
Rewired: Cybersecurity Governance


About the Book

Examines the governance challenges of cybersecurity through twelve real-world case studies

Through twelve detailed case studies, this superb collection provides an overview of the ways in which government officials and corporate leaders across the globe are responding to the challenges of cybersecurity. Drawing perspectives from industry, government, and academia, the book incisively analyzes the actual issues, and provides a guide to the continually evolving cybersecurity ecosystem. It charts the role that corporations, policymakers, and technologists are playing in defining the contours of our digital world.

Rewired: Cybersecurity Governance places great emphasis on the interconnection of law, policy, and technology in cyberspace. It examines some of the competing organizational efforts and institutions that are attempting to secure cyberspace and considers the broader implications of the in-place and unfolding efforts—tracing how different notions of cybersecurity are deployed and built into stable routines and practices. Ultimately, the book explores the core tensions that sit at the center of cybersecurity efforts, highlighting the ways in which debates about cybersecurity are often inevitably about much more.

  • Introduces the legal and policy dimensions of cybersecurity
  • Collects contributions from an international collection of scholars and practitioners
  • Provides a detailed "map" of the emerging cybersecurity ecosystem, covering the role that corporations, policymakers, and technologists play
  • Uses accessible case studies to provide a non-technical description of key terms and technologies

Rewired: Cybersecurity Governance is an excellent guide for all policymakers, corporate leaders, academics, students, and IT professionals responding to and engaging with ongoing cybersecurity challenges.

Table of Contents:
Notes on Contributors
Acknowledgments
Introduction

1 Cybersecurity Information-Sharing Governance Structures: An Ecosystem of Diversity, Trust, and Trade-offs
  Elaine Sedenberg and Jim Dempsey
  1.1 Introduction
  1.2 Taxonomy of Information-sharing Governance Structures and Policies
    1.2.1 Government-centric Sharing Models
    1.2.2 Government-Prompted, Industry-Centric Sharing Models
    1.2.3 Corporate-initiated, Peer-based Groups
    1.2.4 Small, Highly Vetted, Individual-based Groups
    1.2.5 Open Communities and Platforms
    1.2.6 Proprietary Products and Commercialized Services
  1.3 Discussion and Conclusions
    1.3.1 Trust and the Trade-offs
    1.3.2 The Ecosystem and the Role of the Federal Government
  Acknowledgments
  Notes

2 Cybersecurity Governance in the GCC
  James Shires
  2.1 Introduction
  2.2 Why the GCC?
  2.3 Key Cybersecurity Incidents
  2.4 Government Organizations
  2.5 Strategies, Laws, and Standards
  2.6 The Cybersecurity Industry
  2.7 Conclusion
  Acknowledgments
  Notes

3 The United Kingdom’s Emerging Internet of Things (IoT) Policy Landscape
  Leonie Maria Tanczer, Irina Brass, Miles Elsden, Madeline Carr, and Jason Blackstock
  3.1 Introduction
  3.2 The IoT’s Risks and Uncertainties
  3.3 Adaptive Policymaking in the Context of IoT
  3.4 The UK Policy Landscape
  3.5 The IoT and its Governance Challenges
  3.6 Conclusion
  Notes

4 Birds of a Feather: Strategies for Collective Cybersecurity in the Aviation Ecosystem
  Emilian Papadopoulos and Evan Sills
  4.1 Introduction: The Challenge of Ecosystem Risk
    4.1.1 Aviation Is a National and Global Target
      4.1.1.1 The Cyber Harm
      4.1.1.2 Economic Harm
      4.1.1.3 Political/Governmental Harm
      4.1.1.4 Reputational Harm
      4.1.1.5 Physical Harm
      4.1.1.6 Psychological and Emotional Harm
    4.1.2 Domestic and International Challenges of Aviation Governance
  4.2 Progress So Far
    4.2.1 The AIAA’s Decision Paper, “The Connectivity Challenge: Protecting Critical Assets in a Networked World” (August 2013)
    4.2.2 The Aviation Information Sharing and Analysis Center (A-ISAC) (September 2014)
    4.2.3 The Civil Aviation Cybersecurity Action Plan (December 2014)
    4.2.4 Connecting the Dots on Connectivity (2015)
    4.2.5 Hackers Allege Aircraft Vulnerabilities (2015)
    4.2.6 United Airlines Opens Bug Bounty Program (2015)
    4.2.7 Aviation Security World Conference (2015)
    4.2.8 Conferences and Organizations Mature (2015 and Beyond)
    4.2.9 Industry Takes the Lead (2017)
  4.3 Aviation’s Tools for Cyber Risk Governance
  4.4 The Path Forward
    4.4.1 Collective Third-Party Risk Management
    4.4.2 Secure Design
    4.4.3 Information Sharing, “Plus”
    4.4.4 International Norms and Standards
  4.5 Conclusion
  Notes

