[00:00:14] >> Hi everybody, sorry about the tech. It turns out there were two HDMI things and we had no idea that we were plugging in an HDMI that didn't connect to anything; that was the surprise. You know, I saw my quarter was really happy and I couldn't figure out why it wouldn't work.
[00:00:56] And so suppose you work for the chief information security officer of Sony Pictures, and your task is to help the CISO know what cyber threats you face. Do you review the movies the studio is releasing? Is that part of the job, do you think? It's funny.
[00:01:16] That seems like that's part of the job; a couple of people are nodding yes, but I bet a lot of you wouldn't have thought that was the job. So Sony made a picture, as a lot of you know, a few years ago that mocked the North Korean dictator, who then led a nation-state attack on Sony that melted a lot of their servers and wrecked their email system. So one moral of the story is that when you think about your threat models in cyber,
[00:01:41] having a stupid movie probably wasn't one of them for a lot of people, but it illustrates that it's not just code that can lead to problems and can lead to threats to your organization; it's a broader story than that. So for today I'll briefly tell my background, then I'll do a first piece of the thing about these non-code aspects of cybersecurity. I've written an article in Communications of the ACM about a pedagogic cybersecurity framework, and then I'm going to spend a couple of minutes on the globalization of criminal evidence. So just to preview that: you know, we've moved a lot of things to the cloud, and the criminal evidence for a lot of countries is suddenly stored overseas,
[00:02:21] which means that law enforcement cannot get the evidence, which makes police sad. And to try to fix this, last night I was in Washington; actually a U.S.
Attorney General was giving a talk because the United States and the U.K. signed a treaty last night to try to start to fix this problem, so I'll give you a preview of that as sort of a breaking-news thing. So on my background: I went to school for a long time. I worked as a law professor writing about the Internet, the law of the Internet, in 1993, so that was before you were around to be reading such things. In the late nineties I worked for President Clinton in the White House; I was the White House coordinator for the HIPAA medical privacy rule, I was on the writing committee for the financial privacy rule, did a working group on encryption. In 1990 the U.S. government loosened its export controls and allowed the export of strong encryption, and I was involved in that, and did a working group on how to update wiretap laws. I started teaching the law of cybersecurity 16 years ago.
[00:03:20] And then in 2013, after Snowden, President Obama created a five-person review group to try to say what do we do about the NSA, and I was honored to be one of the five people for that NSA review group. I'll show you a picture; that was the year I came to Georgia Tech, and I'm the lead person for policy here, the associate director of policy for the IISP. That's my background. So the nice picture I got out of working for the White House: President Obama; the guy on the left who's falling asleep is me, right.
[00:03:52] Actually I'm listening carefully; you have to tell your boss which one of those it is. President Obama; Michael Morell, who used to lead the CIA; Richard Clarke, the well-known cybersecurity person. So this was when we briefed the president on our report, and many of the recommendations from our report actually became implemented, so that was gratifying; we sort of changed some things about the NSA.
[00:04:15] So moving from my background to the non-code story: this is the article that was in the ACM.
A proposal for teaching the organizational, legal and international aspects of cybersecurity. So, most of you, how many of you have computer science as your main focus? And how many of the policy people here?
[00:04:40] So there's a couple of people, not many, who have the master's in policy vision of cybersecurity, so I assume most of you start with writing code. More details about this: I'll provide the slides to the organizers later, and on my website we have sort of background documents about
[00:05:01] this framework and ongoing work we're doing there. But the idea is to see if we can come up with a conceptual framework to organize the numerous issues that are not just code issues to do cybersecurity, and try to also show that that could organize a curriculum for what you study and can help both technical and non-technical audiences.
[00:05:28] Now, having been around cybersecurity for a long time, I've known lots and lots of computer science people, and I actually really have spent a lot of time in computer science, and I have an appointment in the College of Computing. That real cybersecurity is... I'm missing a slide, sorry, let me start. Did I miss it?
[00:05:49] I don't have it in this. So this way: a lot of times when I talk to cybersecurity people they think real cybersecurity is code and then there's some of that other stuff.
And my theme is that real cybersecurity, a lot of the time, is about non-code. So there's a cybersecurity workforce framework, a national list of the cybersecurity jobs; it listed 33 specialty areas a couple of years ago for these jobs. Ten of the specialty areas primarily involve code, and more than half primarily involve non-code work or were mixed code and non-code. So in other words, somewhere around a third of the job categories are overwhelmingly code, and the rest of cybersecurity jobs have an important or dominant non-code perspective, and that's a somewhat different way to think about it than a lot of people start with, because you tend to think the real stuff is code. So the genesis for this project came from my teaching. Each spring, including this spring, I teach a course cross-listed between Computing and Public Policy and Management called Information Security Strategies and Policy, and this spring I'll be teaching the course for the sixth time. It's required for a master's in information security; Mueller teaches a fall version of it, I teach the spring version of it. And it turned out, as I kept teaching it for a while, eventually I organized the course into three modules.
