Are Cyber Security Incident Response Teams (CSIRTs) Redundant or Can They Be Relevant to International Cyber
By Zahra Dsouza
The magnitude of cyber security incidents is growing due to the sophistication of tools and techniques employed by adversaries and increased interdependency. International cooperation is vital to prevent and respond to trans-border cyberattacks. A key response to cybersecurity incidents has been Cybersecurity Incident Response Teams (“CSIRTs”). However, CSIRTs face legal and practical challenges to their continuing existence. The role and relationships of CSIRTs within the state and with international actors are unclear, which manifests in a trust deficit and a lack of cooperation in incident response.
This paper examines the constitutive statutes of the International Red Cross and Red Crescent Movement (“Movement”) and proposes that the role of actors in the cybersecurity landscape and CSIRTs be re-conceptualized by adopting functions of components of the Movement and features of the relationships between them. This paper provides background on the cyber security incident landscape and the global CSIRT network, discusses the legal and practical obstacles that limit information sharing, and explores emergency response mechanisms to humanitarian crises. The paper suggests that: (1) Forum for Incident Response and Security Teams (“FIRST”) serve as an umbrella organization responsible for providing information, support, and coordination between CSIRTs; (2) that States support National CSIRTs (“NCSIRTs”) by enacting legislation that clearly defines the mandate of CSIRTs and allocate resources for CSIRTs; and (3) that NCSIRTs assist victims and contribute to the community by assisting in the development of other CSIRTs. This will enable CSIRTs to coordinate the response to cyber security incidents at a global level.
By Alex Bossone
In a global economy where consumer data is an increasingly valuable asset, businesses are facing an ever-increasing threat of data breaches. While countries in the European Union all have established independent Data Protection Agencies (DPAs) to regulate the data security practices of companies, the United States has opted to allow the Federal Trade Commission (FTC) to function as its own “de-facto” DPA pursuant to its preexisting consumer protection authority.
The FTC has developed substantial expertise in the area of data security, but it remains constrained to a vague “reasonableness” standard when determining whether businesses that suffer data breaches have undertaken adequate security measures. This standard has faced resistance from companies that argue the FTC has not provided clear requirements for what security practices are required to avoid penalization.
The Federal Communications Commission (FCC), which regulates data security practices in the telecommunications industry, proposed a promising alternative enforcement model that imposed more specific standards on the target company in a recent data breach action. Not only did the FCC seek to eliminate the cause of that breach, but it also imposed clearly-defined security measures aimed at preventing future breaches from other foreseeable sources.
Congress needs to modernize U.S. data legislation by affirmatively granting the FTC explicit authority over the data security practices of businesses. A new model under the FTC should take the FCC’s approach as an example upon which to build, and create a more stringent, efficient data security framework that ensures companies constantly adapt to the latest technological innovations. The ultimate goal should be to keep personal data in the rightful control of consumers, many of whom do not yet realize the true value that it holds.
The Quadrennial Review: The Federal Communications Commission’s Latent Superpower & What Can Be Done to Free It
By Bryan Schatz
It’s a bird! It’s a plane! It’s faster than a speeding bullet! It’s… changing media consumption avenues!
As more Americans begin to consume their media over the Internet, it becomes increasingly apparent that the standing media ownership rules – the rules governing who can own what TV station, radio station, or newspaper in a given market and nationally – are outdated as the shift towards Internet media has already begun. While these rules exist to protect Americans from a concentration of viewpoints, these rules must be updated regularly to guarantee that viewpoints are not lost, especially as the Internet becomes the dominant source of news.
The Federal Communications Commission (the “FCC”) currently enforces media ownership rules, guaranteeing diversity, localism, and competition. But, the current media ownership rules need to be able to adapt to the changing times. The FCC has that precise superpower in its Quadrennial Review authority. Every four years, the FCC is empowered to review its media ownership rules in order to maintain, modify, or repeal the rules to best serve the public interest. But, this superpower is currently locked up and reduced from its full potential due to constant legal challenges and intense scrutiny from the courts.
This Note explains how the FCC has attempted – and failed – to modify its media ownership rules through the use of the Quadrennial Review and suggests potential solutions to help free this regulatory tool from its current stagnancy. Section II will explore the legislative, legal and procedural history of the Quadrennial Review and highlight the current media ownership rules. Section III will analyze the potential solutions that Congress, the courts, and the FCC can employ to help the FCC realize the power underlying the Quadrennial Review and let the FCC guide the way into the new media consumption era and protect consumers.
By Monica Savukinas
The Internet connects us all in ways the law has yet to fully understand. In recent years, Google has developed into a powerful search engine that effectively functions as a monopoly on indexing Internet content. We have also created an entirely new industry around social media where individual users freely share information, both trivial and profound, about every aspect of their lives. And then we have developed an online memory, with cached data and viral sharing, such that almost nothing on the Internet can ever be truly deleted.
Personal identity has become a twofold construct: an offline identity, which an individual displays in his or her interpersonal interactions; and an online identity, which an individual displays on the Internet in various forms, for friends, family, acquaintances and strangers alike. With new technology have also come new ways to harm others, and because our twofold identities are not always easy to separate, online harms can creep into offline harms in ways the law has yet to anticipate. A federal statute is necessary to update and enforce our cultural understanding of identity and the human rights to which we are entitled under the federal Constitution.
By Staff of the Federal Communications Law Journal