2017 Fellows Research Abstracts

Jasson Casey
Many organizations now treat cybersecurity as a first-class citizen in terms of budget and executive leadership priorities. However, few board members truly understand how to measure the efficacy of their cybersecurity programs, the dollars spent, and even the leadership. Short of experiencing a breach or incident, justifications for budget and measures of effectiveness remain abstract concepts that do not compare to the levels of rigor applied to typical board initiatives. This research focuses on measuring the efficacy of a cybersecurity program by focusing on the observable dynamics of an organization and measuring how these dynamics correlate to past incidents or breaches. The focus will be exclusively on external, observable signals and historic breach data across a large set of public organizations to develop models. The goal is to provide a framework for board reporting that can speak to the efficacy of existing cybersecurity programs, identify high-risk gaps and inform future decisions.


Susan Hennessey, Matt Noyes
Susan and Matt are examining a series of issues that receive comparatively little attention in cyber policy conversations: the role of state and local law enforcement in countering cybercrime; how legislative language creates (often unintentional) barriers to interagency cooperation; the role of law enforcement in countering hybrid transnational and international cybersecurity threats; and the First Amendment implications of failing to address cyber threats. Their research will aim to develop both a full account of the challenges and actionable policy recommendations to address them. They look to draw attention to, and encourage progress on, those critical underlying issues which too often fail to garner public or policy attention.


Nicholas Christin
Online anonymous marketplaces such as Silk Road and its many descendants are notorious for narcotics sales. However, there are also many offers for "cyberweapons" and other digital goods (e.g., DDoS attacks, login credentials, hacking-for-hire, etc.). Some very large online anonymous marketplaces in fact got started by helping the barter of such items. Primarily using the data our team at Carnegie Mellon University has collected over the past six years, we propose a longitudinal analysis of the digital goods being sold on online anonymous marketplaces. We will first quantitatively describe the type of goods being sold—breaking them down between compromised credentials, "hacking as a service," and actual software vulnerabilities, along with estimated sales—before attempting to determine whether external factors—e.g., deployment of bug bounty programs or, on the other hand, large-scale data breaches—affect the availability of the goods we see.


Kate Charlet
Evolving trends at the intersection of biology and digital technology raise interesting questions about how these fields will further converge, and how governments and societies should manage the security and policy implications. In Summer 2017 alone, news reports surfaced about: researchers who were able to encode malicious software into strands of DNA; the use of cryptographic techniques to obscure private genetic information while allowing medically useful information to be studied; techniques for hacking brain interfaces that increased the chances of guessing user passwords; the development of mobile applications for consumers to easily explore their own genetic information; and the susceptibility of DNA testing data to hacking. This article will synthesize key trends and technologies that will become increasingly relevant to the digital and cyber security community, seek to distinguish reality from hyperbole, and explore the benefits and promise of the technology while offering recommendations to navigate policy and security issues.


Summer Fowler, Davis Hake, Randi Kieffer
In cybersecurity today, the economics favor an adversary who must only be right once to inflict costly damage on an organization. Unable to prevent all incidents, defenders must efficiently manage their risk within their existing resource constraints. This challenge is exacerbated by increasingly connected, complex systems, the growing sophistication of adversaries, and the ability of less sophisticated actors to acquire capabilities. This research paper will result in a set of best practices to help executives and senior management train themselves to identify core business risks and organizational risk appetite, provide guidance on cyber risk management investments, and measure the performance and efficacy of those investments.


Gabe Rottman
The federal Computer Fraud and Abuse Act has been expanded repeatedly over the years, and currently criminalizes any “unauthorized access” to a computer. The concept of authorization is slippery, however. Some courts have required a technical circumvention of an access restriction—colloquially, “hacking”—before finding criminal liability. Others have found it to encompass, for instance, an individual authorized to access a computer system sharing a password with someone without access. At some point, this definitional uncertainty is going to conflict with the First Amendment’s guarantees of freedom of speech and the press. One of the most logical areas will be digital investigative journalism, especially when reporters use pseudonyms to, for instance, identify discriminatory commercial practices online (because, often, such tactics will violate a website’s terms of service). This article will look at the current state of the art in investigative journalism, and suggest that contrasting the CFAA’s definitional issues with deficiencies in press freedom protections could help clarify the scope of both.


Brian Russo
Right to privacy, expectation of privacy, privacy in the digital age. These are terms frequently used to describe what a free and open Internet means in terms of individuals and their activities connected to it. And yet existing privacy protections seem to reflect the safeguarding of individuals’ personally identifying information and of activities conducted behind closed doors in one’s home. Demands for Internet privacy seem to greatly exceed the physical execution of privacy protections.

Examples of how physical activity conducted in public places may afford privacy but not anonymity abound. Banks and many businesses maintain surveillance systems such as video cameras both when closed and during operating hours. They can use these systems to identify specific individual activity at any point in time. With proper documentation, law enforcement may access such information. Walking down the street, entering any public facility, driving a car, all of these activities allow for observation by witnesses. In all of these cases, an individual’s business may be conducted privately and personal information protected, but the individual is not completely anonymous.

