Presentation is loading. Please wait.

Presentation is loading. Please wait.

“The Non-Code Layers of the Cyberstack - Lessons for Cybersecurity”

Published byClaud Cain Modified over 6 years ago

Similar presentations

Presentation on theme: "“The Non-Code Layers of the Cyberstack - Lessons for Cybersecurity”"— Presentation transcript:

1 “The Non-Code Layers of the Cyberstack - Lessons for Cybersecurity”
Peter Swire Scheller College of Business Faculty Workshop December 7, 2017

2 The Challenge Cybersecurity management, law, and policy have a confusing, overwhelming jumble of issues to cover How can we teach that jumble? Is there a way to organize the material to bring clarity to the field? Can that lead to better responses to overall cybersecurity threats? “Real” cybersecurity “Real” cybersecurity is about writing code and doing technical work The “soft” issues have not been central to the task of “real” cybersecurity Vague approval of “inter-disciplinary” studies for cybersecurity But, with a lower priority than “real” cybersecurity

3 Project on Non-Code Aspects of Cybersecurity
This project proposes a new conceptual framework Organizes numerous, important, & non-technical cyber-issues Presents the curriculum and issues in ways that make sense to both technical and non-technical audiences in cybersecurity

4 The Genesis of this Project
MGMT/CoC/PubPol 4726/6726 “Information Security Strategies and Policy” This is my fourth time teaching the course, now required for Masters in Information Security, and credit for ITM and law for undergraduates How do all the pieces of this course fit together? There seems to be something coherent, but it’s been very hard to describe This fall – 3 parts of the course Government laws/regulations – project on proposed legislation for cybersecurity and Internet of Things Corporate cybersecurity policies and governance – draft ransomware policy for a hospital group Nation state and international – draft National Security Council memo on cyberthreats from Russia and policy options to respond My answer now: 3 layers of the cyber stack – organizational, governmental, international

5

6 Seven Layers of the OSI “Stack”
In my experience, these seven layers are well known to knowledgeable computer people who work on cybersecurity. Intuitively, they also know that cyber-attacks can happen at any of these 7 levels.

7 Some Cyber Vulnerabilities
Layer Vulnerability 1. Physical Cut the wire; stress equipment; wiretap 2. Data link Add noise or delay (threatens availability) 3. Network DNS and BGP attacks, false certificates 4. Transport Man in the middle 5. Session Session splicing (Firesheep); MS SMB 6. Presentation Attacks on encryption; ASN-1 parser attack 7. Application Malware; manual exploitation of vulnerabilities; SQL injection; buffer overflow Thanks to Bob Blakely for assistance with this material.

8 What is Missing from the 7 Layer OSI Model?

9 Layers 8, 9, and 10: Natural Language
International Natural language Diplomacy Layer 9 Governmental Law Layer 8 Organizational Contracts Layers 1-7 OSI stack Computer Code Various protocols

10 Layer 8: Private-Sector Organizations: Role of Contracts
Within the Organization Relations with Other Actors Other Limits on Private Sector Examples of cyber law and policy Incident response plans & other internal policies Training Cyber hygiene Roles, such as CISO Users’ precautions Vendor & other contracts & management Cyber-insurance Private-sector information sharing (ISACs) PCI-DSS and other industry standards Technical standards such as IETF Norms – follow the standards

11 Layer 9: Public Sector, Governmental Layer: The Law
Within the Organization Relations with Other Actors Limits on Government Examples of cyber law and policy HIPAA, GLBA, and other cyber rules Other state-created defensive measures (FTC Sec. 5, etc.) Rules limiting strong encryption Computer Fraud & Abuse Act and other limits on offense CISPA and public-private partnerships and information sharing Constitutional limits on state action, such as 4th Amendment Statutory limits on state action, such as ECPA and FISA

12 Layer 10: International Layer: Diplomacy
Within the Nation Relations with Other Nations Other Limits on Nations Examples of cyber law and policy Unilateral cyber actions, on spectrum from war to “cyber-peace” Deterrence against aggressive cyberattacks Formal treaties, including MLATs Less formal agreements, such as US/China trade secrets Cooperation with other nations on attacks and defense Possible supra-national governance, such as by UN or ITU Role of international law, including laws of war ISO standards and norms

13 Where do Users fit? A user is not a government or an international actor I suggest part of Layer 8 Could be called “private sector” instead of “organizational” layer Private sector actors range from individual users/sole proprietorship to modest size to large organizations Users lack an IT department, a general counsel, and face lots of risks 8A: “Within the household” – how individual/family manages 8B: “Relations with other actors” – Terms of service, insurance, hire Geek Squad Users likely a big concern at 9A (government regulation of business), such as HIPAA, GLBA, and consumer protection

14 The 3x3 Matrix of Cells Distinctions are good but not perfect:
Public vs. private, and protecting a government agency much like protecting a corporation Within and outside of the organization – gray areas, such as whether relations with a parent/affiliate are inside or outside of the organization My hope – readers can generally agree which problems go in which of the 3x3 cells; if so, then a useful framework for categorizing

15 Separation of Layers Tech friends comment that there is supposed to be a clear separation of layers of the stack; concern is that this doesn’t exist at the non-code layers That’s true; the “protocol” for layers 8, 9, & 10 is “natural language (English, etc.), so the separation not the same as lower levels of the stack For instance, users agree to TOS with vendors (8B) but subject to government rules (9A or 9B) In response, can usefully analyze the TOS, and can also usefully analyze the quality of the legal rule

