December 10, 2024 Feature

Where Law and Cybersecurity Come Together: The Synergy of SciTech and the RSA Conference

Ruth Hill Bro and Hoyt L Kesterson II

A synergistic confluence of digital signatures, X.509, the ABA Science & Technology Law Section’s (SciTech Section’s or SciTech’s) Information Security Committee, and the RSA Conference occurred in the 1990s.

In 1976, Stanford cryptography pioneers Whitfield Diffie and Martin Hellman published New Directions in Cryptography. This paper described a new kind of encryption that used a pair of keys, where one key of a pair was used to encrypt data that then could only be decrypted with the other key of the pair. An intrinsic result of this type of encryption is the ability to identify the entity that encrypted the data.

In 1977, Ron Rivest, Adi Shamir, and Leonard Adleman published A Method for Obtaining Digital Signatures and Public-Key Cryptosystems. In 1982, they formed the company RSA Security (RSA being the first initials of their surnames) to market their patented algorithm. In 1991, that company held the first RSA Conference, which has been held annually since 1993, starting with about 200 attendees; the 2024 conference had over 41,000 attendees. Although the initial conferences focused on encryption technology, especially public key, after a few years the RSA Conference broadened to cover the many aspects of cybersecurity and privacy.

Meanwhile, the international organizations CCITT and ISO began working on a standard to convey the public key of the key pair. That standard defined an association of authorities that attest to a binding of a public key to the identity of a person or object; that attestation is declared by the issuing of a public-key certificate. The third version of that standard was published in 1993.

The SciTech Section realized that digital signatures and the organizations that issued public-key certificates had to satisfy demanding criteria to trust their use in legal environments. In 1992, SciTech gathered attorneys and security experts to produce the Digital Signature Guidelines (released in 1996) and the PKI Assessment Guidelines (released in 2003). That gathering became the Information Security Committee (ISC).

ISC members initially attended the annual RSA conference to monitor the technology but started giving presentations to describe the digital signature guidelines initiative. In 2002, the RSA Conference created a defined Law Track to discuss how law might affect, and be affected by, emerging technology. The ISC also holds an annual meeting on the weekend preceding the RSA Conference. ISC members are frequent RSA Conference presenters, while some conference attendees attend the ISC meeting and are often presenters there. Two mainstays of the RSA Conference Law Track are a mock trial and a panel discussing legal hot topics, both led by SciTech/ISC leaders.

The RSA Conference has posted videos of many of the mocks and hot topics on YouTube.

The Mock Trial

In 2006, Steve Wu proposed the first mock trial, Challenging a Digitally Signed Legal Document in Court. The hypothetical was about a digitally signed amendment to a living trust. Wu and David Isom played the attorneys; Anne Rodgers played the attorney of an involved third party; Hoyt Kesterson played an expert; and Charles Merrill (an attorney) played the judge, fully investing himself in the role by wearing a wig borrowed from a barrister friend. The legal lesson was that the argument should not focus on the rigor of the encryption algorithm, but instead on the rigor of the signing process.

The mock trial has been held every year at RSA since then. In 2008, Steve Teppler suggested that the mock use real judges. U.S. Magistrate Judge John Facciola heard a case on spoliation of digital documents. He began the tradition of declaring the audience as his law clerks and, instead of conducting the normal Q&A, he asked attendees to state how they would rule and why.

Over the years, judges Laurel Beeler, Mitchell Dembin, Richard A. Kramer, Andrew Peck, Shira A. Scheindlin, and Brian Tsuchida also participated in the mocks.

The hypotheticals for the mocks have tracked events and technologies as they occurred, addressing digital forensic investigation, eDiscovery, attacking your attacker, data breach, access to security vulnerability reports, software liability, blockchain, ransomware, protected work status of incident forensic reports, third-party liability, and deception. Some mock topics became Section-sponsored webinars.

Sometimes a mock is based on current events. In 2011, Whose Fault Is It That I Didn’t Know It Wasn’t You was based on several bank account takeover lawsuits that occurred the year before. It focused on what constitutes a commercially reasonable effort to authenticate a purported account holder.

