Legal Landmines: How Law and Policy are Rapidly Shaping Information Security

Presented at Black Hat USA 2018, Aug. 8, 2018, 1:30 p.m. (50 minutes)

The Internet was a much different place 25 years ago. Technology, and the free flow of information has rapidly changed the world forever. Along with that change came the frightening prospect of losing all of our privacy, attacks on our critical infrastructure, election tampering, invasive ad targeting, and the general paranoia that comes with knowing that no technology is safe. The law, regulatory bodies, and government policy has struggled to keep up with this change, but times are changing. In recent years, we have seen the legal community at the front of some of the most important battles regarding information security. The legal communities impact on information security is growing every year. This panel brings together some of those insightful and forward thinking minds to discuss some of the emerging legal trends in security that will impact all of us tomorrow.

Presenters:

• Amit Elazari - Doctoral Candidate, UC Berkeley School of Law, Center for Long-Term Cybersecurity, UC Berkeley School of Information
  Amit Elazari is a doctoral law candidate at UC Berkeley School of Law and a Berkeley Center for Long-Term Cybersecurity Grantee, as well as a member of the Algorithmic Fairness and Opacity Working Group at UC Berkeley. She graduated Summa Cum Laude from her LL.M. in IDC, Israel and she holds an LL.B. and a B.A. in Business Administration (Summa Cum Laude) from IDC, Israel. Her work has been published in leading technology law journals, presented in conferences such as RSA, USENIX Enigma, BsidesLV, BsidesSF, DEF CON-Skytalks and Women in Cybersecurity, and featured in leading news sites such as Vice, The Washington Post, The Guardian and The Verge. Additionally, Amit teaches at Berkeley’s Legal Studies program and serves as the submissions editor of BTLJ, the world’s leading Technology Law Journal. On 2018, Amit was granted a CLTC grant for her work on private ordering regulating information security, exploring safe harbors for algorithmic auditors and security researchers.
• Allison Bender - Counsel, ZwillGen PLLC
  <p>Allison Bender counsels Fortune 50 companies and startups in a range of industries on cybersecurity and privacy matters in the U.S. and internationally. Drawing from her roots in government, national security, and R&D, she helps clients navigate legal issues associated with emerging technologies and aids clients in strategically managing legal, financial, and reputational cybersecurity risks. Allison translates technical, operational, legal, and policy issues to create practical solutions for clients’ legal challenges. Her cybersecurity and national security preparedness counseling is informed by over 80 incident response efforts. When drafting corporate policies and considering product design options, Allison’s advice is seasoned in the management of breaches involving personal data, intellectual property, payment card information, export controlled technical data, and other regulated information. Her experience also extends to counseling on cybersecurity and national security due diligence in mergers and acquisitions, vendor management, and transactions.</p> <p>Most recently at Hogan Lovells, Allison focused on cybersecurity matters including preparedness, risk management, incident response, engagement with law enforcement, and public policy strategies. Before joining Hogan Lovells, Allison served as a cybersecurity attorney at the Department of Homeland Security (DHS), where she advised the Office of Cybersecurity & Communications on cybersecurity and privacy laws, regulations, and policies.</p> <p>From DHS, Allison brings experience in incident response as well as cybersecurity policy, information sharing, liability, and incentives. She was the primary operational legal counsel for the federal response to the Heartbleed vulnerability, the USIS-KeyPoint data breach, and the Healthcare.gov data breach. She served as Chair of the Automated Indicator Sharing Privacy & Compliance Working Group, provided primary legal advice for the implementation of Executive Order 13691 regarding Information Sharing and Analysis Organizations (ISAOs) and private sector clearances, advised the DHS Cyber Information Sharing and Collaboration Program (CISCP); and advised the Interagency Task Force implementing Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” Presidential Policy Directive 21, “Critical Infrastructure Security and Resilience,” focusing on the “NIST Cybersecurity Framework,” development of the Section 9 list, classified and unclassified information sharing, liability, and incentives. Allison was also principally involved in DHS policy efforts related to cybersecurity export controls, particularly Wassenaar implementation.