Risks to Cybersecurity from Data Localization, Organized by Techniques, Tactics, and Procedures

27 Pages. Posted: 13 Jun 2023. Last revised: 27 Mar 2025


Peter Swire

Georgia Institute of Technology; Georgia Institute of Technology - Scheller College of Business; Cross-Border Data Forum

DeBrae Kennedy-Mayo

Georgia Institute of Technology - Scheller College of Business

Drew Bagley

American University - School of Public Affairs

Avani Modak

Independent

Sven Krasser

Independent

Christoph Bausewein

Independent

Date Written: June 1, 2023

Abstract

In our first paper, “The risks of data localization to cybersecurity – organizational effects”, we provided a framework for the risks of data localization to cybersecurity, finding that 13 of the 14 ISO 27002 controls would be negatively affected by the localization of personal data. This paper complements that analysis by focusing on technical measures: the techniques, tactics and procedures (TTPs) of threat actors and defenders. It uses the ENISA Guidelines and the MITRE ATT&CK Framework as authoritative approaches for cataloguing relevant TTPs. Using these two approaches, we highlight three important tactics that defenders use for cybersecurity purposes – (1) threat hunting; (2) privilege escalation attack; and (3) pen testing and other red teaming. All three of these categories, considered essential to a mature cybersecurity programme, would routinely require cybersecurity defenders to access types of personal data that would be restricted by current data localization laws and proposals. The paper then provides a quantitative model illustrating the effects of data localization under plausible assumptions. In the model, halving the number of IP addresses available to a defender would more than double the likely time until a new attack was detected. The paper concludes by noting that, until and unless the proponents of localization address the unintended effects of data localization on the risks for cybersecurity, scholars, policymakers and practitioners have strong reason to expect significant cybersecurity harms from hard localization requirements.

Suggested Citation

Swire, Peter and Kennedy-Mayo, DeBrae and Bagley, Andrew and Modak, Avani and Krasser, Sven and Bausewein, Christoph, Risks to Cybersecurity from Data Localization, Organized by Techniques, Tactics, and Procedures (June 1, 2023). American University School of Public Affairs Research Paper No. 4466479, Georgia Tech Scheller College of Business Research Paper No. 4466479, Journal of Cyber Policy, volume 9, issue 1, 2024 [10.1080/23738871.2024.2384724]. Available at SSRN: https://ssrn.com/abstract=4466479 or http://dx.doi.org/10.1080/23738871.2024.2384724

Peter Swire (Contact Author)

