Independent legal expert talks security and regulation
Real Conversations podcast | S4 E18 | December 8, 2022
Bram Abramson practices law and public policy as principal of 32M, a boutique digital rights and risk advisory firm.
Internet regulation has become a controversial, hot button issue in recent years with wide implications – not least for cyber security. A Canadian legal specialist, Bram Abramson, unpacks the issues and shares his clear – personal – opinion on what all this could mean for organizations around the world. His advice is that CSPs should stick to the five guiding principles of cybersecurity, and they won’t become unstuck.
Below is a transcript of this podcast. Some parts have been edited for clarity.
Michael Hainsworth: Never has a communications service provider felt more in the middle. On one side is the end customer, the individual, and the enterprise industry. On the other, the regulator monitors how the business is conducted; to ensure equity, safety, and security. In today’s world of ‘work from home’ and the rise of the fourth industrial revolution, CSPs have had to dot their own i’s and cross their own t’s as the attack surface expands. Bram Abramson is a lifelong telecom player, going as far back as the 1980s, as the SysOp of early FIDO-based email networking systems, to today's role as a principal at 32M, a legal, regulatory, and public policy firm specializing in regulated technology competition. So, naturally, Bram requested we run a legal disclaimer to start our conversation.
Bram Abramson: I should note that my comments reflect only my own views and opinions. They do not necessarily reflect the views, opinions, or understanding of any other person or organization, including any clients or any organization on whose behalf I act.
Michael Hainsworth: Oh, I was hoping you were going to read it like one of those medical infomercial style disclaimers.
Bram Abramson: I thought you were going to let me read it, and then speed it up to the real version.
Michael Hainsworth: How well have service providers protected their networks during the time of COVID?
Bram Abramson: It's an interesting question because the time of COVID has been one during which the base problem has really shifted, I think. On the whole, service providers have done reasonably well. The nimbler and the better equipped I suppose they are, the better they've done, but COVID has been a time during which we decentralized work. I mean, to state the obvious, I'm sitting in my basement, you're sitting somewhere pretty close to where you live, I'll suspect. It's done everywhere. I don't think I'm telling much that's new in this, but the vectors of attack have started to flatten, to shift. In a lot of ways, it became sort of ‘consumerized’. Cyber attackers saw the value in soft targets; started to spread out along the chain of vulnerabilities, personal devices, user privileges, and so on. It became more multichannel probably. We've seen a lot more SMS phishing, vishing – voice-wise, and so on. I know I answer my phone even less than I did before COVID—which is scary.
Generally, all the ransomware that we hear about constantly, has really been an evolving environment for service providers. They've done a good job at keeping up, but less and less has been under their traditional sphere of control. Perhaps there's also been the opportunity for service providers to sort of get to know their customers a little bit better and expand into different areas and start getting new partnerships that they might not have before.
Michael Hainsworth: Tell me how securing the network is different during times of war versus times of peace, because we're also dealing with what's going on in Europe now, and there's a whole new attack vector opportunity inherent in that as well.
Bram Abramson: I agree. And it's a tough one because I'll make an analogy. In politics, we talk about the permanent campaign a lot. They talk about a universe in which everyone is always campaigning, and nothing really stops. The cycles have shortened so much that they're sort of eternal. And in some ways, it's starting to get that way a bit with securing a network. There’s been constant disruption, especially with COVID. And if you look at COVID and then this war in Europe, it's been an interesting sequence, if anything, with constant disruption and constant evolution. The difference between times of war and peace, in some ways, peace time is almost becoming, for cyber, the prelude to war, a time to gather allies, a time to establish good industry practices, data sharing, and all those good things, but at the same time to be constantly ready for the unexpected to happen.
Unfortunately, in terms of the flattening out that I mentioned, perhaps it's consistent with that. Bad things may happen at any time and do happen at any time, and we must be ready for them.
Michael Hainsworth: You mentioned that in times of peace, that's the opportunity, among other things, to establish good practices.
