Mapping the Matrix

The new Center for Cybersecurity brings legal and technical talent together to take the lead on one of the most urgent issues of our time.

BY MICHELLE TSAI
ILLUSTRATIONS BY KOTRYNA ZUKAUSKAITE

When Apple refused to help the FBI unlock an encrypted iPhone belonging to one of the San Bernardino, California, shooters this spring, it put the issue of cybersecurity squarely at the center of a long-running US debate over how best to balance national security interests with civil liberties.

Federal investigators urgently sought access to the phone’s data to determine if the shooters were tied to a larger terrorist network. Apple CEO Tim Cook warned that complying with the request would give government the power to reach into anyone’s device.

In the public debate that ensued, policy experts clashed with technologists. The former proposed alternatives and compromises, while the latter maintained that giving the government a “master key” could possibly compromise security for all users. In the end, the government was able to retrieve the encrypted data without Apple’s help. But the battle over cybersecurity still rages—drawing in players from law and technology as well as government and the private sector.

Placing itself at the center of this matrix is the newly established NYU Center for Cybersecurity (CCS). A collaboration between NYU Law and the NYU Tandon School of Engineering’s computer science department, the center is addressing the vexing questions that arise at the meeting point of security and technology: How should the government and private parties interact when it comes to cybersecurity? What kind of legal and technical framework will enable companies to shore up their digital defenses? And what is the appropriate level of risk management for private companies?

NYU is one of the first universities to leverage an interdisciplinary approach in cybersecurity, and CCS’s founding team includes legal experts in national security and counterterrorism, as well as engineering specialists in digital forensics and hardware security.

“Unlike national security, which, for generations, has been the exclusive province of the state, cybersecurity inevitably requires a partnership between public and private actors,” says Professor Samuel Rascoff, a co-founder of the new center and faculty director of the Law School’s Center on Law and Security (CLS). “And we need to train people who are conversant not just with the legal issues, but who also understand the underlying technical problems.”

As cyberthreats grow in complexity and more organizations, governments, and citizens fall prey to them, it is clear that solutions will require a multifaceted approach. At CCS, lawyers and public policy experts work with computer scientists to train attorneys for the jobs of today and tomorrow and shape public discourse and policy on technology and security issues. The center engages in research and teaching, convenes thought leaders in this area, and offers a scholarship program for students committed to interdisciplinary work on cybersecurity. (See related story about Professor of Clinical Law Jason Schultz’s work on technology policy at the White House.)

Cat and Mouse Game

This spring Facebook Chief Security Officer Alex Stamos discussed the Apple-FBI encryption dispute at the launch of the Center for Cybersecurity with CCS fellow Judith Germano.

What we call the Internet—a ubiquitous web of networked computers—took shape in the 1960s when US computer scientists experimented with sending data in packets and connecting computers over dial-up phone lines. “It was a communications network designed by and for a small community of researchers in government and the academy,” says Zachary Goldman ’09, a CCS co-founder and executive director of the CLS. “It was not designed to be the backbone for global commerce and communications.”

In short, the Internet was not created with security in mind. But in an era in which everything from heart monitors to cash registers and entire “smart cities” is connected to the web, protecting data becomes all the more central—and challenging. Indeed, in 2015 alone, a quarter of Americans reported that they were notified about their personal information being compromised in a data breach, according to the RAND Corporation.

A 2016 Verizon study found that in 2,260 breaches from 67 contributing organizations in 82 countries, attackers required just seconds or minutes to gain access to systems in 93 percent of breaches. Meanwhile, it took weeks—or longer—for organizations to realize they’d been attacked. “On the Internet, no one knows you’re a thief,” says Randal Milch ’85, a former general counsel at Verizon who is a senior distinguished fellow at CCS.

Adding to the security challenge, by its nature cybersecurity implicates private companies in unique ways. “The private sector owns almost all the infrastructure, the private sector is the victim, and the private sector has responsibility for fixing the problems most of the time,” Goldman notes. “That demands a fundamentally different way of thinking about cybersecurity than other kinds of national security concerns.”

Thwarting attacks has evolved into a game of cat and mouse, according to Nasir Memon, who represents Tandon as a co-founder of CCS, along with Ramesh Karri, professor of electrical and computer engineering.

“If I’m trying to block every window and door in the building, it’s a tough job. The bad guys just have to find one opening, and they’re in,” says Memon, who leads Tandon’s computer science and engineering department and researches digital forensics, data compression, and security and human behavior. “Plus, I have to follow laws and norms. The bad guys can be creative. They don’t have to follow rules.

