Cybersecurity Law and Policy: What Are the Top Issues for 2019?

Cybersecurity Law and Policy: What Are the Top Issues for 2019?

Articles, Blog , , , , , , , 3 Comments


SHANE STANSBURY: All right. I think we’re going
to get started. There’s what I call
the Chick-fil-A delay. So a few people might be coming
in late, but let’s go ahead and get started. I know some of you. My name is Shane Stansbury. I teach at the law
school, and I’m a fellow in the Center for Law
Ethics and National Security, which is one of the
sponsors of today’s event which is titled
Top Issues for 2019 in Cybersecurity,
Law, and Policy. That’s both a very descriptive
title and also a very ambitious title. And we have. I think, less than an
hour now to cover it. So I’m anxious to get started. But before I do, just a few word
of thanks first of all to our sponsors. Apart from lens, we have the
Triangle Privacy Research Hub, the Duke Center on Law and
Tech, and Intel, all of which helped sponsor today’s event. So we thank all of them for
helping to put this together. And a special thanks to
David Hoffman from Intel. As many of you know,
Professor Hoffman teaches here at the
law school, and he helped organize today’s event
and helped bring these three esteemed panelists down. And so we owe him a
very special thanks. So a few introductions. First, I’m going to
start at the far right. First we have Ari
Schwartz, and Ari is really a nationally recognized
leader in cybersecurity law and policy. He wears many hats. He is the managing director
of cybersecurity services for Venable the law firm. So he leads their cybersecurity
consulting services and helps organizations develop
cybersecurity risk management strategies. Before he was at Venable, he
was a member of the National Security Council
at the White House, and he served as
special assistant to the president and senior
director for cybersecurity. So he coordinated all
of the network defense cybersecurity policies
and led the White House’s legislative and policy outreach. A pretty big job,
as you can imagine. He also coordinates
the Coalition for Cybersecurity
Policy and Law, of which our other
members here on the panel are also board members. And this is a group of leading
cybersecurity companies dedicated to educating
policy members on cybersecurity issues. So Ari has also worked in
the Department of Commerce in a senior capacity and
also in the nonprofit sector. So he has decades of
experience in this field, and we are very
lucky to have him. Next to Ari, we
have Jen Ellis, who, again, is a board member on
the Coalition for Cybersecurity Policy & Law. She is vice president of
Community and Public Affairs for Rapid7, which is a
leading provider of analytics for cybersecurity and
information technology operations. Jen is a frequent
speaker on these issues and a true thought
leader in the field. She spends much of her
time helping others outside the security community
understand these issues and helps technologists
and others communicate with policymakers. She’s testified before Congress
and lectured all over the world really on these issues. And so we are very lucky
to have her as well. To my immediate
right is Sam Curry. And Sam, again, brings
decades of experience in a different capacity. He is currently chief
product and security officer at Cybereason, which is a
leading cybersecurity company specializing in endpoint
detection and response software. Cybereason is very well-known. I’m sure a lot of
you have heard of it. But I love this, the
one interesting fact, which is that the company
started in Tel Aviv, right? SAM CURRY: It’s a Boston
headquartered company, but the three founders
are from Tel Aviv. SHANE STANSBURY: And I
believe some of the founders were a member of the
Israeli military, correct? SAM CURRY: Yeah, Unit 8200. So there’s [INAUDIBLE]
under here. I think they’re listening. [LAUGHTER] But, no, the president of the
company was also with Mossad– SHANE STANSBURY: Amazing SAM CURRY: –quite famously. SHANE STANSBURY: So Sam was
previously chief technology officer and chief security
officer at Arbor Networks and has held leadership
roles at MicroStrategy, RSA, and other name brand companies. He has founded at least two
successful startups that I know of, is on multiple boards
apart from the one I mentioned. He frequently comments
on cybersecurity matters in various media outlets. You can see him on Forbes online
pretty much weekly, right? And if I have it correctly,
he holds multiple patents. SAM CURRY: 24 of them, yeah. SHANE STANSBURY:
So– just an aside. So I think it’s safe to say
if you want to know anything about cybersecurity, you
can find it at this table. And if you want to
know about patents, you can find it right here. [LAUGHTER] SAM CURRY: But I’m not a lawyer. [LAUGHTER] SHANE STANSBURY:
So please join me and giving them a warm
law school welcome. [APPLAUSE] So to kick things
off, I’m going to ask a few open-ended questions to
get the conversation started. And I obviously want to
leave plenty of time for you all to ask questions as well. But I think the title of today’s
panel sort of lends itself to the first question. And that’s one of the top
issues in 2019 in cybersecurity. But I want to phrase it
a slightly different way for everyone. And we can take
whatever order you want. But in this room, we have
primarily lawyers or soon to be lawyers. And one of the most
important roles I think that lawyers serve
is helping their clients both identify and manage risk. And so with that
in mind, if we’re thinking about risk in
the cybersecurity space, I’d like for each of you to
talk a little bit about what you think are the top issues
that the folks in this room should be thinking
about right now. SAM CURRY: You
want us to go down? SHANE STANSBURY: Sure. So I will go a slightly
technical bent here. As you interact
with companies, I would recommend you look at
two different types of risk. And I promise this is
the most math you’ll get. Think of it as first order
chaos and second order chaos. First order chaos systems
are ones where how you act doesn’t affect the system. So if a hurricane is
coming, the weather system, how you decide to take
shelter from the storm doesn’t affect the storm. It’s still coming, right? Second order chaos
systems are like crime, where if you decide to put
police officers on street corners, it affects which
stores get robbed, right? So when you interact
with a business, you will find there are
only two places that have intelligent, adaptive
opponents that affect risk. And I would highly recommend
that you deal with the two kinds of risk very differently. In the case of the
first, you will be able to easily deploy
controls, monitor them, advise the business, track
the measure risk, and reduce its
theoretical impact. That’s like the weather,
so things like nature, failed parts, failed supply
chains, redundancy, legal risk, operational risk, finance risk. Most of it falls into that. The second category– and
this is the most important for cyber, because we have
intelligent human opponents– is when just deploying
a control isn’t enough. You have to think
move, countermove, counter-countermove. And I would advise you to
become very good friends really with two different groups. One is those that
understand the business climate as competition. What risk do you face
as a company from those that you do business against
if you’re in business? Or, if you’re in a
government agency– those who would oppose the