Bram Abramson: To be honest, they're evolving, but they're still all over the place. We're starting to get there, and we're formalizing our practice. One thing, as I mentioned, so I'll expand a bit further, is really the idea of gathering allies, of working together. I mean, there's nothing new about information and threat sharing, but it’s started to gather more momentum, or at least I would like to think so during COVID when folks really had to adopt a ‘we're all in this together’ kind of attitude, so that helps. At the same time, we're also starting to see the walls between some of the disciplines drop, and that's helpful as well. Much of it by necessity. Privacy is a very good example to be honest. And there's been some recognition that as we formalize our practice, either industry cooperates to apply sort of a privacy lens, or it will be imposed from the outside.
When we talk about all these things happening at once, COVID has unfolded, probably a substantial portion of the time now that the GDPR has been in effect in Europe, leading the rest of the world to start to standardize, as a result of the way the GDPR works and hooks in offshore data processing and everything else. We're really starting to see a lot of convergence between areas that were still, probably still are, pretty separate, but we're coming together.
In some ways, network management is at the heart of that. And when I think about that, I guess I go back to net neutrality, which has been this constant debate ever since we've been mass users of the internet really in the world of internet policy, but one area that was always kind of black boxed was network management. The idea that, "Look, if you're securing your network, it's okay." And certainly, here in Canada where I'm sitting, 10 to 15 years ago, it was sort of enough to have an internet traffic management framework that said, "Look, if the practice is for the purpose of network security, or if it's employed temporarily to address unpredictable traffic events, it's probably okay." Whereas now, that was in 2009, now in 2022, work is underway to determine if you're doing blocking for the purposes of cybersecurity, how are we going to define that and nail it down, what does it mean exactly, and how do we hold even those network management activities to guiding principles?
If called on, how do you show that your activities meet definitions of necessity and accuracy, transparency, privacy, accountability? Concepts like those are tradeoffs but working towards guiding principles is in some ways becoming the glue that's holding all this together.
Obviously, we have all kinds of standards and all kinds of frameworks and everything else, best practices from all corners of our different sectors, but it is starting to come together in a way that sees things more and more formalized and more and more recognized as a distinct set of tied-together disciplines. And look, I think that's probably helpful.
Michael Hainsworth: So, then what would you see as a guiding principle that we should be talking about at the service provider level, but we aren't?
Bram Abramson: It's interesting, and I return to it only because I've been quite wrapped up in these debates lately in Canada, but it's quite interesting to see. One of the questions that we had to answer back to our regulator here, the CRTC (Canadian Radio-television and Telecommunications Commission), was, “Are there any cybersecurity activities that can't be held to the five guidelines of being necessary, being accurate, being transparent, being sort of pro-privacy and being accountable? Now, none of those are sorts of absolutes, right?”
Necessity doesn't mean that if you don't do it, you die. It means that it's being done exclusively for the purpose of cybersecurity and not for any other purpose, not for competitive reasons, not for political reasons, and so on. Accurate doesn't mean it's perfectly accurate, but it means that you've taken reasonable steps to make any impact on legitimate services is as minimal as possible, so you're reducing false positives and over blocking, and so on to the extent that you can, and that you're taking reasonable steps.
Transparent, which means that you're doing some sort of reporting. And obviously, we've seen a real rise in recent years in transparent reporting and regular delivering to the public of standardized information around what's being blocked, around what network management practices are in place, and generally giving people reassurance that those whom they entrust with their network traffic are treating that network traffic responsibly, and that they have the means to know exactly what's happening.
Customer privacy. So again, the idea that you provide the highest level of consumer privacy protection possible under the circumstances. You're not compromising your ability to protect network traffic, but is what you're doing necessary given the privacy rights that individuals have?
And finally, accountability. Again, that doesn't mean that carriers and service providers are on the hook for everything that happens and that their liability sort of ratchets up exponentially. It means are they treating things in an accountable manner? Are they watching what they're doing? Are they reviewing their blocking systems periodically? Do they know what's happening in their systems? Are they taking the steps to find out? Are they just saying, "Look, we've outsourced that to a vendor, and we don't need to or care to know.”? Those five principles, to be honest, again, because I'm sort of sitting and considering these actively, I think they're quite interesting. So, it's around necessity, accuracy, transparency, privacy, accountability.
Michael Hainsworth: You mentioned the regulator in Canada, the Canadian Radio Television and Telecommunications Commission. Service providers have expressed concern that in an attack, say a denial-of-service attack, false positives could halt as much as 10% of actual good traffic.
