Attorney Deborah Housen-Couriel ’77 was a cybersecurity expert before the word “cybersecurity” ever existed. She explains what’s at stake today — for countries, corporations, and all of us.
Deborah Housen-Couriel ’77 finished law school at Hebrew University in Jerusalem just as mobile phones and satellite communications were becoming prevalent, and got her first job in the legal department of the Israeli Ministry of Communications.
Today, her practice focuses on global and Israeli cybersecurity, data protection, satellite communications, and outer-space law. She works with the leading Israeli cybersecurity firm Konfidas and teaches courses in cybersecurity law and regulation at two Israeli universities. She visited NMH and broke the topic down in a lecture titled “Global Cybersecurity Today: The What, Why, How, and Who,” and in a series of conversations with NMH Magazine and NMH computer science teacher David Warren.
The following questions and responses have been edited and condensed.
What exactly is cyberspace?
It’s the flow of information through computerized systems, as well as the computers themselves and the humans who operate them. It’s the internet, the GPS location services that we use on our mobile phones, Wi-Fi networks, undersea cable communications, satellite communications.
Cyberspace has always existed; it just wasn’t called cyberspace. The International Telecommunication Union treaty, which deals with regulation of the electromagnetic spectrum as a global resource, has been around since 1865, when the telegraph was invented. International law governs other aspects of cyberspace, too. So we have at least a partial legal framework in place.
What we don’t have are laws that deal with the incredibly fast pace of technological developments. Many innovative and positive uses of cyberspace have been overshadowed by devious uses, such as attacks on websites and our personal information, campaigns that damage democratic processes like elections, and “deep fakes” — manipulations of computerized data that are hard to detect.
What’s a specific example of a “devious use” of cyberspace?
The “WannaCry” malware attack in May 2017. It was a piece of computer programming that popped up on people’s screens and essentially said, “We’ve locked up all your data. If you want to set it free, pay us $300 in bitcoin.” The attack was first seen in Spain and went around the world within a day. Telecoms and gas companies had their data blocked; in the U.S., FedEx and Boeing were hit. Even airports were affected. The hardest hit was the National Health Service in Britain. Doctors and nurses could not read their computer screens, they couldn’t do blood tests; operations had to be canceled. The U.K. declared a national health emergency.
Fortunately, the malware was shut down within a few days, which is pretty quick. But we can all imagine what the consequences would have been if it had gone on for any serious period of time. Hostile cyber-activity is such a huge challenge because the hyper-connectivity we all enjoy and benefit from also brings us to a place of hyper-vulnerability.
Housen-Couriel works with numerous international groups to establish norms for how countries should act in cyberspace:
Global Forum on Cyber Expertise
Global Commission for the Stability of Cyberspace
MILAMOS project (Manual on International Law Applicable to Military Uses of Outer Space)
“International Group of Experts,” authors of the Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations
Who is vulnerable to breaches in cybersecurity?
Most of us. In January, the International Telecommunication Union published a statistic that more than half of humanity — 51.9 percent, or 3.9 billion people — is connected to cyberspace. In 25 years, we’ve had a major move of most of the people in the world to an entirely new environment, and it’s only getting bigger.
Are some places in the world more secure or more vulnerable than others?
The best places to be for cybersecurity are countries with the lowest connectivity, such as North Korea or Myanmar, because the governments there provide limited physical infrastructure — probably intentionally.
Otherwise, there is no better or worse place. Think about vulnerability in terms of the “plumbing” of the internet: satellites, undersea cables, Wi-Fi connections, phone lines, cell-phone towers. Wherever there’s more connectivity for personal use, commerce, finance, health care, and national defense, there’s more vulnerability.
What can be done to bolster cybersecurity?
At the level of the law, three things. First, countries can create national laws that criminalize hostile activity in cyberspace. Second, international agreements can set global norms about what is OK and not OK. This is nothing new; pretty much any human endeavor that operates on a global scale is addressed by international law. We eventually will have more and more treaties that address cyber-activity, but it will take time.
Third, we can improve our enforcement of national and international laws that already exist. This is not always straightforward in cyberspace; it depends on where the illegal activity takes place and if it is, in fact, regulated.
What are international organizations doing about cybersecurity?
Beginning in 2009, the UN Secretary-General started gathering governmental experts from a diverse group of countries to work out rules. They came back in 2015 and said, “All the familiar rules of international law that we already have? They work in cyberspace, too.” Currently, the UN has two separate groups, one headed by the United States and the other by Russia. They are working on clarifying laws and other norms that apply in cyberspace.
I was involved in a research project last year that mapped over 60 international and regional initiatives. Some of them propose what we call CBMs — “confidence building measures” — which is a term taken from nuclear disarmament parlance. So, information sharing, joint police enforcement, and cooperation with international policing organizations like Interpol and Europol are practical ways for countries to rely upon one another in cyberspace.
Last November, at the UNESCO Internet Governance Forum in France, the Paris Call for Trust and Security in Cyberspace was signed by 64 countries, more than 300 companies, and about 120 civil society groups. So even though we still have a lot of laws to develop, we have mechanisms that help countries talk about malicious activity in cyberspace and how to limit its effects.