government or enemies and so on, spies, what have you. And the second one is the cyber. Because cyber in itself
is a domain for conflict, and it affects
all other domains. And I encourage usually the
security side of the company to get to know the chief
legal counsel, the lawyers in a company, and to
form a bridge there. Because one of the biggest
problems in our industry is that they don’t know
how to speak to each other. So I would encourage you to
think of risk in those two buckets and really
focus on programs that address the second kind. The first kind we know how
to do as businesses, right? You set up processes. You improve them. You track it. You get KPIs or Key
Performance Indicators, and you improve that over time. And you guys will
get good at that. But the only way to deal with
the intelligent, adaptive opponents is to form
new relationships. And I would encourage
you to think about that. JEN ELLIS: Awesome. Hi. Thank you for
having us in today. And thank you for feeding us. As somebody who
lives in Boston, it was very exciting
to get Chick-fil-A, although I’m told that it’s not
actually pronounced that way. [LAUGHTER] I’m British. I get away with a lot that way. So I like audience
participation. So I’m going to ask
you guys a question. Show of hands, how many people
are familiar with the term IoT or Internet of Things? OK. Thankfully, most
people in the room. Excellent. Thank you for playing. So for me when I think
about how risk is changing and how we think about new
trends that are developing, IoT is one of the most
interesting areas, because of a number of factors. But one of the key ones,
one of the most critical, is that we are bridging the
divide between the physical and the virtual worlds. Traditionally, the way that
we’ve thought about security is we’ve thought
about it in terms of the Confidentiality,
Integrity, and Availability of data. We ironically call that CIA. And now, today, we’re moving
into this whole new category where security has become
about more than just data. It’s become about safety. So we have this
thing that we now think of as cyber safety, which
sounds really sexy if you live in my world, probably
not very sexy at all if you live in your world. And so what that
means is that when we have a lot of
connected technologies that operate traffic
control towers, or when we have a lot of
connected technologies that control the brakes and
the steering in your car, or when we have internet
connected or RFC, Radio Frequency Connected,
or Bluetooth connected implantable medical devices that
we’re putting in human beings, like insulin pumps,
then when we start to think about risk in
cybersecurity terms, what we can actually
be thinking about is things that can result in
physical harm or even death. And that changes how
we think about security pretty dramatically. It changes the scale,
the scope, the stakes. And so as, you know, future
lawyers or current lawyers, understanding how that
affects ideas of liability, understanding how policymakers
are trying to get ahead of this risk and what
they’re thinking about, these are key areas of focus. And for me part of what makes
that so interesting other than the whole death aspect,
which is kind of interesting, is that the stuff that
we’re talking about is where there is so much really
exciting innovation happening. I was talking to
somebody the other day. The FDA just ran a
workshop on guidance that they’ve put out that
is on how medical device manufacturers should think
about cybersecurity when they’re in the development stage
of making products. And so I was there. And I was talking
to a lot of people who make medical devices. And I was talking to a guy. And I said, like, hey, so
I’m super interested in– sorry, this is very nerdy. But I’m super interested in
contact lenses that will do things like auto-zoom or
that like would have– SAM CURRY: [INAUDIBLE] JEN ELLIS: Right. Like they would go to
infrared, because apparently I want to be a spy. I really look the part. And then the thing that
horrifies me about this is that as they’re developing
these technologies, these highly advanced
contact lenses, they’re thinking about
things like cameras in them. So now you’re going to
be talking to people, and won’t know if
they’re filming you. And I’m sorry if anyone
had ever had Google Glass, but I hate you. And so this is like
a strange new world that we’re developing where
innovation is actually moving faster than we’re
able to keep up with. And policymakers
are sort of jogging along behind, like
trying to catch the bus and trying to think about
how they respond to this. And you know, as future
lawyers or policy people, you can play an
enormous role in that. And it’s exciting, because a lot
of the innovation has really, really, profoundly, positively
impactful elements to it. But it also has
really also profoundly impactful scary elements to it. SHANE STANSBURY: Jen,
before we get to Ari, can I just follow
up on one thing? It’s really interesting
what you said. Are there specific
sectors, whether it’s automated vehicles– JEN ELLIS: Yes. SHANE STANSBURY: –or medical
devices in which the lawyers and policies are
particularly far behind– JEN ELLIS: Right. SHANE STANSBURY: –or
is it across the board? JEN ELLIS: Yeah. That’s an excellent question. Yeah, so there’s a sort of
grassroots volunteer group that started in the
security community called I Am The Cavalry. It’s a stupid name,
but the idea is– SAM CURRY: That’s great. JEN ELLIS: –the
cavalry’s not coming. You are the cavalry. We are the cavalry. And the idea is to put deep
technical expertise together with policymakers and
manufacturers and other people who influence the sphere of
how we think about making this stuff more secure. And that group, when it was
founded almost six years ago, specifically focused
on four main areas– automotive, which has
now expanded more broadly into other areas of
transport, medical, critical infrastructure, by
which we mean things like the electrical grid
and that kind of stuff, and then home security,
which I would say is like a bit more
of a back leg thing, but at some point will
become more critical. Really, today, the
areas that we’ve seen take up the most activity
has been medical, the FDA. There are a couple of
people who champion this at the FDA, Suzanne
Schwartz and Seth Carmody who are phenomenal. And as a result, the FDA has
this pre-market guidance. They actually have post-market
guidance, which basically means you’re a medical
device manufacturer, and your product is
out on the market. And you get told that there’s
a security issue with it. How do you respond
to that situation? And previously, what
happened was medical device manufacturers would say,
well, if we make changes to the product,
we’re going to have to go through certification
again, authorization again with the FDA. And they would use
that as an excuse not to update the product
and fix the issues. The FDA recognized this
and said, hang on a second. We’re being used
as a justification for putting patients at harm. And so they responded. They had these two
phenomenal internal champions who got really into it and
who drove the discussion. And as a result, now we
have this great guidance. And they’ve changed the
way things are done. The FDA is by far and away
the leading light on this. So NHTSA, who regulate the
roads and cars and trucks and all that kind of
stuff, [INAUDIBLE].. SHANE STANSBURY: Not so much. JEN ELLIS: They had
guidance they came out with. It was OK as a starting point. And then it wasn’t really a
