Randy Sabett

Washington, District of Columbia, United States
2K followers 500+ connections


About

At Cooley, my practice involves providing advice and counseling on cybersecurity matters…


Experience & Education

  • Cooley LLP

Licenses & Certifications

  • CISSP

    (ISC)²

    Issued
    Credential ID 27172
  • Patent Attorney

    USPTO

    Issued
    Credential ID 43074

Publications

  • Defend Forward: Moving Toward Coordinated Active Cyber Response

    Practising Law Institute (PLI)

    The notion of defend forward, the unclassified and publicly communicated cyber policy of the U.S. Government, will require coordination on a number of different fronts if we are to be successful in raising the cost to our adversaries of attacking our systems. The recently released report from the Cyberspace Solarium Commission defines defend forward as the “proactive observing, pursuing, and countering of adversary operations and imposing of costs in day-to-day competition to disrupt and defeat ongoing malicious adversary cyber campaigns, deter future campaigns, and reinforce favorable international norms of behavior, using all of the instruments of national power.” In light of the amount of network infrastructure not controlled by the government, defend forward necessarily must involve the private sector and, therefore, necessitates cooperation on a variety of cyber fronts between the government and the private sectors. Specifically, in order for a defend forward approach to work, we assert that not only must there be improvements in information sharing and public private partnerships, there must also exist clear rules of engagement for active cyber response. We explore both of these assertions in this paper and propose a new construct to support and facilitate defend forward.

  • Recent Cybersecurity Developments in Healthcare, 3rd ed. (and supplements)

    E-Health, Privacy, and Security Law / Bloomberg BNA (ABA Health Law Section)

    This treatise provides health law practitioners and e-health professionals with a full exploration of the legal, regulatory, transactional, and ethical issues at the nexus of health and information technology, including e-health, privacy, security, social media, HIPAA, HITECH, and more. It also includes guidance on maximizing technology to cut costs and improve marketing, all while staying compliant and avoiding penalties. The new Third Edition includes updated chapters on the e-health industry and health information technology, as well as discussion of: recent security breach settlements with HHS's Office for Civil Rights (OCR) and the implications, as well as a new chapter on other cybersecurity developments in healthcare.

  • A Fine-Grained Approach for Analyzing Active Cyber Response by the Private Sector

    Practising Law Institute (PLI)

    This paper proposes a framework for classifying current active cyber response (ACR) techniques and a fine-grained approach for analyzing active cyber response by the private sector according to a rules-based analysis of those techniques. We propose that ACR for the private sector be defined as a diverse set of TTPs that can be (a) used for identifying, detecting, analyzing, and mitigating threats to a network and (b) classified along a spectrum of varying risk and permissiveness. The paper begins by reviewing the current models for characterizing ACR and proposing a classification method for ACR TTPs. The paper further proposes a decisional framework for determining whether a proposed ACR operation should be permitted to proceed based on factors including: severity of the threat; nature of the attacker system being targeted by ACR; effects of the ACR on the attacker system; time elapsed between detection of attack and initiation of ACR; and possible collateral effects of the ACR. The paper proposes that such a fine-grained approach to authorizing ACR by the private sector could be used by a cyber operations court or other authority hearing applications for ACR and issuing determinations regarding specific actions.

  • The ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms, and Business Professionals, 1st Ed.

    American Bar Association

    The ABA Cybersecurity Handbook provides practical cyber threat information, guidance, and strategies to lawyers and law firms of all sizes. The guide considers the interrelationship between lawyer and client, establishing what legal responsibilities and professional obligations are owed to the client in the event of a cyber attack. The book provides strategies to help law firms defend against the cyber threat, and also offers information on how to best to respond if breached.