[00:07:18] And one module is about corporate cybersecurity policies and governance. So a homework assignment would be: draft a ransomware policy for a hospital group. That's a job you could imagine working on; there's ransomware attacks on hospitals, we have to have a policy for what we do if a ransomware thing happens: who do we call, who's part of the team, what do we do, what's our policy to pay or not pay, etc. So that's a key component of the course. Another thing in cybersecurity is the government: governments write laws and regulations. So at the state level, New York State for instance has a very strict cybersecurity law for financial services firms. Is that a good idea, is that a bad idea, how do you comply with it? And so that's a set of things that come from the government and from laws. And then the third part is the nation-state problem, and so one recent year you had to pretend, in my class, that you were part of the National Security Council staff for the president and you were supposed to write a memo on what the cyber threats from Russia were and what policy responses we should do to try to either deter or react against Russian cyber threats. Those are really different tasks: writing a ransomware policy, thinking about a state law for cybersecurity, and trying to help a national security discussion, but I think you'd see all of those seem like cybersecurity.
[00:08:39] So part of what I'm trying to say in the course is how do we organize our thinking so that we know how to do this part of cybersecurity. Here's one of my favorite diagrams, which comes from a publication. So imagine the sort of operations people, the middle-level people, and the CEO, the people at the top. So early in a career, for people who love it, there are people who are implementing, who are operationally checking the logs, writing specific code for specific things, et cetera.
[00:09:11] And in most organizations they would report up to somebody in the middle, maybe a business person, maybe a manager of IT, and that person in the middle would have to understand fairly well what's going on here. And that person in the middle has another job: they have to tell top management what our priorities are, what our policies are, what we should do as an organization, do we need this bigger budget, what are the three priorities for the year. So the person in the middle has to be able to speak a really different language to the board of directors, to the CEO, to people who've never had a computer science course, and they're walking into a room as the cybersecurity person who is supposed to explain to the board of directors what these board of directors people should know. And so one of the points from my perspective, what I say, is that not only would you maybe want to be doing this maybe earlier in your career, but if you progress in the organization you might want to be somebody who can both talk to this
[00:10:11] and talk to top management, or talk to outside people, explain to Congress what the problem is, et cetera. And so that would require quite different vocabulary and skills and styles for communicating, because telling people how to make sure all the servers are locked down is different from telling the CEO what the three biggest issues are for the next five years for the company. Really different jobs. And so if you want to be able to rise in the organization you might want some of those skills to be in the middle or upper-middle part of the thing, and so that's what we see the task as being. Now how many people have ever heard of the OSI stack? Let's see... OK, pretty much everybody, or the rest of you have heard of it and you're not paying attention so you didn't raise your hands. I saw several people.
[00:10:55] Into that.
And say this is, you know, one version of it: you start with the physical layer at the bottom, you move all the way up to the application layer. And so the idea is we can build on that. So here's a chart about vulnerabilities that can happen at each level. So at the physical level, if somebody cuts the wire, that's a cybersecurity problem: there's nothing coming in. At layer 7, for instance, for applications, you know, there are tons of things to do about layer 7 threats and how to try to clean up your applications. What I'm going to say is that layer 8 is the organization, and layer 9 is the government, the country you're in, and layer 10 is the international set of things. And I see that there's distinct jobs for these different things.
[00:11:46] You're writing in computer languages for layers 1 to 7 of the OSI stack, primarily, but these layers are mostly natural language. I'm speaking English today; that's how we do law, that's how we do business decisions, that's how we do diplomacy. And for organizations the standard unit, the protocol unit, is a contract: my company is working with your company, and cybersecurity has the auditing rights, here's what we're paying, here is what the quality of service requirements are; that's a contract, that's what companies do. Governments, their main thing is law: it is forbidden to do this or you must do that. And in international, they don't have the law the same way; we don't have one Congress or one, you know, set of rules, and then we argue with each other and that's called diplomacy.