5 An Incident-Based Conceptualization of Cybersecurity Governance
  Jacqueline Eggenschwiler
  5.1 Introduction
  5.2 Conceptualizing Cybersecurity Governance
  5.3 Case Studies
    5.3.1 RUAG
      5.3.1.1 Background
      5.3.1.2 Events
      5.3.1.3 Learnings
    5.3.2 The Conficker Working Group
      5.3.2.1 Background
      5.3.2.2 Events
      5.3.2.3 Learnings
    5.3.3 Symantec’s Cybersecurity Practices
      5.3.3.1 Background
      5.3.3.2 Events
      5.3.3.3 Learnings
  5.4 Utility and Limitations
  5.5 Conclusion
  Notes

6 Cyber Governance and the Financial Services Sector: The Role of Public–Private Partnerships
  Valeria San Juan and Aaron Martin
  6.1 Introduction
  6.2 Governance, Security, and Critical Infrastructure Protection
  6.3 Financial Services Information Sharing and Analysis Center
  6.4 Financial Services Sector Coordinating Council
  6.5 Financial Systemic Analysis and Resilience Center
  6.6 Lessons for Cybersecurity Governance
    6.6.1 Lesson One: Affirmation of PPP Model, but Focus and Clarity Needed
    6.6.2 Lesson Two: Addressing Systemic Risk Requires more than Just Information Sharing
    6.6.3 Lesson Three: Limitations of PPPs in Regulated Industries
  6.7 Conclusion
  Acknowledgments
  Notes

7 The Regulation of Botnets: How Does Cybersecurity Governance Theory Work When Everyone Is a Stakeholder?
  Samantha A. Adams, Karine e Silva, Bert-Jaap Koops, and Bart van der Sloot
  7.1 Introduction
  7.2 Cybersecurity
  7.3 Botnets
    7.3.1 Preventing New Infections
    7.3.2 Mitigating Existing Botnets
    7.3.3 Minimizing Criminal Profit
  7.4 Governance Theory
  7.5 Discussion: Governance Theory Applied to Botnet Mitigation
  7.6 Conclusion
  Acknowledgment
  Notes

8 Governing Risk: The Emergence of Cyber Insurance
  Trey Herr
  8.1 Introduction
  8.2 Where Did Cyber Insurance Come From?
    8.2.1 Understanding Insurance
    8.2.2 Risk Pool
    8.2.3 Premiums
    8.2.4 Insurer
    8.2.5 Insurable Risk
    8.2.6 Comparisons to Terrorism
  8.3 Security Standards in the Governance Process
    8.3.1 Government-Developed Standards
    8.3.2 Private Sector Standards
  8.4 The Key Role of Risk
  8.5 Enforcing Standards: Insurance Becomes Governance
    8.5.1 Model of Modern Market Governance
    8.5.2 Cyber Insurance: Governing Risk Through Standard Setting and Enforcement
  8.6 Conclusion and Implications
  Notes

9 Containing Conficker: A Public Health Approach
  Michael Thornton
  9.1 Introduction
  9.2 The Conficker Infection
  9.3 A Public Health Alternative
    9.3.1 Populations, Not Individuals
    9.3.2 Shared and Overlapping Problems
    9.3.3 Balancing Efficacy and Individual Rights
  9.4 A Public Health Approach to Conficker
  9.5 Conclusion
  Notes