</p> <p>Before focusing on cybersecurity, Allison spent six years at DHS negotiating complex international and domestic multimillion dollar research and development agreements in a variety of emerging science and technology areas. She served as Chief Negotiator for the United States Government on nine legally binding international agreements. She led the oversight of over $1 billion in DHS activities, leading compliance programs for export controls and treaty and regulatory compliance. Allison also spent four years as primary counsel for the SAFETY Act, providing legal advice on legislation that protects companies with antiterrorism technologies, laying the groundwork for many of the policies and procedures for its current operation and reviewing over 500 applications.</p> <p>Allison received her L.L.M. in National Security Law, with distinction, from Georgetown University in 2012, a J.D. from Washington & Lee University in 2006, and a B.A. from the University of Virginia in 2003.</p>
• Leonard Bailey - Special Counsel for National Security, U.S. Department of Justice
  Leonard Bailey is Special Counsel for National Security in the Computer Crime and Intellectual Property Section. He has prosecuted computer crime cases and routinely advises on cybersecurity, searching and seizing electronic evidence, and conducting electronic surveillance. He has managed DOJ cyber policy as Senior Counselor to the Assistant Attorney General for the National Security Division and then as an Associate Deputy Attorney General. He has also served as Special Counsel and Special Investigative Counsel for DOJ's Inspector General. Mr. Bailey is a graduate of Yale University and Yale Law School. He has taught law courses at Georgetown Law School and Columbus School of Law in Washington, D.C.
• Paul Rosen - Partner, Crowell & Moring LLP
  <p><span style="font-size: 10pt;" data-mce-style="font-size: 10pt;">Paul Rosen, the former Chief of Staff at the Department of Homeland Security, is a partner at the law firm Crowell & Moring where he focuses on white collar criminal defense, government enforcement actions, privacy and cybersecurity for corporate and individual clients. </span></p><p><span style="font-size: 10pt;" data-mce-style="font-size: 10pt;">Prior to entering private practice, Mr. Rosen spent more than a decade working across all three branches of the federal government. He held senior positions in the Obama Administration at the Department of Homeland Security and the Department of Justice, and also served as counsel to then-Senator Joseph R. Biden on the Senate Judiciary Committee. </span></p><p><span style="font-size: 10pt;" data-mce-style="font-size: 10pt;">In his most recent government position as Chief of Staff at DHS, Mr. Rosen managed the operational, organizational, policy, and legal needs of the third-largest department of government, with 230,000 employees, a $60 billion budget, and 22 component agencies. In doing so Mr. Rosen oversaw DHS’s response to some of the most sensitive and complex challenges facing the United States, including significant cybersecurity events and other national security and counterterrorism incidents.</span></p><p><span style="font-size: 10pt;" data-mce-style="font-size: 10pt;">Before joining DHS, Mr. Rosen spent more than four years at the Department of Justice including as a federal prosecutor in the U.S. Attorney’s Office for the Eastern District of Virginia and in the Criminal Fraud Section of DOJ where he prosecuted financial crimes across the country. </span></p><p><span style="font-size: 10pt;" data-mce-style="font-size: 10pt;">In private practice Mr. Rosen’s work includes incident preparedness and response, and defending and responding to government inquiries and related litigation in connection with cybersecurity and privacy issues. In 2017 the National Law Journal named Paul a <em>Cybersecurity and Data Privacy Trailblazer</em> and the Los Angeles Business Journal selected Paul for its <em>Cyber Security Lawyer of the Year</em> award.</span></p><span style="font-size: 10pt;" data-mce-style="font-size: 10pt;">Mr. Rosen earned his J.D., Order of the Coif, from the University of Southern California School of Law and his B.A., <em>summa cum laude</em>, from the University of Colorado at Boulder. After graduating law school he served as a law clerk to U.S. District Judge Gary Allen Feess in the Central District of California.</span>