Sometimes the hypothetical is a “what if” that speculates what might occur when a new technology is widely deployed. The most recent mock hypothetical (May 2024), called Old McDonald Had a Server Farm—A I, A I, Oh!, concerned a doll company’s sales records extracted during a ransomware attack and stored on the dark web. An app’s AI found those data. Using other data, the AI inferred that a famous cage fighter was a doll collector, and the app announced this inference. Is the app guilty of a privacy violation?

U.S. Magistrate Judge Laurel Beeler heard Kristin Madigan and Ruth Bro argue the case. Dazza Greenwood and Hoyt Kesterson played the expert and fact witnesses. Defense counsel and some “law clerks” (audience members) argued that if anyone was at fault, it was the company that lost control of the purchase records. Most breach regulations would not consider records of doll purchases to be sensitive personal data. The doll company didn’t know that the purchaser was a famous cage fighter, nor did the company announce that the cage fighter collected dolls. A “law clerk” observed that if a human had stumbled across the purloined data, performed the same analysis, and published the same conclusion, no litigation would have occurred. AI might well provide the ability, currently only in the hands of government intelligence agencies, for anyone to examine the life of anyone. Should we be enacting laws to forbid that?

Hot Topics

For years at RSA, usually kicking off the Law Track, tech-savvy lawyers and industry experts from SciTech have spotlighted the hottest cyber law issues in 60 minutes or less. The hot topics panel has provided a practical snapshot of emerging cyber developments in law, regulation, policy, standards, litigation, and industry frameworks on a range of issues, including privacy and civil liberties, cyber-conflict, identity, the Internet of Things (IoT), corporate restructuring, international technology marketplace, NIST guidance on privacy and security, GDPR compliance, encryption, data breaches, ransomware, nation-state threat actors, bots, elections as critical infrastructure, supply chain, cryptocurrencies, foreign tech investment rules/CFIUS, deepfakes, disinformation, and the return of quantum. In the last two years, one of the hottest topics has been artificial intelligence (AI), especially generative AI (GenAI).

In April 2023, in their panel “Playing with Fire? The Latest Cyber Law Hot Topics,” Michael Aisenberg (moderator), Ruth Bro, Cynthia Cwik, and Lucy Thomson highlighted four critical emerging cyber issues: systems of trust, privacy and surveillance, the transformational role of AI (GenAI), and C-Suite cybersecurity vulnerabilities. This panel was on fire, in keeping with its theme. The focus on AI was prescient, as it seemed to be mentioned every other word at the rest of the RSA Conference, held less than five months after the November 2022 release of ChatGPT ignited a firestorm about GenAI.

In May 2024, in their panel “When Lightning Strikes: The Latest Cyber Law Hot Topics,” Ruth Bro (moderator), Ted Claypoole, Kimberly Peretti, and Lucy Thomson presented a lightning round on seven critical emerging cyber issues (all with connections to AI):

AI invades our brains (Claypoole). Brain Computer Interfaces (BCI) powered by AI can monitor a person’s attention span, read brain signals to reconstruct sentences a person has heard, and more, raising the question of whether we have a legal right to brain privacy. The United Kingdom and Australia already have cases on this.

Battle strategies against today’s ransomware actors (Peretti). With ransomware attacks in 2023 increasing 37%, payments setting a record high of over $1 billion (with the average ransom at $1.54 million), and the average cost of an attack (not counting ransom payment) at $1.53 million, it is critical to develop a battle strategy. This strategy includes quickly setting up a structure with third-party experts for incident response, assessing whether systems must be taken offline (and preparing for resulting business interruption), understanding the process for restoring backups (including testing and validation), having key communication principles ready to execute, determining any immediate 8-K reporting obligations and regularly reassessing as material facts evolve, and engaging the board early and often, but keeping lines between oversight and day-to-day management clear.

