IGF 2019 OF #45
Information Sharing 2.0: privacy and cybersecurity

Description

It is widely recognized that sharing actionable information (information about vulnerabilities, malware indicators, and mitigation measures) promotes cybersecurity. As cybersecurity law and policy have evolved, questions have been raised about the privacy implications of information sharing among organizations and between them and CSIRTs. Certain legislative texts, such as the EU General Data Protection Regulation and the US Cybersecurity Information Sharing Act of 2015, tackle this uncertainty directly by clarifying the conditions under which such information sharing is allowed. Still, there remain unanswered questions about the collection, use and sharing of such information, in light of heightened sensitivity to privacy protection in recent years. The aim of the discussion is to explore the intent and effects of leading legislative texts such as the GDPR and the CISA rules, in search of examples of balanced legal rules that can promote both cybersecurity and data protection. Drawing from the best practices put forth by the participants and comments from the audience, the panel will deal with the intent and pragmatic deployment of these and similar rules. The experiences shared can hopefully inform the global cybersecurity-privacy conversation for the benefit of stakeholders (CSIRTs, law and policy makers, privacy professionals and private companies) across the globe, in designing legal rules in this area. The international community, by being receptive to such input, could enable the development of better global interfaces between domestic policies to enhance cybersecurity. Such an approach can constitute a fertile terrain for effective international conversations on cybersecurity to take place.

Guiding questions:

o What were the underlying considerations and legal factors behind the relevant provisions of the GDPR, CISA and other relevant legislative texts?
o In practical terms, how have these provisions been understood and implemented by the private and public sector in the context of cybersecurity?
o A majority of the processing activities in the cybersecurity context is focused on machines and not on their users, and the data collected is mainly technical. How does that affect the analysis of applicable data protection laws?
o What are the main lessons for developing cyber law and policy?
o What are the main issues to take into account for global interoperability in this area?

Organizers

Israel National Cyber Directorate

Speakers

Isabel Skierka, Researcher, Digital Society Institute (DSI), ESMT Berlin (Moderator)
Mr. Amit Ashkenazi, Head of the Legal Department, Israel National Cyber Directorate
Andrew Cormack, Chief regulatory adviser, Jisc technologies, https://www.jisc.ac.uk/staff/andrew-cormack

SDGs

GOAL 3: Good Health and Well-Being
GOAL 9: Industry, Innovation and Infrastructure
GOAL 17: Partnerships for the Goals

1. Key Policy Questions and Expectations

What are the challenges and opportunities of information sharing?

How do different jurisdictions treat this issue?

What are the lessons for promoting cooperation and information sharing?

2. Summary of Issues Discussed

The discussion dealt with untangling some of the conceptual issues related to cybersecurity and privacy, and with how to carry out this exercise when promoting domestic policy.

There was broad support for the utility of the discussion, and additional relevant examples were brought up.

Long post-session report phase

The discussion aimed to highlight the role of domestic legislation and legal rules in supporting cyber defenders. The conclusion was that the EU General Data Protection Regulation serves as an important example in that it clarifies in Recital 49 that information processing and sharing for a cybersecurity purpose is legitimate. Thus it recognizes that cybersecurity protects privacy by preventing attackers from illegally accessing personal data. This specific rule has value because it reduces the level of legal risk to cyber defenders, and reduces some of the complexities that inevitably accompany modern data protection regimes. Thus this policy serves to promote defense.

By abstracting from the concrete issue to a more general view of the law, technology and policy of this specific issue, the session also highlighted the value of pragmatic dialogues and concrete solutions between technologists and lawyers. Promoting these conversations has value for domestic policy making, and can also assist in promoting better global interoperability of legal frameworks.

 

3. Policy Recommendations or Suggestions for the Way Forward

From a governance point of view, there is room for more focused discussions on issues which can support cyber defenders. Thus there is value in mapping legal constraints or challenges to cybersecurity best practices. Based on this mapping, there is value in having a multistakeholder, multi-jurisdictional discussion amongst relevant professionals to discuss the contours of the issue and to enable it to be better scoped. Based on this exercise, productive discussions can be conducted to promote common understandings and ways forward.

