This presentation will address many of the legal issues associated with cyber security research and development (R&D) and the use of Internet traffic data in testing potential solutions. Cyber security R&D is critically important to protect U.S. national and economic security interests. Experts have estimated that approximately $2.5 trillion flows through international financial networks on a daily basis. Approximately 85% of critical infrastructure in the U.S. is owned by the private sector. These networks service more than just private sector entities; they are critical to government operations and national security capabilities. A 1995 research report to the Joint Chiefs of Staff noted that "Over 95 percent of the worldwide telecommunications needs of the Department of Defense (DoD) are satisfied by commercial telecommunications carriers."
Thus, the very networks that support our economic viability, DoD operations, and network-centric warfare capabilities are under the direct control of private sector entities. If these private sector networks are not secure, none of us are, and we cannot make them more secure without cyber security R&D initiatives that develop new solutions to close vulnerabilities in our networks, operating systems, and information technology environments. This will, in turn, require (a) the use of test datasets representative of the various types of traffic data in today's communications environment, and (b) a close analysis of the legal issues associated with those datasets.
The test datasets required for this broad cyber security problem involve many types of traffic data, such as denial of service backscatter data, Internet exchange data, topology measurement data, network telescope data, Internet worm data, Border Gateway Protocol routing table data, and Voice Over Internet Protocol measurement data. Some of the test datasets will contain headers of Internet traffic data, including Internet Protocol (IP) addresses or other data from which a personal identity might be ascertained. Thus, privacy issues are a key risk to cyber security R&D efforts. In addition, legal risks could flow from violations of the data providers' privacy policies or noncompliance with applicable laws/regulations and contractual requirements, such as nondisclosure agreements. Conflict of law and jurisdictional issues may also have to be resolved in R&D efforts that use datasets obtained from foreign providers.
Researchers, review boards, and funding agencies and organizations must be able to trust that their cyber security R&D projects are not running afoul of the law because of legal issues attached to test datasets. In addition, providers of data must understand the legal issues that may be attached to their data or that may arise because the researcher is from a governmental entity.
Drawing upon a unique combination of more than twenty years of technical, legal, policy, and business experience, Ms. Westby provides consulting and legal services to public and private sector clients around the world in the areas of privacy, security, cybercrime, e-discovery, and outsourcing risk management. She also serves as Adjunct Distinguished Fellow for Carnegie Mellon CyLab. Prior to forming Global Cyber Risk, Ms. Westby served as senior managing director for PricewaterhouseCoopers (PwC), specializing in outsourcing and cyber security/privacy issues. Before that, she was president of The Work-IT Group; launched In-Q-Tel, an IT venture capital/solutions company for the CIA; served as director of domestic policy for the U.S. Chamber of Commerce; and was senior fellow and director of IT studies for the Progress & Freedom Foundation. Earlier in her career, Ms. Westby practiced law with two top-tier New York firms and spent ten years in the computer industry specializing in database management systems.
Ms. Westby is a member of the bars of the District of Columbia, Pennsylvania, and Colorado and serves as chair of the American Bar Association's Privacy and Computer Crime Committee. She is a member of the World Federation of Scientists' Permanent Monitoring Panel on Information Security and represents the ABA on the National Conference of Lawyers and Scientists. She is also a member of the United Nations High Level Experts Group on Cyber Security. Ms. Westby is co-author and editor of four books on privacy, security, cybercrime, and enterprise security programs. She speaks globally and is the author of numerous articles. B.A., summa cum laude, University of Tulsa; J.D., magna cum laude, Georgetown University Law Center; Order of the Coif.