Preventing Cyber Attacks: Standard Setting for Civilian Infrastructure

By Eugenia Lostri

The Center for International Law and Governance at the Fletcher School of Law and Diplomacy hosted a conference on cybersecurity and the law on September 14 and 15. Following is a review of one of the panels held during the conference.

The draft paper for this session can be viewed here.

Standard setting to create robust and resilient civilian infrastructure that can prevent the effects of cyber attacks was the topic of this discussion. It was moderated by Bhaskar Chakravorti, Dean of Global Business and founding Executive Director of the Institute for Business in the Global Context at The Fletcher School of Law and Diplomacy. The panel included authors Scott Shackelford, Associate Professor of Business Law and Ethics and the Cybersecurity Program Chair at Indiana University, and Scott Bradner, with commentator Alison Russel, Assistant Professor of Political Science and International Studies at Merrimack College.

The draft paper authored by Shackelford and Bradner deals with security issues related to the Internet of Things (IoT). The notion of IoT maintains that everything will soon be connected to the Internet. The rise of “smart devices” might be the first thing to come to mind, but most IoT devices are smaller and cheaper. This, however, raises questions about device security. The Mirai botnet illustrates the concern: in October 2016 it took advantage of vulnerabilities in the IoT, affecting internet services in the United States managed by the tech firm Dyn.

Once the subject was presented, the conversation focused on the cybersecurity standards set by industry, national governments and international organizations to make networks and network-connected devices more secure. The expansion of technology gives rise to new types of attacks. So, how does one guard against hackers or politically motivated attacks? Targets must be tougher to reach. This could be achieved by strengthening hardware, software, protocols, code and users. The panel also brought up the role of civil society and its responsibilities.

The panel then turned to a comparative case study of contemporary approaches to IoT security in the European Union and the United States. Particular attention was paid to the impact of the General Data Protection Regulation (GDPR) and the Network and Information Security (NIS) Directive in the EU. The influence of the National Institute of Standards and Technology (NIST) Cybersecurity Framework on IoT security, with a focus on mitigating the risk of politically motivated attacks, was also discussed.

Alison Russel’s comments on the paper focused on the risks and responsibilities that the expansion of IoT represents for consumers. For one, consumers might not be aware of the connectivity and what it means. She also asked what responsibilities networks and service providers hold, and how these relate to the responsibilities of manufacturers. There must be an acknowledgement of the connectivity and its consequences. Lastly, returning to the original point regarding what this means for consumers, she posed the core question about the actual benefits of having everything connected to the Internet.
