Automated Assistant: Welcome to the Cyber Risk Management podcast. Our mission is to help you thrive as a cyber risk manager. On today's episode, your virtual Chief Information Security Officer is Kip Boyle, and your virtual Cybersecurity Council is Jake Bernstein. Visit them at cyberriskopportunities.com and focallaw.com.

Kip Boyle: So Jake, what are we going to talk about today?

Jake Bernstein: Today Kip we're going to see what else lies at the intersection of cybersecurity technology, policy, and law, and to do that we're going to talk with the published author and professor Josephine Wolff. Josephine is the author of a recent book entitled, You'll See This Message When It Is Too Late: The Legal and Economic Aftermath of Cybersecurity Breaches. She's Assistant Professor of Cybersecurity Policy at Tufts University. So Josephine, welcome to our podcast.

Josephine Wolff: Thank you so much for having me.

Jake Bernstein: So what caused you to write your book?

Josephine Wolff: Well I've always been really fascinated by case studies of cybersecurity breaches, and I knew I wanted to sort of do a research project around a series of those case studies. One of the things that I find most interesting about them is this question of sort of who ends up paying for them? How does that get decided in court? What are the various legal battles and regulatory investigations that happen after something really hits the headlines?

I spent some time kind of going into some of these older breaches trying to understand if you wait a year, if you wait two years, what are the kinds of rulings that you start to see coming out of either the Judicial Branch or the Federal Trade Commission or other types of regulators or legal authorities. That was when I decided that what I really wanted to focus on was the aftermath of these breaches and sort of extending the timeline for the amount of attention that we usually pay to these types of incidents where there's a week, maybe two weeks, maybe three if it's something really big, and then it kind of fades away and we forget about it.

I really wanted to spend some time on kind of that long two or three year curve afterwards, where everything is very slowly wending its way through the legal process and the insurance claims are being filed and the regulators are sort of poking their noses into it. That was the genesis of this book was me trying to see sort of what can we do if we give a wider time horizon to some of these incidents and think about not just the immediate consequences, but the longterm cleanup and mitigation and settling of costs.

Kip Boyle: Oh Josephine, I read your book and I thought it was fantastic. There's really not another book out there quite like it. I love how you're kind of pluming the long tail on these things because you're right, they kind of burst into the headlines. Some of them don't ever actually burst into the headlines, but some of them do, and then they quickly go away as the new cycle pushes something else in front of us, but these things take a long time to resolve as you well point out. Anybody who reads the book will definitely appreciate that. So I wanted to ask you, how did you go about choosing the cases that you discussed and researched?

Josephine Wolff: Yeah, that's a great question. So there were so many cyber security incidents that I was so excited about and want to spend a lot of time on and I went through a lot of different ones before I landed on the nine that are actually in the book. Part of the selection process was I knew I really wanted to organize them according to the attacker's motivation. So the book is divided into these three sections and there are three case studies that are financially-motivated cyber crimes, then there are three cases around espionage, and finally there are three cases around what I call sort of public humiliation or revenge in which the attackers aren't trying to get money, aren't trying to steal secrets, they're just trying to kind of publicly shame the victims in some way. That would be something like the Sony Pictures breach or the Ashley Madison breach.

I knew I wanted a sort of good variety across those different categories because I wanted to look at all of these different models of what attackers might be trying to accomplish. Then within each of those categories, I spent a long time trying to think about first of all examples that I thought were representative of a larger class of attacks because when you do this kind of case study research, you don't just want to pick. So for instance, one of the cases I didn't do even though I'm very fascinated by it is Stuxnet, the worm that was used to interfere the Iranian Nuclear Development Program. Part of it was just that when I looked at that case I felt like this is so unique. This is so its own thing as compared to the other types of incidents we've seen that I don't think I can really generalize on it effectively. So part of it is I was looking for sort of case studies I could use that would stand in as examples of a larger set of cases.