The new groundbreaking Executive Order 14117 to protect Americans’ sensitive personal data (Thomson). The EO, issued February 28, 2024, seeks to protect bulk sensitive data, including personal identifiers and biometric, financial, health, genomic, geolocation, and sensor data, as well as U.S. government data on personnel (including current and former employees and contractors) and locations (linked to geofenced areas). Covered countries include China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia, and Venezuela. Their sophisticated exploitation of bulk data uses advanced technologies, big-data analytics, AI, and high-performance computing to manipulate sensitive data and enable cybercrimes, espionage, coercion, influence, and blackmail, in addition to building profiles for surveillance, influence, intimidation, and curbing of dissent. Watch for a Notice of Proposed Rulemaking (NPR) from the U.S. Department of Justice.

The promise of GenAI vs. privacy promises (Bro). The transformational power of GenAI feels a bit like Prometheus stealing fire from the gods. GenAI is fueled by data, including sensitive and other personal data (often subject to privacy promises). We’ve seen fired-up responses in the form of regulators (FTC, data protection authorities, and others); litigation (especially regarding biometrics/facial recognition); legislation (state laws restricting automated decision-making and more); and the press (businesses getting tried in the court of public opinion). Take steps to decrease risks, including avoiding embedding sensitive personal data in LLMs (large language models); anonymizing or de-identifying data where possible; and assessing whether datasets are subject to privacy law requirements.

Hacking as acts of war under cyber insurance (Claypoole). Cyberattacks are a tool of modern warfare, and insurance law will adapt. “Acts of war” is a common exclusion in insurance policies, but it could encompass cyber operations, not just traditional acts of warfare. Check your company’s cyber insurance to find what activities will lead to denial of coverage.

SEC and other legal duties to protect operational technology (Thomson). The SEC’s new rules on cybersecurity and risk, effective September 5, 2023, require public companies to report “material” cybersecurity incidents (four days after they determine the incident is material) and disclose how management and corporate boards are conducting cyber risk oversight. To do this, companies must have clearly defined processes for evaluating the impact of a cyberattack. The SEC cyber rules/materiality considerations were one of the hottest topics at this year’s conference, with at least five panels focused solely on this topic and many others (including keynotes) discussing implications.

Preparation (board level and beyond) as the best cyber defense (Peretti). Within 48 hours of a cyber incident, you will need to do a lot of things fast and well. Preparation is key. That includes establishing in advance relationships with third parties (e.g., forensics, negotiator, data review, data recovery, law enforcement, PR/crisis communications); establishing protocols for SEC materiality assessments; fine-tuning incident response plans and protocols (make them operational); establishing and maintaining a cyber crisis communications plan; and testing plans and procedures at every level (conduct regular tabletop exercises with frontline IT, executives, and the Board).

Beyond all of this, panelists emphasized the need to train and continually raise awareness: Educate yourself and your workforce about the potential risks of cyber and emerging technologies, including GenAI. That is advice that stands the test of time, one technology after another.

And that takes us back to the power of synergy . . . when law and cybersecurity come together. As SciTech celebrates 50 years (1974–2024), it is fitting to consider the synergistic confluence of developments in the 1990s that led to SciTech and the RSA Conference collaborating for nearly two decades on cybersecurity legal issues.


Ruth Hill Bro

Ruth Hill Bro is a privacy and cybersecurity attorney, special advisor/past co-chair of the ABA Cybersecurity Legal Task Force, member of the ABA Task Force on Law and AI, senior advisor to SciTech’s Privacy, Security, and Emerging Technology Division, planning committee member for all of SciTech’s AI and Robotics and IoT National Institutes, 2008–2009 SciTech Section Chair, 2009–2016 SciTech Membership and Diversity Committee chair, and founder/past chair of SciTech’s E-Privacy Law Committee.

Hoyt L Kesterson II

Hoyt L. Kesterson II is a security and risk architect. For 21 years he chaired the international standards group that created the X.509 public-key certificate. He is co-chair of SciTech’s Information Security Committee. Since 2010 he has managed the mock trial at the RSA Conference. He is a testifying expert. From 2011 to March 2023 he was a PCI Qualified Security Assessor.