Risks to Cybersecurity from Data Localization, Organized by Techniques, Tactics, and Procedures

This paper continues the research program begun in “The Effects of Data Localization on Cybersecurity – Organizational Effects” (“Effects”). This paper supplements Effects by organizing the risks to cybersecurity by the techniques, tactics, and procedures (“TTPs”) of threat actors and defenders. To categorize the TTPs, we rely on two authoritative approaches, the widely-known MITRE ATT&CK Framework and 2019 guidelines on “The State of the Art” for cybersecurity supported by the European Union Agency on Cybersecurity (“ENISA”). Based on these two approaches, localization laws disrupt the defenders’ ability to determine “The Who and the What” of an attack. Details about “who” is attacking often require access to personal data. Similarly, as an attacker moves through a defender’s system, there are often account names or other personal data in tracking “what” the attacker does in the system. Threat hunting and privilege escalation are two essential defensive measures that are likely to be especially hard hit by limits on data transfer. Similarly, localization laws can result in “Risks From Knowing Less Than the Attacker.” An essential part of good cyber defense is for the defenders to test the system through “red teaming,” including penetration (“pen”) testing. With localization, attackers can hop across borders to find holes in system defenses; defenders, however, are prohibited from using information gathered in one locality to jump to another locality. Localization thus limits defenders from effectively testing flaws in their systems.Part II of the paper examines the tension between the European Union’s regulatory requirements for cybersecurity and data protection. Part III examines the MITRE ATT&CK Framework and ENISA guidelines, and how they identify relevant TTPs of a cybersecurity defense system. Part IV supplements Part III by providing a quantitative model illustrating effects of data localization under plausible assumptions. In the model, halving the number of IP addresses available to a defender would more than double the likely time until a new attack is detected. Part V extends the analysis to the cybersecurity approaches now being considered under the proposed European Union Cybersecurity Standard. That standard, written in the name of cybersecurity, would create serious risks for cybersecurity, including by undermining state-of-the-art defensive measures such as threat hunting, privilege escalation, and pen testing. Part VI offers conclusions. The U.S., Europe, and other nations face incessant and sophisticated cyber-attacks. In the face of these threats, imagine that policymakers were considering a law that would degrade threat intelligence, leave systems open to privilege escalation, and bar effective pen testing and other red teaming. Such a proposed law would deserve great skepticism. As documented in this paper’s research, however, data localization laws appear to have such effects. This paper adds to the finding in Effects, that “until and unless proponents of localization address these concerns, scholars, policymakers, and practitioners have strong reason to expect significant cybersecurity harms from hard localization requirements.”