So for instance, I look at the TJ Maxx breach and I use that a little bit as a stand in for a whole series of payment card breaches that we see in the retail industry, or in Gameover Zeus and CryptoLocker, I'm using that to sort of represent a whole trend towards ransomware. Similarly like the PLA Unit 61398 Economic Espionage is about sort of trying to represent that whole category of economic espionage and in some ways the most important selection factor, and this is an obvious one but a really crucial one when you're talking about cybersecurity breaches, was I needed in cases where there was enough information, there was enough either sort of legal procedure or reports or technical investigations or regulatory investigations that I thought I would be able to actually do the research, right?

There are so many things where everything is kind of trotted in proprietary company information or never quite makes its way into public records, and so that was also a really, really crucial deciding factor for me. I write about the Spamhaus attacks on the denial of service attacks. Again, I knew I wanted a denial of service attack in there because that's such an important class of incident. I chose those in part because they were really big and significant, but also in part because spam has actually gave CloudFlare the company that they work with to mitigate the attack's permission to publish information about them. So there were primary sources that I could go to and sort of look at what was the structure of these attacks? How were they being fought? That was a period of access that I just didn't have for a lot of other types of denial of service attacks.

Kip Boyle: Yeah. Well I thought the Spamhaus case that you covered was fascinating, and in particularly I enjoyed the opportunity to look into the world of blacklisting and the effect that it has on people who end up on black lists for being accused of being spammers, and I just had never really... I knew about blacklists, but I never knew anything about how they were put together or what the effect was when you re when you shouldn't be on one and how difficult it is to get yourself out of it and how it can be used as a weapon, a competitive weapon. So I just thought that was just like an extra bonus fascinating aspect of it. Well, I bet if you were going to write your book again, there's so many more cases, right? While Stuxnet, I can see why you wouldn't necessarily want to write that.

By the way, I think Kim's editor did a wonderful job in her Countdown to Zero Day. So if anybody wants to read about that, there's a wonderful book available that would let you do it. I think that's a completely different category of cyber war, right? So that's another super interesting area. Would you write about NotPetya or WannaCry? Because I just think those are just fascinating with the tremendous amounts of damage that they caused and all the litigation that really spun off that as people tried to file insurance claims and they've been denied to do acts of war clauses, and I just think wow, there's so much intrigue there.

Absolutely. So writing about cyber insurance has actually been a big focus for me the past year or so, and it's something I've been thinking a lot about. So I think I will write about NotPetya and WannaCry, and I have a little bit in shorter pieces, and I think it will be exactly sort of through that lens that you talk about of the insurance lawsuits that have come out of them because it's hard when you're looking at a tax like that to sue the attackers because we think that the nation states are behind them. There are some indictments, there are some ways of doing that, but the actual kind of legal proceedings that we've seen so far are very much again focused between insurers and the customers that are part of their policies, and that's very much sort of my sweet spot of different non attackers fighting with each other about whose responsibility this is.

So I think the insurance angle is a really important and interesting one. It's not as relevant for most of the cases I talk about in this book, partly because most of them emerged before many of these victims are holding any insurance policies. Nowadays that's not true. There are a lot of these insurance products that are being sold around cyber risk, and there are a lot of disputes about what they actually cover and what those expenses mean. So yes, I do hope that the next project will be really focused in on those insurer disputes and what this insurance industry looks like and how it's evolving and what some of the problems it faces are.

I think that's an excellent choice for a follow on book, no doubt.

Jake Bernstein: At the risk of derailing this particular episode, but I do think it is incredibly important and interesting to talk about, with insurance there's a tension between what the potential victims should and need to do in order to maintain coverage. I'm curious, given your position and the types of things that you think about on a daily basis, what is your general stance on say this kind of FTC reasonable cyber security requirement with respect to the fact that these are nation states, that you cannot sue the perpetrators. The whole thing, it really is a public policy quagmire and I tend to get overly focused on the current legal requirements, but policy is thinking about where things should go. So maybe just a comment or two on that, and then we'll continue on with this book.