starting point, because they’ve not touched it since. And they are the second leading. So then you have this
long tail of like- SHANE STANSBURY: Right. JEN ELLIS: –you know,
what’s the FAA doing? Because, you know, airplanes,
that’s kind of scary, and boats. And so like there’s
a sort of long tail. SAM CURRY: Right. Before we move down, I
have to add one thing. This may not be visible
to you, but there’s a war among the nerds, right? There’s at least two
groups of technical folks. There’s those that are rushing
to produce new products and services and slow
down for nothing. This is entrepreneurism. Whoever gets there first has
millions of devices rolled out. And we are faced
with the equivalent of a digital pollution, right? So has anybody,
by a show of hands here, know the Mirai botnet? JEN ELLIS: Oh, oh, me, me. SAM CURRY: I would be surprised
if– a few of you, yeah. So this was cameras that
shipped so quickly that they were compromisable
in batch and usable for attacks against the general
public and to spy on people. Now, that company, what if
it’s only around three years? Now, there’s millions of cameras
out there not patchable, not recoverable, not
built correctly, because the technologists
rushed to get out there as entrepreneurs. On the flip side are those of
us who are security people who say, slow down. You have to build
security in right early. We can’t have these devices
like 20, 30 years forming digital pollution. It’s a lot like if
you were to go back in time to catalytic converters
and smog in cities, right? Rush to get the
vehicles out, and then deal with the
consequences after. That’s what we’re faced with. And I Am The Cavalry is great. They picked four
areas out of dozens– JEN ELLIS: Yeah. SAM CURRY: –of areas and
all the consumer products. Everything that can be
connected will be eventually. It’s just a question of when. So how many of those
can be abused and used against and will persist
in a dirty state? And that’s a major issue. So I just wanted to add that. Because it’s not that all
the technologists agree. ARI SCHWARTZ: That
actually flows into what I’m going to say anyways. And also, I wanted to
point out something which is what we’re
talking about now actually falls into
your first order– SAM CURRY: Yeah. ARI SCHWARTZ: –of
concerns, right? And I see a lot of
companies in the companies that I work with who they get
scared by the second order– SAM CURRY: Yeah. ARI SCHWARTZ: –which I
agree with you is the harder discussion to have. SAM CURRY: Which follows. ARI SCHWARTZ: And
if you are going to be truly able to
deal with the risk, you need to deal with
the second order. But the first order– SAM CURRY: [INAUDIBLE] up front. ARI SCHWARTZ: –everyone
should be able to deal with. It’s a way we deal with risk
all the time as you said. And not enough companies
right now think about it as– you know, we deal with
financial risk in a way. We can deal with cybersecurity
risk basically the same way, right, by figuring
out how we are putting policies and
procedures in place that regularize things. That doesn’t mean
something strange isn’t going to pop up, that there’s
going to be some anomaly that’s going to come along, that the
Russians might hack us, right? But it does mean that
we have the ability to go about figuring out how to
address the daily concerns that are going to come anyway. So I think that that is a key
point, especially for emerging lawyers. There is a way to
deal with this. Don’t let people say to you,
oh, we can’t do anything, because the Russians
might hack us. Because there’s this
nation-state hacking against us. There are things that you can
do on the regular daily basis for– SAM CURRY: Giving
less options, yeah. ARI SCHWARTZ: –kinds of things,
especially for insider kind of issues. And that’s really where I wanted
to go which is following up on this IoT discussion. There’s also we’re taking
that a step further. So, you know, the focus has
been on all these devices connecting. But beyond the
devices, you know, all the devices have components. And all those components today
connect independently as well and send stuff back
to their home base. And those components
in the future, we’re going to see a lot
more connections and the more complicated components
in these kind of devices that we see out there. So, today, we deal
a lot with kind of, you know, why is
this water system for this entire metropolitan
area hooked up to the internet? That makes no sense. We should do something
about that, right? But it’s a lot different when
every light bulb every, alarm, you know, every camera has
different pieces that are then connecting to the internet. And part of the move here is
this move to 5G mobile, right? So we’re seeing the
real benefit that’s coming out of the
next generation mobile is you can have
this mesh connection where everything will
be connected, including all of the components, right? And so that makes
the issue not just what happens to this device and
how do we control this device, but how do we decide
every component that goes into this device and to
make sure that they’re all secure as well. And you see this battle
being fought out right now on the front pages
of the newspaper. They don’t do a great job of
explaining it in the press. But this is what
the Huawei arrests are about is that Huawei is
sort of ahead or equal to US companies and European
companies now in the technology that they’re bringing
to the 5G space. In the past, they were
a little bit behind. In either case, their
products are cheaper, right? So they’re putting their
products in the space. For a long time,
national security experts have been concerned
that Huawei’s going to put components
into the telecom networks, and it’s going to phone home. It’s going to send
information back. So today, it looks like
it’s just a router switch. But tomorrow, they make
some slight change to it and all the
information goes back. Any information that touches
that router goes back to China, right? That’s the concern, right? Now, can they do that today? Is there a smoking
gun out there? That’s up for debate. But it is possible
that they could do it. So that’s the
national discussion for this and the reason we’re
seeing it on the front pages. But there’s an underlaying
discussion about this as well, which is every manufacturer that
is buying components now has to worry about every
component they’re buying, what they connect to, what
the rules are for those connections, what
the contracts– here’s the legal part, right– look like for all
those agreements. Anybody that’s now purchasing
anything into a company has to worry about what does
this thing that I’ve just bought do. What are all the component part? Who’s liable for it? How do we make sure
that the liability falls on the people we bought
it from and not on us or on the people
that are servicing it and not on us, right? That’s the legal and the
risk part of this discussion. It’s a lot more complicated
than it used to be. It used to be,
you know, just who is providing the service
would have the liability. Then it became now, you
know, in the FDA world, it’s sort of the focus
is on the device. Bringing that down
one level, now we’re talking about the component
pieces of that as well. So it’s a lot to take in
I think on these issues. But that’s sort of
the future as I see it from the risk management
space for lawyers. JEN ELLIS: Can I
just– sorry y– ask a question of the audience? Has anybody in the room
ever tried to write code? A few people. Awesome. So one of the things that we
