This episode of An InfoSec Life
is made possible by the generosity of our sponsors:
By Sean Martin
Welcome to a new episode of An InfoSec Life on ITSPmagazine! Today’s topic looks at the life of a hacker and the challenges they face from both a liability and legal perspective. We also look at how organizations deal with the research activities they encounter from both cybercriminals and ethical hackers alike.
To help me have this conversation, I am delighted to welcome Amit Elazari, Lecturer at UC Berkeley School of Information, and Leonard Bailey, Special Counsel for National Security at the U.S. Department of Justice, Criminal Division where he is Head of Cybersecurity Unit for the DOJ’s Computer Crime & Intellectual Property Section.
There are laws to protect companies from cybercriminals. However, those laws — when interpreted as such — also block ethical hackers from researching and looking for exploitable weaknesses. Changes in the acts and laws over the years have made it better, if not easier, for ethical hackers to perform their research and engage in responsible disclosure. The question is: do these changes also make it "better" and/or “easier” for the cybercriminals?
During our chat, we dig into the many yin yang elements of this topic as we explore some of the details behind responsible disclosure and vulnerability disclosure programs, the related language and frameworks available from the DoJ and Disclose.io, and how those interact with — and often counteract — the Computer Fraud and Abuse Act (CFAA) and the Digital Millennium Copyright Act (DMCA).
There’s a lot of work being done to help establish a safe environment for vulnerability research and responsible disclosure to take place. Formal rules surrounding responsible vulnerability are critical in both the legal landscape as well as with ethical business operations — these rules need sorting out quickly if we are going to function in a safe cyber society.
Listen in and enjoy!
Computer Fraud and Abuse Act: https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act
New trends and lessons on CFAA extortion following recent indictment: https://techcrunch.com/2018/10/25/uber-hackers-indicted-lynda-breach/
Digital Millennium Copyright Act (DMCA): https://www.copyright.gov/reports/studies/dmca/dmca_executive.html
Standardization of contractual landscape including safe harbor.
About Amit Elazari
Director, Global Cybersecurity Policy at Intel Corporation, Intel Corporation
Amit Elazari Bar On is a Director of Global Cybersecurity Policy at Intel Corporation and a Lecturer at UC Berkeley’s School of Information Master in Information and Cybersecurity. She holds a JSD from UC Berkeley School of Law and graduated summa cum laude three prior degrees. Her research in information security law and policy has appeared in leading technology law journals, presented atn conferences such as Black Hat, USENIX Enigma, USENIX Security, BsidesLV, BsidesSF and DEF CON, and featured at leading news sites such as The Wall Street Journal, The Washington Post and the New York Times. In 2018, she received a Center for Long Term Cybersecurity grant for her work on private ordering regulating information security, exploring safe harbors for security researchers. She practiced law in Israel.
About Leonard Bailey
Special Counsel for National Security in the Criminal Division’s Computer Crime and Intellectual Property Section
Leonard Bailey is Special Counsel for National Security in the Criminal Division’s Computer Crime and Intellectual Property Section. He has prosecuted computer crime cases and routinely advised on cybersecurity, searching and seizing electronic evidence, and conducting electronic surveillance. He has managed DOJ cyber-policy as Senior Counselor to the Assistant Attorney General for the National Security Division and then as an Associate Deputy Attorney General. He has also served as Special Counsel and Special Investigative Counsel for DOJ’s Inspector General. Bailey is a graduate of Yale University and Yale Law School. He has taught law courses at Georgetown Law School and Columbus School of Law in Washington, DC.
Find Leonard on LinkedIn