Josephine Wolff: I have a lot of sympathy for the Federal Trade Commission and their unwillingness to sort of lay out any concrete security requirements or recommendations because of course as soon as you do that, every region is just going to go do those things and nothing else, and you're going to be in this very difficult position of having to update them and having to define them across a lot of different sectors and companies. At the same time, I also have a lot of sympathy for the companies that are looking for more guidance here and feel like we don't have a lot of resources or bandwidth to put into thinking about security. If you tell us what are the 10 things we need to do, we'll go out and do them, but if you just tell us it needs to be reasonable, that means something very different to different people in different standard setting organizations.

Honestly, I think it's a real failure of policymakers that there has been such reluctance to provide any more concrete guidance. I understand where it comes from, but I think that it leaves a real vacuum there for businesses that mean well that are trying, but that this is not their wheel house. This is not sort of where they've honed their expertise. I think we have to be a little bit braver and I hope the insurance industry will be part of this about saying look, we're willing to actually tell you what you need to do to avoid liability, and of course if there are crazy extenuating circumstances where it seems you've been really deliberately negligent, even though you may be obeyed the letter of the law, we'll reevaluate.

I think there's also just fear on the part of the policymakers of how are we going to be able to update this and how are we going to stay on top of evolving trends? I think they have to be less afraid of that. I think you have to accept yes, we're going to make some standards and we're going to have to change them once or twice a year, and that's just how this is going to go.

Kip Boyle: This is such a great conversation. I love where this is going because I have so much I want to say.

Jake Bernstein: This reminds me... I forget if it was last episode or the episode before, but we had started talking about a fire department for cyber security.

Kip Boyle: Right. Public infrastructure to deal with this.

Jake Bernstein: Public infrastructure to deal with this, and I think it is a really serious question. Fire is not always manmade, though it certainly can be, usually it's not, but yet cyber risk is always manmade by definition. So it's really just an interesting issue overall as to how we're going to deal with this.

Kip Boyle: Well, I think if we just look at the PCI DSS, the Payment Card Industry Data Security Standard, that's exactly the approach that they've taken is being extremely prescriptive and having detailed checklists and having to update them all the time, always fighting yesterday's battle is what I see there, and then having to also maintain it at the same time an entire cadre of approved assessors. Here's the thing about it, I just don't know that it's been all that successful in terms of preventing credit card data breaches because I don't know that any company that's experienced a credit card data breach wasn't considered PCI compliant immediately before the breach happened. I don't hear any stories about how Target was not PCI compliant and that's why they got breached. So I think the payment card industry has done a nice job of self-regulating to avoid government regulating. So in that sense it's been wildly successful, but I just don't know that it's been very useful beyond that.

Josephine Wolff: I think that's very fair. One of the things I write a little bit about in the book is the liability shift for credit cards around microchip enabled credit cards, and I think that's an interesting example to me, the cost of fraud finally pushing an industry a little bit over a cliff that they've been resisting for a long time to do something very expensive in the name of security, but also to do something that's not clear, it takes a huge bite out of fraud at the end of the day. It shifts it around, it moves more of it online and, but I don't think it's obvious that even that multi-billion dollar endeavor of replacing all the credit cards and replacing all the payment terminals has necessarily yielded the results we might have hoped for.

Kip Boyle: Yeah. I don't know that it has. Then the other thing is Josephine, I would also agree with you that I'm very sympathetic to the FTC is as they attempt to provide some kind of regulatory framework around this. I'm actually extra sympathetic because I actually think that they're doing the right thing, maybe not the practical thing, but I think they're doing the right thing by not being too prescriptive. I think the issue is that, and I think you put your finger on it, which is senior decision makers in organizations under FTC oversight, they just don't understand that cyber is a dynamic risk and they keep asking for a checklist and that checklist is how you manage a static risk like fire. So I think that everyone's head is in this space where, "Well, just give me the checklist and I'll take care of it, just like I do with all these other risks that I face". I think the FTC actually understands that it's not a static risk, but they don't know how to communicate that.

Josephine Wolff: That's really interesting.

