Combine an academic, a practitioner, a techie, and a lawyer, and you have Dr. Amit Elazari Bar On, director of global cybersecurity policy at Intel and lecturer at UC Berkeley’s School of Information, whose focus is cyberlaw, privacy and intellectual property.
Before Intel, Elazari Bar On promoted Israeli patented photovoltaic technologies and served in an Israeli military elite intelligence unit.
In short, she knows her cybersecurity and isn’t afraid to share.
In partnership with the UCLA Burkle Center for International Relations, Elazari recently held a live podcast to discuss her research in cybersecurity, patents, copyright, privacy and private ordering, and the evolving cybersecurity issues plaguing companies.
The focus was on security as one of the fastest-evolving and most impactful areas of regulation, and on proposed initiatives in data protection, Internet of Things (IoT) security, Coordinated Vulnerability Disclosure (CVD), and more.
Following are highlights from Elazari’s talk:
The ethical hacker and bug bounties
Elazari discussed the emergence of the ethical hacker, someone who looks for vulnerabilities in systems and reports them to the vendor so it can mitigate them and issue a patch.
She referenced the drone manufacturer DJI’s bug-bounty program, and explained, “This is basically a concept that is really developing among not just Silicon Valley companies, but the entire technology sector.
“This is the idea that companies can actually collaborate with external hackers, ethical hackers, friendly hackers, and security researchers,” who are not employed by the organization, “but out there testing the devices for potential security vulnerabilities or for potential issues that might leak information of users or whatnot.”
The companies are “actually offering money bounties, yes, like in the wild, wild West,” Elazari continued.
The security community, she said, has embraced the concept of bug bounties, and the practice is becoming increasingly popular in Europe, particularly in the Swedish and Dutch communities.
Hacking, however, is not clean nor does it work according to a plan, she said. “It’s really about collaboration and increasing collaboration, and this is going to be more important as we think about all the regulatory initiatives and concepts that we have in the area of IoT security, an area which is definitely critical,” she said.
In the DJI case, an ethical hacker found a vulnerability and reported it, she said, but due to miscommunication and disagreements, “a legal threat letter was exchanged, mentioning one piece of legislation that you might have heard about, computer crime and fraud, the Computer Crime Fraud and Abuse Act,” she said.
The Computer Fraud and Abuse Act (CFAA), Elazari said, is one of the main anti-hacking laws in the United States.
“It basically deals with the legality of activities like hacking and unauthorized access to computers and deals with issues of criminal and civil liability around hacking,” Elazari explained. “And those are issues that we still have some legal ambiguity around, academically speaking, here in the United States. It touches upon key issues like the legality of scraping information from the internet, and the relationship between employees and companies, and how employees potentially violate the company[’s] computer-usage policies.”
Because of how interconnected everyone seems to be, “what we’re seeing with connectivity, [are] definitely proposed regulations of policies in the area of security and privacy,” Elazari said. She brought up the California Consumer Privacy Act (CCPA), the state’s privacy law, which takes effect for California consumers in January 2020.
“This is just one example of the kind of issue that we’re seeing [in the] regulatory landscape, the issue of equipping users with rights about their data,” she said.
The focus of cybersecurity issues, she said, is less on breaches of confidentiality than on the misuse of information and how it is handled.
Control of personal data
“In the past, conversations [focused on the] kind of damages [that] arise, data harms,” she said. “Today, we are seeing regulators talking a lot about data rights,” basically regulatory concepts where, “individuals have in their data, the right to delete, and right to port their information. All of these concepts are expansions we’re seeing in the regulatory landscape, and we need to think about things like harmonization, as we address those issues.”
“Regulators,” she continued, “are becoming very technical and very tech savvy. So the Federal Trade Commission, the main consumer protection organization here in the United States, has done a lot of work in the area of security. And what’s interesting is that if you look at some of the settlements that they brought against companies…they have very detailed settlements. They have technical experts, they have a whole division of engineers working together with the lawyers, and they go into the weeds.”
Passwords are still a security issue, but in the future, Elazari noted, “You will not have passwords anymore, and these are the kind of innovations that we’re working on.”
Technologies are international and continue to cross borders. “That’s why we have international standards on this,” she said. “It is why we need harmonization. The UK code of practice suggested that the vulnerability disclosure policy is one of the issues that they want to see in IoT security. So definitely, this is a global issue. We need to harmonize, and we need to think about the global nature of technology.”