[00:12:38] So sadly the scary version for people with a technical background is: do you really have to learn contracting and law and diplomacy to be cybersecurity? What we're going to suggest is you should be aware that this is part of the package, and probably you want to team with those people when you're working on stuff. You're not going to become an expert in all those things, but you know those things might be important. Like in Sony, they might have wanted to know on the cybersecurity side that we're actually tweaking the nose of the North Korean dictator.
[00:13:15] If the security people had seen that, they might have said wait a second, we've got to be on high alert if we're doing it, or at least we have to think about it, because Sony thought its risk profile was as a sort of normal company, and now the risk profile was a nation state hated them and wanted to do maximum harm. So that's just a different way of thinking about what the job is.
[00:13:39] So here is really a little more detail. I have three columns. Layer 8 is organizations, and roughly speaking this is what we do in the business school: how do you manage your company, how do you manage organizations. What do we do within the organization? Within the organization we do things like an incident response plan, so we don't have as much of a problem the day of a breach; we do a lot of training; we have all the good cyber hygiene you all know how to do; we allocate roles and responsibilities, who's the CISO, what's... how does that fit in with the CIO; and then there's all the user precautions. Now that's a set of things that the CISO
would have to worry about. What about the middle? And the middle one is how do we get along with other organizations. So in cybersecurity today there's much more contracts, company to company, in order to achieve cybersecurity: how do we run our vendors, how do we make... so for banks, when banks get examined by the bank examiners, the bank examiners now go in and say: who, bank, do you deal with, and do they have security? So here's an example: I worked as a consultant a day a week with a law firm.
[00:14:44] The law firm has banks for clients, so every year the major banking clients come into the law firm to do a physical security check to see what procedures are in place. That was not true five years ago, but today vendor management is a huge part, because you are outsourcing so many things in so many ways in a company that a lot of the risk is through your vendors and it's not you yourself. So managing the vendors turns out to be a huge part of the risk.
[00:15:15] We can have a contract for cyber insurance; when does that make sense or not for the organization? We can do all the information sharing, the financial services ISAC, the ISAOs and ISACs that you may well have encountered. There's other things that happen in the private sector: sometimes the private sector generates standards and rules. So a famous one, for you other people: who knows what PCI DSS
is? It's the credit card swipe rules, and there's really heavy security rules. OK, that was made up by Visa, MasterCard, American Express, with a little tiny help from the merchants, but not much. And if you're a merchant and you want to get paid by credit cards and debit cards, which is a highly positive thing for merchants, they really like to get paid, if you like to get paid you have to comply with the private sector set of industry standards. Are those the right standards? How do you manage that? How do you interact with that? If you were Visa, what would you do? If you were Wal-Mart, what would you do? There are also technical standards that the I... and other people do. So just at the level of contracts and the private sector these are tasks that you might want to look at.
[00:16:19] How about the government layer? So government is the law schools; I was trained as a lawyer originally; public policy schools, as we have here at Georgia Tech. And within the organization you might be a medical provider that has to do HIPAA, or a bank that has to do Gramm-Leach-Bliley, and there's at least 80 countries, and probably that's an outdated low number, that have specific cybersecurity laws. So if you're in Kazakhstan, what's the Kazakhstan security rule? You might not know that off the top of your head, but it's required if you're operating in that country, so you have to think about that. We have lots of state and other data breach laws; you have just had data breach laws kick in under GDPR
in the last year. And governments can write laws that affect your company; they can say here's the maximum bit length for encryption, which the United States used to do; you can have other rules, like in China, where these are the standards you're supposed to use for encryption in China. So a government might affect individual companies in that way. We also have the government set the rules for how actors go back and forth with each other: so what is happening with the Computer Fraud and Abuse Act, what's considered unauthorized access, when are you allowed to do security research.
[00:17:32] And also there's government and private sector sharing. The point is that the government setting rules for interactions between players is setting rules for inter-entity, and then the government also sets rules for itself. So in the United States we have limits on wiretaps under government law and under the Fourth Amendment to the Constitution. The point is all of these things affect cybersecurity, right? Your data breach process, the practices, what can you do on encryption, and how do you stop or prosecute unauthorized hackers. That's part of cybersecurity, but you can think about it as the pieces of cybersecurity that come from a government writing laws.