Jake Bernstein: Well I think that they're getting better at it. I think if you take a look at the most recent set of consent decrees from the FTC cases, you start to see this kind of newish "at a minimum" standard and they do list a whole lot of things to do, but they're more process oriented. You must have a written security program that must be reviewed on an annual basis. You must involve the board. You must do incident response, planning and practice, things that do respect the idea the fact really that cyber is a dynamic risk that isn't susceptible to a checklist. In fact, think of the gift that we would be giving cyber attackers if we did publish a checklist. "Well, this is great. I know exactly what everyone's going to do, so I'll just do something that goes around this list". I mean, it would be utterly pointless to give a checklist to anybody because fire doesn't innovate Kip, nor does fire care what we do, whereas cyber attackers absolutely are going to utilize that information to their advantage.

Kip Boyle: They study us all the time.

Jake Bernstein: Yes, exactly.

Kip Boyle: All the time. All right, so I'm going to discipline myself here and I'm going to say let's refocus on Josephine and her wonderful book. So let's think about our listeners, and so now Josephine I'm just going to ask you what are the main lessons that our listeners should take away from your book? I hope that they get it and read it because I think it's fantastic, but let's bait a hook here. Let's tell them what they're going to get if they read it. So what's the first thing?

Josephine Wolff: Sure. So I think the first lesson for me is that there is an unbelievable amount of ambiguity around who's responsible for cyber security incidents and because are so many different companies and stakeholders involved on the internet, right? You have internet service providers, you have software developers, you have hardware manufacturers with payment processors, you have web hosts, DNS operators on and on and on. That's created this really kind of complicated and rich ecosystem, but the question of who is responsible for security in all of the different ways that security can be implemented on the internet is really still a very unanswered one in our legal structures, in our liability regimes. That means that there's no clear way to assign blame, there's no clear way to determine where the financial incentives lie, and because of that there's a lot of freedom for all of these different stakeholders to point their fingers at each other and say, "Well it's not our fault there was a bot here. It's the service providers who are carrying all that bot traffic" and the service providers say, "Well, it's not our fault. It's the DNS operators who..."

So there's an enormous amount of finger pointing, which is enabled by the fact that regulators, policymakers, courts have not done a good job of trying to sort out, "You are responsible for security within this scope for the kinds of things you can control, and you're going to be responsible for another component of security" because it's really complicated. It's really hard, and a lot of people in policy roles and legal positions don't necessarily understand who all of the stakeholders are, what role each of them plays. One of the things I write about has to do with the certificate authority that gets compromised. I think that's a good example of sort of the kind of stakeholder that's really, really essential for online transactions, but also not very well understood outside of the technical community.

Jake Bernstein: Definitely not, and I was going to just point out the example that you write about the South Carolina data breach and the tax records and the IRS. That was just a frenzy of finger pointing going on in very fascinating ways, particularly because it was finger pointing between government agencies. "Oh, you should have told us to do that." "Well, you should have done this". It's an older event in the scheme of cyber attacks and it would be interesting to see how it played out today, but I think it is a prime example of the issues that are going on here and the ambiguity that you just mentioned.

Kip Boyle: I think we're seeing role shifting too. So today I saw an announcement by Microsoft that they've just taken down this botnet, I think it's called Necurs N-E-C-U-R-S, I don't know if I'm pronouncing that right, but this botnet that has been up and running for eight years and they just managed to cripple it so severely that they think it's dysfunctional now or defunct. Think about this, Microsoft just announced that it had to coordinate with internet service providers, domain registries, government search, cybersecurity firms, law enforcement, across 35 countries. It took them eight years to take this thing down. It wasn't an FBI announcement, it was a Microsoft announcement. What in the world? Could you imagine if there was a private company that announced that they just captured the most recent armed robber at a local bank branch? Everything is just weird.

Josephine Wolff: Yeah, I think that's exactly right that there are sort of distinctions between government and private industry that are really being blurred and confusing and perhaps not always beneficial ways in this space.

Kip Boyle: So no wonder why everyone's looking at each other going, "I don't know".

