“I attended Randy's workshops on Risk Management during the 2010 Midwest IANS conference in Chicago. I found his insights on Risk Management engaging, but, even more so, his facilitation of the workshop group's discussion especially helpful. The sessions were thought provoking and provided me with substance that I have since been able to apply on the job.”
Washington, District of Columbia, United States
Activity
-
What a thrill to join our amazing client, Rubrik, as they begin their journey as a NYSE-listed company. Thank you, Peter McGoff, Anne-Kathrin…
Liked by Randy Sabett
-
Looking forward to participating in an ABA fireside chat tomorrow entitled "Cyber War Stories From the Frontlines: From Ransomware to Hacking Back".…
Shared by Randy Sabett
-
Last week, my colleagues and I authored a piece on the new Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) draft rules that will…
Shared by Randy Sabett
Publications
-
Defend Forward: Moving Toward Coordinated Active Cyber Response
Practicing Law Institute (PLI)
The notion of defend forward, the unclassified and publicly communicated cyber policy of the U.S. Government, will require coordination on a number of different fronts if we are to be successful in raising the cost to our adversaries of attacking our systems. The recently released report from the Cyberspace Solarium Commission defines defend forward as the “proactive observing, pursuing, and countering of adversary operations and imposing of costs in day-to-day competition to disrupt and defeat ongoing malicious adversary cyber campaigns, deter future campaigns, and reinforce favorable international norms of behavior, using all of the instruments of national power.” In light of the amount of network infrastructure not controlled by the government, defend forward necessarily must involve the private sector and, therefore, necessitates cooperation on a variety of cyber fronts between the government and the private sectors. Specifically, in order for a defend forward approach to work, we assert that not only must there be improvements in information sharing and public private partnerships, there must also exist clear rules of engagement for active cyber response. We explore both of these assertions in this paper and propose a new construct to support and facilitate defend forward.
-
Recent Cybersecurity Developments in Healthcare, 3rd ed. (and supplements)
E-Health, Privacy, and Security Law / Bloomberg BNA (ABA Health Law Section)
This treatise provides health law practitioners and e-health professionals with a full exploration of the legal, regulatory, transactional, and ethical issues at the nexus of health and information technology, including e-health, privacy, security, social media, HIPAA, HITECH, and more. It also includes guidance on maximizing technology to cut costs and improve marketing, all while staying compliant and avoiding penalties. The new Third Edition includes updated chapters on the e-health industry and health information technology, as well as discussion of: recent security breach settlements with HHS's Office for Civil Rights (OCR) and the implications, as well as a new chapter on other cybersecurity developments in healthcare.
-
A Fine-Grained Approach for Analyzing Active Cyber Response by the Private Sector
Practising Law Institute (PLI)
This paper proposes a framework for classifying current active cyber response (ACR) techniques and a fine-grained approach for analyzing active cyber response by the private sector according to a rules-based analysis of those techniques. We propose that ACR for the private sector be defined as a diverse set of TTPs that can be (a) used for identifying, detecting, analyzing, and mitigating threats to a network and (b) classified along a spectrum of varying risk and permissiveness. The paper begins by reviewing the current models for characterizing ACR and proposing a classification method for ACR TTPs. The paper further proposes a decisional framework for determining whether a proposed ACR operation should be permitted to proceed based on factors including: severity of the threat; nature of the attacker system being targeted by ACR; effects of the ACR on the attacker system; time elapsed between detection of attack and initiation of ACR; and possible collateral effects of the ACR. The paper proposes that such a fine-grained approach to authorizing ACR by the private sector could be used by a cyber operations court or other authority hearing applications for ACR and issuing determinations regarding specific actions.
-
The ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms, and Business Professionals, 1st Ed.
American Bar Association
The ABA Cybersecurity Handbook provides practical cyber threat information, guidance, and strategies to lawyers and law firms of all sizes. The guide considers the interrelationship between lawyer and client, establishing what legal responsibilities and professional obligations are owed to the client in the event of a cyber attack. The book provides strategies to help law firms defend against the cyber threat, and also offers information on how to best to respond if breached.
-
Adequate Attribution: A Framework for Developing a National Policy for Private Sector Use of Active Defense
Journal of Business & Technology Law
Once primarily the domain of the federal government and a few specialized defense contractors, “active defense” has become an increasingly common topic even in unclassified circles due to (a) much more media exposure, (b) a general relaxing of attitudes toward offensive cyber behavior and, to some extent, (c) a frustration with the ability for companies to protect themselves with a purely defensive posture. Whether called active defense, standing your cyber ground, or hacking back, the notion of offensive use of cyber capability continues to gain considerable attention. This paper lays out an argument that since absolute identification of a cyberattacker is unrealistic, a national dialog should occur around what constitutes adequate attribution for carrying out active defense techniques. We then provide a normative framework for use by the private sector when contemplating the use of active cyber defense.