hear about from people who are doing this– and, you know, our
companies both make software– is that today it’s less about
sort of building from scratch, and it’s more about compiling. There’s so many shared services
and pieces of technology that companies use. I mean, why reinvent the
wheel if you don’t have to? So when there are these
sort of shared libraries and these component pieces
which is part of the challenges, you know, a lot of what
Ari just talked about is where you have somebody that
is providing component that might be acting maliciously. But there’s also another
element where there’s like high degree of complexity. Because if you’re
building something and you’re using
shared services, there’s a question of who
owns the responsibility of maintaining and updating
those shared services. Who even like provides real
sort of clarity on what’s involved in those shared
services, or known security issues, or
other issues with them, or best advice on how to
configure them properly? And so what that means
is that you end up with, in your environment, in
your technology environment, you have layers and layers
and layers of technology. And you don’t even really
have full visibility into what you have there. So when there’s a sort of
a major news cycle that comes around that
says, hey, there’s this terrible security
issue, the first thing– SAM CURRY: [INAUDIBLE] JEN ELLIS: –that you have to
figure out is what of my stuff does that affect? And the first thing
that the person who found the issue
has to figure out is who am I supposed to even
disclose this to to tell them? Because who owns updating it? And how do you manage the
dissemination of information, so the people who make
the technology that uses it can fix it to protect
their users without providing lots of opportunity
for attackers in that sort of window that
it takes to do the fixing? So it’s hugely,
hugely complicated. And at the moment, this is,
again, one of the things that regulators
are really trying to struggle with is how
do you get around this. How do you address this? So one of the really
big topics at the moment is around something called
a bill of materials. The idea is that when you
sell a piece of technology, whether it’s hardware
or software based, you would provide a full
list of all the components that go into it along
with potentially any known vulnerabilities or
security issues. That then becomes like a
whole challenge of like, well, how granular do you go? And how frequently do
you have to update it? And are you updating
that publicly, in which case are you giving
opportunity to attackers? So there’s just so much
complexity around these topics even when you’re not talking
about malicious actors. And then you throw
into on the top of that the fact that you could have
component manufacturers who have very different
goals to the goal that you have as a
hardware maker or whatever. SAM CURRY: So I would like
to add two points to that. There are two trends that
happen in all natural systems. It happens in linguistics. It happens in
nature and genetics. It happens in business. It happens in software. The first is you get increased
specialization over time. So you wind up with more and
more specialized functions in a supply chain. So somebody says, I
just do this piece. We even see it in the dark side. We see the attackers
have those who write the software, those
who carry out attacks, those who do cash outs. So the first trend
is you’re going to find this increase
of number of players. And specificity
of what each does in supplying your bill of
materials is going to increase. The second is
globalization, which is each of those pieces becomes
commoditized and available from a global market. And so now we’re
talking about who affects my suppliers of things
in my bill with materials. So you might think I’ve
got it all worked out. I’ve got my bomb, as
it’s called, worked. I’ve got all my suppliers. I know them. And you’re going to find
that over very short periods of time, you’re getting
single points of failure. There are new players
you didn’t expect. And they’re breaking
up into pieces. So I would say the rate
of change of these things is increasing. So we’re talking about 2019. The future is getting
closer in a sense, right? The rate at which the
technology is advancing and these trends are
affecting you is increasing. So make sure that you have
processes when you actually are looking at these contracts
and suppliers that revisit them regularly. You can’t just say,
dealt with, move on. I don’t have to look
at it for five years. SHANE STANSBURY:
If I can go back to this issue of critical
infrastructure– and this relates to some of what
we’ve been talking about. Sam, I’m going to pose
this to you first. And I’ll let others chime in. And I’m picking on
you, because you wrote about this I saw recently. SAM CURRY: Hopefully,
I remember it. [LAUGHTER] SHANE STANSBURY: But this idea
of critical infrastructure vulnerability, when
I was in government we spent a lot of time
thinking about this along two vectors, both
sort of attribution whether there was
nation-state involvement and what are the probabilities
for critical infrastructure however one wants
to define that. And I think that I’m right, that
apart from the financial sector and sort of, you could
argue, the communications industry, that there
hasn’t been a large scale critical infrastructure attack– SAM CURRY: Not here. SHANE STANSBURY: –here. SAM CURRY: There have been
in places like the Ukraine. SHANE STANSBURY: There have. ARI SCHWARTZ: Saudi
Arabia, Ukraine. SAM CURRY: Saudi Arabia. ARI SCHWARTZ: Yeah. SHANE STANSBURY: So my
first question is, why not? My second question relates
to I think you called it a bull’s eye on our back. SAM CURRY: Yeah. SHANE STANSBURY: You know,
why does that bull’s eye still exist? And what do we need
to be thinking about? SAM CURRY: Yes, there’s a lot
of FUD, Fear, Uncertainty, and Doubt that’s used in
marketing and politics around cyber. There’s also a lot of hyperbole,
just exaggeration– weapons of mass cyber
destruction, for instance. So you’ll find it moves– JEN ELLIS: Cyber Pearl Harbor. SAM CURRY: Yeah, Cyber Pearl
Harbor, for instance, right? You’ll hear those terms. They move attention. They motivate people
on the basis of fear. The possibility of
attacks like that exist. Now, I believe that
we as a society tend to respond to
those things, right? A Pearl Harbor, a
9/11, we respond to. We take steps. It would be the same
in the cyber world. But let’s be clear. Nation-states do
stockpile attacks, right? Our nation does. Other nations do, right? The VEP here in the US,
and the NCIC in the UK, said that they will keep
certain vulnerabilities and develop exploits
against them. So they do stockpile these
things for use in war. But more importantly,
they actually use them for smaller objectives. But critical infrastructure
will be in the public eye. If there’s a failure,
politicians will fail, right? Motion will be called
for at high level. And it’s big bang for the buck
for those that have an agenda. So in the case of Saudi Arabia,
in the case of the Ukraine, we actually saw belligerent
nation-states or interest groups use these things, take
up critical infrastructure. And in the Ukraine,
it was in combination with physical warfare,
with kinetic warfare. SHANE STANSBURY: Right. SAM CURRY: It was done to
create chaos and disrupt command and control loops
and get inside the opponent. So this happened between Russia