Long post-session report phase

Many governments are promoting, developing and deploying domestic cybersecurity policies. In this context, government has a role not only as a regulator or operator of the national CSIRT, but also as an institution that can convene stakeholders, assess the need for clearer legal rules, and create domestic legal change when necessary.

The IGF can support these processes as part of a global multistakeholder discussion by bringing together different professions and groups, and global perspectives.

4. Other Initiatives Addressing the Session Issues


During the session, participants discussed the issue of access to WHOIS registration data, which holds details about the registrants of internet domain names. This data supports decisions about the level of risk from a certain domain name. As a result of data protection analysis, access to this data has changed, and some participants commented that this issue should be revisited.

Long post-session report phase

During the IGF 2019 there was a parallel discussion on "Use and Misuse of the DNS", which also analyzed in a pragmatic manner the issue of preventing misuse of the DNS system while following accepted principles related to content.

This led to the conclusion that there are other technical and legal issues which affect cyber defenders, and that robust discussion can promote dealing with them.

5. Making Progress for Tackled Issues

Some issues require further technical-legal discussions within the domestic context. The IGF can help in promoting consistent terminology and analysis, as well as interoperability.

Long post-session report phase

The IGF 2019 in Berlin served as an excellent venue to meet global stakeholders, hear viewpoints, share views and allow reflection on the issues from the IGF's unique place in the governance discussion. The themes discussed in the session connected to the general themes in this area, and raised the interest of industry, academia, and non-governmental organizations. As such, they have proven the discussion valuable, and therefore it seems useful to promote this type of discussion in an even more developed manner towards the next IGF.

6. Estimated Participation

Onsite participants - 50.

Women - half.

7. Reflection to Gender Issues

There was no discussion of gender issues.

8. Session Outputs

Mr. Cormack posted his observations here: https://community.jisc.ac.uk/blogs/regulatory-developments/article/laws-help-security-and-incident-response

By abstracting from the concrete issue to a more general view of the law, technology and policy of this specific issue, the session also highlighted the value of pragmatic dialogues and concrete solutions between technologists and lawyers. Promoting these conversations has value for domestic policy making, and can also assist in promoting better global interoperability of legal frameworks.

These conclusions fit in with some general reflections in this area that came up during the discussions in the 2019 IGF.

First, the concerns about greater divergence and legal unclarity, as described in the "Internet and Jurisdiction Global Status Report" [https://www.internetjurisdiction.net/news/launch-of-worlds-first-intern…]. This report highlights the risk of growing fragmentation because of legal issues that apply to the internet.

In the context of the session on information sharing, a recurring theme was that even when there is actually no legal conflict between cybersecurity and privacy, the perceived lack of clarity on this issue can by itself have a chilling effect on activities which are legal and socially positive.

Second, the importance of having a constant dialogue between technologists and lawyers. As the importance of technology in society rises, so do risk and legal risk, and these need to be handled. Legal advisors to national CSIRTs face these challenges constantly, and therefore need to create new balanced frameworks to support the cybersecurity mission.

Third, the institutions and mechanisms for creating more clarity and facing these new challenges can differ between jurisdictions, and depend upon societal factors. While legislation seems the first choice, the issue of technological neutrality and enabling innovation may require other choices, or a combination of institutions.

Fourth, whatever the process for arriving at more clarity, it needs to be inclusive and transparent, and involve a multistakeholder approach.

Finally, having similar discussions, and hopefully similar or compatible legal answers, across jurisdictions can promote clarity for domestic professionals who may be subject to foreign rules, and for cross-border cooperation.

Whereas there are dedicated organizations to deal with technical aspects of cybersecurity, there is a need to complement this discussion with the policy and legal aspects that can support them, in a multistakeholder fashion. The IGF can promote the global discussion and practical measures that will promote stability and security.