Cooley’s Sabett: Data Security Laws, AI and Cyber Threats

As an attorney and former crypto engineer, Randy Sabett approaches cybersecurity from both a legal and technical standpoint in his role at Cooley LLP. Sabett will participate in a panel called “New Generation of Cyberattacks: Assessment of the Evolving Threat Landscape in Satellite and Aerospace” at the 2017 CyberSat Summit on Nov. 7. Here, he breaks down some of the major cybersecurity threats facing satellite and other industries, and highlights how data security laws must evolve to address them.

VIA SATELLITE: Do you have an example of a hack or cybersecurity breach that exemplifies the vulnerabilities that must be addressed?

Sabett: No matter how good the security is, if there is something connected to the internet and you have vulnerabilities, the attackers are going to find their way in one way or another. Stuxnet is a good example of that. I think Stuxnet resembles the kinds of things the satellite industry would have to worry about, because Stuxnet was penetration of what’s called an air-gapped network. That was a system that wasn’t connected to the internet and an attack was still carried out on those devices. The way they carried it out was by a USB drive that they were able to entice someone to insert into a machine that’s inside this air-gapped network, and that delivered the payload that eventually brought down the machines. So, the point in giving you that example is that even something that is not connected to the internet can be attacked if there’s a way in.

I think the important thing to take away is that the technology is only part of it. There are other pieces to the security picture: “people, processes and technology” is a common phrase. No doubt you’ve got to have good security technology. But the people are important as well. Look at Stuxnet; if that person had been better trained, perhaps the attack wouldn’t have happened.

Randy Sabett, vice chair of Cooley’s privacy & data protection practice group. Photo: Cooley.

VIA SATELLITE: What do you think is the biggest threat in the cybersecurity landscape? Is there any one technology or capability you’re most worried about?

Sabett: In the business world, the biggest issue right now is something called business email compromise. It is the number one threat according to the FBI. This could be indirectly a threat in the satellite landscape.

Let’s use “Acme Corp.” [as a hypothetical example]. They work off to the side with some network optimization company [that is] not necessarily totally security focused. The attackers have done their research — perhaps there’s a whole bunch of social media vectors that can be used to find out information about Acme. They find out the names and email addresses of several employees, then use the compromised system of the service provider to send emails to somebody or multiple people inside Acme Corp. The email might say, “Click here to get the documents you need,” and to enter your credentials here. The Acme employee(s), trusting the email that has come from the service provider, enter their username and password and at that point the attacker is in. You can just imagine what could happen from there.

VIA SATELLITE: So, what are the potential implications for the satellite industry?

Sabett: In the satellite scenario, the accessibility to the satellite network to be used for launching an attack might be more of an issue for the attacker. But if an attacker were to get in, they now have a significantly more concentrated type of attack target. What if they were to shut down the GPS system? What if somebody shut down a significant internet pipe that transmits lots of bits from one location to another? What if somebody shut down a significant number of phone lines? It’s much different than breaking into a network and shutting down a couple hundred machines. We’re talking about a device with much greater throughput, and therefore if you take it down, it will have much more significant effects.

VIA SATELLITE: Where do Artificial Intelligence (AI) and machine learning fit into the cybersecurity ecosystem?

Sabett: First of all, AI can be useful for certain things but it’s not a panacea for all security problems. I prefer the phrase “machine learning” because a lot of the applications from a cybersecurity perspective are not AI in the traditional sense. It’s more the process of looking at patterns, detecting things that deviate from those patterns, and then alerting someone to it — and doing all of that in a way that’s much faster than current technology. Technologies such as firewalls might not catch certain indicia of attack — machine learning, assuming it has learned enough about your network, might be able to detect it. To summarize, machine learning is going to be useful as an augmentation to other cybersecurity technology; it’s not going to displace it.

You flip the coin over, however, and then realize that attackers are just as likely to use machine learning to figure out ways to avoid the types of defenses that you have. It’s a constant cat-and-mouse game but the expectation is that it’s not just going to be the good guys using machine learning.

VIA SATELLITE: How do you see data security laws in the U.S. changing over the next few years?

Sabett: Generally speaking, cybersecurity is a horizontal concept. It cuts across all different kinds of businesses. Even a mom-and-pop shop, whether it’s a restaurant or a little corner store, if they have a computer that is connected to the internet to do their books or file their taxes, they need to pay attention to cybersecurity. If they don’t, they could be turned into a small part of a bigger attack being launched by, as one example, what are called “bot herders.” That can happen with big companies too.

The difficulty with legislation is that if you’ve got this horizontal concept, how do you legislate in one fell swoop across all these business verticals? No one has figured out how to do that.

One thing that did come out of the prior administration is something called the NIST Cybersecurity Framework. It started out solely focused on critical infrastructure, which arguably satellites would be a part of, but its use has expanded out beyond critical infrastructure. I think the difficulty, though, is taking something like that and trying to turn it into something that is legislative.