10 Bug Bounty Programs: Institutional Variation and the Different Meanings of Security
  Andreas Kuehn and Ryan Ellis
  10.1 Introduction: Conspicuously Absent
  10.2 Scope and Aims
  10.3 A Market for Flaws: Bug Bounty Programs
    10.3.1 Case I, Microsoft: Rethinking the Market for Flaws
    10.3.2 Case II, Google: Matching the Wisdom of Crowds and the Wisdom of Experts
    10.3.3 Case III, Facebook: Transaction Costs and Reputational Benefits
  10.4 Conclusion
  Notes

11 Rethinking Data, Geography, and Jurisdiction: A Common Framework for Harmonizing Global Data Flow Controls
  Jonah Force Hill and Matthew Noyes
  11.1 Introduction
  11.2 The Challenge of Extraterritorial Data
    11.2.1 The Challenge to Law Enforcement
    11.2.2 Alternative Approaches to MLATs
    11.2.3 The Challenge to Regulators
      11.2.3.1 Content and Speech
      11.2.3.2 Privacy and Data Protection
  11.3 The Threat of Data Localization
  11.4 A New Approach to Data Flow Controls
    11.4.1 Control Points Analysis
    11.4.2 A Common Framework for Data Flow Controls
  11.5 Recommendations
    11.5.1 Recommendation One: Establish a Common Framework for Data Flow Controls Through the Development of International Standards, Norms, and Principles
    11.5.2 Recommendation Two: Formalize Agreed-upon Standards, Norms, and Principles Through the Adoption of Voluntary and Treaty-Based International Agreements
    11.5.3 Recommendation Three: Reform Domestic Law and Policy Frameworks Consistent with Agreed-upon Standards, Norms, and Principles
    11.5.4 Recommendation Four: Focus First on Specific Policy Matters of Broad International Consensus, Then Move on to the more Contentious Issues
  11.6 Additional Challenges
  11.7 Conclusion
  Acknowledgments
  Notes

12 Private Ordering Shaping Cybersecurity Policy: The Case of Bug Bounties
  Amit Elazari Bar On
  12.1 Introduction
  12.2 Are Bug Bounties Operating as a “Private” Safe Harbor? Key Findings of the Legal Terms Survey
    12.2.1 The Bug Bounty Economy Anti-Hacking Legal Landscape
      12.2.1.1 The CFAA
      12.2.1.2 The DMCA
      12.2.1.3 The Department of Justice Framework for a Vulnerability Disclosure Program for Online Systems
    12.2.2 Bug Bounty Legal Terms: General Structure
    12.2.3 The Bug Bounty Catch 22
    12.2.4 Safe Harbor Language Matters
  12.3 Policy Recommendations: Toward a Private Safe Harbor
    12.3.1 Increase of Terms Salience
    12.3.2 Clear Safe Harbor Language
    12.3.3 Standardization of Bug Bounty Legal Terms Across Platforms, Industries, and Sponsors
    12.3.4 Improved Disclosures and Educational Efforts
    12.3.5 Individual Hackers as Collective Bargainers
  12.4 Conclusion
  Acknowledgments
  Notes

Bibliography
Index

About the Author:
RYAN ELLIS is an Assistant Professor of Communication Studies at Northeastern University. His research and teaching focus on topics related to communication law and policy, infrastructure politics, and cybersecurity.

VIVEK MOHAN is an attorney in private practice based in Northern California. Before entering private practice, he was associated with the Privacy, Data Security, and Information Law group at Sidley Austin LLP and the Cybersecurity Project at Harvard University.




Product Details
  • ISBN-13: 9781118888216
  • Publisher: John Wiley & Sons Inc
  • Publisher Imprint: John Wiley & Sons Inc
  • Height: 231 mm
  • No of Pages: 352
  • Returnable: N
  • Sub Title: Cybersecurity Governance
  • Width: 158 mm
  • ISBN-10: 1118888219
  • Publisher Date: 28 May 2019
  • Binding: Hardback
  • Language: English
  • Spine Width: 23 mm
  • Weight: 680 gr

