CONDUCTING CYBERSECURITY RESEARCH LEGALLY AND ETHICALLY By Aaron J. Burstein; Presented by David...
-
Upload
stephen-morton -
Category
Documents
-
view
213 -
download
1
Transcript of CONDUCTING CYBERSECURITY RESEARCH LEGALLY AND ETHICALLY By Aaron J. Burstein; Presented by David...
CONDUCTING CYBERSECURITY RESEARCH LEGALLY AND ETHICALLYBy Aaron J. Burstein;
Presented by David Muchene
Objectives
Explain the areas of law that are most applicable to cyber security research.
Offer general guidelines for various ethical issues that may arise while doing research.
Introduction
There are several cyber security research activities that have legal considerations associated with them Collecting real network data Running malware in test beds Disrupting or mitigating attacks Publishing certain results
Obtaining Network Data
Obtaining network data is sometimes critical to a researchers work.
Communication and Privacy laws limit access to traffic on networks
Wiretap Act: Prohibits real-time interception of ‘contents’
of electronic communication Pen Register/Trap and Trace Statute:
Prohibits interception on ‘non-content’ of electronic communication
Obtaining Network Data
Stored Communication Act Prohibits providers of electronic communication
to the public from disclosing customers’ content Providers are given an exception to the
Wiretap Act and the Pen/Trap statute Researchers should be granted similar
exception since Could potentially protect the researcher’s
institution’s network Researchers do not pursue criminal investigation
nor seek to embarrass anybody.
Sharing Network Data
Sharing data could be useful to the research community
The Stored communication Act limits the sharing of this data. Generally only applies to providers of
electronic communication to the public Researchers working within a
university/private network setting do not have to worry about the disclosure provisions
Infected Hosts
It’s often necessary to allow attackers to exploit a host or to run malware in a controlled environment to understand behaviors of attacks
Researchers must make sure that malicious software does not make it beyond their test-beds The computer Fraud and abuse act holds
them liable otherwise They must also be careful not to hold
any illegal material on their system.
Mitigating Attacks
Researchers may be in a position to disrupt an attack. However before doing so they should: Determine if they break any laws Consider the institution’s reputation
Publishing Results
Researcher are for the most part protected by the first amendment
They are not however protected if their results somehow conflict with the DMCA
They should consider whether their results could help adversaries attack the researcher’s network
Conclusions
Lots and lots and lots of legal considerations when doing cyber security research
Privacy is important and researchers must realize this as they conduct their work