Thursday, 21 May 2015

DOJ Guidance on Cybersecurity Carrots and Sticks

In a speech yesterday to the annual Cybersecurity Law Institute, Assistant Attorney General Leslie Caldwell showed how far the Department of Justice has come in its dealings with the private sector on cybersecurity. Caldwell praised public-private collaboration on issues like botnet takedowns and highlighted recent outreach the DOJ’s Cybersecurity Unit has done to private sector groups. In particular, one recent event, cohosted by the Center for Strategic and International Studies, involved a discussion with security experts about “active defenses” deployed by companies. This discussion may trigger a very positive outcome: While reiterating that “hacking back” is problematic as a matter of both law and policy, Caldwell announced that DOJ’s Cybersecurity Unit is considering issuing guidance on the legality of various other defensive measures companies might want to take to protect their systems and networks.

Such guidance would be a welcome development. Greater clarity about the scope of the Computer Fraud and Abuse Act (CFAA) as it relates to defensive measures could empower companies to engage in more robust network defenses, consistent with existing law.

However, Caldwell also made clear that the DOJ and its federal agency counterparts are not all about carrots. They’re also retaining the right to use sticks. Caldwell highlighted a statement on the FTC website declaring that as the FTC increasingly flexes its enforcement muscles with respect to data security, it will take into consideration whether a company has cooperated with law enforcement and “likely . . . view that company more favorably than a company that hasn’t cooperated.”

The FTC statement is here, and the full text of Caldwell’s speech is here.

In the key section, Caldwell couples her legal conclusion that the CFAA prohibits hacking back with six policy arguments for why hacking back is officially a bad idea:

After running through the legal analysis and policy arguments against hacking back, Caldwell notes that she is “encouraged by the range of innovative cybersecurity proposals that are currently being considered,” but “would urge practitioners to exercise caution” in considering new techniques. She then concludes by suggesting that, in the “spirit of collaboration,” the Cybersecurity Unit “is considering whether to offer guidance on other types of effective and truly defensive countermeasures that are considered to be beneficial by cybersecurity experts.”

Such guidance could help to ensure that practitioners’ caution is properly calibrated and that innovative defensive measures are not hampered by legal uncertainty.

View the original content and more from this author here: http://ift.tt/1PyOAj5