[00:18:11] Layer 10 is the international layer. So within a country there's a lot of discussion right now about when it's a good idea to have unilateral cyber action: should the United States be more offensive, in various ways, in the sense of computer hacking? And also what does the United States do to try to deter or respond to cyber
[00:18:38] threats? There's relationships with other countries, so for instance several years ago, under President Obama, China and the U.S. signed an agreement where China promised not to go after U.S.
trade secrets anymore, and actually for a year or two the incidence of the attacks on trade secrets went down. That's an international agreement on cybersecurity, and what kind of hacking counts as violating an agreement, so how we cooperate and how we threaten other countries is something in the international realm. And then the international world might set international rules on this: should the United Nations play a role in cybersecurity? There's negotiations going on this year where Russia, China and other countries are talking about that. So all of this could affect global cybersecurity; it could affect whether you're going to be attacked by other people, if you are a private actor, and what kind of agreements we might do to try to cut down the risk. That's part of cybersecurity.
[00:19:38] Now when I've given this talk I get asked: what about users, you know, do they count? And I think a user is not a government, I think a user is not an international actor, and I suggest that users, you at home or your family members at home, are part of layer 8, the organizational layer. And this way you think about it: really you have, like, the great big banks that spend hundreds of millions of dollars, down to smaller and smaller and smaller entities, until eventually you have one person sitting in their apartment. That's a very small private entity, and that private entity, that person, that family member who's not an IT... lacks an IT department. A bank has an IT
department; users don't. That user usually doesn't have a lawyer, a general counsel, to say what's OK and what's not OK, and they face lots of risks. And so the user is trying to figure out how to survive, and by the way that's pretty similar to a five-person business trying to figure out how do we survive, when a 50-person business is not that good at cybersecurity. So there's a continuum of sophistication here, and when we want cybersecurity for society we should think about setting it up so it works for the great big companies but also for the smaller and smaller units that have to face these risks.
[00:20:55] So this is that, within the household, the individual family setup. How do they figure out, you know, for Internet of Things coming to their house, how do they think about configuring their home network so that it's secure? They might be good at it; probably many of them are not. What about relations with other actors? Users sign terms of service; users worry about identity theft and you can get insurance for it; users hire outside vendors, you know, Geek Squad as an example of that; and users are a great big part of why we have laws, government regulation of business, trying to make sure the hospitals are safe and the banks are safe. So that's a way to think about how individual users conceptually fit into this framework.
[00:21:42] So I've now explained the three layers, and here's some possible uses for this intellectual model. This idea is maybe we can describe pedagogically what's done in which course. So Professor Mueller spends a bigger fraction of his time on layer 10 a and b and c, international relations and cyber norms; he works on the domain name system and other international actors. And some of it's in law; there's a different cybersecurity course, which is how to be a CISO.
So an overall curriculum you could design for yourself, for instance, and so with these nine boxes, layers 8, 9 and 10 with the in-between, you could look at those nine boxes: which things have been covered or not covered? And if you haven't covered one, you're totally at sea and you don't know how to think about it; that might be part of your general education to think about.
[00:22:33] It also means... I've done all of this as a project course for years because I couldn't figure out how all these things fit together, but now if we have a 3 by 3 cell we can assign reading and do a treatise and have exams on stuff you're supposed to know. With the 3 by 3 matrix we can know what of the literature you should know: how would you decide what's a good state data breach law, how do you decide what's the role of the United Nations, how would you decide whether or not to do cyber insurance. And so we could teach a curriculum for the non-code aspects of cybersecurity in a more organized way.
[00:23:12] Now, being around computer science folks, policy is usually defined in the computer science world as everything that's not code. Have you all heard that before? There is code, right, and then you say well how is that going to be managed? You say that's policy. Or what's the law on that? You say that's policy. Is that roughly the way? OK, at least some of you are nodding, and that's my sense; I've gotten it from professors here. So OK, now public policy schools think there's a little more nuance; still, it's not that policy is just everything that isn't computer code. We have to worry about that. That seems OK: business schools manage this, law schools manage this, international relations schools. So there's multiple departments in the university who are doing parts of this, layer 8, layer 9 and layer 10, and you can't just say that's in a discipline called policy, because you wouldn't even know whether to go to the business school or go to the law school or go to someone else.
[00:24:09] So one hope here is for people with a technical background, who tend to think about code first: maybe we can bring a sense of order and understanding to the current jumble of issues; maybe you can start to get your arms around it and figure out: this is what I sort of know, this is what I need to know, this is not so much my department, I'll get someone else to do that.
[00:24:29] And if we do that, then you and your team and your colleagues, and all that leads to better cybersecurity, will have a broader sense of what needs to be in the package to worry about: layers 8, 9 and 10, in addition to the traditional 7 layers, and we'll get the team and the skills we need to do that.
