
Cyber News

Microsoft Proposes Norms for Fighting Cyberbreaches

Microsoft Corp. recently published a white paper urging new cyber “rules of the road” for nation-states and for the global information and communications technology (ICT) industry.

Titled “From Articulation to Implementation: Enabling Progress on Cybersecurity Norms,” the document says that tech providers should agree to norms in order to enhance trust in ICT systems, trust that has been worn away in recent years by breaches and government intrusions.

“Most notably, companies must be clear that they will neither permit back doors in products nor withhold patches, either of which would leave technology users exposed,” the paper states. “They will also address attacks, whatever their source, to protect customers. These norms, like government defensive norms, are meant to increase confidence in the global ICT supply chain, and to send a clear message to governments that global ICT providers will not help exploit ICT users, but will only help protect them.”

In a blog, Microsoft in-house attorney Scott Charney further explained the document: “Our goal is to contribute to the development of frameworks and practices that protect people and companies from the effects of state-sponsored cyber operations.” Charney is a former federal prosecutor with the U.S. Department of Justice (DOJ) and served as chief of the DOJ's computer crime and intellectual property section in the Criminal Division. His title is now Microsoft vice president for trustworthy computing, where he leads the securities strategies group.

As Charney explains it, Microsoft is proposing a three-part organizing framework for the current cybersecurity norms dialogue: Offensive norms (stressing government self-restraint), defensive norms (for both government and industry) and industry norms (focusing on industry's role in mitigating cyberrisks).

“While there is a strong complementary structure for nation-state norms and industry norms,” Charney writes, “they vary in two important instances: Nation-states possess the ability to create mass effects through offensive cyber activities; and the global ICT industry has the ability to patch all customers, even during conflicts between and among governments.”

The paper comes amid a backdrop of Microsoft's ongoing legal battle with the U.S. government to, among other things, be permitted to tell its customers when authorities access their data.

Besides issuing security patches to any user and not enabling back doors for government use, Charney lists four other actions that the ICT industry should take under the norms:

  1. Coordinating disclosure practices for handling product and service vulnerabilities.
  2. Not trafficking in cyber vulnerabilities for offensive purposes nor embracing business models that involve proliferating cyber vulnerabilities for offensive purposes.
  3. Proactively defending against nation-state attacks and remediating the impact of such attacks.
  4. Assisting public-sector efforts to identify, prevent, detect, respond to and recover from events in cyberspace.

The norms are needed, Charney argues, because governments are committing increasing resources to offensive cyber capabilities. “We must continue to raise the bar in our defensive capabilities to deter nation-states from targeting technology users,” he concludes.

- Sue Reisinger, Corporate Counsel


China's Proposed Data Localization Cybersecurity Law Catches Eye of U.S. Tech Companies

U.S. tech companies are among the businesses watching the progress of a proposed cybersecurity law in China, which was recently submitted to the National People's Congress (NPC) Standing Committee for a second reading.

Bing Maisog, an attorney with Hunton & Williams in Beijing, says the law is still not in final form and “anything could change.” But he is scrutinizing its data localization provision.

“Assuming that its current form constitutes a suggestion on what the final form of the law will be, right now one of the most significant issues is a potential data localization provision that will require 'operators of key information infrastructure' to maintain personal information collected and produced during their operations within China, or comply with a security evaluation procedure,” Maisog told our ALM sibling Legaltech News.

“What impact this will have will depend on how this provision is interpreted and enforced,” he predicted. “It does have the potential to at least increase the costs of doing business in China for companies that can be classified as 'operators of key information infrastructure', by requiring them to undergo what appears to be an inspection and certification, or qualification, process.”

But it could even have a greater impact. “At worst, it could make cross-border operations involving China practically unworkable, and force companies to establish entirely on-shore operations and facilities within China solely for purposes of what they do in China,” Maisog said.

He points out that some tech companies might not be affected because they do not count as an “operator of key information infrastructure.” But they “could still be materially affected because an important supplier, service provider or business partner does” count as an “operator of key information infrastructure.”

In response to the draft law, the state-run Xinhua news agency reported that Zhang Haiyang, deputy head of the NPC Law Committee, said that the government “should encourage businesses and institutions to certify and evaluate their cybersecurity regime.” See, “Draft Law Strengthens China's Cybersecurity” (June 27, 2016).

The draft also calls for big data applications to anonymize information and define appropriate use of citizens' personal information, the report said. In addition, “operators must comply with social and business ethics and accept supervision by both government and the public,” the report adds.

Moreover, the draft law “stipulates that Chinese citizens' personal information and other data collected in China should remain in the country,” according to Xinhua.

The second reading of the draft law comes as Xu Lin has been named as a replacement for Lu Wei to head up China's Office of the Central Leading Group for Cyberspace Affairs.

The change in cybersecurity leaders does not appear to signal a change in policy by Chinese regulators toward foreign companies, such as Facebook or Google. These and some other online services have been blocked in China.

For China's large population of about 1.38 billion people, there is major potential for increasing the number of internet users in the nation. It is estimated there are over 700 million users who can access the internet from their residences.

- Ed Silverstein, Legaltech News


Brown University Offers New Graduate Program In Cybersecurity Leadership

A new midcareer graduate program in cybersecurity at Brown University is attracting several attorneys in its first class.

Some three or four students expected to enter the master's degree program in October have legal backgrounds. The first class is likely to have between 20 and 25 students with diverse backgrounds. The common thread is that they want to be leaders in the emerging field of cybersecurity and have a background in technical and policy areas.

The interdisciplinary program, formally known as Brown's Executive Master in Cybersecurity, is designed to produce leaders in the field of cybersecurity with a cutting-edge curriculum developed after extensive planning.

Over 16 months, students will study technology, such as network and application security; law and policy, both in the United States and globally; human behavior and human factors, such as the motivation of hackers; and leadership skills, such as team building, communications, negotiations and conflict resolution.

Because it is aimed at working professionals with five to 15 years of experience, the program is part time. Much of the instruction is online, with four residential weeks at Brown, and one week in the San Francisco region, to meet with those in the cybersecurity field.

Also, as part of the requirements for the degree, students will complete a “critical challenge project.” It is similar to a thesis and independent study and may relate to an issue of concern at a student's workplace.

Among those teaching in the program are several attorneys. One is Timothy Edgar, who now teaches at Brown but earlier was the first director of privacy and civil liberties for the White House National Security Staff. Another is Linn Freedman, who is the chairwoman of the data privacy and security practice group at Robinson & Cole. She formerly was assistant attorney general and deputy chief of the Civil Division at the Attorney General's Office in Rhode Island.

Faculty for the program include those affiliated with Brown's Department of Computer Science and the Watson Institute for International and Public Affairs, as well as practitioners in cybersecurity.

Also, because the students in the program have their own experiences with cybersecurity, there “will be opportunities for sharing,” Alan Usas, the program director, told our ALM sibling Legaltech News. Many of the students have experienced cyber incidents at their own workplaces. The real-life experiences will help all the students in the program learn from each other, he added.

Technologies that will be examined in the program include such evolving topics as Big Data, cloud, mobile, Web 2.0, and the Internet of Things.

After completing the program, students will be equipped to explain cybersecurity issues to members of a C-Suite or board members. Cybersecurity and data breaches have become concerns to boards of directors nationally. The reality is most organizations have already experienced cyber incidents. “It's going to happen, if not already,” Usas said.

There is a limited amount of space left in the first class, and applications are still being accepted from midcareer professionals.

- Ed Silverstein, Legaltech News