Although staging a cyberattack requires a certain level of technical acumen, defending against one—and coordinating a postattack response—requires the skills of multiple stakeholders and specialists, including attorneys who can evaluate legal risks and protections as well as executives who oversee business decisions. In the 2013 Target data breach, in which hackers stole credit card information from 40 million customers during the holiday shopping season, the retailer had already invested heavily in data defenses, maintaining a system that would raise red flags for potential incidents. But there was confusion at Target over the severity of the compromise, and the big-box store drew heavy criticism for its slow public response, says Judith Germano, a former federal prosecutor, now with CCS, who advises Fortune 50 and other companies on cybersecurity matters.

“So much of getting cybersecurity right comes down to a communications issue among different stakeholders,” both inside an organization and across disciplines and private-public sector divisions, says Germano. For an example of a successful interdisciplinary operation, Germano points to the 2014 bust of Blackshades malware, software that allowed criminals to control victims’ computers—seizing passwords, banking credentials, and social media accounts, and even recording keystrokes and activating webcams. Law enforcement, diplomats, technologists, lawyers, and private sector companies from 19 countries came together in a takedown that resulted in more than 90 arrests and 300 executed searches.

Collaboration and coordination are still the exception rather than the rule, however. “Some people would say there’s a lot of ‘tech-splaining’ going on,” says Milch, describing how technologists sometimes talk down to legal and policy experts. “That’s why it’s important that technologists get a better grasp of the policy options and policy people get a better grasp of the technology issues—so they can speak to one another in the same language.”

A Base for Cybersecurity in NYC

Lady JusticeWith a mandate that spans research, teaching, and public debate, CCS is poised to serve as a national hub of cybersecurity research. Its location in New York City, the heart of the US financial and legal industries, is an advantage as CCS addresses critical concerns. One of the first issues that CCS is investigating by leveraging its policy and technology expertise is how best to incentivize corporations to get better at cybersecurity. Milch points out that government regulations in this area constitute a tricky balancing act. One arm of the government, such as the Department of Justice (DOJ), may prompt private companies to share information about security incidents to help law enforcement pursue cybercriminals. But cooperation may expose the companies’ security shortfalls, turning the companies into targets of investigation by other agencies—for example, the SEC or the FCC—due to their violations of security policies. Companies may also find themselves in the position of having to share proprietary information and trade secrets with the government.

 “Trust between the government and the tech sector is not at a great place right now,” says Luke Dembosky, a former DOJ official involved in investigating breaches at Target, Sony Pictures, Anthem, and many other companies, who has spoken about cybersecurity at the Law School’s CLS events. Now a partner at Debevoise & Plimpton, Dembosky advises companies on managing their cybersecurity risks. “Improving cybersecurity is a common goal across public and private sectors, and to make progress, we must work together to identify the basic steps that will move us closer to that goal. If we wait until we figure everything out, we will never get there.”

Since CCS is deeply rooted in two schools, teaching is naturally an area of focus. This fall, Goldman, Memon, and Milch will coteach a seminar on cybersecurity law and technology—the first of its kind at NYU. Goldman says the team expects every class to be an integrated discussion of legal and technical concerns, framing questions on issues like encryption, government access to data, and the use of sophisticated law enforcement investigative techniques from an interdisciplinary perspective.

(See related story about the ASPIRE cybersecurity program for NYU Law students.)

In addition to their individual projects—for instance, Tandon’s Karri intends to explore the cybersecurity implication of 3-D printing and Law’s Milch aims to investigate the use of attorney-client privilege in the aftermath of cyberattacks—CCS scholars are already conducting interdisciplinary research together. Goldman, a former policy adviser in the US Department of the Treasury’s Office of Terrorism and Financial Intelligence, teamed up with Tandon’s Damon McCoy, who studies the financial and technical networks underlying cybercrime, to publish a peer-reviewed paper in the July 2016 issue of the Journal of National Security Law & Policy. “Deterring Financially Motivated Cybercrime” explores regulatory interventions that can make it harder for cybercrime networks to monetize their thefts.

“This kind of cross-cutting thinking is the way to solve problems in this space,” says Dembosky. “Technologists aren’t going to solve the cybersecurity problem by themselves, and neither will lawyers and policymakers. What the Center for Cybersecurity is doing is very important: bringing people together with disparate skill sets to help narrow differences and solve problems that can’t be solved by any one discipline alone.”

Michelle Tsai is a public affairs officer at NYU Law.

Posted September 2, 2016