Toward a Culture of Cybersecurity Research
Aaron Burstein
TRUST & ACCURATE Research Fellow
Samuelson Clinic & BCLT, Boalt Hall
UC Berkeley
Overview
• Why cybersecurity matters
• Why cybersecurity is a hard problem, and why research is crucial
• How communications privacy law inhibits research
• A better balance between privacy and cybersecurity
Why Cybersecurity Matters
• Attacks target infrastructure
  – Internet is the “nervous system”
  – Transportation, energy, water, banking connected by Internet
  – Example: Massive cyber attack against Estonia, May 2007
• Potential for devastation is growing
  – Pervasive networked devices (think home thermostats and building materials)
Why Cybersecurity Is Hard
• Attacks are cheap and easily disguised.
[Figure: A “distributed denial of service” attack. Labels: Attacker; ISP 1; ISP 2; ISP 3; Victim (e.g., military system or small country)]
• It’s hard to distinguish innocuous from malicious traffic until it’s too late due to lack of coordination.
• Defense involves many open research questions.
Tension Between Privacy and Research
• Electronic Communications Privacy Act (ECPA) regulates acquisition, disclosure
• Scenario: UC Berkeley researcher seeks network logs (IP addresses only) from commercial ISPs.
  – ISP voluntary disclosures regulated by ECPA
  – Addressing info and contents (e.g., e-mail bodies) protected under ECPA
  – Stored record disclosure vs. “real-time” interceptions
  – Disclosures to a “governmental entity” (UC Berkeley) more restricted
  – Consent is unworkable
  – No research exceptions
ECPA almost certainly bars disclosure
We need a cybersecurity research exception to the ECPA.
Properties of a Research Exception
• Tailored
  – For research only
  – Excludes law enforcement access
• Comprehensive
  – Applies to communications contents and real-time interception
• Protective
  – Prohibits further disclosures (voluntary or compelled)
• Controlled
  – Institutional review is integral
Would a Research Exception Work?
• Legislative action would give legitimacy to uses of data that are already analyzed, collected
• Exception would allow efficient data-sharing institutions to develop
• Exception’s institutional framework could extend to diverse data types (not just communications, e.g. passwords)
Conclusion
• Coordinated threats are potentially devastating.
• Urgent need for more coordinated defenses
• ECPA reform needed to make this happen