International Cyber Threat Information Sharing: Legal Analysis

Long Term Goals

The long-term goal of this project is to enhance the security posture of the United States by enhancing cyber threat intelligence sharing throughout the cyber ecosystem. The ultimate goal is for automation and standardization in this area to transform how we monitor, detect, share, react to, and remediate cyber threats. It also needs to be acknowledged that this transformation could be unsettling to enterprises that may need to change how they operate and to vendors whose business models may need to change. In order to ensure adoption, we will need an understanding of the parties' incentives and market positions, to best help the ecosystem as a whole adopt this transformational technology.

This project is part of an overall program to accelerate adoption of cyber threat intelligence sharing through a common understanding of the problem (this project); technologies missing or that need enhancement; legal barriers and solutions for adoption; policy barriers and solutions for adoption; and economic barriers and solutions for adoption.

Background for Long Term Goals

Automated cyber threat intelligence sharing, while not the single technology that will solve cyber attacks, is part of the solution. One thing hindering sharing is the perception, belief, and reality that some sharing may not be legal in all jurisdictions. Different jurisdictions have different rules and regulations pertaining to privacy, location of data, ability to share data without non-disclosure agreements, the ability to have non-disclosure agreements to enable information sharing, the ability to share with partners in other countries, and so on.

Moreover, as many S2ERC and industry affiliates are themselves multi-national corporations, even internal information sharing may come under differing rules. To complicate things further, many countries have different rules for sharing information within an enterprise, amongst a small set of enterprises, or with the general public.

Rules for sharing information with governments tend to be different than for private transactions. As such, this study will focus solely on private-private (or ‘business-to-business’) sharing.

In some countries, the data element the enterprise wants to share may itself be protected. For example, in the U.S., an IP address is, by case law, not personally identifiable information. In Germany, by contrast, an IP address is, by statute, personally identifiable information. Thus, an enterprise needs to be mindful of what it is sharing.

In other countries, it is not the data element that determines what is legal to share. Rather, how the enterprise collected the data may drive the sharing regime. For example, in the U.S., contract law appears to dominate what companies can share, with whom, and when. In other countries, only data with added value, such as compilations, analysis, and so on, can be shared; the underlying data must remain private.

This project is a continuation of the S2ERC CyberISE business-to-business, domestic US legal analysis project.

Intermediate Term Objectives

Examine the various laws in major OECD countries. We are unlikely to be able to analyze all 34 countries' laws and contrast them. We have already done the U.S. In order of priority, we expect to examine Australia, the UK, Germany, France, Israel, Estonia, Japan, Canada, Belgium, the Netherlands, South Korea, Mexico, Poland, Turkey, Chile, New Zealand, Norway, the Slovak Republic, and Sweden. In the unlikely event we manage to look at all of these, we can look to the other 14 OECD members or other major countries as needed. Likely candidates among non-OECD countries would be the Russian Federation, Ukraine, and Romania.

Schedule of Major Steps:

Stage 1

Step 1:

Approx. 6-8 weeks: Frame the research. Review the laws of Australia, the UK and Germany. Produce a written report on these legal requirements.

This step includes the over-arching European Union (EU) regulation which applies to all EU member states and hence to other countries considered in subsequent steps as set out below. It should be noted that in several relevant areas, EU regulation is under review and development in 2015. The outcome of the review and new developments will be covered in the following steps, as necessary.

Approx. 2 weeks: Annotate the report, reviewing these laws in combination with technology to document the environment.

Step 2

Approx. 6-8 weeks: Review the laws of France, Israel, Estonia, Japan and Canada. Produce a written report on these legal requirements, including an update on EU regulation as necessary.

Approx. 2 weeks: Annotate the report, reviewing these laws in combination with technology to document the environment.

Project progress will be assessed and reviewed at this step, to determine whether the project will move to the next stage, Stage 2, as follows:

Stage 2

Step 3

Approx. 6-8 weeks: Review the laws of the next group of countries: Belgium, the Netherlands, South Korea, Mexico and Poland. Produce a written report on these legal requirements, including an update on EU regulation as necessary.

Approx. 2 weeks: Annotate the report, reviewing these laws in combination with technology to document the environment.

Step 4

Approx. 6-8 weeks: Review the laws of Turkey, Chile, New Zealand, Norway, the Slovak Republic, and Sweden. Produce a written report on these legal requirements, including an update on EU regulation as necessary.

Approx. 2 weeks: Annotate the report, reviewing these laws in combination with technology to document the environment.

Step 5

Approx. 2 weeks: Completion of Stages 1 and 2.

Produce a final paper summarizing the results of the technology and legal research, including a summary of the factors that enterprises need to address, and those not of concern, with respect to cyber threat intelligence sharing.

Consider expansion of the research to other OECD countries and to the Russian Federation, Ukraine, and Romania as Stage 3.

Dependencies:

There is a dependency, and a concomitant risk, relating to the availability of and access to translations of local laws. English translations of legislation are available for many of the countries, but this depends on the country. In some countries, case law may only be available in the local language, so decisions of major importance may need to be translated and/or interpreted. If translation and/or review is needed, the PIs will move on to countries in the next group to maintain momentum, so some modification to the country groups may be necessary as the project progresses in order to keep the research on schedule.

Major Risks:

We may need legal advice from some jurisdictions. That could drive up the cost and time to complete.

Budget Note: Prof. Sullivan is on the faculty of the University of South Australia (UniSA). As UniSA is not a signatory to the I/UCRC program, it is electing not to cost share and as such charges 22% indirect cost, as opposed to the NSF-mandated 10% indirect cost. As UniSA is a subcontractor and not a partner, this is a pass-through cost to the affiliates (included in the budget figures above).

Staffing:

Clare Sullivan, PI: Legal research, writing

Eric Burger, Co-PI: Management, technology research, and writing

Category of Current Stage:

Follow-up to U.S. Legal Analysis project

Contacts with Affiliates:

CyberISE Program

Publications and Research Products:

Publication in a law journal and, if appropriate, a publication targeted to a widely read technology or business magazine. Journal targets include:

Journal of National Security Law & Policy
The Computer Law and Security Review

Conference targets include:

Privacy Law Scholars Conference (June 2016) in Washington DC
American Bar Association National Security Law Conference (October 2016) in Washington DC
International Conference on Legal, Security and Privacy Issues in IT law (October 2016) in (TBD)