[00:24:51] It also creates a research agenda for cybersecurity, so each cell has good research questions. How many people here, some of you, are going to go for PhDs in computer science or others? Not really, a couple, OK. Having a research agenda, that's pretty good; you can really... here it is: there's a 3 by 3 matrix, and what we need, as the literature, for each one of the cells in that matrix. Well, 8 b would be one of the uses: the limits of cybersecurity insurance. Those are the questions of how
[00:25:21] we're going to deal with each other. 9 a, a political science question: whether we should have market approaches to this, whether we should have regulation. And so then if you're going to write about the laws for financial cybersecurity and whether the New York State approach is good, then you're going to have a literature and a research agenda for how to say this is better or this is worse. And then 10 c is another example: the United Nations part. Maybe some technical people who are good at cybersecurity should try to figure out how to work with people who know about the United Nations, and you'd sort of know what the job is because you know there's problems and issues around 10 c. So I'm just handing you all a nice research agenda for an automatic, easy PhD.
[00:26:09] This is a surprise for practitioners: the cybersecurity team is used to thinking about layers 1 through 7; that's where people were trained, that's what they're comfortable in. But we have the Sony example, and so with the expanded stack we can spot the risks at layers 8 to 10, and we can spot mitigations at layers 8, 9 and 10. We also can define the skill sets that we need on the team. So if Sony didn't have a nation-state cybersecurity capability to think about it, and they're coming out with other movies every year, I hope they now have somebody who thinks about this before they do the next hit job on a dictator in another country. It might be very, very justified, this job or comedy about the foreign dictator, but the point is they might not take it well, and so there's risks around that. So when are we running into trouble or not? That's similar to the role that lawyers have played for years for newspapers. So if you are running a newspaper
[00:27:02] and you want to say things like, you know, Peter Swire is actually an elephant, which is not true, you know, do you get the lawyer for libel who would say you can't say that or you can say that. And so the newspaper people had to say OK, what do we say here. Now the movie people have to think about OK, cybersecurity people, what risk do we have. And it's not just that; it's that the banking people need it and other kinds of people need it.
[00:27:29] When the United States put sanctions on Iran several years ago, one of Iran's responses was to hammer U.S.-based banks, and so if you were at the bank suddenly you're seeing a big spike up in denial-of-service attacks. Why was it coming? It's coming from Iran, and it happened this week because last week the sanctions went on. That's a specific cybersecurity problem at the technical level, but if your team has the ability to at least connect those dots you might have a better sense of what you're facing, what their goals would be for Iran, what you might then do to mitigate those risks.
[00:28:09] So the last slide on this part of the talk today: conclusion on this framework. We have a parsimonious structure to organize the jumble of issues that now crowd into previously sort of organized issues of law, policy and business. In my class we typically discuss all nine of those cells, and now maybe you can help people keep the issues straight. It points out that attacks can happen at layers 8, 9 and 10 that can undermine security: the company might have bad policies, the nation might have bad laws, or the international community might be dysfunctional and not prevent preventable attacks. And so in that way we see that there's vulnerabilities and mitigations that are fundamentally similar to the other levels. And my experience is I give a version of this lecture in week one, and by the end of the semester when I look at the comments from the course I get the computer and the business students saying, you know, I didn't believe you, Swire, in week one; I thought real cybersecurity was really real cybersecurity, but by the end of the semester, under endless brainwashing, they say that a much larger part of the current cyber threat environment comes from these non-code things, and in fact coders, in order to be effective in an organization, will need to have the ability to work with... to have broader visibility. So that's this new theory of the non-code aspects to help everybody and make the world just a much better place. OK, that's that part. OK, let me see where I am on time.
[00:29:43] So we could do 20 minutes of discussion, but I think I'm going to give you 5 minutes on a different topic, because this is the thing that happened last night. OK, in the really old days, if there was a murder in London, where was the evidence, mostly, about who did it and stuff? Mostly in London, right. And today if there's a murder in London the evidence is in Mountain View.
[00:30:04] That's where the emails are, that's where the social network posts are, that's where they admitted it, whatever, about everybody, the alleged person; that's where the location data very possibly is. So literally the London police are saying how do we get this stuff from Mountain View? It's a long ways away and they don't speak the same language and stuff; they sort of do, but anyway.