and the Ukraine specifically and to embarrass and cause
failure on an economic scale. I think I would make
two points here. One is we are seeing a
convergence among actors. Like cyber actors, the actual
people who do the hacking, are not lone wolves in
their basement, right? These are companies,
organizations, and government departments. And we literally have the
current administration talking about a space force. That is an escalation in
a very expensive arms race that limits who can play to
five or six nations, right? But at a poor man’s
equivalent to that is cyber. You can play in the
great game of nations if you have a cyber arm. So absolutely,
expect that to act as an equalizer
among nation-states. But we’re also in a
multipolar situation right now, which means there are
many, many different countries, many, many different
interests all of which gain through disruption
and visibility. Think hacktivism. Think terrorism. Think criminal organization,
laundering money. By the way, why do people
attack banks, the misattribution to Willie Sutton? It’s because it’s
where the money is. So critical infrastructure
is where the attention is. It’s where the effect is. Expect it to be targeted. Expect it to be in
the political eye. And expect it to
get an awful lot of hyperbole and exaggeration. So that’s why I think it has
a bull’s eye on its back, especially this year. SHANE STANSBURY: Other thoughts? ARI SCHWARTZ: I
would say, I mean, we have seen attacks against
critical infrastructure beyond just those big ones
in Saudi Arabia, Ukraine, and Estonia kind of
at the big scale. But they’ve been smaller things. So like you had, you know,
the Bank of Bangladesh. SAM CURRY: Oh, yeah. North Korea. ARI SCHWARTZ: There
was a huge robbery that has been attributed
to North Korea. And they were asking
for a billion dollars, but fortunately someone
caught basically a misspelling in the request. SAM CURRY: [INAUDIBLE] right. ARI SCHWARTZ: That was the only
thing that stopped it, right? We’ve had the example like the
Atlanta and the San Francisco, you know, rapid
transit, where there have been ransomware
attacks against the systems. I consider that
to be pretty heavy critical infrastructure there. You also see other
ransomware attacks like the British health system. Maersk, right, got hit
by ransomware attacks. We had an LA hospital that
was literally shut down over a $12,000 ransom, right? SAM CURRY: The Maersk attack
was almost a billion in damage– ARI SCHWARTZ: Right. SAM CURRY: –to Maersk. Yeah. That was [INAUDIBLE]. ARI SCHWARTZ: And those are
all critical infrastructure systems. I mean, if you’re waiting
for the big catastrophe, you know you’re going to miss
the trees for the forest there. So I think we’re
seeing it already, but you know there
will be bigger ones. But, you know, they’re
happening all the time. SAM CURRY: Yeah. If you play the game of
being a bad guy or gal, you have options of which
attack vectors to use. And cyber is
cheaper, less risky, reaches everyone,
and very little chance of ever
holding you guilty and trying you in a
court of law, right? So it is the logical path
in the sort of choices that these the
opponents have to make. It’s the logical path for
them to take every time. And that’s why we’re
seeing so much of it. And on the flip
side, you’re really a stupid criminal if you’re just
holding people up with a gun, right? You’re not a very
bright nation-state if your focus is on buying
the next four jets, right? You’d do much better to
buy a room full of hackers at fraction of the cost. JEN ELLIS: So the only
thing I would add to that is when you think about the
dynamics of the sort of threat landscape in cyber
attacks, you have to understand what your
specific risk model is. So for example, your
average diabetic who has an insulin
pump attached to them is probably not going to
be a target for an attacker to hack that unless
they are, for example, the President of the United
States of America, right? And so– understanding
what your risk profile is. However, your average
car owner might be somebody that gets
targeted with people who want to just steal
cars, like boost cars and thinks hacking them is
a good way of doing that. So when you look at the topic
of critical infrastructure, what Sam and Ari were
highlighting was that the attacks that we’ve
seen that have affected the US and major global leaders
on critical infrastructure have been driven
primarily by profit motivations, ransomware
attacks, attacks against banks. Because the risk model
there is that they are subject to attackers who
are driven by profit rather than being subject to
attacks by governments who are leery of declaring war. And make no mistake,
if Russia was to take out part of the
national grid in the US, that is an act of war I think. I think there would be some
pretty serious discussion based on the response to
the Sony breach. And so you will see Russia
do that against the Ukraine. You won’t see Russia
do that against the US anytime soon, which leaves as a
potential category, yeah, yeah, yeah, absolutely, never
dare Russia, which leaves the potential
category, terrorism. And so I think the question
that you hear a lot– SAM CURRY: And activism. JEN ELLIS: –is why hasn’t
terrorism done this? And I think the
reality is terrorists aim to create behavioral change. And so if you go out
into a crowded area and you shoot a lot of people,
that makes people really scared to go out into crowded areas. And that creates a
behavioral change. If you knock out the power grid,
that creates a lot of chaos. And people will
definitely suffer for it. But how do your average
people change their behavior around that? Do they say, I’m not going to
rely on electricity anymore? So you have to think about
what is the goal that they’re trying to achieve to understand
what the risk models are to think about where is the most
likelihood that attackers are going to apply their attention. But I want to make one
thing quite clear, that– and this is going to
sound really funny. And I’m sorry. SAM CURRY: No, do it, do it. JEN ELLIS: But
the reason that we haven’t had a major attack
against our critical infrastructure isn’t because
our critical infrastructure is bulletproof. It is not the case that we have
systems that are just perfectly designed and impenetrable. The reality is actually that
most critical infrastructure is based on systems that were
designed to last decades. And they were never
really designed to be connected to the internet. SAM CURRY: And be
bomb proof, yeah. JEN ELLIS: Right. And so they were
designed to last through other kinds of change. They were designed to keep
going like worker bees. And now, people come along and
they’re like, you know what? We should connect
this to the internet. That will make
everyone’s lives easier. And, you know, it’s the reality
of the world we live in. ARI SCHWARTZ: The
tester doesn’t have to get up from his
desk over there and go all the way over there. JEN ELLIS: Yeah, yeah. SAM CURRY: I have to
tell a short story. So I live in a part of
Massachusetts that recently had houses exploding, right? I don’t know. How many of you heard of that? So I live in literally
the town, North Andover, where a natural gas mishap
caused them to explode. And I got a call as I was being
evacuated from the governor, because I’m on his
Cybersecurity Council. And he said, is
this a cyber attack? It was the first thing
he thought about. JEN ELLIS: Yeah. SAM CURRY: And the answer is no. We’re perfectly capable
of screwing up 100 houses and blowing up
