Building a Cybersecurity Roadmap: Developing America’s Edge


Recently the Lab sent member Aaron Alva to Washington DC (from one Washington to another!) to attend a cybersecurity event co-hosted by the Center for National Policy and the Christian Science Monitor. The event included a Q&A with the White House cybersecurity coordinator Michael Daniel, and a panel with experts including DEF CON founder Jeff Moss.

In the below post, Aaron highlights key takeaways from the event, specifically from the White House coordinator.

Mr. Daniel shared a few key areas that will be important to our nation’s cybersecurity progress in the future:

  1. Cybersecurity is a hard policy problem;
  2. the cybersecurity workforce needs to grow—in numbers, skills, and disciplines;
  3. the White House will attempt piecemeal legislation for cybersecurity since wholesale bills haven’t worked; and
  4. the National Institute of Standards and Technology (NIST) Cybersecurity Framework, while voluntary, is important and will be emphasized by the White House.

Mr. Daniel had some insightful comments on cybersecurity as a policy issue. He noted that cybersecurity is emerging as one of the defining policy challenges for the 21st century, yet it is not obvious why cybersecurity is such a difficult problem. Cybersecurity could be an easy problem. It could be ensuring that everyone patches vulnerabilities so that intruders cannot get into systems. But, taking a step back, cybersecurity is difficult because it cuts across social, private, and public lives. Mr. Daniel asserted that cybersecurity is not merely a technical problem—it is also an economic, political, and human behavior problem. It is a “wicked problem.” It is a problem that will take a wide variety of disciplines to help solve.

Second, Mr. Daniel emphasized the need for a cybersecurity workforce. His idea of a cybersecurity workforce encompasses two main themes—size and diversity of skills. Mr. Daniel noted that the workforce needs to be much bigger. He referenced government initiatives to increase workforce size. These initiatives include increasing the number of university Centers of Excellence in Information Assurance (UW is a Center of Excellence in Academics & Research). They also include growing the NSF CyberCorps scholarship program (of which I am a recipient). Mr. Daniel also described the need for more diverse skills for the cybersecurity workforce. He referenced the National Initiative for Cybersecurity Education (NICE initiative), which has developed a heatmap of cybersecurity roles necessary for a robust workforce. He noted that cybersecurity careers need to include individuals who understand how cybersecurity interacts with industries, businesses, and the law.

Third, the White House cyber czar briefly described his role as coordinator, and his new approach to cybersecurity legislation. He described his role is as a soft power in the White House. His goal is to align policy within the government bureaucracy. Mr. Daniel asserted that cyber is too big to put one person in charge, and the more appropriate role for the White House cyber coordinator is to get various agencies to coordinate.

Mr. Daniel also emphasized the need for cybersecurity legislation, and that legislation was long overdue. He stated that the White House will try a new approach. The White House will work to pass pieces of cybersecurity legislation however possible. The new piecemeal approach is in contrast to the typical approach of attempting to pass cybersecurity legislation all within a single bill.

Fourth, Mr. Daniel discussed the NIST Cybersecurity Framework. The Framework was developed by NIST by direction of an Executive Order from the White House. The Framework emphasizes that organizations should use risk management practices for cybersecurity through five categories. Organizations should Identify assets to secure; Protect those assets in a manner consistent with risks; Detect attacks; Respond efficiently after an incident to mitigate harm; and Recover from an incident.

Mr. Daniel believes that the Framework should be voluntary, but stressed that the US has a long history of effective voluntary standards. He noted that ultimately market forces will push the Framework forward. In a number of questions, Mr. Daniel referred back to the Framework’s main categories to emphasize the need for organizations to use risk management practices to deal with cybersecurity issues.

Finally, as part of the Q&A, I had the opportunity to ask Mr. Daniel a question. I asked what can be done to change the conversation from fear of being breached to one more realistically tailored to the fact that breaches will occur. I referenced recent headline breaches of Target, JPMorgan Chase, Home Depot, and others. I noted that these headlines primarily focused on the incident itself, rather than what the companies did in response to being attacked. His answer was telling, and I think he was correct. Mr. Daniel used the NIST Cybersecurity Framework to illustrate that there’s a missing part to the conversation. “But what [the NIST Cybersecurity Framework] is really saying is you got to actually figure out what information you have that you care about, and why do you care about it? What do you actually want to protect it from? Is it exposure at all? Or is it that you want to protect it from manipulation, that’s your greatest concern. And so that starts to define how you think about it and how you protect it, which is that second step.” See the full exchange here.
Aaron 2
In conclusion, the White House cybersecurity coordinator provided helpful insights into the executive branch’s approach to cybersecurity. Mr. Daniel’s emphasis on the policy challenges, workforce needs, legislation, and risk management practices show a White House that desires to engage on a number of cybersecurity issues. Mr. Daniel remained optimistic that progress can be made on these issues, and that itself was welcomed news to the DC audience.



Guest Post: Comparative Analysis of Data Protection in Korea and the European Union


This is a guest post by Yoon Sukbe, a member of the South Korea Ministry of Science, ICT and Future Planning and visiting scholar at the University of Washington School of Law.