What laws already exist?
In the European Union, there’s the GDPR — General Data Protection Regulation — which vests residents of the 27 EU countries with a constitutional right to have their personal data protected wherever it is in the world. So if I run a hotel in Israel and advertise it in the EU so that Europeans will come and use my hotel services, all of their information — names, passport numbers, email addresses, family members’ names — is protected, even though the data is being used outside of the European Union.
What about laws outside the EU?
China, Russia, and Vietnam have data-protection mechanisms in place. India is working on it. California already has a data-protection law and other states are following suit. But in the U.S. overall, there’s been less legal protection of personal data.
Corporations in America buy and sell that data. We need to be aware that if a product is free, then we’re the product. That’s going to stop if the GDPR has its way. For example, Facebook and Google are getting hit with fines left and right in Europe for the ways they are using personal data. And some people in the U.S. are more wary, especially after the Cambridge Analytica scandal. But what they don’t realize is that there are thousands more Cambridge Analyticas out there.
What happens when human rights are violated in cyberspace?
International law provides for protection of human rights such as the freedom to communicate and the freedom to have access to information. But how countries interpret and enforce international treaties can be very different. For example, in several countries, the sale of Nazi memorabilia is illegal. In the United States, it’s permitted, as part of the U.S. doctrine of freedom of speech.
Another problem is when countries block internet access to prevent political unrest and protests. Ethiopia and India have shut down the internet during national matriculation exams to avoid cheating. So each country balances human rights with national security, but countries maintain a large degree of sovereignty over the data that’s transmitted within their boundaries.
Cyberspace is a bit of a legal “Wild West” right now. But eventually, we will have a global code of conduct for countries, companies, and even individuals to understand what’s allowed and what’s not allowed. Are countries allowed, for example, to meddle in one another’s electoral or financial systems? Can a country self-defend when their systems have suffered from intentional and hostile interference? Under certain circumstances, even right now, the answer is a resounding “yes.”
So activities in cyberspace can escalate to actual war?
Mostly we are seeing cyber-hostilities that would not bring us to the brink of war, but we also have physical wars that have a strong cyber element, such as the current conflict between Russia and Ukraine.
The vulnerabilities that cause national security issues — should they be classified as an act of war between states? Is it an issue for the UN Security Council? Is it a criminal issue or is it terrorism? Is it for domestic laws to deal with? Should companies simply have in place stronger cybersecurity measures? Can we punish companies for not being adequately cyber-ready? The important thing to keep in mind is that countries, companies, and individuals are all vulnerable.
On an individual level, what should we be thinking about?
There are many ways to boost our “cyber-hygiene.” First, be careful with your Wi-Fi connections. Wi-Fi is a wonderful enabling technology that’s used now by almost every one of us. It’s also one of the easiest ways to have your information stolen. At home, make sure you have an effective security code. When you’re not at home, be wary of free public Wi-Fi. It’s convenient, but you’re opening up yourself to vulnerabilities. I would never use free Wi-Fi for banking or other sensitive activities. One option is to use a VPN, a virtual private network, which provides more protection.
Second, for all of your cyber-enabled accounts, use two-factor identification. This is a good way to protect against unauthorized access. Third, be careful where you buy your equipment so you can avoid what is called “supply chain vulnerability.” As individuals, we can’t check every single component in our computers, so purchase from a reliable source.
This is part of the education that all students, beginning in primary school, should be getting today. It’s no different from learning to cross the street safely, to avoid fire hazards, or to drive defensively.
What is next for the internet and cyberspace?
One of the hot topics now is 5G — the fifth generation of cellular mobile communications. It’s essentially the next version of the internet that will increase speed in a very dramatic way. Engineers and developers deserve a lot of credit for this, but what does it mean for regulation? Engineers don’t have the same criteria that lawyers do for what should be permitted in cyberspace. Their rule of thumb is: If it’s doable, let’s do it. Lawyers have a different task: balancing rights with constraints on harmful activities that may result from that innovative “let’s do it.”
The technical development of cyberspace — the “plumbing” — and the legal and policy developments are in the same universe, but the thinking about them is really different. We don’t yet have the techies talking to the lawyers who are talking to the policymakers who are talking to the politicians. Also, gender diversity, racial diversity, and ideological diversity are critical to cybersecurity, because you then have the advantage of approaching the problem of protecting the common good from a variety of angles. Everybody needs to be in the mix to move ahead with these challenges.
If cybersecurity is the realm of engineers and lawyers and politicians and governments, what role can young people play?
The responsibility for thinking about the incredible opportunities and vulnerabilities of cyberspace is falling to today’s students, the digital natives. These new challenges require new kinds of thinking, and students are already better at it than pre-digital generations. And right now, the world needs about 2 million more personnel to do the minimum job of protecting cyberspace. If anyone is looking for a career in cybersecurity, just walk through that door. It will be a fascinating journey.
This article was featured in NMH Magazine.