businesses without cyber. [LAUGHTER] Right? JEN ELLIS: Yeah. SAM CURRY: But guess what is
now in the minds of people that [INAUDIBLE]? ARI SCHWARTZ: I was on the
National Security Council the other day when Delta’s
computer systems went down. The NASDAQ went down. JEN ELLIS: Oh, jeez. ARI SCHWARTZ: And there
a third thing, too. And they called us and said,
is a this cyber attack? SHANE STANSBURY: I
remember this as well. ARI SCHWARTZ: So we’re making
all these calls figuring out a cyber attack. You remember why the
NASDAQ went down? SHANE STANSBURY: Yeah. ARI SCHWARTZ: Because a
rat ate through the cable. SHANE STANSBURY: Exactly. [LAUGHTER] ARI SCHWARTZ: So if
someone was attacking the– [INTERPOSING VOICES] JEN ELLIS: So actually, I will
say in the security community we have a joke that squirrels
are the best hackers. ARI SCHWARTZ: Right. SHANE STANSBURY: Right. SAM CURRY: That’s good. JEN ELLIS: Because
every time there’s something in the national grid
that gets blamed on hackers, it’s actually squirrels
chewing through cables. There’s a whole New
York Times article. And it’s fascinating. It’s all about squirrels. I highly recommend
you check it out. SHANE STANSBURY: So I have
a lot of questions for you. But I want to leave
time for everyone else, because this is
really about them. So let me open it up. And I can chime
in along the way. Do you have questions? We have one right there. AUDIENCE: Yeah. I wanted to get a
sense of when you expect the next big
wave of regulation to actually take place. It does seem as if
it is inevitable. And given the scale
of development with the Internet of Things
and potential insecurities that may exist, I wanted
to get a sense of where– ARI SCHWARTZ: So
Europe’s moving faster than we are in regulation. And they actually
have a new process that just passed over
there that hasn’t got much attention
for IoT where they’re going to start certifying– SAM CURRY: [INAUDIBLE] ARI SCHWARTZ: Well, they
have a standards body that has the ability to start,
to certify a new product. And their first focus
is going to be on IoT. So I think that that is
going to get the most attention in the IoT space. I think otherwise, most
of the security stuff is kind of tagged
on to the privacy bills that are moving forward. I’m still skeptical that one
is going to pass very quickly. But if they did, I think they
would have security components tied to them that would have
pieces like this tied mostly around protection of personal
information and money, but other things as well. SAM CURRY: A big part of that’s
more of a political question as well. I’m met with a
bank back in 2002. And I remember asking the
chief security officer, how’s your data? And he said, great. I said, how’s your security? He said, terrible. I said, do you want to fix it? He said, no. He said, because
if I know about it, then I have to deal with it. And he said Sam, I would love
to buy your products, right? Because I could do
some amazing things from a security perspective. But I have a lifespan on
Wall Street of 18 months. And if I haven’t
established what my program is going
to be about, they’re looking for my
replacement in nine. And he goes, your product,
let’s assume it works, is going to take me four years
and cost $40 million to do. I don’t have that kind of money. So FFIEC came out
with an update in 2004 saying you must manage all
the logs in your organization. Suddenly, everybody bought
a log management system. They were terrible. They still don’t work
very well, right? But it forced companies to do
what they wouldn’t otherwise do. ARI SCHWARTZ: But this is
also why lawyers are important and also I’m at a law firm. Because if you bring
in outside counsel, it allows you to do it under
legal privilege exactly for the reason that
he’s talking about. I mean, look, you know, some
of Shane’s friends at DOJ always push back on me when
I talk about legal privilege. But it’s for this reason, which
is people don’t want to look. Because if they look,
then they have to fix it. SAM CURRY: Same thing
happened with [INAUDIBLE].. ARI SCHWARTZ: But
that’s the reason that legal privilege
exists is to say, we have a lot of liability. But you need to be able
to look and prioritize what comes first. And so lawyers play a
very key role in this. And in a lot of places
that we see that actually are fixing the problems and the
main problems, it comes from– SAM CURRY: But it
took a political– ARI SCHWARTZ: –the board or
the legal team pushing for it. SAM CURRY: But in
the macro scale for regulations coming about,
it took a political series of events and embarrassments. Another one happened around
strong authentication. Banking used to be just
username and passwords, period. ARI SCHWARTZ: But I think
even the regulations don’t make people do it until
they start getting enforced. SAM CURRY: Right. Well, so then they
turn up with that. ARI SCHWARTZ: And then
the lawyers come in or the board comes in and says– SAM CURRY: Right. ARI SCHWARTZ: –we have
to do something about it. Or the regulator
comes in and then they do something about it. SAM CURRY: Gen one is
usually a slap on the wrist. And everyone tries to get– JEN ELLIS: Not me. SAM CURRY: –grandparented
down– wrong gen, wrong gen. But HIPAA
violations used to be $25,000. The program to fix
it was $5 million. Until they turned up the
fines, nothing happened– NERC, FERC in the atomic space. I remember going to PG&E to meet
with fairly low level people. And the CIO turned up. And I’m like, why are you here? He said, oh, because
those guys are on the plane closing incidents. It’s a $1 million
per day per incident. And there’s 17 open. Yeah. They got the company jet
to go fix that, right? So suddenly, it
changed behavior. But even then the goal
is just to avoid fines. You’re still not getting
to good security, which is what do
you do with that. JEN ELLIS: So in
terms of regulation actually passing
in the US, you’re going to see it move much
faster on the state level than on the federal level. SAM CURRY: It’s
happened in California. It started. JEN ELLIS: There is
absolutely enormous resistance and lots and lots of very
well-paid associations that have lots of big companies
behind them pumping money into lobbying against
regulation in these areas. SAM CURRY: Companies
don’t like to be told how to behave, right? JEN ELLIS: Right. SAM CURRY: I mentioned
catalytic converters earlier. Buyers of cars like their cars. Sellers like to sell them. But until you couldn’t
breathe in cities, nobody forced unleaded
gasoline regulations in catalytic converters. It did take someone stepping
in and saying, enough. But that’s a political thing. JEN ELLIS: Yeah. So there’s a common theory that
until there is provable death or catastrophe– there has to be a bigger
catastrophe than NotPetya, which led to the incredibly
expensive situation that they just talked about
with Maersk and with Merck and has been labeled the
most expensive cyberattack of all time. Until there’s something that
people can point to and say, that catastrophe– And then what will
happen, unfortunately, is there’ll be a
knee jerk reaction. And it’ll probably go
in the wrong direction. SAM CURRY: But here’s
the scary thing. And we talked about
this last night. And I mentioned,
hinted at it earlier. The time for innovation
is getting faster. JEN ELLIS: Yeah. SAM CURRY: The impact of
every wave or generation of technology and its ability
to cause death and havoc is increasing. JEN ELLIS: Hurray. [LAUGHTER] SAM CURRY: You know, what’s
