Risks to cybersecurity from data localization, organized by techniques, tactics and procedures

Abstract

ABSTRACT The risks of data localization to cybersecurity – organizational effects”, we provided a framework for the risks of data localization to cybersecurity, finding that 13 of 14 ISO 27002 controls would be negatively affected by the localization of personal data. This paper complements that analysis, focusing on the techniques, tactics and procedures (TTPs) of threat actors and defenders. Using the ENISA Guidelines and the MITRE ATT&CK Framework as authoritative approaches for cataloguing relevant TTPs, we highlight three important tactics that defenders use for cybersecurity purposes – threat hunting; privilege-escalation attack; and red teaming/pen testing. These three categories, considered essential to a mature cybersecurity programme, would routinely require cybersecurity defenders to access personal data that would be restricted by current data localization laws and proposals. The paper then provides a quantitative model illustrating the effects of data localization, finding that halving the number of IP addresses available to a defender would more than double the likely time until a new attack was detected. The paper concludes by noting that until and unless the proponents of localization address the unintended effects of data localization, scholars, policymakers and practitioners have strong reason to expect significant cybersecurity harms from hard localization requirements.