Thanks, everyone, for joining us on the Security Influencers Channel. We're hosting a series of brief and highly informative interviews with influential security leaders and in 2015, we're talking about the implications of rapid software development and continuous security. Today we're joined by Doug DePeppe who has about ten different jobs in cyber security, including being Founder of the EosEdge Legal team, he's a former White House adviser with the 60-day Cyber Space Review, he's a co-founder of the Cyber Resilience Institute, and the Chair of the Cyber Security Working Group for the DHS-affiliated Regional Consortium Coordinating Council.
He also co-sponsors a new transatlantic Darknet intelligence partnership, he's co-founded several cyber preparedness initiatives, and he's an Assistant Professor of the Cyber Security Master's program at UMUC, University of Maryland University College.
In this interview we discuss what prompted Doug to get into security after, like me, beginning his professional career as a lawyer. What did he see as the opportunity in cyber law as he was looking at it? We also discuss the notion of a public/private partnership to deal with cyber-attacks in a way that government cannot. How can this reasonably be achieved because in cyber space the problem of accurately identifying the attacker, or attribution, is super hard? We also spend some time talking about why there haven't been more negligence cases in cyber law.
The following is a brief excerpt of our interview:
Jeff Williams: So, I don't want to blame the victim here, but I think some of the companies that are getting attacked have some pretty egregious security practices, right? Shouldn't we focus more on defense and I guess what I'm asking is, is the public/private partnership the only one best way forward or are there other things we ought to be doing?
Doug DePeppe: So far I think we've primarily been talking about the, from my perspective, the role of the institution of law, that the public/private partnership structure and governance can be built. But I think now we're getting into, in my view, some of the practice of law, things that I'm engaged with. So one of the benefits of cyber law and the expertise and the connections . . . because everyone now holds out their card if they're in cyber, right? They're a cyber-security professional. It doesn't matter where they've been in IT, they may not even have IT and they have policy background, strategy background, everybody has taken IT off their resume and now they're cyber, right? They're a cyber-expert.
I think you see the same thing in law because it's a business opportunity. So I think you've got to discriminate as to who your cyber law professional is, but what we've been able to do is to develop a vertically integrated model because one of the many value propositions of a knowledgeable law firm in the cyber domain is that besides risk and risk transfer and those kind of services, we can vertically integrate cyber providers underneath our umbrella. We have an alliance that we describe in our practice where vendors are looking to team with us because when they go to work, in many cases we can protect the confidentiality of their work.
And that's a great service to both the vendor, so he doesn't expose his customer, but also to the ultimate customer, our client, because then they don't have to knee jerk when there's an incident. They don't have an immediate breach. So the vendor goes in to a certain work and detects a confidentiality or integrity violation. Then from that step they do some root cause analysis and they confirm a breach.
At that point in many cases there's a number of compliance requirements for reporting, costs start skyrocketing, brand starts being affected, and it's incident or emergency response mode. If you can do it underneath the cloak of the cyber law firm, then there are certain advantages to confidentiality. I won't commit to say that there's never any reporting or anything like that, but now you're in a more managed process. You can do your due diligence and you can go about it in a deliberate, careful manner and protecting your brand and protecting your customers as well. So that's a vertically integrated solution that we're working on with a number of cyber vendors and cyber intelligence services.
Jeff Williams: Interesting. I think a really good approach to security would sort of layer legal protections, your contracts, I mean I guess it really layers on your governmental law but then you've got your own contractual arrangements. Then you've got insurance arrangements and you've also got technical protections. And if you try to view any one of those individually, you probably won't make great decisions, but if you look at it vertically integrated that way, it makes a lot of sense to me.
Doug DePeppe: Yeah, I mean it's a holistic risk approach, right? So I look at it this way, is in no knock . . . and we have a lot of partners so and they do things I can't do. But one of the problems, I think, in cyber security has been the view that it's a network problem. In fact the CIA triad, confidentiality, integrity, availability, that's trained in our professionals has them thinking internally when in today's cyber environment the internal controls are just obstacles for advanced attackers to circumvent. And now to get from what I just described to my point, is that when an incident occurs, rather than trying to plug holes and you have to do that, but is look at the holes that matter.
And typically that's a brand question and that's a legal question, right? Which are the holes that are going to cause the greatest harm to my company? And that gets into being aware of your compliance requirements, the data breach statutes and so on. Where's the data that has significance, the PAR, the PCI, the HIPAA and so on? Knowing where those attachment points are and structuring a plan before an attack and also then afterwards that focus on those because they should have the highest priority because they have the greatest exposure, risk of exposure to the customer.