-
The Third-Party Assurance Model: A Legal Framework for Federated Identity Management
Jurimetrics: The Journal of Law, Science, and Technology of Arizona State University College of Law
ABSTRACT: Computer network compromises continue to plague all sectors of business and government, particularly where multiple stakeholders need to share large amounts of data and collaborate online. While the ability to reliably and accurately authenticate a person is a critical aspect of securing access to computer network resources, such user authentication has not, historically, been a high priority. Federated identity management has evolved as a mechanism for certain entities to make assertions on which other entities can rely, by establishing a trust framework amongst such heterogeneous stakeholders. This trust framework can provide an acceptable level of assurance that the identity of a user or a group of users associated with one stakeholder can be properly verified such that a user or group of users associated with another stakeholder can rely on the purported identity of the users in the other group. Traditional federated models, however, have not been optimized for operational use. In response, a third-party assurance (3PA) model is proposed that incorporates the best features of the industry standard hub and consortium models, utilizing (a) existing bilateral agreements between asserting and relying parties and (b) a federation operator (FO). The 3PA model creates a double-binding obligation on the asserting party (AP) to comply with the rules of the identity federation (IdP). Under the 3PA model, the IdP has one set of contractual obligations directly applicable to it via its contract with the FO. The IdP has a second set of contractual obligations to each relying party (RP) in the federation (as a third-party beneficiary) via the incorporation by reference of the rules of the federation.
-
Internet X.509 PKI Certificate Policy and Certification Practices Framework
Internet Engineering Task Force (IETF)
This document presents a framework to assist the writers of certificate policies or certification practice statements for participants within public key infrastructures, such as certification authorities, policy authorities, and communities of interest that wish to rely on certificates. In particular, the framework provides a comprehensive list of topics that potentially (at the writer's discretion) need to be covered in a certificate policy or a certification practice statement. This document supersedes RFC 2527.
-
International Harmonization in Electronic Commerce and Electronic Data Interchange: A Proposed First Step Toward Signing on the Digital Dotted Line
American University Law Review
Part I of this Essay assesses recent activity and advances in public key cryptography and one potential application to international electronic commerce (EC) and electronic data interchange (EDI). Part II then examines the revolution in information security created by an area of mathematics known as public key cryptography and provides a short primer on cryptography leading into a discussion of digital signatures. Part II discusses the general areas of EC and EDI. Part III examines the existing systems of international business transactions, focusing particularly on the challenges that must be addressed to facilitate electronic transactions. In Part IV, a review of recent efforts provides insight into what should occur next. Finally, Part V suggests the specific mechanism of digital signatures as a catalyst for stimulating harmonization in international EC and EDI.
Patents
-
Secure, easy and/or irreversible customization of cryptographic device
Issued US 6,981,149
-
Analog Noise Cancellation System Using Digital Optimizing of Variable Parameters
Issued US 5,440,642
Honors & Awards
-
ISSA Distinguished Fellow
Information Systems Security Association (ISSA) International
The ISSA Fellows Program formally recognizes significant contributions to the cyber community, cyber profession, ISSA leadership and sustained ISSA membership. The elite status of Distinguished Fellow designation is limited to only 1% of ISSA members and Fellow status is limited to 2% of the ISSA membership. Senior Member status is the first step towards fellowship and requires at least 5 years of membership.
-
Washington's Best Lawyers - Cybersecurity
Washingtonian Magazine
Washingtonian Magazine compiles a directory of Washington’s top legal talent in 21 practice specialties, as voted by area lawyers.
-
ISSA Security Professional of the Year
Information Systems Security Association (ISSA)
The ISSA presents the Security Professional of the Year award annually to honor one individual who best exemplifies the most outstanding standards and achievement in information security in the preceding year.
Recommendations received
2 people have recommended Randy
More activity by Randy
-
There is a collaborative approach between the California Privacy Protection Agency, the CA AG, the FCC, the Federal Trade Commission etc on…
Liked by Randy Sabett
-
The Federal Communications Commission (FCC) has adopted rules that establish a framework for the new US Cyber Trust Mark program. My outstanding…
Shared by Randy Sabett
-
Continuing to spotlight powerful women this month! This week I want to shine a light on Catherine A. Allen, a true trailblazer in technology strategy…
Liked by Randy Sabett
-
It’s not every day that you get to experience your company’s historical milestone, but today is that day for all of us on the Cerus team. Today, we…
Liked by Randy Sabett
-
In January, I moderated a panel at the 2nd annual Charleston CyberLaw Forum entitled "AI: Transforming Cybersecurity" - see video at…
Shared by Randy Sabett
-
In February, Cooley LLP, together with co-counsel from Freshfields, submitted an amicus brief advocating for 30 current and former chief information…
Shared by Randy Sabett
-
Take a look at our blog post re the release of NIST CSF 2.0!
Shared by Randy Sabett
-
Well this is going to be awesome. Our multidisciplinary Cooley LLP team thrives on playing a supporting role in achieving incredible milestones like…
Liked by Randy Sabett