  • Adequate Attribution: A Framework for Developing a National Policy for Private Sector Use of Active Defense

    Journal of Business & Technology Law

    Once primarily the domain of the federal government and a few specialized defense contractors, “active defense” has become an increasingly common topic even in unclassified circles due to (a) much more media exposure, (b) a general relaxing of attitudes toward offensive cyber behavior and, to some extent, (c) a frustration with the ability for companies to protect themselves with a purely defensive posture. Whether called active defense, standing your cyber ground, or hacking back, the notion of offensive use of cyber capability continues to gain considerable attention. This paper lays out an argument that since absolute identification of a cyberattacker is unrealistic, a national dialog should occur around what constitutes adequate attribution for carrying out active defense techniques. We then provide a normative framework for use by the private sector when contemplating the use of active cyber defense.

  • The Third-Party Assurance Model: A Legal Framework for Federated Identity Management

    Jurimetrics: The Journal of Law, Science, and Technology of Arizona State University College of Law

    ABSTRACT: Computer network compromises continue to plague all sectors of business and government, particularly where multiple stakeholders need to share large amounts of data and collaborate online. While the ability to reliably and accurately authenticate a person is a critical aspect of securing access to computer network resources, such user authentication has not, historically, been a high priority. Federated identity management has evolved as a mechanism for certain entities to make assertions on which other entities can rely, by establishing a trust framework amongst such heterogeneous stakeholders. This trust framework can provide an acceptable level of assurance that the identity of a user or a group of users associated with one stakeholder can be properly verified such that a user or group of users associated with another stakeholder can rely on the purported identity of the users in the other group. Traditional federated models, however, have not been optimized for operational use. In response, a third-party assurance (3PA) model is proposed that incorporates the best features of the industry standard hub and consortium models, utilizing (a) existing bilateral agreements between asserting and relying parties and (b) a federation operator (FO). The 3PA model creates a double-binding obligation on the asserting party (AP) to comply with the rules of the identity federation (IdP). Under the 3PA model, the IdP has one set of contractual obligations directly applicable to it via its contract with the FO. The IdP has a second set of contractual obligations to each relying party (RP) in the federation (as a third-party beneficiary) via the incorporation by reference of the rules of the federation.

  • Internet X.509 PKI Certificate Policy and Certification Practices Framework

    Internet Engineering Task Force (IETF)

    This document presents a framework to assist the writers of certificate policies or certification practice statements for participants within public key infrastructures, such as certification authorities, policy authorities, and communities of interest that wish to rely on certificates. In particular, the framework provides a comprehensive list of topics that potentially (at the writer's discretion) need to be covered in a certificate policy or a certification practice statement. This document supersedes RFC 2527.

  • International Harmonization in Electronic Commerce and Electronic Data Interchange: A Proposed First Step Toward Signing on the Digital Dotted Line

    American University Law Review

    Part I of this Essay assesses recent activity and advances in public key cryptography and one potential application to international electronic commerce (EC) and electronic data interchange (EDI). Part II then examines the revolution in information security created by an area of mathematics known as public key cryptography and provides a short primer on cryptography leading into a discussion of digital signatures. Part II discusses the general areas of EC and EDI. Part III examines the existing systems of international business transactions, focusing particularly on the challenges that must be addressed to facilitate electronic transactions. In Part IV, a review of recent efforts provides insight into what should occur next. Finally, Part V suggests the specific mechanism of digital signatures as a catalyst for stimulating harmonization in international EC and EDI.

Honors & Awards

  • ISSA Distinguished Fellow

    Information Systems Security Association (ISSA) International

    The ISSA Fellows Program formally recognizes significant contributions to the cyber community, cyber profession, ISSA leadership and sustained ISSA membership. The elite status of Distinguished Fellow designation is limited to only 1% of ISSA members and Fellow status is limited to 2% of the ISSA membership. Senior Member status is the first step towards fellowship and requires at least 5 years of membership.

  • Washington's Best Lawyers - Cybersecurity

    Washingtonian Magazine

    Washingtonian Magazine compiles a directory of Washington’s top legal talent in 21 practice specialties, as voted by area lawyers.

  • ISSA Security Professional of the Year

    Information Systems Security Association (ISSA)

    The ISSA gives the Security Professional of the Year award to honor one individual annually who best exemplifies the most outstanding standards and achievement in information security in the preceding year.
