and management issues of how to design and manage cybersecurity contracts: How should cybersecurity be treated in outsourcing or insurance contracts? Cell 9A concerns legal and political science issues of how laws get drafted and implemented. Cell 10C calls on international relations expertise to discuss the role of supranational institutions. Few individuals are expert in all of this literature. Researchers can develop an issue list for each cell, along with canonical readings to assign in general examinations.
For cybersecurity practitioners, I have often encountered practitioners (and researchers) who believe “real” cybersecurity involves writing code, perhaps with some vague acknowledgment of the need for “interdisciplinary” study. The sheer volume of issues identified in the 3x3 matrix emphasizes the growing significance of non-code issues—bad decisions in any part of the matrix can negatively affect cybersecurity. As with the existing seven layers of the stack, organizations can identify their vulnerabilities by systematically examining layers 8 to 10. Organizations can then better identify and mobilize expertise for these non-code cyber issues.
In sum, the PCF provides a parsimonious way to identify and develop a response to the growing number of non-code cybersecurity risks. The 3x3 matrix visually categorizes and communicates the range of non-code cybersecurity issues. No longer can “real” cybersecurity refer only to technical measures. Instead, a large and growing amount of cyber-risk arises from problems at layers 8, 9, and 10. Extending the stack to these 10 layers results in an effective mental model for identifying and mitigating the full range of these risks.
Peter Swire (Peter.Swire@scheller.gatech.edu) is the Elizabeth & Tommy Holder Chair of Law and Ethics in the Scheller College of Business and Associate Director for Policy in the Institute for Information Security and Privacy at Georgia Institute of Technology in Atlanta, GA, USA.

Copyright held by author.
Looking at layer 8 as a whole, the simple point is that overall cybersecurity significantly depends on how well an organization handles risk within its organization (8A), its contracts and relations with other actors (8B), and standards and norms that come from the private sector (8C).
Governments, for purposes of the PCF, create laws. Cell 9A contains laws that govern what an individual or organization can do. For instance, using U.S. examples for illustration, the HIPAA Security Rule sets requirements for medical providers. As a different example, consider legislation that would prohibit the use of strong encryption or require a backdoor. I have opposed such legislation, but it illustrates how a government law, applying to each organization, can affect cybersecurity risk.
Cell 9B contains laws that govern how organizations and individuals interact. Some of the HIPAA requirements fit here, such as the business associate requirements of HIPAA that govern contracts with outside parties. An important example in cell 9B is the Computer Fraud and Abuse Act, the anti-hacking law that defines when it is criminal to access computer systems without authorization.
Whereas cells 9A and 9B primarily concern government laws affecting the private sector, cell 9C applies to government limits on government action. The limit on illegal searches in the Fourth Amendment is one example. More broadly, cell 9C concerns the controversial topic of government surveillance. Surveillance sometimes aids security, such as when a criminal is detected, and sometimes hurts security, such as when government actions create backdoors or other vulnerabilities.
The international layer applies to actions taken within one nation that are intended to have cyber effects in other nations. Cell 10A concerns unilateral actions by one government, such as the U.S. The government, for instance, may decide that U.S. Cyber Command should launch a cyberattack on a hostile nation.
Cell 10B involves relations with other nations, which is the main task of diplomacy. There are formal treaties that affect cybersecurity, such as the Budapest Convention’s provisions about cybercrime and Mutual Legal Assistance. More generally, cell 10B applies to the range of possible cooperation with other nations on cyberattack or defense.
Finally, cell 10C applies to limits on nations that come from other nations. For instance, some countries have proposed to set cybersecurity rules through the International Telecommunication Union, associated with the United Nations. If such rules are implemented, then supranational laws could govern cyber actions that have transborder effects.
Applying the Framework
Adding layers 8, 9, and 10 to the OSI stack in the PCF brings important advantages to the study and practice of cybersecurity. I have personally experienced the framework’s usefulness in teaching cybersecurity at my own institution: my cybersecurity classes cover every topic mentioned in this column. The PCF provides students with invaluable context for how all the issues fit together, to ensure they understand the “big picture.” The framework also clarifies the scope of a cyber-curriculum. Some classes, for instance, focus primarily on how a CISO or company should manage a company’s risks (layer 8). Others are mostly about international affairs (layer 10), perhaps with discussion of national cybersecurity laws (cell 9A). The PCF enables program directors and students to concisely describe the coverage of a cybersecurity class or curriculum.
The 3x3 matrix clarifies a research agenda for those seeking to identify and mitigate non-code cyber problems. For example, cell 8B raises legal