Transcript Burstein
Toward a Culture of
Cybersecurity Research
Aaron Burstein
TRUST & ACCURATE Research Fellow
Samuelson Clinic & BCLT, Boalt Hall
UC Berkeley
Overview
• Why cybersecurity matters
• Why cybersecurity is a hard problem,
and why research is crucial
• How communications privacy law
inhibits research
• A better balance between privacy and
cybersecurity
Why Cybersecurity Matters
• Attacks target infrastructure
– Internet is the “nervous system”
– Transportation, energy, water, banking
connected by Internet
– Example: Massive cyber attack against
Estonia, May 2007
• Potential for devastation is growing
– Pervasive networked devices (think home
thermostats and building materials)
Why Cybersecurity Is Hard
• Attacks are cheap and easily disguised.
A “distributed denial
of service” attack
Attacker
ISP 1
ISP 2
Victim
(e.g., military system
or small country)
ISP 3
• It’s hard to distinguish innocuous from malicious traffic until
it’s too late due to lack of coordination.
• Defense involves many open research questions.
Tension Between Privacy and Research
• Electronic Communications Privacy Act (ECPA)
regulates acquisition, disclosure
• Scenario: UC Berkeley researcher seeks network
logs (IP addresses only) from commercial ISPs.
– ISP voluntary disclosures regulated by ECPA
– Addressing info and contents (e.g., e-mail bodies)
protected under ECPA
– Stored record disclosure vs. “real-time”
interceptions
– Disclosures to a “governmental entity” (UC
Berkeley) more restricted
– Consent is unworkable
– No research exceptions
ECPA almost certainly bars disclosure
We need a cybersecurity
research exception to the
ECPA.
Properties of a Research
Exception
• Tailored
– For research only
– Excludes law enforcement access
• Comprehensive
– Applies to communications contents and real-time
interception
• Protective
– Prohibits further disclosures (voluntary or
compelled)
• Controlled
– Institutional review is integral
Would a Research Exception Work?
• Legislative action would give legitimacy
to uses of data that are already
analyzed, collected
• Exception would allow efficient datasharing institutions to develop
• Exception’s institutional framework
could extend to diverse data types (not
just communications, e.g. passwords)
Conclusion
• Coordinated threats are potentially
devastating.
• Urgent need for more coordinated
defenses
• ECPA reform needed to make this
happen