Jake Bernstein: So I have some insight on that particular set of circumstances. The Microsoft Cyber Crime Unit is staffed with largely former government lawyers, and they're in a really interesting spot. We could have an entire episode on just this to be honest.

Kip Boyle: I'll write that down.

Jake Bernstein: Josephine, it's pretty clear that we should have you back because there's a lot of stuff to talk about beyond the scope of your previous book of course, but Microsoft has the technical chops to research and deal with these situations, and a lot of the times the civil courts are much more effective than the criminal courts at dealing with these type of issues. Just by and large, speaking as a former Assistant Attorney General for state of Washington here who was very, very active in internet crime and internet consumer protection violations, it is incredibly frustrating because the world's legal infrastructure is not designed to handle this action at a distance thing that that is the hallmark of cyber crime is nobody really foresaw what is going to mean to the court system and just-

Kip Boyle: Law enforcement.

Jake Bernstein: - Hundreds of years of legal precedent and law enforcement activity to suddenly, "Oh, so wait a second. The perpetrator of this crime is in Nigeria"-

Kip Boyle: Estonia.

Jake Bernstein: - "Estonia, former Soviet Republics. What are we going to do?" It's a major problem and that's before you even get to issues around maybe it's actually nation state sponsored. So it just doesn't end.

Kip Boyle: Okay, so the main lessons that listeners should take away from your book Josephine, the first is ambiguity, which I think we've been very clear on the ambiguity, right? What's the second one?

Josephine Wolff: The second one I think kind of comes back to the point you were making about how courts have been handling this, and that is that we're not super well equipped in the legal system to deal with the kinds of incidents that are not financially motivated. The kinds of injury we understand are generally tied to loss of money. When we're talking about some of these weirder incidents like Sony Pictures, like Ashley Madison, where what's being done is not necessarily theft or not directly theft, even if some of these incidents sometimes enable that, but instead of kind of large scale public shaming by releasing proprietary or personal or confidential documents or information, then it becomes really challenging for individuals to sort of be able to make the case that they've been hurt in some way, and that they deserve compensation.

I think the Ashley Madison breach is a good example of this, where the people who were trying to sue the website who had been its customers were first forced to reveal their full names by the court, and then sort of a lot of their claims around what had actually happened to them were dismissed as not being kind of sufficiently concrete or being a little bit too speculative. I think there's a real challenge there as we see new types of cybersecurity breaches that are not just about how do I steal money, but also about all of these other complicated issues and how we're going to provide incentives for companies to defend against that if when those things go to court, they're often being dismissed as sort of not clearly financially tied in any way.

Kip Boyle: Like CCPA, right Jake?

Jake Bernstein: Yeah. I was going to say, I think we're starting to solve those problems through simply by creating new laws that recognize loss of privacy as a cause of action, and then attaching a statutory damages figure to it, CCPA being the perfect example. There's many, many more coming.

Josephine Wolff: I think a real source of progress in this, even since the book came out, that we've seen some real sort of strides forward in terms of regulators acknowledging that privacy is itself something that should be protected.

Jake Bernstein: Much like trying to be a lawyer and a practitioner in this space, trying to be a writer and a researcher has got to be slightly frustrating because it takes a good solid year or two years to write a book, and by the time you publish so much has already changed.

Josephine Wolff: Absolutely.

Kip Boyle: Yeah, you got to pick your subjects carefully. Okay Josephine, what's the third main lesson our listeners should take away from your book?

Josephine Wolff: So the third main lesson for me has to do with this question of what are the types of cybersecurity incidents that you can interfere with or interrupt most effectively. My takeaway from this research has been that you can do that best when there are really big, powerful, centralized intermediaries, like say the payment networks, Visa or MasterCard who are at the center of whatever kind of crime or security breach is going on. When I sort of trace different models of financial cyber crime, as you see those centralized intermediaries cut out of the process, say through cryptocurrency transactions, which are the underpinnings of most ransomware now, you see that it gets more and more difficult to create incentives for anybody to intervene.