16 Potential for the Cyber Curriculum
Helps describe what topics are done in which course: Mostly international relations and cyber norms, and course covers 10A, 10B, and 10C, with some layer 9 Mostly corporate governance for CISOs, lots of 8A and 8B, with a little bit of the others An overall curriculum could determine how full the coverage is of the 3x3 matrix Can also shift from a project course (reacting to new developments) to a lecture course or treatise/manual : Module on each cell of the 3x3 matrix, with typical vulnerability and governance issues for each cell For instance, 9A and compare market approaches to HIPAA or GLBA; if govern badly, then sensitive data is breached

17 Contributions of the 10-layer stack
Parsimonious structure to organize the jumble of issues now crowding into cyber law, policy, and business courses This fall, we discussed every issue in 3 charts in my cyber course For students and teachers, a way to keep the many issues straight Attacks can happen at layers 8, 9, and 10, if the company has bad policies, the nation has bad laws, or the international community does not prevent attacks Vulnerabilities at layers 8, 9, and 10 thus fundamentally similar to vulnerabilities at layers 1 to 7 Computing & business students, by end of the course, agreed that a large part of the current cyber threat is at these layers

18 The Project Presented this at Stanford this fall to other professors designing cyber law/policy/management courses Complete the text and diagrams for the 10 layers of the cyber-stack – I welcome your comments and suggestions Consider whether to write the manual/treatise for the 3x3 matrix Hopefully, bring a sense of order and understanding to the current jumble Which, in turn, would lead to better cybersecurity

Download ppt "“The Non-Code Layers of the Cyberstack - Lessons for Cybersecurity”"

Similar presentations

Security Through Obscurity: When It Works, When It Doesnt Peter P. Swire The Ohio State University DIMACS, Rutgers January 18, 2007.

Security Through Obscurity: When It Works, When It Doesnt Peter P. Swire The Ohio State University DIMACS, Rutgers January 18, 2007.
Jinhyun CHO Senior Researcher Korea Internet and Security Agency.

Jinhyun CHO Senior Researcher Korea Internet and Security Agency.
Mongolian construction sector development, labor protection in construction sector Ph.d E.Namsrai Director of Mongolian Technical Technological College.

Mongolian construction sector development, labor protection in construction sector Ph.d E.Namsrai Director of Mongolian Technical Technological College.
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
Security Controls – What Works

Security Controls – What Works
Computer Networks Fall, 2007 Prof Peterson. CIS 235: Networks Fall, 2007 Western State College  What are the main layers? What happens at each?

Computer Networks Fall, 2007 Prof Peterson. CIS 235: Networks Fall, 2007 Western State College  What are the main layers? What happens at each?
CSCD 434 Spring 2011 Lecture 1 Course Overview. Contact Information Instructor Carol Taylor 315 CEB Phone: 509-359-6908 Office.

CSCD 434 Spring 2011 Lecture 1 Course Overview. Contact Information Instructor Carol Taylor 315 CEB Phone: Office.
James Ennis, Department of State, USA ITU-D Question 22/1 Rapporteur.

James Ennis, Department of State, USA ITU-D Question 22/1 Rapporteur.
Peter Swire Computing Community Consortium/CRA Workshop On Privacy By Design Berkeley February 6, 2015 Privacy by Design: More than Compliance with the.

Peter Swire Computing Community Consortium/CRA Workshop On Privacy By Design Berkeley February 6, 2015 Privacy by Design: More than Compliance with the.
Computer Security: Principles and Practice

Computer Security: Principles and Practice
Resources to Support Training Programs for CSIRTs.

Resources to Support Training Programs for CSIRTs.
Information Warfare Playgrounds to Battlegrounds.

Information Warfare Playgrounds to Battlegrounds.
IAPP KnowledgeNet Los Angeles “Thinking Outside the Cookie Jar” The Second Wave of Global Privacy Protection: Why This Year Is Different Peter Swire, Senior.

IAPP KnowledgeNet Los Angeles “Thinking Outside the Cookie Jar” The Second Wave of Global Privacy Protection: Why This Year Is Different Peter Swire, Senior.
13.6 Legal Aspects Corporate IT Security Policy. Objectives Understand the need for a corporate information technology security policy and its role within.

13.6 Legal Aspects Corporate IT Security Policy. Objectives Understand the need for a corporate information technology security policy and its role within.
Environmental Management System Definitions

Environmental Management System Definitions
Yangon, Myanmar, 28-29 November 2013 Cybersecurity-Related Standardization Initiatives in the EU and the U.S.: Lessons for Developing Countries Nir Kshetri.

Yangon, Myanmar, November 2013 Cybersecurity-Related Standardization Initiatives in the EU and the U.S.: Lessons for Developing Countries Nir Kshetri.
International Telecommunication Union Geneva, 9(pm)-10 February 2009 BEST PRACTICES FOR ORGANIZING NATIONAL CYBERSECURITY EFFORTS James Ennis US Department.

International Telecommunication Union Geneva, 9(pm)-10 February 2009 BEST PRACTICES FOR ORGANIZING NATIONAL CYBERSECURITY EFFORTS James Ennis US Department.
AUB Department of Electrical and Computer Engineering Imad H. Elhajj American University of Beirut Electrical and Computer Engineering

AUB Department of Electrical and Computer Engineering Imad H. Elhajj American University of Beirut Electrical and Computer Engineering
Information Warfare Playgrounds to Battlegrounds.

Information Warfare Playgrounds to Battlegrounds.
Legal Jeopardy: Whose Risk Is It?. SPEAKERS Jason Straight Chief Privacy Officer and Senior Vice President Cyber Risk Solutions at UnitedLex Patrick Manzo.

Legal Jeopardy: Whose Risk Is It?. SPEAKERS Jason Straight Chief Privacy Officer and Senior Vice President Cyber Risk Solutions at UnitedLex Patrick Manzo.

Similar presentations

Ads by Google