Institution: University of California, Berkeley, School of Information
Biography: Aaron Burstein is the TRUST and ACCURATE at the University of California, Berkeley, School of Information. His research interests lie in the areas of cybersecurity law and policy, information privacy, intellectual property, and electronic voting. In the realm of cybersecurity, his interests include government responses to cybersecurity threats through regulations of the private sector, new models of government-private sector cooperation, and support for research. Prior to beginning his research fellowship, Burstein was a trial attorney in the U.S. Department of Justice Antitrust Division. He is a 2004 graduate of the University of California, Berkeley, School of Law.
Publications: Aaron J. Burstein, Amending the ECPA to Enable a Culture of Cybersecurity Research, Harvard Journal of Law & Technology, vol. 21(1), 167-222 (2008).
Aaron J. Burstein, Conducting Cybersecurity Research Legally and Ethically, in Proceedings of the First USENIX LEET Workshop, San Francisco, CA, April 2008.
Abstract: Business firms play an essential role in identity management. They control vast quantities of data that can be used to identify and authorize individuals. Mismanagement of this information can lead to a variety of individual and social harms, including the revelation of private information, financial fraud, and medical identity theft. To address these harms, legislators and regulators in the United States have in recent years passed a complex set of rules that require firms to secure identifying information.
How do these rules work in practice? Do they actually prompt firms to adopt better identity management practices? Or do they steer firms toward practices that are too costly or ineffective (or both)? My colleagues and I have posed these questions to top information security strategists from companies operating in diverse sectors of the U.S. economy: information and communications technology, healthcare, manufacturing, and the energy infrastructure. We chose to interview these security professionals because they are positioned at the interface between corporate management and the personnel who handle the firms' security operations. Thus, they are well-positioned to discuss how identity management regulations affect firms' high-level strategies as well as their
Our preliminary analysis of responses collected from these interviews presents widely varying and nuanced pictures of responses to identity management and other information security regulations. Economic sector (and hence the details of applicable regulations) and the structure of relationships to consumers and other businesses are influential factors. However, there is widespread agreement among the respondents in our sample that regulations have been successful in directing attention from top-level management to information security within firms and in giving security professionals greater authority to implement security mechanisms. I will focus on cases that illustrate these contrasts most vividly.