Conducting Cybersecurity Research Legally and Ethically
By Aaron J. Burstein; Presented by David Muchene

Objectives
• Explain the areas of law that are most applicable to cyber security research.
• Offer general guidelines for various ethical issues that may arise while doing research.

Introduction
• There are several cyber security research activities that have legal considerations associated with them:
  • Collecting real network data
  • Running malware in test beds
  • Disrupting or mitigating attacks
  • Publishing certain results

Obtaining Network Data
• Obtaining network data is sometimes critical to a researcher's work.
• Communication and privacy laws limit access to traffic on networks.
• Wiretap Act:
  • Prohibits real-time interception of the 'contents' of electronic communication
• Pen Register/Trap and Trace Statute:
  • Prohibits interception of the 'non-content' of electronic communication

Obtaining Network Data
• Stored Communications Act:
  • Prohibits providers of electronic communication to the public from disclosing customers' content
• Providers are given an exception to the Wiretap Act and the Pen/Trap statute.
• Researchers should be granted a similar exception since:
  • Their research could potentially protect the researcher's institution's network
  • Researchers do not pursue criminal investigations nor seek to embarrass anybody

Sharing Network Data
• Sharing data could be useful to the research community.
• The Stored Communications Act limits the sharing of this data.
  • It generally only applies to providers of electronic communication to the public
  • Researchers working within a university/private network setting do not have to worry about the disclosure provisions

Infected Hosts
• It's often necessary to allow attackers to exploit a host, or to run malware in a controlled environment, to understand the behavior of attacks.
• Researchers must make sure that malicious software does not make it beyond their test beds.
  • The Computer Fraud and Abuse Act holds them liable otherwise
• They must also be careful not to hold any illegal material on their systems.

Mitigating Attacks
• Researchers may be in a position to disrupt an attack. However, before doing so they should:
  • Determine whether they would break any laws
  • Consider the institution's reputation

Publishing Results
• Researchers are for the most part protected by the First Amendment.
• They are not, however, protected if their results somehow conflict with the DMCA.
• They should consider whether their results could help adversaries attack the researcher's network.

Conclusions
• Lots and lots and lots of legal considerations when doing cyber security research
• Privacy is important and researchers must realize this as they conduct their work