Law 832, Cyber Security Law and Policy

College of Law
Syracuse University
Syracuse, New York, USA

This course is a seminar offered during the fall term of 2012. It meets on Mondays. The web pages of this sit are not yet ready for the fall 2012 term, but they will be before the add/drop period begins on Thursday, August 23, 2012.

In the meantime, here is the outline from the fall 2011 iteration of this course:

I. Introduction and Terminology

A. The Nature of Cyberspace

Cyberspace is ubiquitous.  Cyberspace is decentralized, complex, adaptive and resilient. What does all that mean, and what else is cyberspace?  Is it so large and so complex that it constitutes a new challenge for humanity: how to affect something whose individual parts are all man-made but whose whole constitutes more than the sum of its parts and is beyond the control of any single person or organization?

1. History of development was for use by already trusted identities

2. Packets

3. TCP/IP

4. Network of networks

5. Control points

6. L ack of central authority (including ownership and governance)

7. Generative

8. Outsourced

9. Mostly all 3rd party

That is, most information in cyber is either transferred or stored by entities other than the sender and intended receiver (the “conversants”).  That makes an enormous difference in the applicable Constitutional analysis.

10. Cloud

11. More than the Internet

B. The Nature of the Threats to National Security in Cyberspace

Cyberspace connects us to each other and to all manner of information. Yet, it also connects us to cheats, frauds, spies, thieves, terrorists and child pornographers – and they to each other.  Given our society’s increasing dependence upon cyber technology, some of these threats rise to the severity of endangering our national security.  What are these threats and the vulnerabilities that they could exploit? Do we really know?

1. Vulnerabilities

a) Computer Network Attack (malicious code)

b) Distributed Denial of Service (DDOS)

c) Espionage / exploitation

d) Integrity degradation of data in transit

e) Integrity degradation of stored data

f) Destruction

g) Warfare complement

h) Recruiting/fund raising (cyber-facilitated terrorism distinguished from attacks on information infrastructure)

i) Enemy operational communications

j) Supply chain

2. Threats:

a) Nation states and their militaries and agents

b) Non-state actors:

(1) “patriotic hackers”

(2) Criminals (some organized)

(3) Terrorists (some working with criminals)

(4) Insiders

3. WCS categories

Networking computers blurred the boundaries between cyberwarfare, cybercrime, cyberterrorism, cyberattack, and more.

II. The Role of International Law in Securing and Regulating Cyber Space

If not the borderless realm for which its early pioneers once hoped, the Internet is at least transnational.  So, if it must be governed, shouldn’t it be governed by international law? In July, 2011, Department of Homeland Security Secretary Napolitano called for an “international legal framework” to “govern[] cyber.”  What international law does or could prevent cyber crime, limit cyber arms and warfare, and protect the free flow of ideas and of commerce?  Can treaties do that?

A. Existing Law

1. Law of armed conflict

a) Proportionality

b) Discrimination

c) Necessity

d) Humanity

2. Council of Europe Convention on Cyber Crime

3. Is access a human right?

B. Case study: What Actions in Cyberspace are “armed attacks”?

The United Nations Charter generally prohibits the “threat or use of force,” but permits self defense in the event of an “armed attack.” No consensus has emerged on what actions in cyberspace constitute a use of force or an armed attack.

1. Position in American Bar Association (ABA) report

2. Position in National Academy of Sciences (NAS) report

3. Position of 7/14/11 DoD Strategy for Cyberspace

4. Apply to real world scenarios

a) Stuxnet

b) Georgia

c) Estonia

d) dissidents

5. Elements of the definition of “armed attack” and of “use of force” in cyberspace

a) Effects? What kind?

b) Intent?

6. What constitutes the right of self defense? (Hack-backs)

III. The Role of Sovereign Government in Securing Cyber Space

Can a territorially based government affect a realm that knows no borders? Given that most of the infrastructure and technology of the Internet is privately owned, what tools do governments have to affect conduct in Cyberspace?

A. Methods (or “implementation mechanisms”)

1.  Regulation

2.  Criminal law

3.  Civil law

4.  Monetary incentives

5.  Education

6.  Leadership / best practices

7.  Military force

 

B. Case study: U.S. Attempts to use criminal law to affect conduct in cyberspace

With only five percent of the world’s population and an ever-decreasing percentage of Internet traffic, can criminal prosecution by United States courts regulate what happens in cyberspace? Given the transnational nature of the Internet, what right does one country have to impose its law on Internet traffic?  What is the legal basis for jurisdiction?  How can domestic law enforcement operate outside of the physical territory of the United States? Do traditional crimes such as trespassing and theft still have meaning in cyber, or do we need entirely new definitions of crimes?  Historical, a thing is not stolen if the owner still has it, so how does theft apply to data?  Is hacking into a computer the same as breaking into a building or a safe?