Bram Abramson: Yes.
Michael Hainsworth: And that affects service. Is there a role for regulators in determining how we address this?
Bram Abramson: I want to be careful. I've talked about some of the good ideas that the Canadian regulators had, and that's not meant to suggest that regulators should play an outsized role here. I think in all things, to the extent that we as an industry can come together, that's where you want to be. Regulators ultimately are there to solve problems or should be there only to solve problems that industries and that market participants can't solve for themselves. And especially with the internet, which, of course, is a marvelous engine of free speech and everything else, that's especially true. And in the past, regulators have been pretty good at confining themselves to the bottom layer, zero to two in OSI (Open Systems Interconnection) terms I should say. In other words, really the nitty gritty telecom layers of the network, and not getting too into the internet and its various applications, including its basic core protocols like DNS (Domain Name System).
At the same time, regulators do exist to solve some of those market failures, and so the problem that you're identifying around good through put and so on is really one where you say, "Look, how is it that we're at the point where we're at, and are there any coordination problems in particular that can be addressed?" There's probably a whole range of roles a regulator could usefully play, especially when it can be shown that there aren't too many alternatives. A very basic one might simply be to say that networks serving a certain volume of endpoints should at least do something responsible to keep up with best practice to minimize the false positives you're talking about. So maybe that looks like minimum network security obligations on networks, and that's something I understand that we're starting to see discussion of, especially in the UK, in Canada now, as well with some proposed new legislation which would give way to regulations which haven't been written.
We're a ways away, but it's almost like a basic hygiene check. If nothing else you might say, to just switch metaphors for a second, if you're going to be a network of a certain size on which a certain number of people depend, you're driving a big bus, we need to make sure that you have your license.
Michael Hainsworth: Right. You've told me in the past that we're seeing an explosion of internet regulation worldwide that doesn't just regulate the internet, but the network layers and their activities. How so? And what does this mean for telecos specifically?
Bram Abramson: It's an interesting question because we see so much discussion now about internet regulation. And it's true, there is a lot of it being discussed, and it's also true we should be wary and be careful about it. Over-regulation can be a knee jerk reaction sometimes and is often not the correct response and is not a helpful response. But that said, I think when we talk about internet regulation, it's often helpful to sort of pin down what exactly we are talking about? Certainly, we've seen a lot of activity around speech regulation, around online harm, around news financing, that sort of thing. We're seeing more and more around regulating different markets that have existed off the internet and are moving onto the internet, whether it's video, and that's the idea of regulating big online video distributors, whether it's regulating digital currency markets, and all those things.
But I guess there's almost two sides to this. It's, what's the problem we're trying to solve? And a lot of the time these are real world issues that we've seen in the past that are now moving onto the internet. And at other times, these are things that are native to the internet and certainly social networks are things that we don't see much in the real world. But on the other hand, it's also about, what are the steps we're taking, and which layer of the internet are we addressing, in order to try and solve these issues? To take a real-world example, should pirated hockey games be blocked or addressed in some way so that those who paid big bucks for those rights shouldn't see those rights pirated? That's something we've seen before the courts in Canada recently, so what is the least harmful way to address that?
First of all, is that an internet problem per se? In other words, how are people... Well, to take one example, how are people paying for this? And if we tried to go after the financial intermediaries before we go after the internet-based intermediaries, then a second step is "Okay, if it's happening on the internet, what do we mean?" In other words, are we going after the hosts? Are we going after the people who are providing the DNS entries that allow it to be easy for users to find the right place to find these websites, and so on? Because if the IP address is hopping around constantly, it's probably less easy for them. And ultimately, are we going after the current network layer’s access on these at the consumer side as well, which is what we've seen in Canada’s recent court decisions in locating the blocking?
And I guess in general, one of the things that may get confusing at times is, what is the difference between those different applications, what is the difference between those different layers, and are we careful in distinguishing between them when we make those rules? Again, when we want to go after copyright infringement, if we should go after copyright infringement in a given circumstance, are we careful about saying, "Look, we're going to take the least harmful approach possible by affecting as few endpoints as we need to." Are we going to rely on this case, which was about, I don't know, Google de-listing results from its search engine, which is very different at one layer than relying as a precedent on a telco blocking a given range of IP addresses over a period of time?
