Amending the ECPA to enable a culture of cybersecurity research.

• Author: Burstein, Aaron J.

TABLE OF CONTENTS I. INTRODUCTION II. THE UNIQUE PROMISE OF TECHNICAL RESEARCH IN IMPROVING CYBERSECURITY A. Defining Cybersecurity B. Defending Against Known Threats: The Inadequacy of Prevention C. The Limits of Deterrence D. Adapting to Evolving Threats Through Detection and Resilience: The Case for Focusing on Technical Research III. HOW COMMUNICATIONS PRIVACY LAW LIMITS CYBERSECURITY RESEARCH A. Communications Privacy Law 1. Wiretap Act 2. Stored Communications Act. Pen/Trap Statute 4. State Laws 5. Gaps B. Institutions IV. COPING WITH THE DEARTH OF CYBERSECURITY DATA A. Scientific Goals of Data Sharing B. Data Needs: A Picture of the Ideal C. Public Releases 1. Non-Content Data 2. Communications Contents D. Private Access V. A PRIVACY-PRESERVING FRAMEWORK FOR CYBERSECURITY RESEARCH A. Requirements for a Cybersecurity Research Exception to the ECPA B. Institutions C. Creating New Threats? VI. CONCLUSION I. INTRODUCTION

Computer and network security (together, "cybersecurity") have become matters of major economic, social, and national security importance. Computer networks have joined other systems like transportation, energy, defense, and health care that are critical to the functioning of the national economy. (1) Indeed, computer networks are the "nervous system" that ties together and controls these other components of our national infrastructure. (2) Increasingly sophisticated network attacks, however, constantly threaten this infrastructure and the activities that rely on it. These attacks do not simply damage an isolated machine, or disrupt an individual's or single enterprise's access to the Internet. Instead, modern attacks threaten to target infrastructure that is integral to the economy, national defense, and daily life. (3) Although society has benefited from innovative applications that connect people and devices via the Internet, (4) malicious parties have taken advantage of the Internet's connectivity by exploiting technological and human vulnerabilities to perpetrate attacks for personal, financial, and political gain. (5) The FBI estimated in 2005 that cybercrime costs the United States $67.2 billion annually. (6)

But the risks of insecurity go beyond financial damage. For example, Estonia endured a massive flood of Internet traffic in 2007, which crippled networks within the country, leading to a shutdown of banks and other services. (7) In 2003, the "Slammer" worm spread rapidly across the Internet, shutting down South Korea's "entire Internet system" and disrupting ATM transactions in the United States. (8) The following year, the "Witty" worm deleted random data from the hard drives of the hosts it infected worldwide. (9) As networked devices--not only personal computers but cell phones, appliances, and even the materials in buildings--become pervasive, (10) the potential for harm from successful attacks will continue to grow. Although the United States has not suffered major Internet physical infrastructure outages as a result of cyberattacks, attempts to defeat the defenses of critical information systems are relentless. (11)

Understanding how to detect and defend against such attacks is an active research area within computer science, (12) and technical research (13) in this area is, in turn, a central element of national cybersecurity policy. (14) The era of network-wide attacks began in 1988, when the "Internet Worm," a program that replicated itself from one networked computer to another without human intervention, quickly spread to an estimated five to ten percent of computers connected to the Internet. (15) The Worm exploited flaws in individual computers, traversing their networks without regard to organizational boundaries, and quickly spread from one organization's network to another. The response to the Worm also crossed institutional boundaries, with researchers and administrators sharing alerts and suggestions for mitigation with their peers at other organizations. (16) This informal coordination of defenses helped to stop the Internet Worm relatively quickly, and computer security experts who studied the Worm recommended creating a formal organization to coordinate information sharing about vulnerabilities and malicious activity. Given the complexity of the Internet and the diversity of malicious activity connected with it, understanding what information to share and how to analyze it remains a difficult scientific problem.

