right balance between privacy and security are heating back up because certain cybersecurity laws are set to expire in December.
Section 702 of the Foreign Intelligence Surveillance Act, passed in 2008, facilitates the acquisition of foreign intelligence information concerning non-U.S. persons located outside the United States, creating a new, more streamlined procedure to collect the communications of foreign terrorists.
The law was created during the post-9/11 era, when many in the intelligence community believed they didn’t have the necessary agility to collect information on terrorists. It’s set to expire in December.
“Congress is looking at whether or not, in today’s world, as a nation we think this strikes the right balance,” said Doss. “Is it too easy to collect information under 702? Should it be harder?”
Since 2013, when former NSA contractor employee Edward Snowden leaked documents about the agency’s surveillance methods, the nation has seen what Doss described as “this huge backlash that we need better privacy of individual people’s data.”
The conversation around whether to reauthorize 702 sees a heavy crossover between general privacy and cybersecurity — and it’s hard to tell which tide will win out.
Complex Questions
While keeping one eye on cybersecurity regulations, many local companies keep moving forward with technology that requires working remotely in a high-security environment.
At the USRA, Jason Matthews, facilities manager, said he has been able to host several IT-related meetings at its Columbia headquarters and “get to know our neighbors.”
In the course of the conversation at the USRA, many questions had, as of yet, no real answers: How can we legislate to the technology when technology moves so fast? How can we ensure our customers believe their information is secure? Are we striking the right balance between privacy and protection?
But businesspeople drew a sense of camaraderie that crossed sectors and levels of experience as they acknowledged that, while they’re unsure of what cybersecurity policy will hold, at least they can be uncertain together.
Brian Dykstra, president and CEO of Atlantic Data Forensics, said, “It’s an ever-changing environment.”
Tracy Turner, director of the HTC, smilingly agreed. “When we get together and talk like this, I always feel smarter. I’m not sure I feel safer, but I do feel smarter.”