[00:30:27] OK, so for the police, one way to say it is the police cannot get data at rest. And United States law makes it a crime if Facebook and Google and Microsoft and Amazon turn over the contents of communication unless they have a U.S. judge say that they've met the U.S. law standard, probable cause of a crime. So the British police officer is saying we think it's this person but we don't really know, we want to get the communications, and they say fine, here's what you do: you, the police, talk to the British government, who will talk to the U.S. Department of Justice, who will talk to the Justice Department people in California, who will talk to Facebook... and it goes to the Department of Justice there in California, who goes through a federal judge in California, who says OK, issue it, and then it goes to Facebook, and then it goes back to the California lawyers, and it goes back to the Washington lawyers, and it goes back to the London department, and then the police get the evidence. You think that takes what, 15 minutes, 3 days, something like that? The average seems to be a year, and if you're a police officer that's very frustrating; that's not a great way to get evidence. OK, if you can't get it at rest, let's think what else you want: maybe data in transit. OK, but you all are busy implementing HTTPS everywhere, so when the British do what's called a wiretap it doesn't work; they just get encrypted zeros and ones.
[00:31:54] And so if you are a police officer and you cannot get the evidence at rest and you cannot get the evidence in transit, where are you going to get it?
You don't get it, and that makes the police sad. And so I want you now, for the next 10 seconds, to feel sorry for the police who can't get any of the evidence, and their job is they could be going after, you know, a family member, going after sexual exploitation, whatever; they could be going after whatever you think's a really bad crime, but they might not be able to get the evidence. And OK, that seems to be a problem, and it's happening rapidly, because until Snowden, data in transit usually wasn't encrypted, and until the cloud became big the evidence typically was in the home country. So there's been a change to the technical market that I'm not here to... OK. So beginning about a year and a half ago I created an organization called the Cross-Border Data Forum; I'm the research director and lead the board of this. It's a 501(c)(4); it has some companies involved as its members: Amazon, Apple, Google, Facebook, Microsoft, Intel, Cisco and Twitter, that's the list. So they're working with us because they're the ones who are getting all these law enforcement requests, and what they want is to have a reasoned discussion about this problem. We have four goals. The first goal is to fulfill legitimate law enforcement requests for data that's relevant to investigating serious crimes; if there's a murder, in general I would like the police to get evidence of the murder and solve the murder.
[00:33:33] OK.
2nd goal: protecting and promoting privacy and human rights as essential to the new legal approaches. So we don't want some country with no judges, no rule of law, just being able to say to Facebook, give us everything on everybody in our country; that's massive surveillance, that's a bad idea, that makes for a bad internet, and we don't want these companies doing that. So we should build the safeguards so that when there's a judge who asks the right way and they have a real investigation, yes, you get it; when it's a dictator trying to grab stuff without any law, then you don't get it. The 3rd one is to provide a workable regime for the companies that hold the data. So this is what's happened in Brazil. [00:34:16] Brazilian judges ask for evidence about crimes in Brazil; they ask one of the U.S. companies. This company says, we can't, it's a criminal violation, and it will cost us money, but it's also a criminal violation, we won't do it. Brazil said, that's fine, if you have employees in Brazil, yes, they're going to jail now. [00:34:36] It's happened; employees of these major cloud providers are going to jail in Brazil out of this fight. And companies don't like that for the employees; it's just not good. OK, so that's a good goal, a workable regime so that all these companies' people don't have to go to jail. And then also I would like to try to save the Internet by resisting calls to localize data, and I'll talk more about that in a minute, why splitting up the Internet into lots of localized little pieces might not be so awesome. [00:35:10] So in the spring of 2018 the U.S. Congress actually did something: it passed a law called the CLOUD Act, and it creates a new system for what are called executive agreements to address the problem, and the 1st one of these deals was signed last night in D.C.
I was up there for the signing ceremony; I've been working on this a lot. And on negotiations: the U.S. is negotiating with the European Union, and there have been initial talks with India to have a U.S.-India data sharing agreement, lots and lots of cloud users in India. [00:35:43] And the basic idea of the agreement is the U.K., the police in London, can go directly to Facebook and Microsoft and Amazon and they can say, I have a judicial order in England and you can now directly give it to me, cloud provider, if and only if the U.K. has made those good privacy promises: it has to be the right kind of judge, who has made the right kind of showing, it's tailored and individualized and all that. So that's a legitimate route for some requests to go directly, and it doesn't have to go through 10 steps. [00:36:19] If the British follow the rules they're supposed to follow. And if they don't, we can cancel the treaty in 5 years by not renewing it, so there's an idea that this should actually work. And the idea for these executive agreements, I was the 1st person to propose it, in an article in 2015, so it became a law; that's pretty cool, professors don't get that very often, but that's what happened. OK, well, if we don't get these executive agreements, if we don't get cooperation for access to data at rest, then law enforcement is going to push very, very hard to get evidence somehow or other. If you were the police and the anti-terrorism people and homeland security and the interior ministry in your country and you can't get evidence of crimes, you're going to try to figure out some way to fix that, and those arguments are powerful in every country, because there are going to be murders and stuff that are going unsolved. So if CLOUD Act deals don't work, maybe we should just make it so that we can make wiretaps work again by breaking strong encryption, or by mandating products where there's no end-to-end encryption. The U.K.