• Jennifer Granick - Surveillance and Cybersecurity Counsel, American Civil Liberties Union
  Jennifer Granick fights for civil liberties in an age of massive surveillance and powerful digital technology. As the new surveillance and cybersecurity counsel with the ACLU Speech, Privacy and Technology Project, she litigates, speaks, and writes about privacy, security, technology, and constitutional rights. Granick is the author of the book American Spies: Modern Surveillance, Why You Should Care, and What To Do About It, published by Cambridge Press and winner of the 2016 Palmer Civil Liberties Prize. Granick spent much of her career helping create Stanford Law School’s Center for Internet and Society. From 2001 to 2007, she was Executive Director of CIS and founded the Cyberlaw Clinic, where she supervised students in working on some of the most important cyberlaw cases that took place during her tenure. For example, she was the primary crafter of a 2006 exception to the Digital Millennium Copyright Act which allows mobile telephone owners to legally circumvent the firmware locking their device to a single carrier. From 2012 to 2017, Granick was Civil Liberties Director specializing in and teaching surveillance law, cybersecurity, encryption policy, and the Fourth Amendment. In that capacity, she has published widely on U.S. government surveillance practices, and helped educate judges and congressional staffers on these issues. Granick also served as the Civil Liberties Director at the Electronic Frontier Foundation from 2007-2010. Earlier in her career, Granick spent almost a decade practicing criminal defense law in California. Granick’s work is well-known in privacy and security circles. Her keynote, "Lifecycle of the Revolution" for the 2015 Black Hat USA security conference electrified and depressed the audience in equal measure. In March of 2016, she received Duo Security’s Women in Security Academic Award for her expertise in the field as well as her direction and guidance for young women in the security industry. Senator Ron Wyden (D-Ore) has called Granick an "NBA all-star of surveillance law.”
• Joseph Menn - Technology Projects Reporter, Thomson Reuters
  <p>Joseph Menn is an investigative technology reporter at Reuters, having previously worked for the Financial Times and Los Angeles Times. He wrote the influential 2010 bestseller “Fatal System Error: The Hunt for the New Crime Lords who are Bringing Down the Internet,” a real-life thriller that brought the modern face of cybercrime to a mainstream audience. It was placed on the official reading list of the U.S. Strategic Command and named one of the ten best nonfiction works of the year by Hudson Booksellers. He also wrote “All the Rave: The Rise and Fall of Shawn Fanning’s Napster,” the definitive inside account named one of the three best books of the year by Investigative Reporters & Editors Inc. His next book will be out in early 2019.</p><p>Menn won the 2017 prize for breaking news from the Society of American Business Editors & Writers for revealing that Yahoo had secretly scanned all user mail for the Foreign Intelligence Surveillance Court. In 2006, he was a finalist for best technology coverage for stories that included Microsoft's decision not to warn Hotmail users including minorities, journalists and human rights lawyers that its investigators believed their emails had been captured by the Chinese government. Also at Reuters, he reported that security icon RSA accepted $10 million to include an NSA-crafted pseudo random number generator as the default in a software security kit and that internal Kaspersky Lab emails bolstered claims by former employees that it had tricked rival security competitors into recording false positives on customer machines.</p><p>Menn has spoken at conferences including Def Con, Black Hat DC and RSA.</p>

Links:

• https://www.blackhat.com/us-18/briefings/schedule/#legal-landmines-how-law-and-policy-are-rapidly-shaping-information-security-11855
• https://infocon.org/cons/Black Hat/Black Hat USA/Black Hat USA 2018/Legal Landmines - How Law and Policy are Rapidly Shaping Information Security.mp4
• https://www.youtube.com/watch?v=cBNZNotSlQM

Similar Presentations:

• The Circle Of HOPE (2018) / "Help! My Toaster's Attacking Me!" and Other 911 Calls of the Future: An Update on the Legal and Policy Landscape for the Internet of Things
• H2K (2000) / The Legal Panel
• THOTCON 0x6 (2015) / Being a Victim can be a Crime [Ain’t Losin’ Data a Breach?]