Communications of the ACM

and management issues of how to design and manage cybersecurity contracts: How should cybersecurity be treated in outsourcing or insurance contracts? Cell 9A concerns legal and political science issues of how laws get drafted and implemented. Cell 10C calls on international relations expertise to discuss the role of supranational institutions. Few individuals are expert in all of this literature. Researchers can develop an issue list for each cell, along with canonical readings to assign in general examinations.

For cybersecurity practitioners, I have often encountered practitioners (and researchers) who believe “real” cybersecurity involves writing code, perhaps with some vague acknowledgment of the need for “ interdisciplinary” study. The sheer volume of issues identified in the 3x3 matrix emphasizes the growing significance of non-code issues—bad decisions in any part of the matrix can negatively affect cybersecurity. As with the existing seven layers of the stack, organizations can identify their vulnerabilities by systematically examining layers 8 to 10. Organizations can then better identify and mobilize expertise for these non-code cyber issues.

In sum, the PCF provides a parsimonious way to identify and develop a response to the growing number of non-code cybersecurity risks. The 3x3 matrix visually categorizes and communicates the range of non-code cybersecurity issues. No longer can “real” cybersecurity refer only to technical measures. Instead, a large and growing amount of cyber-risk arises from problems at layers 8, 9, and 10. Extending the stack to these 10 layers results in an effective mental model for identifying and mitigating the full range of these risks.

References

1. Jensen, M.C. and Meckling, W.H. Theory of the firm: Managerial behavior, agency costs and ownership structure. Journal of Financial Economics 3, 4 (Oct.

1976), 305-360.

2. Surman, G. Understanding security using the OSI model. GSEC Practical Version 1. 3 (Mar. 29, 2002); https://bit.ly/2BaJGrV.

Peter Swire ( Peter.Swire@scheller.gatech.edu) is the Elizabeth & Tommy Holder Chair of Law and Ethics in the Scheller College of Business and Associate Director for Policy in the Institute for Information Security and Privacy at Georgia Institute of Technology in Atlanta, GA, USA.

Copyright held by author.

Looking at layer 8 as a whole, the simple point is that overall cybersecurity significantly depends on how well an organization handles risk within its organization (8A), its contracts and relations with other actors (8B), and standards and norms that come from the private sector (8C).

Governments, for purposes of the PCF, create laws. Cell 9A contains laws that govern what an individual or organization can do. For instance, using U.S. examples for illustration, the HIPAA Security Rule sets requirements for medical providers. As a different example, consider legislation that would prohibit the use of strong encryption or require a backdoor. I have opposed such legislation, but it illustrates how a government law, applying to each organization, can affect cybersecurity risk.

Cell 9B contains laws that govern how organizations and individuals interact. Some of the HIPAA requirements fit here, such as the business associate requirements of HIPAA that govern contracts with outside parties. An important example in cell 9B is the Computer Fraud and Abuse Act, the anti-hacking law that defines when it is criminal to access computer systems without authorization.

Whereas cells 9A and 9B primarily concern government laws affecting the private sector, cell 9C applies to government limits on government action. The limit on illegal searches in the Fourth Amendment is one example. More broadly, cell 9C concerns the controversial topic of government surveillance. Surveillance sometimes aids security, such as when a criminal is detected, and sometimes hurts security, such as when government actions create backdoors or other vulnerabilities.

The international layer applies to actions taken within one nation that are intended to have cyber effects in other nations. Cell 10A concerns unilateral actions by one government, such as the U.S. The government, for instance, may decide that U.S. Cyber Command should launch a cyberattack on a hostile nation.

Cell 10B involves relations with
other nations, which is the main task
of diplomacy. There are formal trea-
ties that affect cybersecurity, such
as the Budapest Convention’s provi-
sions about cybercrime and Mutual
Legal Assistance. More generally, cell
10B applies to the range of possible
cooperation with other nations on cy-
berattack or defense.

Finally, cell 10C applies to limits on nations that come from other nations. For instance, some countries have proposed to set cybersecurity rules through the International Telecommunications Union, associated with the United Nations. If such rules are implemented, then supranational laws could govern cyber actions that have transborder effects.

Applying the Framework

Adding layers 8, 9, and 10 to the OSI stack in the PCF brings important advantages to the study and practice of cybersecurity. I have personally experienced the framework’s usefulness in teaching cybersecurity at my own institution: my cybersecurity classes cover every topic mentioned in this column. The PCF provides students with invaluable context for how all the issues fit together, to ensure they understand the “big picture.” The framework also clarifies the scope of a cyber-curricu-lum. Some classes, for instance, focus primarily on how a CISO or company should manage a company’s risks (layer 8). Others are mostly about international affairs (layer 10), perhaps with discussion of national cybersecurity laws (cell 9A). The PCF enables program directors and students to concisely describe the coverage of a cybersecurity class or curriculum.

The 3x3 matrix clarifies a research agenda for those seeking to identify and mitigate non-code cyber problems. For example, cell 8B raises legal The PCF provides a parsimonious way to identify and develop a response to a growing number of non-code cybersecurity risks.