CONDUCTING CYBERSECURITY RESEARCH LEGALLY AND ETHICALLY By Aaron J. Burstein; Presented by David Muchene


Objectives

Explain the areas of law that are most applicable to cyber security research.

Offer general guidelines for various ethical issues that may arise while doing research.


Introduction

Several cyber security research activities have legal considerations associated with them:

Collecting real network data

Running malware in test beds

Disrupting or mitigating attacks

Publishing certain results


Obtaining Network Data

Obtaining network data is sometimes critical to a researcher's work.

Communication and privacy laws limit access to traffic on networks:

Wiretap Act: Prohibits real-time interception of ‘contents’ of electronic communication

Pen Register/Trap and Trace Statute: Prohibits interception of ‘non-content’ of electronic communication


Obtaining Network Data

Stored Communications Act: Prohibits providers of electronic communication to the public from disclosing customers’ content

Providers are given an exception to the Wiretap Act and the Pen/Trap statute

Researchers should be granted a similar exception since:

The research could potentially protect the researcher’s institution’s network

Researchers do not pursue criminal investigations nor seek to embarrass anybody.


Sharing Network Data

Sharing data could be useful to the research community

The Stored Communications Act limits the sharing of this data.

It generally only applies to providers of electronic communication to the public

Researchers working within a university/private network setting do not have to worry about the disclosure provisions


Infected Hosts

It’s often necessary to allow attackers to exploit a host or to run malware in a controlled environment to understand the behavior of attacks

Researchers must make sure that malicious software does not make it beyond their test-beds

The Computer Fraud and Abuse Act holds them liable otherwise

They must also be careful not to hold any illegal material on their system.


Mitigating Attacks

Researchers may be in a position to disrupt an attack. However, before doing so they should:

Determine if they break any laws

Consider the institution’s reputation


Publishing Results

Researchers are for the most part protected by the First Amendment

They are not, however, protected if their results somehow conflict with the DMCA

They should consider whether their results could help adversaries attack the researcher’s network


Conclusions

Lots and lots and lots of legal considerations when doing cyber security research

Privacy is important and researchers must realize this as they conduct their work