Unfortunately, current U.S. law adds to the difficulty. Communications privacy laws--specifically the Electronic Communications Privacy Act ("ECPA")--impede the sharing of Internet data with cybersecurity researchers. (17) The ECPA currently prohibits many instances of the acquisition, use, and disclosure of e-mails, Internet usage histories, instant messaging conversations, and other forms of electronic communications, without providing a research exception. (18) The central argument of this Article is that the ECPA should be amended to include a cybersecurity research exception and that a properly crafted and administered exception would pose little risk to communications privacy.

Sharing cybersecurity data in this manner would entail some risk. Allowing easier access to communications data increases the chance that the data will be misused. Data sharing, of course, can threaten more than communications privacy. The firms that control communications data are often reluctant to share it out of concern that their customers will react negatively, or that the data will expose sensitive information. (19)

The result is that much technical cybersecurity research is bound to the data available from the researcher's own institution, which in most cases is quite limited. Organizations seek to make their own information systems as secure as they can within resource constraints, even if the defenses they employ end up harming cybersecurity overall. As two cybersecurity researchers have put it:

It is typical in the current security culture for each autonomous organization ... to locally optimize network management and security protection.... There is a culture of pushing attackers away from oneself without any consideration of the poor overall security resulting from this lack of coordination between organizations. (20) Add to this the fact that the current culture of security encourages individuals and institutions to view security as an expense rather than a necessary means of avoiding lost time, money, and information, and the depth of the cybersecurity problem becomes apparent. (21) Given the need to coordinate responses on a wide scale to combat network threats, it is appropriate to consider how law might support system-level cybersecurity research and responses while protecting privacy.

Both Congress and the Executive Branch have recently become aware of the need to integrate privacy into cybersecurity policy. (22) In particular, the guiding national cybersecurity policy document, the National Strategy to Secure Cyberspace, recognizes that a new approach is necessary to encourage firms with data to share it with researchers who can put it to use. (23) The National Strategy also recognizes that cybersecurity responses must protect privacy and civil liberties. (24) But anyone searching this document for details about how to reconcile security and privacy will be disappointed. Communications privacy law, in particular, is an example of the law's failure to coordinate cybersecurity research and practice.

This Article argues that the ECPA's barriers to cybersecurity research are substantial and that addressing them forthrightly best serves the interests of research and privacy. The argument proceeds in four parts. Part II explains how the economic and technical components of cybersecurity render market- and law enforcement-based efforts to improve cybersecurity inadequate. Improving cybersecurity depends critically on continued research, but cybersecurity research currently faces a dearth of realistic, usable data to study modern-day threats. Part III argues that communications privacy law and norms contribute significantly to this shortage. The ECPA, in particular, reinforces the existing cultural resistance to cooperation among cybersecurity researchers by making data sharing among these researchers legally risky. Part IV demonstrates that the dearth of usable data is a serious impediment to research. Increasing cybersecurity researchers' access to such data would significantly aid their research. Part V presents a variety of measures--legal, institutional, and technological--that are necessary to improve communications data sharing with cybersecurity researchers while protecting individual privacy interests in the data. The Article argues that Congress should create a cybersecurity research exception to the ECPA granting formal permission to share communications data for research purposes, subject to strict institutional controls. This change would help confer legitimacy on the use of communications data in research, which, in turn, could shape norms that favor sharing.

2. THE UNIQUE PROMISE OF TECHNICAL RESEARCH IN IMPROVING CYBERSECURITY

   1. Defining Cybersecurity

      To avoid the possibility that "cybersecurity" will become too malleable a term in this Article, I will provide a definition. Elements of cybersecurity familiar to computer scientists include the following: a computer or network system's resistance to becoming unavailable or unusable due to unauthorized uses; resistance to attacks that corrupt data stored on the system and cause information to leak out of the system; and a guarantee that data can be restored after an attack. (25) A somewhat more functional definition emphasizes that security involves a process of identifying and remedying the vulnerabilities of a system within the context of a specified set of threats posed by an adversary; (26) cybersecurity applies these activities to networked computer systems. (27)

      Applying...