CISA | The Student Journal of Information Privacy Law

The Application of Information Privacy Frameworks in Cybersecurity

By Dale Dunn

INTRODUCTION

The frequency of cyberattacks is increasing exponentially, with human-driven ransomware attacks more than doubling in number between September 2022 and June 2023 alone.[1] In a vast majority of attacks, threat actors seek to penetrate legitimate accounts of their target’s employees or the accounts of their target’s third-party service provider’s employees.[2] In the remaining instances, threat actors exploit existing vulnerabilities to penetrate their target’s systems.[3] Combatting these attacks requires a holistic, whole-of-society approach.

Current technology and security norms leave room for improvement. The Cybersecurity and Infrastructure Security Agency (CISA) describes current technology products as generally being vulnerable by design (“VbD”).[4] To help companies produce secure products instead, CISA, in combination with its partners, has proposed the Secure by Design (“SBD”) framework.[5] However, SBD will not be sufficient on its own to prevent threat actors from succeeding. The quantity and availability of personal information available today enables threat actors to efficiently bypass security measures.

The Fair Information Practice Principles (“FIPPs”) and the Privacy by Design (“PBD”) framework should be implemented in addition to SBD to reduce both the likelihood and the potential harm of successful cybersecurity attacks. The FIPPs are procedures for handling data that mitigate the risk of misuse.[6] PBD is a supplementary method of mitigating the potential harm that can result from data in a system or product.[7] While both the FIPPs and PBD were developed for use with personal information, they can and should apply beyond that specific context as a way of thinking about all data used and protected by information systems.

This paper is arranged in five sections. The first section describes the requirement of reasonable security. The second section then explains the Secure by Design framework. Section three, the FIPPs and PBD. Section four provides a case study in which social engineering is utilized by a threat actor to conduct cyberattacks. Finally, section five recommends measures companies and other organizations should take to implement the SBD, FIPPs, and the PBD. In sum, this paper will show information privacy principles and methodologies that should be implemented to reduce the risk of cybersecurity attacks.

Continue reading →

Rethinking the Government’s Role in Private Sector Cybersecurity

By Devon H. Draker, University of Maine School of Law, class of 2023 [1]

Abstract

Cyber-attacks on the private sector through the theft of trade secrets and ransomware attacks threaten US interests at a federal level by undermining US economic competitiveness and funding groups with interests adverse to those of the US. The federal government can regulate cyberspace under the Commerce Clause, but the current cybersecurity regulatory landscape is ineffective in addressing these harms. It is ineffective because legislation is either bad-actor focused and punishes the proverbial “hacker,” which has no teeth due to jurisdictional reach limitations, or because it attempts to punish the victim-company in hopes of motivating the development of sufficient safeguards. The missing puzzle piece in solving this issue is “intelligence.” Intelligence in military terms is the process of combining information to create an actionable plan that anticipates what the enemy will do based on operational factors. The utility of intelligence in cyberspace is that it provides companies the ability to anticipate not only when they may be attacked based on trends in their sector, but also what methods would likely be used to carry out the attack. There are two ways that cybersecurity intelligence could be achieved. The first approach involves integrating cybersecurity units from the United States Military into the private sector to collect information on attacks and provide intelligence to private sector companies based on this information gathering. This approach also allows the US Military to continue its proficiency in the cyberspace domain, which is a rising concern for US military leaders. The second approach involves expanding the Cybersecurity and Infrastructure Security Agency’s (CISA) regulatory powers to enact mandatory reporting regulations for more than just “critical infrastructure.” Each approach has its own drawbacks, but both offer significant advantages as compared to the current regulatory landscape.

Continue reading →