an internet generation? It’s about two years
before, trust me, we’ll all have different
phones, different laptops, different Wi-Fis, and
new devices in them. ARI SCHWARTZ: Well,
but technology to save lives is saving
lives faster rate, too. JEN ELLIS: Yeah. ARI SCHWARTZ: So on average– SAM CURRY: Great, so we’ll– [INTERPOSING VOICES] SAM CURRY: The potential
for damage is faster. JEN ELLIS: Yeah. SHANE STANSBURY: If I could
just piggyback off of a point that both Jen and Ari made
in different ways, which is the role of
lawyers and law firms, as we see this sort of wave of
regulation at the state level and also as we see law firms
stepping into this space– I think a lot of law
firms are setting up cybersecurity practices
without really knowing what they’re about. You work for a law firm that
has a particularly unique model, I think, that has a
sort of consulting arm as well as a legal arm. I’d like to just ask
Ari for a second, where do you see law firms
moving in this space? ARI SCHWARTZ: Yeah. Well, I think there are
a lot of clients asking for security and privacy help. I mean, sorry, a lot of clients
ask for security and privacy help. So law firms feel as though
they need to have a privacy and security practice. Usually, it’s both together,
privacy an security practice. Ours is separated, although
we work with the privacy team. And our privacy practice
is 20 years old. So they get a lot
of data breaches in there, which I think feeds
our practice a good deal. One thing that they found,
though, the reason that Venable brought me on was
because they felt as though a lot of
people in the firm were calling themselves
private cybersecurity lawyers. And, well, what does it mean
to be a cybersecurity lawyer? No one knows. It’s not like a field of law
that has been established. So there are some people
that call themselves cybersecurity lawyers that
are privacy lawyers that do data breaches. There are some people
that are actually telecom lawyers
that do ECPA cases or other kinds of
cases that come up every once on a rare while
with a cybersecurity side to them. There are some national
security lawyers that call themselves
cybersecurity lawyers, because they’ve done
some cybersecurity cases. And then, you know,
there’s also people that might do mergers or IP
around cybersecurity, which to me is like the
worst possible version of a cybersecurity lawyer. If you’re doing a
cybersecurity patent, that doesn’t make you
a cybersecurity lawyer. It makes you an IP lawyer. But those people are
all calling themselves cybersecurity lawyers. And one of the
things that we did was when I came in I put some
rigor around our practice. And if people started
just calling themselves cybersecurity
lawyers on their bio, we take it down if
they didn’t really work with our
practice, which I think is a key question for you
when you’re interviewing places and talking
to people that say that they do cybersecurity. Ask what kind of
cybersecurity law they do, what kinds of cases they get. And I think you’ll be
informed by their answer as to whether they’re really
doing the kind of work that you expect them to do
and what you want to do. JEN ELLIS: I’m now
going to contradict everything Ari just said. [LAUGHTER] SHANE STANSBURY: Oh, sorry. Go ahead. JEN ELLIS: So I would
ask you if you can really think of a walk of
life where technology doesn’t play a role these days. And I think the reason that I’m
contradicting Ari is because I think one of the biggest
challenges that we have in security– and it’s
security community’s fault, we did this– is we created this
idea of security as being this niche,
sort of black art. And in reality, that’s not how
it should be perceived at all. Security is just about making
the thing work how you want it to work reliably and safely. And so it should be just
a built-in component of any technology aspect. And since there’s really very
little aspects of our lives now that don’t have a technology
component in some way, I think that
whatever area of law you’re interested in
going into and think you’re going to
focus on, the chances are that you might end
up needing to brush up on security at some point. Because it should just be
the sort of [INAUDIBLE].. ARI SCHWARTZ: That’s fine if
you’re an in-house counsel. JEN ELLIS: Sure. ARI SCHWARTZ: That’s
not fine if you’re a partner at a law firm– JEN ELLIS: Oh, no, no. I agree. ARI SCHWARTZ: –selling yourself
as a cybersecurity expert. JEN ELLIS: I totally get it. And I actually do agree
with everything you said. ARI SCHWARTZ: Yeah. JEN ELLIS: The other thing
I would say is that– even as I’m about to say
the words, I hate this term. But I’m kind of a little
bit of a cyber hippie, so sort of like
peace and love man. ARI SCHWARTZ: That’s true. [LAUGHTER] JEN ELLIS: And so
you probably got that, because I’m all
about saving the world. And we’re all going to
die, but we don’t want to. SAM CURRY: And squirrels. JEN ELLIS: And squirrels, yeah. And so the thing
that I would say is that I think, as the
future of the legal world, you guys have enormous power. You have enormous potential. And so the thing
that I would ask is I come up every day against
basically the impact of lawyers who want to hold on to something
being the way it is today and not recognize that the world
is changing very, very fast. And the impact of that is that
the people who pay the price are users. They’re whoever is
using the technology. And so the thing I would
ask all of you to do is as you go forward,
whichever area you focus on and however you
embrace technology, that you just
think about how you can protect the people who are
your users and your customers. ARI SCHWARTZ: Well, also,
in a technology company, if you start being a lawyer that
says no all the time, people just work around you. JEN ELLIS: Yeah, that’s true. SAM CURRY: Yeah, it’s true. JEN ELLIS: That is
also pragmatism. ARI SCHWARTZ: They
don’t need [INAUDIBLE]—- SAM CURRY: It happens anyway. ARI SCHWARTZ: –in a
technology company. JEN ELLIS: Idealism, pragmatism. SHANE STANSBURY: Other questions
if we could keep them brief? Yes. AUDIENCE: Thank you very
much for coming here. And thank you for
sharing your insights. I wanted to ask you about the
problem of ransomware attacks. As far as I understand, the
victims of ransomware attacks, today they don’t
really have a choice except to pay the
ransomware attackers. And there have been
companies– many companies are forming intermediaries that
pay these ransomware attackers. So I wanted to ask you how
could this problem be solved? Because cyber insurance, even
if a firm has cyber insurance, the cyber insurance doesn’t
cover the ransomware attack. So how could we break this
incentive structure and– SHANE STANSBURY: And we’ve
only got 5 minutes left. If we can do a lightning round– JEN ELLIS: Yeah, I’ll
sit this one out. SHANE STANSBURY: –of
about 30 seconds each? SAM CURRY: Actually,
I’ll do fast. Separate consumers, because
that’s a very different problem from businesses. Businesses should plan to be
resilient against ransomware, so that even if they
get hit, it’s OK. Most ransomware is not used
now for cash extraction. It’s actually used to trigger
IT departments to clean up forensic evidence. So we’ve seen a
lull in ransomware. It’s actually on the decline. Many companies, us included, are
trying to provide any resource to help decrypt or recover. But companies can be
resilient, so that backups can bring things back. They can make sure that it