and Australia have passed those laws in the last couple of years; Australia did it just last year. So under the U.K. and Australian laws, if they show up at an encrypted service, the service must provide a way to provide decrypted plaintext. [00:37:39] Now the companies say, we don't have a way to do that, and the real battle on that hasn't happened yet, but governments have an advantage in the following sense: if they really care about this, they can close down the company from doing business in their country, and they can put people from the company in jail. So up until now the companies have been moving toward end-to-end encryption and fighting these mandates, but if there's no other path for law enforcement, then they might get super serious about breaking encryption, which my guess is you guys hate, and I've written for years about why they shouldn't break encryption. OK, here's another thing you can do as the police. [00:38:20] Well, if we can't get it at rest or in transit, let's put malware on all the devices so we can get stuff before it's encrypted. Awesome idea, great for cybersecurity, right? OK, so I bet you don't love that. But there's an incentive for the police to try to gain access to the endpoint device, where there is some keyboard logger or some other way where there is access to plaintext. [00:38:44] Or another one of the choices is, if you can't get evidence from the United States, let's require localization of data, and Russia and China and some of the countries in Southeast Asia have that on the books right now. And why that works for the police: right now there's a database right here in London, or right here in the home country; the police can get the database, they can squeeze the people who run the database, they can get it locally. Police have been doing that for years; the police get the evidence if it's inside their home country.
[00:39:20] India's legislature is strongly considering localizing, which would require a very wide range of Internet activity that's in India to keep either a copy or the only copy in India; they're arguing about what localization would mean. And if you're a cloud provider it's hard to have data centers in 200 different countries, right? The scale of data centers doesn't fit that; it's super expensive, it would seem stupid, and a lot of the things that we like about the Internet get disrupted: if it starts being keep it only here, keep it only there, you can't get apps, you can't get scale, you can't get a lot of other things. So I don't like localization either. OK, so what we have: we hate the 1st option, breaking encryption; we hate the 2nd option, which is malware everywhere from the government; and I think you should hate the 3rd option as well in many instances. [00:40:13] So this U.S.-U.K. agreement next will go to Congress; probably on Monday or Tuesday we'll get the text of it. It probably won't be perfect, but I think it'll be better than the alternatives. Then Congress gets 6 months to debate whether to do it, and Congress can block it if they want, and so I think we're going to get a lot more news stories, probably even in the next week or so, about this topic. [00:40:35] And my... I'd rather have this agreement, which is police can get it with a judge's order and they have to follow privacy rules; I like that better than the other options, and that's why we're working on that. OK, so let me stop there and see if there are any questions now. [00:41:05] I was supposed to finish that article this summer and I didn't get it written. So, as you all know, there's GDPR, the General Data Protection Regulation. In general, Europe has stricter rules around private sector control of data about people; in many instances the U.S. has stricter legal rules around law enforcement access to data. [00:41:34] So the E.U. and the U.S.