I think a lot of that is just about pushing the costs of these breaches out more and more to individuals so that instead of your credit card number being stolen and fraudulent charges being put on that credit card and you call up your bank and they cover that for you, now when we look at a ransomware model, those are payments that individuals or companies have to make themselves directly unless they have insurance, which brings it back to the insurance conversation. That really removes the centralized incentives for any powerful intermediary to say, "Yes, this is costing us money. We need to invest."

Kip Boyle: As a cybersecurity practitioner what we often are trying to do is create choke points, right? Single places where you can funnel activity, and it just makes it easier to monitor that activity and control that activity. When everything is distributed then it's like, "Oh my gosh, I can't cover all this territory. It's just too much resources required." So then I got to make hard choices about, "Okay, well which parts of the territory will I cover?" and of course the threat will go to the dark places that I can't put a light on. So yeah, I get that.

Jake Bernstein: Well and I think too kind of almost combining, or at least taking a take into consideration all three of these lessons is that right now is an interesting time period in cybersecurity policy and liability in so far as there is a lot of, we'll call it low hanging fruit, in terms of getting private actors up to speed. I think that's where the FTC's enforcement actions and policy comes into play. The question that, again another episode entirely, basically is what do we do when there is kind of a general reasonableness about everyone's cyber security posture, kind of like we have now with fire. Everyone knows what they need to do and fire still happens. It still happens, but there's not a lot of question about... There's not a lot of ambiguity left in terms of fire and given the human centric reality of cyber crime, it's just fascinating to me to try to figure out where this is going to be in 10, 20, 50 years.

Kip Boyle: Yeah. It's going to look a lot like this I think, except we're going to be a lot older.

Jake Bernstein: It may be.

Kip Boyle: Okay, so Josephine let's wrap up the episode with your suggestion to our audience about what specific steps should they take given all this ambiguity and decentralization and all the difficulties. What should they actually do to manage their cyber risk?

Josephine Wolff: So because I've been spending a lot of time on cyber insurance, one of my recommendations is sort of thinking about comprehensive insurance policies that cover first and third-party costs, that cover legal fees and settlements and things like that. There are definitely a lot of complications around all of those things as well, and I'm not going to suggest... I think that's a panacea for everything, but I do think there are cases where we see it helping out individual victims a great deal.

I think also thinking about sort of contracts with third parties and cloud providers is really important right now because so much, especially for some of the smaller businesses is being contracted out to other vendors, and even if it's not directly your security vendor, could be somebody who has some access to your systems for whatever service they're providing, thinking about sort of all of those interconnected potential sources of risk and trying to be really clear in those contracts in those agreements about who's responsible for what, so that if something does go wrong, it doesn't lead to one of these really messy protractive legal fights.

Kip Boyle: Definitely. Okay well-

Jake Bernstein: I think we're going to have to have several more episodes with Josephine.

Kip Boyle: Well let's give her a chance to think about what her experience was on this episode, and then we'll check with her later, but I echo that absolutely Jake. I think there's so much more to talk about.

Josephine Wolff: I'd love to come back, it's been really great.

Kip Boyle: We do have to wrap up this episode, so Josephine thank you so much for being our guest today.

Jake Bernstein: Yes, thank you very much.

Kip Boyle: Where can people learn more about you and your work?

Josephine Wolff: Thank you. I'm a professor at Tufts University, so I have a website there, and I'm also on Twitter at Josephine C Wolf.

Kip Boyle: Excellent. Okay, well that wraps up this episode of the Cyber Risk Management podcast. Today we learned how conflicting interests and complexities and assessing liability and then blame, all of these things are a serious obstacle to keeping the internet secure, and we examined all this with the help of a professor and published author Josephine Wolff. We'll see you next time.

Jake Bernstein: See you next time.

Automated Assistant: Thanks for joining us today on the Cyber Risk Management podcast. Remember that cyber risk management is a team sport, so include your senior decision makers, legal department, HR, and IT for full effectiveness. So if you want to manage cyber as the dynamic business risk it has become, we can help. Find out more by visiting us at cyberriskopportunities.com and focallaw.com. Thanks for tuning in. See you next time.