can’t hurt them that badly and do that ahead of time. My advice to them is to do that. ARI SCHWARTZ: I’d say
even a consumer could use a backup in the iCloud, right? I mean, backing up is the
key to stopping ransomware. Now, we still had a firm
client two weeks ago that was a large medical
practice that got hit. I think that you’re starting to
see lower level criminals start to use ransomware. Because it used to be like
if you paid the ransomware, they would leave you alone. This guy– SAM CURRY: Now,
they up the price. ARI SCHWARTZ: Pay
the ransomware, and he upped the price. He wants 2 more bitcoin, right? So I think that you really
do need to– just backing up is the key. And once it starts to really
be that everyone is doing it, then they’ll move
on to other stuff. SAM CURRY: And there are tools
that can help prevent it. They do exist. And so companies should
go through a little bit of an assessment overview. ARI SCHWARTZ: But
once you’re hit and you don’t have the
backup, your choice is basically to pay. SAM CURRY: Or not and
suffer the consequences. ARI SCHWARTZ: Yeah. JEN ELLIS: OK. You had 30 seconds. ARI SCHWARTZ: Right, sorry. JEN ELLIS: You’re good. ARI SCHWARTZ: So I agree with
you there, but it’s just– SHANE STANSBURY: Go ahead, Jen. JEN ELLIS: No, I’m good. SHANE STANSBURY: You’re good? JEN ELLIS: They got it. SAM CURRY: We stole hers. SHANE STANSBURY:
Other questions? Yeah, Sam. AUDIENCE: One of
the hacks that seems like it terrorists could– [AUDIO FEEDBACK] SHANE STANSBURY: Whoa. AUDIENCE: I think
it’s just the– anyway, that could change– JEN ELLIS: Technology. AUDIENCE: –terrorists could
change behavior or that could catalyze change and
regulation is taking control of planes, cars, pacemakers. Mostly that’s just
been white hat hacking. Is there any reason
that we haven’t seen black hat hacking in that way? JEN ELLIS: So I’m going
to ask you a question. How would we know? Do you think that today
when there’s a car crash that anybody investigates
whether the car was tampered with electronically? AUDIENCE: Probably not. JEN ELLIS: And if you are not
President of the United States and you drop dead and
you have a pacemaker, do you think they look to see
if the pacemaker was hacked? AUDIENCE: Probably not. JEN ELLIS: So I don’t think
it is the case that it’s happening a lot today. But I will say we have
no idea in reality whether or not it is. We base our assumptions on
this based on probability and the fact that we
think that we haven’t seen widespread enough impact to
make it think it looks like it. It would only be in
pretty targeted cases. ARI SCHWARTZ: So I think one
of the moves that’s gone on– and Rapid7 is active
in this space. And same reason
that some of this as well, not quite
as much, but it is getting a lot
more researchers out there looking at stuff. SAM CURRY: Yeah, we do that. ARI SCHWARTZ: And when the black
hat conference comes around in August, you hear
a lot of these things all out at one time. And it’s super scary. But for the most part, the
researchers are responsible. And they’re telling the
companies in advance. So things are fixed before
we actually see them, right? And so I think that’s the most– and that’s good. It’s a good cycle to have that. But it does kind of put us out
there in this world where there are these vulnerabilities
sitting out there that no one knows about. Someone could be hacking
them, could be exploiting them if they figure out about them in
advance without telling anyone. But we have a good community
now of researchers more and more every day telling people. And there’s this effort to do
bug bounty programs and all those where they pay
researchers if there’s a bug, you know, those kinds of things. I think those are
all positive things to get us less and less
vulnerabilities out there. But as we have more
connected stuff, you still have the
more difficult problem. JEN ELLIS: Yeah. The other thing that
I would add just quickly is when I was young,
which is a long time ago, there was this sort of
like received wisdom that everybody
talked about, which is that Macs were unhackable
and Windows systems were super hackable. And it was bullshit. What the reality was
was that attackers will go where the greatest
opportunity is presented and where they can
get the best bang for their buck or their reward. And so a lot more people at
the time, like a huge amount more people at the time,
used Windows systems. And so that’s where they
focused their attention. And I think that today, when
we talk about IoT attacks, there’s no real reason for
your average profit motivated attacker to focus in that area. Because your average
profit motivated attacker is getting so
much bang for their buck from phishing emails and
targeting big businesses. SAM CURRY: It’s easier. JEN ELLIS: And they require
no technical skill whatsoever. Where you have to worry
about IoT is two things. One, it’s the huge, huge, huge
proliferation and the fact that we’re going
to get to a point where everything
around us is connected. And two, it’s the idea of
specifically targeted attacks, where you’re really going
after somebody and the ability to target their– so, for example, you’ve
attracted a stalker. And that stalker is
watching you in your house. That is a horrible– SAM CURRY: I want to
chime in really quickly. SHANE STANSBURY: Sure. SAM CURRY: I published
a paper years ago called “Towards a Law of
Malware Probability,” that talks about applying
game theory when it’s financially motivated. You can look it up online. So you can see the
factors that they weigh when they attack you. JEN ELLIS: You’re so
much fancier than me. Game theory, look at you. SAM CURRY: That was
like 10 years ago. But it’s out there. You can go find it. The other thing is let’s stop
talking about boogeymen, right? Because there are
specific attackers that you will face
whether you’re legal counsel for a government
institution or a company. Which do you think is more
likely just as a hypothetical– you don’t have to answer,
a rhetorical question– that somebody would make
every car on the FDR in New York turn left at
60 miles an hour, right? That would be horrendous, right? Or that somebody would hack
ways and make them slightly more inefficient to drive
up the price of gas in order to manipulate
stock on the stock market? Right? So– JEN ELLIS: It comes
back to [INAUDIBLE].. SAM CURRY: –that
kind of attack– far less splashy,
far more profitable. And they won’t do
it even as long as they can still phish
people, as Jen said, right? So they will take the
path of least resistance to most return. It’s an ROI equation. So there you go. SHANE STANSBURY: We are
unfortunately out of time. We’ve scratched the
surface, but I think that we have learned a lot. And most importantly,
there’s plenty of work for future lawyers here. So thank you all for joining us. [APPLAUSE]

3 thoughts on “Cybersecurity Law and Policy: What Are the Top Issues for 2019?

  • ebennallie Post author

    5:35 to skip intro… but why would you 🙂

  • Cambridge Analyst Investigatior Post author

    Lets Stop China from sending out Gang Stalkers to Sabotage the U.S. with Chemical War fare..

  • Cambridge Analyst Investigatior Post author

    Cambridge Analytics Ex CEOs Mr&Mrs. Nix..
    JoeMarquetta.. (Leakers)Mrs. Nix number is 4156911364.
    My number is 415 336-3598 and my name is Eugene Hart … Im the Presedent Elect from the 2016 election. I am the main person that's steering the operation..

Leave a Reply

Your email address will not be published. Required fields are marked *