CYBERSECURITY EXPERTS – WHO QUALIFIES?
“I need a cybersecurity expert. Do you know anyone?” First, that’s like asking for a doctor. What kind? Dermatologist? Orthopedist? Cardiologist? While “generalists” exist, there are also several niche areas under the umbrella of cybersecurity, such as digital forensics, firewall configuration and management, and network design.
Second, does this expert need to withstand court scrutiny? Unlike other fields of technical expertise and study, legitimate experts in cybersecurity do not always follow the path of undergraduate to graduate-level education. In cyber, many experts are forged from work experience and skillsets developed over time. Unfortunately, the traditional legal standards by which to qualify an individual as an expert may exclude those lacking higher-education credentials.
There is little case law on evidentiary standards as applied to cybersecurity. The Federal Rules of Evidence (which the states have generally adopted), in Rule 702, set out the test for admitting expert testimony, focusing on the witness’s qualifications, the specialized knowledge behind the testimony, and whether that testimony will help the trier of fact determine a fact in issue.
U.S. courts further look to the United States Supreme Court’s 30-year-old opinion in Daubert v. Merrell Dow Pharmaceuticals, Inc. (1993) to determine the reliability of an expert’s testimony. Daubert requires courts to consider: (1) whether the expert’s techniques have been tested and are reliable in delivering an opinion; (2) whether the expert’s methodology has been subjected to peer review (often by publication); (3) the methodology’s known or potential rate of error; (4) the existence and maintenance of standards controlling its operation; and (5) whether the expert’s methodology is generally accepted within the relevant community.
However, working cybersecurity experts (those who do not make a living as professional witnesses) often lack publications or a doctorate, and there is no standardized checklist of requirements for expert witnesses testifying on cybersecurity of the kind that often exists for, say, accident reconstruction experts.
In Orbital Eng’g, Inc. v. Buchko, the Western District of Pennsylvania evaluated whether a purported expert was qualified to testify on the roles and responsibilities of a C-suite executive regarding cybersecurity. The proposed expert, Mr. Donald Price, held a master’s degree in “Information Systems Management as well as more than 20 years of experience consulting and advising entities concerning their IT systems, conducting cybersecurity assessments, leading cybersecurity incident response teams and directing digital forensic investigations.”
As part of his work, Mr. Price performs assessments and makes recommendations to clients on improving their cybersecurity, with a focus on the individual roles and responsibilities of various employees under the organization’s existing policies and assignments of responsibility.
While the Court found Mr. Price qualified to testify and offer opinions on cybersecurity, he could not evaluate the COO for potential negligence by testifying in the abstract about the cybersecurity-related responsibilities of a hypothetical chief operating officer. Any such testimony “must be based on the specific facts of this case as they relate to the individual COO’s role and responsibilities and his critique of his/her performance.”
In 2015, the Southern District of Florida, in National Union Fire Ins. Co. v. Tyco Integrated, also subjected a cybersecurity expert’s opinion on information security standards and their effectiveness to Daubert scrutiny. The expert, Dr. Eric Cole, was a former Chief Technology Officer of McAfee, with a background in internet technology at the Central Intelligence Agency, and an instructor for SANS. Dr. Cole’s CV includes a doctorate in Network Security, bachelor’s and master’s degrees in Computer Science, and the Certified Information Systems Security Professional (CISSP) certification.
In opining that a party failed to meet industry standards for cybersecurity, Dr. Cole compared the information technology systems of similarly sized companies in the same field, relied on National Institute of Standards and Technology (NIST) and Payment Card Industry (PCI) materials, and drew on his own experience. Dr. Cole’s testimony was admitted on “Industry Standards,” but the Court held that he could not testify on the sufficiency of “record retention programs,” even as those programs related to records of previous network architecture and software use.
The lesson here? Be as specific as possible on the issue(s) to be examined and consider looking beyond the traditional higher-education benchmarks.