CONDUCTING CYBERSECURITY RESEARCH LEGALLY AND ETHICALLY By Aaron J. Burstein; Presented by David Muchene.


1 CONDUCTING CYBERSECURITY RESEARCH LEGALLY AND ETHICALLY By Aaron J. Burstein; Presented by David Muchene

2 Objectives
- Explain the areas of law that are most applicable to cyber security research.
- Offer general guidelines for various ethical issues that may arise while doing research.

3 Introduction
- There are several cyber security research activities that have legal considerations associated with them:
  - Collecting real network data
  - Running malware in test beds
  - Disrupting or mitigating attacks
  - Publishing certain results

4 Obtaining Network Data
- Obtaining network data is sometimes critical to a researcher's work.
- Communication and privacy laws limit access to traffic on networks.
- Wiretap Act:
  - Prohibits real-time interception of the 'contents' of electronic communication
- Pen Register/Trap and Trace Statute:
  - Prohibits interception of the 'non-content' of electronic communication

5 Obtaining Network Data
- Stored Communications Act
  - Prohibits providers of electronic communication to the public from disclosing customers' content
- Providers are given an exception to the Wiretap Act and the Pen/Trap statute.
- Researchers should be granted a similar exception, since:
  - Their work could potentially protect the researcher's institution's network
  - Researchers do not pursue criminal investigations or seek to embarrass anybody

6 Sharing Network Data
- Sharing data could be useful to the research community.
- The Stored Communications Act limits the sharing of this data.
  - It generally applies only to providers of electronic communication to the public
- Researchers working within a university or private network setting do not have to worry about the disclosure provisions.

7 Infected Hosts
- It is often necessary to allow attackers to exploit a host, or to run malware in a controlled environment, to understand the behavior of attacks.
- Researchers must make sure that malicious software does not make it beyond their test beds.
  - The Computer Fraud and Abuse Act holds them liable otherwise
- They must also be careful not to hold any illegal material on their systems.

8 Mitigating Attacks
- Researchers may be in a position to disrupt an attack. However, before doing so they should:
  - Determine if they break any laws
  - Consider the institution's reputation

9 Publishing Results
- Researchers are for the most part protected by the First Amendment.
- They are not, however, protected if their results somehow conflict with the DMCA.
- They should consider whether their results could help adversaries attack the researcher's network.

10 Conclusions
- Lots and lots and lots of legal considerations when doing cyber security research
- Privacy is important, and researchers must realize this as they conduct their work