Enabling individuals to operate across the Internet in an anonymous fashion leaves the entire public at risk of exactly that which they seek to protect against – the loss of privacy. Equifax, Target, OPM… the list of entities trusted with maintaining customers’ personal information that lost control of vast quantities of personal information is long. Rarely is the actor who engages in the criminal activity identified and brought to justice, largely because the Internet provides anonymity to users rather than privacy protections.

My research project delves further into this question of whether or not the term privacy has been conflated with anonymity for the purposes of Internet activity, and the degree to which the commingling of expectations causes public harm. Using existing privacy literature and drawing upon examples of privacy (not anonymity) in the physical domain, I anticipate demonstrating that the consequences of enabling online anonymity are detrimental to the public’s privacy equities.


Tim Maurer
As cyberspace has emerged as the new frontier for geopolitics, states have become entrepreneurial in their sponsorship, deployment, and exploitation of hackers as proxies to project power. Such modern-day mercenaries and privateers can impose significant harm, undermining global security, stability, and human rights. The U.S. government has unsealed several indictments over the past few years shedding unprecedented light on these proxy relationships, which raise important questions about the control, authority, and use of offensive cyber capabilities. In a series of op-eds, I will review the origin, content, and impact of these indictments. My analysis is based on my forthcoming book 'Cyber Mercenaries: The State, Hackers, and Power', to be published by Cambridge University Press in January 2018, exploring the secretive relationships between states and hackers.


Jason Truppi
Encryption has penetrated our lives in ways practically unimaginable by the early pioneers. Combined industry statistics estimate that 50-70% of the traffic that traverses the Internet is now encrypted. As industry continues to provide enhanced encryption options to the consumer, the government is openly admitting that it is losing visibility into threat actors who are perpetrating crimes and exploiting the security of nation states. The move to an encrypted Internet is not only impacting government, but the overall security posture of corporations as well. How are government and the private sector planning to maintain security and privacy in a fully encrypted world? What are the alternatives for government and law enforcement? Will government have to implement new encryption regulations for exceptional access, or will it revert to traditional methods in order to meet foreign intelligence collection requirements? What are Silicon Valley tech companies inventing to counteract emerging threats while maintaining the privacy of their users? What opinions do lawmakers, privacy advocates and regular citizens hold on how the government should approach the new encryption era? How is the rest of the world addressing these issues? Only by exploring these questions can we present innovative solutions for moving the encryption debate forward and expose potential areas of collaboration and cooperation that will align interested parties rather than increasing the divide.


Eric Goldstein
The past year has seen a steady drumbeat of cyber activities against the United States perpetrated or supported by the Russian government. A national debate is beginning to emerge around the appropriate response to this threat, which encompasses information operations intended to influence the 2016 Presidential election, cyber attacks against state- and county-level electoral infrastructure, and incursions into critical infrastructure such as the electric grid. Within this debate, a key question has yet to be addressed: is the U.S. government adequately organized and postured to take the actions necessary to preserve our nation, its people, and its democratic ideals? This paper will argue that the current ad hoc model of vertical collaboration between the Federal government; State, local, tribal, and territorial governments; and the private sector has proven inadequate to manage a focused, long-term threat by a well-resourced adversary. Rather, a new model is needed in which all national resources can be appropriately coordinated and aligned in response to emerging risks. Building from extant research and international models, this paper will propose a novel approach for organizing cybersecurity risk management activities by the United States government that will more effectively confront the present threat and provide greater agility to manage the next generation of risks.


Lisa Wiswell
While government’s primary responsibility is to focus on its nation’s security and the well-being of its citizens, the private sector is incentivized to focus on its revenue growth and market share, where resources focus on compliance rather than on the kinds of things that result in an effective security posture. But when the Nation depends greatly on private industry to run its critical infrastructure, these competing incentives make the implications rather serious. One way the government and private industry alike have introduced security into a compliance strategy is to allow the “crowd,” or unknown, unvetted vulnerability researchers that participate in vulnerability coordination or bug bounty programs, to find vulnerabilities in networks, software, and even hardware as a low-cost solution. The premise is easy - the bad guys are already in your networks. Why not level the playing field and allow the good guys to participate, or otherwise provide incentives to turn findings over to you? While this security approach works well for many types of assets, there are limitations to coordinated vulnerability disclosure and bug bounty programs - particularly as they relate to safety sectors such as the energy sector, which are “systems of systems” and amalgamations of software, hardware, and firmware from an almost unlimited number of vendors. This paper will debunk the popular concept that “the crowd” is an effective security concept for the energy sector, and provide recommendations for achieving the same objectives of lowering the cost of entry and introducing fiscal motivations for vendors to find and fix their bugs, increasing the overall security posture.


Kathrine Carroll
My articles will discuss the role of government regulation in cybersecurity, including how it can most effectively promote stronger cybersecurity and facilitate effective public-private collaboration. Specific topics that I will address include: lessons that can be drawn from U.S. anti-money laundering and resolution planning regimes in the financial institution space, whether federal regulation would help simplify cybersecurity compliance by pre-empting an emerging patchwork of state regulations, and the implications of the blurring of lines between the responsibilities (and capabilities) of private sector actors as opposed to government agencies traditionally tasked with defense and counter-intelligence missions.