How are those things different and who needs to know about that? In other words, do courts need to understand those differences? Do regulators need to provide information about those differences so the courts can be better informed? How is this supposed to work? What we're quickly seeing is everything sort of gets digitized and swallowed up in a way by the internet. Simply treating the internet as one big undifferentiated thing, I think is less and less helpful. As we talk about internet regulation, I know I'm off topic here, but it really starts to get to the point where we need to really slice into that and delaminate the different layers and really zero in on what it is we're talking about exactly.
Michael Hainsworth: Well, then how does the telco layer avoid being stuck in the middle, being caught in the middle, and being the one that ends up having to be the police officer for whatever the crime may be?
Bram Abramson: It's a very good question because, in practice, that's what's happening. We're seeing more and more obligations loaded onto telcos, whether it's in terms of performance, copyright enforcement, whether it's working with law enforcement to assist in all manner of cybercrime, whether it's enforcing age-related restrictions, it's really becoming quite detailed, and the level of obligation, responsibility and liability is ratcheting upwards. Telcos are in a privileged and a unique position with the obligatory points of passage for everyone's network traffic, and so they occupy sort of a high-trust role. On the one hand, they are relied on increasingly by law to assist in various legal functions. On the other hand, they're also relied on by end users as the trusted agents for their private network traffic, and that's a very high illness in terms of people's privacy rights, as well as their security, and all the other things that you might imagine.
For telcos, I think a lot of this lies in recognizing that they have an interest in that delamination, in that recognition of the different sorts of roles those different actors on the internet will play, and in making it clear that they're not the only actors on the internet and are often best considered as actors of last resort. In other words, if we're getting to the network layer, have we looked at all the other sorts of higher layer options first, or have we looked at the different solutions that are closer to the source of the problem first and so on? Sure, we need to play our part, but has that part been looked at carefully in the context of the whole, so that we're always doing the least amount of intrusion possible and are really adopting a least harmful approach, or are we sort of relying on the easiest, bluntest, heaviest tool at hand because it's the one that we look to most naturally?
There's a real, in a lot of ways, incentive for telcos to begin to recognize that they're part of... Well, not just to recognize because I think telcos know this, but to help others recognize that they're part of a fairly complex ecosystem, and they're just one part of it. It's the most visible part because, at the end of the day, the ISP is who we pay our money to access the internet, and to say, "Look, there's a lot going on here that we want to play our fair role, but at the same time, let's understand the full ecosystem and let's do no more harm than possible, especially when it comes to acting on real harms or real areas of concern because this might be the most effective, but the easiest that is to say, but it might not be the most effective place to start."
Michael Hainsworth: Since you're located in a basement in Canada, let's sort of extend your expertise in that area, which frankly applies, no matter where you are in the world. But in recent engagements with the Canadian government arguing for a less ‘telco-centric’ approach to dealing with botnets, we heard from some operators that they found themselves hampered by lacking the right kind of detailed threat data to reinforce their case. What are your thoughts on sharing of threat intelligence data among operators to make their networks, and the internet as a whole, more secure and make a common case in front of a regulator?
Bram Abramson: Yeah, it's a very good question, and I think it's actually targeted at the exact right level in terms of where we're at right now, because where this will go from a regulatory standpoint is still pretty open. As I was saying before, I think we see a lot of practices starting to coalesce, but we're still all over the place. I guess I would say that acting responsibly, taking a very active role in, first of all, auditing one's own practices and in understanding what best practices are, how you stack up against them, engaging with the surrounding context, and in developing a bit of a trusted environment in which telcos can cooperate with one another, can identify best practices in ways that are of course consonant with all of their obligations, that are careful not to achieve anti-competitive effects, that are not for commercial purposes, but are truly about really protecting end users and showing that you are properly cooperating with opportunities to share threats, to work with different CERTs and different information sharing analysis centers, organizations, automated indicator sharing, all those good things.
