When the US Army requires legal advice covering the defence of its IT networks, operational attorney Robert Clark is called in.
Clark works for the US Army Cyber Command, an organisation that protects the US Department of Defense (DoD) information networks. He also lectures on cyber security law and society at UMBC in Baltimore, Maryland, in the United States.
Clark took time out from his busy schedule to speak with Computerworld Australia ahead of his visit to Australia for the AusCERT security conference.
What are the hot legal topics in computer network operations right now?
Criminal law in US searches of computers and limits on them are big, as is requiring defendants to reveal passwords to encrypted files.
What is your advice for IT security managers when it comes to working with legal counsel?
Work with counsel early and often, take time to have your experts break down the technology so the lawyers can understand it. Both attorneys and small to medium enterprises (SMEs) should be willing to sit down to understand the technology and how the law applies to that technology.
What forward planning should companies be doing to avoid negligence claims in the event of a data breach?
Negligence involves a duty, breach, causation and damage/injury. Several standards are in place as examples to see what is required by other businesses to ensure they are not negligent. For example, in the US there are online banking standards for companies to follow. As for other businesses, you have to look to the standards that govern your particular area, evaluate them and decide which ones to implement. Business is all about risk management and there are plenty of information security companies that will sell services to help [the] business implement proper standards.
What are some of the recent incidents and intrusions that have occurred and why are these not classed as attacks?
For an intrusion to be qualified as an attack it must meet the threshold under international law which requires a use of force, by individuals under state control, and recognised by the victim state as a cyber-attack. The Stuxnet worm of 2009 never caused the victim state of Iran to declare they suffered an attack that was attributed back to state actors or control.
What are the challenges you face in the role of operational attorney?
Getting out from behind my desk, keeping up-to-date with our people and being an active member of the staff to assist the Command in its responsibilities.
As a security professional what keeps you awake at night?
I sleep fine at night and have faith in our security professionals both within and outside of government.
What are the three biggest issues facing the information security industry today?
Resources, funding and people. It's difficult to monetise a successful IT security program and this will always be the challenge for IT professionals, to explain to the C-level folks why their budget can't be slashed and why it is important.
Clark is scheduled to present at the upcoming security conference AusCERT in May.
IDG Communications is an official media partner for AusCERT 2012.
Got a security tip-off? Contact Hamish Barwick at hamish_barwick at idg.com.au