1.  United States v. Morris

2.  Computer Fraud & Abuse Act

3.  Electronic Communications Privacy Act

4.  Trade Secrets / espionage act

5.  Material Support

6.  Proposed warrants for foreign searches (hacking warrants)

7.  Effective preemption of state crimes

8.  Current state of Commerce Clause as basis for jurisdiction

9.  Hacker arrests in summer of 2011

C. Case study: U.S. Attempts to use civil law to affect conduct in cyberspace

Professor Lisa Dolak has offered to join us for this session.

1. Tort law

a) Data theft

b) Failure to protect

2. Data Theft Disclosure Laws

3. Standards set by administrative regulations

4. Intellectual Property Law

 

D. Use of the Military to Secure Cyberspace

“Cybersecurity threats represent one of the most serious national security, public safety, and economic challenges we face as a nation,” according to the 2010 United States National Security Strategy.  When national security is at stake, surely it is appropriate to employ the military for protection.  And, in fact, “Operations in cyberspace are a critical aspect of our military operations around the globe,” according to then Chairman of the Joint Chiefs of Staff General Peter Pace.  Aside from what the military must do to protect its own networks from attack, when is it appropriate to use the military protect our nation’s and its citizens’ interest in cyberspace?  Can the threat of Mutual Assured Disruption of computer networks deter cyber attacks and cyber war the way that Mutual Assured Destruction deters the use of nuclear weapons? 

1. Current Military Cyber Organizations

a) U.S. Cyber Command

b) NATO Cooperative Cyber Defence Centre

c) People’s Army

2. Deterrence Theory

a) Conventional?

(1) Retaliation

(2) Denial

(3) Resilience

b) Cross-domain

3. Threats v. vulnerabilities

IV. The Role Of Private Sector In Securing Cyber Space

“[M]ost of the real-world governance of the Internet is decentralized and emergent; it comes from the interactions of tens of thousands of network operators and service providers – and sometimes users themselves – who are connected through the Internet protocols.”[1] Generally, those service providers are not owned by nation states.  Can the service providers and users govern themselves?  Should they? Syracuse University Professor Milton Mueller argues that “the problem of Internet governance has produced and will continue to produce institutional innovations in the global regulation of information and communications.”[2]  To what extent should the private sector comprise or at least be involved in those institutions?  Can the private sector provide its own security in cyberspace? Often, the private sector has technical expertise rivaling or exceeding that of nation states.  Do banks and corporations, for example, have a private right of self-defense in cyber?

A. Individual actors – “cyber hygiene”

B. Self-Governance

1. Internet Corporation for Assigned Names and Numbers (ICANN)

2. Internet Engineering Task Force (IETF)

3. United Nations World Summit on the Information Society (WSIS)

4. Working Group on Internet Governance (WGIG)

5. Internet Governance Forum (IGF)

C. Intermediaries

1. Internet service providers

2. Financial institutions

3. The domain name system (control of root files)

4. Information intermediaries (search engines, directories, data aggregators (e.g., ChoicePoint)

V. Attribution: The Key to Security, Trade, and Governance in Cyberspace?

“Attribution” in this context refers to determining the person responsible for a nefarious attempt to disrupt or alter a computer network or data.  An American Bar Association report calls it “[a]rguably the most salient technical issue in Cyberconflict,” and it is an obvious necessity for enforcement of laws against cyber crime. Of course, an action in cyber space that is truly anonymous is by definition incapable of attribution. Security requires a high capacity for attribution, while anonymity requires the opposite. Thus, the spectrum of attributability may be considered by some people to be a tradeoff between security and civil rights. This tradeoff is seen in the Secretary of State’s call to develop "new tools that enable citizens to exercise their rights of free expression" while at the same time pledging that "[t]hose who use the internet [sic] to recruit terrorists or distribute stolen intellectual property cannot divorce their online actions from their real world identities." Clearly, the Secretary wants persons engaging in political speech to be able to conceal their real-world identities from tyrants, but terrorists and criminals to be identifiable to law enforcement. If persons use the same authentication instrument for banking, medical records and “anonymous” blog posts, their speech can be attributed to their physical world identity. Who will make this necessary balance between trusted identification and civil liberties?  Is requiring the authentication of all cyber actors the sine quo non of cyber security?