Jeff Williams: Interesting. I'm still on the fence about cyber law. I kind of got out of that after law school. Did you ever read the paper, The Law of the Horse by Frank Easterbrook, Judge Easterbrook? He describes the idea of creating the law of the horse, which would cover all the different ways that horses get used for riding, and for farming and so on. And he said, look, you can't have a law of the horse. It just doesn't make sense. It mixes up too many things. And he was saying that cyber law is kind of a silly concept because network technology is used for everything. And it doesn't make sense to try to pull it together into one sort of discipline. What do you think about that?
Doug DePeppe: Man, you're really making me think outside the envelope with that question. I think, I've been saying for some time, and others have too, that we need a cyber-disciplinary construct. In other words . . . and it's a horizontal. It's not a vertical.
Jeff Williams: So our current laws of property and contracts and constitutional law, those are all . . . cyber touches on each of those right?
Doug DePeppe: Right, exactly. And so there's a breadth of knowledge, but at the same time there's a community of practice, a community of interest that's needed to help develop these different components. And looking at just one or the other, it's just the saddle, right? I mean you're looking at one component. Well, both in the cyber realm and in the cyber law realm I think they parallel in this regard. It crosses multiple disciplines. It's horizontal. And that makes it all the more challenging.
Jeff Williams: Well, it makes sense. My experience in law school was that not too many of the folks there know anything about computers. So the judges and the lawyers and the legislators and everyone that's involved with most of the legal infrastructure just doesn't have the computer background to make really good decisions. So I'm glad to see it's starting to take off.
Doug DePeppe: And my motto is when you've had an incident call your cyber attorney. One it's for the practice that I described of confidentiality and getting good advice on what you should be focusing on from a priority standpoint, from an exposure standpoint. But we tend to . . . okay my computer's not working call the IT guy or gal.
Jeff Williams: Oh, interesting, right.
Doug DePeppe: And that's fine, but as soon as you detect a CIA violation, then having that IT guy or gal proceed to the next step in confirming the breach, you should've called your attorney before that. And I see it in my practice all the time and unfortunately it tends to be, and this is new, so that people learn from their mistakes and then I help them manage their risk going forward. But I've got a number of the vendors that I described in our alliance who get it. We have a trip wire, so to speak, process, where they don't get to the confirmation of the breach. They get to a stage where they detect a CIA violation, we get involved and ultimately I'm protecting both the customer and the client. I mean, I'm protecting both the alliance partner and the client.
Jeff Williams: I think that absolutely makes sense. And it's funny, corporations naturally would consult their lawyers for any kind of other incident that happened, right? Like if they got attacked or smeared in the press or accused of a crime, they'd lawyer up instantly.
Doug DePeppe: Right.
Jeff Williams: But they don't do that for cyber because, I don't know, it hasn't gotten there yet, right?
Doug DePeppe: And I think the other example . . . there's a lot of, I've seen some criticism recently about the Sony incident because it's not their first. And I'm not casting any blame or aspersions, but I think from a legal standpoint, a legal exposure standpoint, once something has happened, you're on notice.
You have a higher duty. And so in those instances that we've dealt with that with our own clients, we've been able to put them on a pathway that avoids negligence, because that's where, from a litigation standpoint, there's substantial risk, right? So if you've had an incident or you're concerned about an incident, and these days a lot of statistics show that 97%, 100% have some kind of an integrity violation if not a compromise. So everyone is sort of in this boat already. And being able to map out from an incident what are the foreseeable consequences and what should be prioritized for getting on to whether it's the NIST framework, cyber security framework, Cyber Essentials from the British, getting on a game plan to start working these things off.
If you can show that you've been reasonable, you don't have to be perfect unless you can't afford any kind of a breach. If your brand is such that you cannot afford the breach, then you're going to have to invest a lot more time and money. Most others can simply go by two standards, one am I compliant, and two, am I demonstrating that I've engaged in reasonable security. And that's where you need some advice because what's reasonable security depends upon what the FTC is ruling on. You know the Wyndham case came out recently and they have a number of opinions and consent decrees that show what reasonable security is. You have some cases and then you have best practices in the industry. But these are the sort of components that need to be used to show that you've been reasonable. But if you've been reasonable, then you start to reduce your risk exposure.