And we have that set up now by country, by industry, by community. We have various platforms for malware information sharing and so on. It's a question of, on the one hand, really showing that once you're a network of a certain size in particular, once you have the capacity that you are engaging proactively with these things, that you are engaging with your peers in a way that is honest and fair and transparent. On the other hand, you are doing so in ways that are consonant with the guiding principles I spoke about earlier. So again, as I say, there's probably a whole debate to be had about what those guiding principles should be, but I think for now, necessity, accuracy, transparency, privacy, accountability are not bad places to start. If somebody were to go forth and say, "Look, let's take a look at what you're doing. Are you complying with these different guiding principles? Can you show that you understand what's happening on your network, that you are doing things in the least intrusive way possible, that you're providing some transparency, that you're doing your best to reduce false positives, and generally promote accuracy, and that you're blocking to the extent necessary because it really is for cybersecurity?"
And then you sort of mark those to market by showing that you're doing what is best practice in the industry. Maybe you've already got your SOC Two Type One down into your role with your annual SOC Two Type Twos, maybe showing that you're meeting ISO in these standards, all the usual good things that I think people are starting to build, if they haven't already, into their cybersecurity programs, and certainly that most responsible large institutions procurement programs will require of you if you're a carrier these days, but really put all those things together and say, "Look, privacy in one corner, law enforcement in another corner, cybersecurity in yet another corner. That's not going to fly long term. So how do we put those things together and make sure that when we get out there in the industry and we talk about what we're doing, we can show that we're engaged and that we're reconciling all those different disciplines?"
Michael Hainsworth: TikTok is often seen as the poster boy for national security concerns. Is it possible to balance net neutrality with the obligations to protect national interests without dragging the CSP into the fight?
Bram Abramson: Yeah, it's a good question. And look, it really goes back to what we were talking about earlier, which is start with the different layers of the network and start with the different locations at which the harm, if any obviously, is taking place. When we talk about TikTok, it's an application, it's a complex application. It's got the user-ended application on the one hand, and there are all kinds of things happening all over the network, and things talking to one another, but at the end of the day, what is the specific concern that we're trying to address, and then how do we go there? And TikTok's a good example. I mean, it really marries a lot of different concerns and some of them are fairly non-technical and some of them really do go to those sorts of online harms issues and start with engaging with TikTok directly. I must say, TikTok has engaged in its corner with different governments and so on, and that's probably helpful if nothing else is the starting measure.
Then you simply walk down the chain, and you say, "Look for the specific harms we're trying to address, what is the least intrusive way to do so?" If it eventually gets to the point where we need to work with carriers themselves, and this is almost at the demand side of things, and unless we're talking about network suppliers to TikTok itself, then we get there, but at least we've done so in a way that's well measured, that's well-reasoned, that's well structured, in a way that's administratively fair and proportionate, and that really respects these guiding principles that I've talked about. In other words, what is the specific harm we're trying to address? And when there are multiple harms, then we address each one in turn, and really look at the remediation plan that we have for each of them in that way.
Michael Hainsworth: For a telco operator that is concerned about the implications of regulation by a governing body, and the application of it on their network, what would be the key takeaway for you that you would want them to have after listening to this conversation?
Bram Abramson: Don't wait for regulation to come find you. I mean, I don't think it's a complicated one, and I don't think it's a new one. But certainly, if you're a carrier, you're already engaged... or a carrier of any proportion, you're already engaged in all kinds of cybersecurity activities, as you should be and as you need to be, because your network won't work without them. Consider that a lot of the good things that you're doing will carry some weight, and that simply shows that you're doing them, as you've probably already had to do when doing your own cybersecurity audits, when doing your cyber insurance underwriting and so on, that will have some value for regulators who are concerned about making sure they do their jobs and that all the i’s are dotted and the t’s are crossed, so start by highlighting the good things you do. And then as you do so, make sure that you sort of continue to audit them for regulatory risk as well. Meaning, is what we're doing consonant with the kinds of guiding principles that a regulator would like to see applied?
Are we doing things in a way that is, well, that is on board with the other disciplines that interact with cybersecurity? The ones I've been talking about, privacy and law enforcement relations and all those good things, and do we have the means to talk about it in a sort of centralized and unified way that makes sense and that really spins out a narrative that is accurate, that is fair, and that regulators will appreciate having heard about. Because the more that the carriers who are already doing these things can explain what they're doing, I think the more reassurance, in many cases, regulators will have.