are negotiating right now; they've had their 1st 2 meetings at senior levels. One possibility is that the E.U. courts are going to say the U.S. has so much surveillance from the NSA that data in general can't flow to the U.S., and that was a case that was argued in the Court of Justice of the European Union in July; we're going to get a preliminary opinion this December, and there's a significant chance of significant blockage early in 2020. So that's one possibility: the U.S. sucks when it comes to privacy, therefore you can't send data from Europe to the United States. That's a very big disruption in what we thought the world was like in terms of data and trade and stuff like that; that's possible. Another possibility is, if you get the right privacy promises on both sides, here's what we'll do with your stuff, here's what you'll do with our stuff, then maybe you get a deal. And the fact is the rest of the E.U. is like London; the rest of the E.U. has [00:42:34] providers that cannot cooperate with the police today. And so European law enforcement desperately wants a deal; the European privacy fundamentalist side is not so sure that's a good idea, and how that conflict works out within the European legal system is something we'll have to watch as it develops. [00:42:57] So, yes. This is the 1st one, and it hasn't been published in full text, of course. ... Right, some bad there. Yeah. Right. Yes. So there's a bunch of rules in the CLOUD Act. So right now the U.S. says you can't get our stuff from a U.S. provider, and then if you have a good enough package of protection then we do an executive agreement and you can go directly to the companies. [00:43:48] There's a set of rules of what's supposed to be in the package, and one of them is protection for free expression, and so exactly how that works out is going to be something we'll see. So, for instance,
in the United Kingdom there's something called the Official Secrets Act that makes it illegal to publish things about certain government activities; in India there's a blasphemy statute that makes it a crime in certain instances to say blasphemous things. Neither of those fits in the United States under the 1st Amendment. [00:44:19] And I think the basic story is going to be, if we find out that's what the investigation is, then we can use the existing treaties for that sort of thing, government to the other government, and talk about it. We'll still have that as a backup for the hard cases, but the normal cases, which is, you know, it's a brutal crime, everybody involved was British, it happened in Britain, that part is easy and we take care of it. But the issues on the edges are where people fight about it, and part of the question is, is it worth fixing the large number of normal cases compared to what will happen on the occasional other cases? People's judgments on that can vary radically, and that's going to be one of the hard judgments for Congress when they look at this. [00:45:07] You know that civil liberties groups like the Electronic Frontier Foundation hate this, and they think that the only thing... they always talk about, you know, the free speech outrageous cases and they never talk about a normal crime that happens, like, orders of magnitude more often. The Justice Department has its version of the game: they say all crimes are a combination of terrorism,
[00:45:33] child pornography, drug smuggling, you know, so they pick their crimes and make it so they really need the evidence, and the other side picks their crimes and says this shouldn't be turned over, and then we try... my view, I try to live somewhere where I listen to both sides, but we think there are a lot of other crimes too, and the system will work for those. But those are hard judgments; you know, people's mileage will vary about whether it's worth it or not. Other questions? Please. [00:46:12] It's not a detail; it's one of the key legislative parts of the deal. So if Congress does nothing, it goes into effect. Congress gets 6 months before that happens; there has to be a certification by the Attorney General that the CLOUD Act has been complied with, after consulting with the Secretary of State, and so the government has to come to Congress and basically, we think, testify and explain the whole thing. [00:46:44] And Congress then gets at least hearings to complain about what they don't like, to say what they say, but it's going to be pretty hard for Congress to pass enough votes to overrule the administration when they've already signed on to it, right? This Justice Department has signed the treaty; if Congress says we don't like it, the president might veto Congress's decision, and then Congress would need to have a 2/3 majority in the House and 2/3 of the Senate to override the veto. So basically, once it's signed, you get a lot of publicity, you get a lot of chance to complain about it, you've got a lot to complain about for the next 5 years before the renewal, but chances are, once it's signed, it goes into effect. [00:47:26] That's what Congress put in the CLOUD Act. And then it's a variation of what's called fast-track authority for trade agreements, so if you wait for Congress to approve the U.S.-U.K.
thing, Congress isn't approving anything right now; they're doing almost nothing, so nothing would ever happen. And so the idea was we should tilt towards doing these agreements, for all the reasons I've said, but Congress has to really look at it and they can revisit it if they don't like how it's going. [00:47:56] Please. So. So if you go to the Cross-Border Data Forum we have lots of posts about all these things, and one of the posts I wrote is about the difference between a treaty, which requires 2/3 of the Senate, and the very long-established, done hundreds of times previously, executive agreements. And the statute: Congress authorized this kind of executive agreement with whatever safeguards they put in, and that is a statute passed by Congress and signed by a president, and you could challenge it for constitutional weaknesses, and my view is those challenges would lose and deserve to lose. [00:48:44] So, you know, people will have certain kinds of objections, and "it's really a treaty" is one of the objections, but we've had a very long practice of having other kinds of agreements that don't count as treaties under the Treaty Clause. I think, OK, we'll do one more and then we'll go with that. [00:49:08] Yes. Yeah. I think you should make that your life mission. So the foundation's been funding this cyber project where there are a lot of different universities and think tanks that have been working on cyber-related policy and legal issues, and they asked me to present this to their grantees of the Hewlett thing, so the people working in the space know about it. It's being taught in at least some schools, but, you know, at some level as an academic you write something, you hope people like it, and then you let the world sort of make that decision. So I'm not going around campaigning to make it an official standard of the IETF
or something like that. But I'd love it; I mean, it seems to have been useful for people in a variety of settings, and we'll see what people think of it. Thank you for your patience with the lousy tech that I couldn't get going, and for realizing there's non-code to cybersecurity, and for realizing we've got another mess coming on this global evidence thing. Thanks very much.