A. Technically possible?

B. Crime

C. Deterrence

D. National Strategy for Trusted Identities in Cyberspace (NSTIC)

E. Proposals for new or other Internet

A new military protocol could replace TCP/IP, allowing for authentication of the sender of every packet, as well as prioritization and encryption.  A secure network with the protocol, applications and operating system incompatible to the public Internet could be established for the use of government and critical infrastructure.

 

VI. Speech, Privacy and Anonymity in Cyberspace

Is there a tradeoff between privacy and security? Is the relevant Constitutional standard to be found in the 1st Amendment or in the Commerce Clause.  Under the theory that radio signals travel in a limited spectrum and are commercial activity, the FCC enforces all kinds of content restrictions (including transmitter identification) that would never be permitted for printed material.  Yet, radio waves can be used for speech, and books can be sold in commerce.  If 1st Amendment analysis controls, then the anonymity of speech is protected because of the chilling effect identification would have on content.  If the Commerce Clause is the relevant analysis, then the presence of protected speech does not limit regulation any more than putting a political bumper sticker on a tractor-trailer truck exempts it from displaying a registration plate or a safety inspection sticker.  In the physical world, those principles are clear.  The Supreme Court hasn’t really reached such issues pertaining to cyber. The Circuits have held both that the Internet is an instrumentality of commerce, which would permit your plan to require authors of websites to identify themselves, and that the content of packets are protected speech, which would suggest that anonymity is protected. 

A. 1st Amendment Primer

B. 4th Amendment Primer

C. Electronic Communications Privacy Act

1. Stored Communications Act

2. Wiretap Act (Title III electronic surveillance)

3. Pen Register Act

D. Foreign Intelligence Surveillance Act

E. What constitutes a reasonable expectation of privacy in cyberspace?

F. What additional protections are desirable?

G. Does free speech require anonymity?

H. Privacy and Anonymity Are Not the Same

VII. Is Cyber Really a Domain?

A Rand report states: “The establishment of the 24th Air Force and U.S. Cyber Command marks the ascent of cyberspace as a military domain. As such, it joins the historic domains of land, sea, air, and space.” General Michael Hayden, however, asks:

Is cyber really a domain ? Like everyone else who is or has been in a US military uniform, I think of cyber as a domain. It is now enshrined in doc­trine: land, sea, air, space, cyber. … There are those in the US government who think treating cyber as an independent domain is just a device to cleverly mask serious unanswered questions of sovereignty when conducting cyber operations. They want to be heard and satisfied before they support the full range of our cyber potential.

What difference does it make?

 

VIII. Current U.S. Cyber Strategies

“[T]here has been no clear or single articulation of a cybersecurity policy. Nor has there been an agreed-upon framework for leadership and implementation of any policy that may be developed….In sum, if one thing is clear about the state of cybersecurity in the United States, it is that there is not now an agreed-upon way forward.” [3]  In 2011, the U.S. Government has released three strategy documents that could be subparts of an over-all national cybersecurity strategy.  What are their assumptions and goals?  Are they consistent?  What gaps do they leave? What agency of government should take the lead in cybersecurity?

A. Cyber Policy Review

B. White House International Cyber Strategy

C. DoD Strategy for Operating in Cyberspace

D. Review NSTIC

E. Walls, stovepipes, partnerships, and “multi-stakeholderism”

Note relationships in the strategies between government and private sector and between parts of government (LE v. Intel, military v. civilian).

IX. Current Legislative Proposals:

A. White House Draft Cyber Security Legislation

B. Lieberman, Collins, Carper Bill

C. Private Sector proposals

 

X. What Strategy, Regulations, and Statutes Would We Write?

To receive more information once the fall 2012 syllabus is published, please submit the following form.

  • Contact me
    • Required *
    • Please enter your name
      Invalid format.Please enter a full email address
    • Security Code
      Entered text does not match; please try again
      Which number is lowest 59 or 56?
      Incorrect repsonse; please try again
 

 

Sign-in

Not available.

You will be prompted for credentials when you attempt to access protected information.

About INSCT

The Institute for National Security and Counterterrorism (INSCT) -- a joint venture of Syracuse University's College of Law and of its Maxwell School of Citizenship and Public Affairs -- provides cutting-edge interdisciplinary research, graduate-level education, and public service on law and policy challenges related to national and international security.

INSCT