The paradigm of data protection is being changed due to the advancement of network technology. Decentralization and effectiveness of Internet technologies enhance convenience of access and user’s benefit. However, the development of technologies increases the risk of data security breaches. Especially, clouding computing enables to transfer computer resources (e.g., networks, servers, storages, software, applications and services) to another place. The borderless nature of cloud computing causes controversy regarding jurisdiction between nations which have different regulations as well as the complexity of the protection of data protection. Generally, data protection systems could be classified into two categories. One is the horizontal and comprehensive approach of the EU and the other is the vertical and sectoral approach of the U.S. In the cloud computing context, it is very important to review the EU’s opinion on the limitation of data center for applying EU’s law on other country’s cloud computing service. Also, it is helpful for Korea to review the problem of its current data protection legal system and to suggest alternative system for strengthening the protection of personal data.

1. Is EU’s approach on data protection consistent with its position in world trade discussion?

High ranking officials of European Commission have said the necessity of regulation governing the location of cloud computing data center for data protection and industry development. Viviane Reding, the EU’s Commissioner for Justice, said that European government could promote the development of European clouds by making sure that data processed by European companies are only stored in clouds to which EU data protection laws and European jurisdiction applies. European Commissioner Digital Agenda Neelie Kroes posed a series of principles for the regulations of EU data located in clouds on EC’s website. Are these statements compatible with EU’s commitment in WTO?

In 1994 EU (fomerly EC) committed to the liberalization of computer and relation services, except the movement of natural person (mode 4) , during the Uruguay round of negotiation. This means that there is not any limitation of market access and there is national treatment of cross border supply of service (mode 1) and supply through commercial presence (mode 3) in this sector including data processing services, data base services. Mode 1 indicates that a user receives services from other countries through its telecommunication or postal infrastructure. Thus the country liberalizing the mode 1 of Computer and related services sector is not able to establish the incompatible regulation.

Computer and related services under the General Agreement on Trade in Services (GATS) is composed of the Consultancy Services related to the Installation of Computer Hardware (CPC 841), Software Implementation Services (CPC 842), Data Processing Services (CPC 843), Data Base Services (CPC 844), Maintenance and Repair (CPC 845) and other Computer Services (CPC 849). If clouding computing service is defined as the delivery of computational resources from a location other than the one from which the user is computing , it corresponds to the Data Processing Services and Data Base Services.

However, there could be an argument that the clouding computing service is included in the scope of the commitment of the EU, because this kind service was not feasible in 1990s when the Uruguay round was negotiated. With this perspective, it would be helpful for our understanding to consider Oracle’s CEO Larry Ellison’s statement that the redefinition of cloud computing is just for incorporating everything what we already do.

In the current world trade regime, it has been suggested that the principle of “technology neutrality” applies under the GATS. Application of this principle would mean ensuring a level playing field for all services irrespective of the technological platform used to deliver them . Particularly, in 2002 EU officially requested all WTO Member countries make commitments in Computer and related services at the highest possible level (i.e. the two-digit level – Provisional CPC Division 84) for minimizing the risk of the confusion in seeking to determine whether a particular Computer and Related Service has been committed when the service actually offered involves services covered in a number of different subsectors, and so help to better reflect technological developments and commercial realities in this sector .

Local presence obligations are a clear limitation of cross border supply of services (mode 1). Thus, if WTO Member countries which have already committed Computer and related services establish regulation on the place of cloud data center, it would be a breach of GATS rules. In this context, it is needed for EU to review whether its scheme would be compatible with its commitment or not.

2. Suggestion for reformation of Korean data protection legal system

When it comes to the data protection legal system, Korea takes comprehensive approach. All kinds of transactions are covered by relevant laws. But there are important differences compared with European system.

Korean data protection regulation is similar to that of the EU, taking comprehensive approach. But Korea has multiple laws on data protection. Besides “Data Protection Law” as a basic law, there are “Telecommunication Network Act” for telecommunication sector, “Use and Protection of Credit Information Act” & “Electronic Financial Transaction Act” for financial service sector, and so on. Enforcement of many laws could cause confusion and weaken the law abiding attitude. For example, if there were an accident of financial data leak online, more than four kinds laws mentioned above would apply to the accident. As a country taking comprehensive approach, it would be logical to maintain single law for data protection in private transaction.

With regards to the data protection, there are two relations. One is between government and people, and the other is between company and its customer. Higher level of data protection is required in former than latter because government is able to collect extensively. Sometimes personal data collection is done against information holder’s will or without the knowledge of him or her. While, company is permitted to collect personal information on the ground of customers’ consent and customers provide their information for benefit. Thus it is generally accepted that more strict regulation should applied to relations between government and people. But there are little differences in Korean Data Protection Law. It is desirable to separate the data protection legal system into government and private.

Korean data protection regulations are not enough strong compared with the U.S, EU or Canada. Even though access of own information is widely accepted in many countries, in Korea for instance, data controller holds no liability for refusing access of customer without customer’s loss. Companies in Korea actually do not have any responsibility to permit the access of personal data provider because the burden of proof for damage is on customers. It is true that the Korean government tends to favor siding with companies than individuals. However, as the globalization is rapidly evolved especially through online, Korean companies should abide by foreign data protection laws. Considering the current trend, strengthening the level of data protection would not be new pressure to companies. Rather it could be helpful for them to possess competitiveness in global market.

(1) Carol. Celestine, “Cloudy” Skies, Brighter Future? In Defense of a Private Regulatory Scheme for Policing Cloud Computing, Univ. of Illinois Journal of Law, Technology & Policy (2013)
(2) Peter Swire & Kenesa Ahmad, Foundation of Information Privacy and Data Protection, IAPP (2012)
(3) Sebastian Zimmeck, The Information Privacy Law of Web Applications and Cloud Computing, Santa Clara Computer & High Technology Law Journal (2013)
(4) Bruce Schneider, Liars & Outliers: Enabling the Trust That Society Needs to Thrive, John Wiley & Sons, Inc. (2012)
(5) Eduardo Ustaran, European Privacy: Law and Practice for Data Protection Professionals, IAPP (2012)

Announcing the We Robot 2015 Call for Papers


The 2015 We Robot Call for Papers is now available. Inviting submissions for the fourth annual robotics law and policy conference, We Robot 2015 will be held in Seattle, Washington on April 10-11, 2015 at the University of Washington School of Law. We Robot has been hosted twice at the University of Miami School of Law and once at Stanford Law School. The conference web site is at

We Robot 2015 seeks contributions by academics, practitioners, and others in the form of scholarly papers or demonstrations of technology or other projects. We Robot fosters conversations between the people designing, building, and deploying robots, and the people who design or influence the legal and social structures in which robots will operate. We particularly encourage contributions resulting from interdisciplinary collaborations, such as those between legal, ethical, or policy scholars and roboticists.

This conference will build on existing scholarship that explores how the increasing sophistication and autonomous decision-making capabilities of robots and their widespread deployment everywhere from the home, to hospitals, to public spaces, to the battlefield disrupts existing legal regimes or requires rethinking of various policy issues. We are particularly interested this year in “solutions,” i.e., projects with a normative or practical thesis aimed at helping to resolve issues around contemporary and anticipated robotic applications.

Scholarly Papers
Topics of interest for the scholarly paper portion of the conference include but are not limited to:

  • The impact of artificial intelligence on civil liberties, including sexuality, equal protection, privacy, suffrage, and procreation.
  • Comparative perspectives on the regulation of robotic technologies.
  • Assessment of what institutional configurations, if any, would best serve to integrate robotics into society responsibly.
  • Deployment of autonomous weapons in the military or law enforcement contexts.
  • Law and economic perspectives on robotics.

These are only some examples of relevant topics. We are very interested in papers on other topics driven by actual or probable robot deployments. The purpose of this conference is to help set a research agenda relating to the deployment of robots in society, to inform policy-makers of the issues, and to help design legal rules that will maximize opportunities and minimize risks arising from the increased deployment of robots in society.

We also invite expressions of interest from potential discussants. Every paper accepted will be assigned a discussant whose job it will be to present and comment on the paper. These presentations will be very brief (no more than 10 minutes) and will consist mostly of making a few points critiquing the author’s paper to kick off the conversation. Authors will then respond briefly (no more than 5 minutes). The rest of the session will consist of a group discussion about the paper moderated by the discussant.

Unlike the scholarly papers, proposals for demonstrations may be purely descriptive and designer/builders will be asked to present their work themselves. We’d like to hear about your latest innovations—and what’s on the drawing board for the next generations of robots as well, or about legal and policy issues you have encountered in the design or deploy process.

How to Submit Your Proposal
Please send a 1-3 page abstract outlining your proposed paper, and a c.v. of the author(s) to

  • Paper proposals accepted starting Oct. 1, 2014. See for further information.
  • Call for papers closes Nov 3, 2014.
  • Responses by Dec. 14, 2014.
  • Full papers due by March 23, 2015. They will be posted on line at the conference web site unless otherwise agreed by participants.

We anticipate paying reasonable round-trip domestic coach airfare and providing hotel accommodation for presenters and discussants.

Co-Director Batya Friedman Discusses “Can We Build A Safer Internet?” in The New York Times

In a recent article the New York Times asked “Can We Build a Safer Internet?” They examined whether the harassment and hateful internet of today could one day change for the better and discussed the issue with Co-Director Batya Friedman:

“The question for designers of online communities, she said, is ‘how do we either create virtual norms that are comparable, or how do we represent those things so that people are getting those cues, so they modulate their behavior?'”

Read more here.

Co-Director Calo’s New Robotics Paper Receives National Coverage


Lab Director Ryan Calo’s new paper, “The Case for a Federal Robotics Commission,” has received recognition from both the Washington Post and Slate. The paper is part of a series hosted by Brookings that attempts to anticipate and address the legal issues that will arise as civilian robots become more common.