Cybersecurity Outline 2015

Cybersecurity Law Study Guide/Outline 2015

CYBERSECURITY OUTLINE

PROFESSOR EICHENSEHR

SPRING 2015

Print: CFAA, Budapest Convention, EEA, Geneva Convention, Cal. Data Breach Law, SEC Disclosure Guidelines

1. INTRO

a. Sony Hack

i. Timeline

1. June

a. North Korea makes negative comments about the Interview

2. November

a. Discovery of Sony hack (Nov. 24, 2014)

i. Sony realized that their systems have experienced a breach

ii. Message regarding Sony's CEO was displayed on every internal computer

b. Contacted law enforcement within a few days of the discovery of the initial breach

c. First data dump (Nov. 27, 2014)

i. Stolen movies (Annie, James Bond, etc)

3. December

a. Threatening email sent to all of Sony's employees (Dec. 05, 2014)

b. The Interview is referred to in the hackers' communications (Dec. 08, 2014)

c. Warnings sent out to media outlets by Sony regarding the information dumps (Dec. 14, 2014)

i. Hired lawyer David Boies to manage the media attention

d. Threats are communicated to theaters against showing the Interview (Dec. 16, 2014)

e. Major cinemas begin dropping the Interview (Dec. 17, 2014)

i. CEO Linton makes statement that they have no further release plans for the movie

f. Identification of North Korea as the perpetrator by the FBI, statement issued (Dec. 19, 2014)

i. Obama reprimands Sony for pulling the movie

1. Restriction on American freedom of speech

2. Promises proportional response on the part of the US

ii. Secretary of State Kerry condemns North Korea for the cyberattack and indicates that it violated international norms

iii. First time the US has called out a foreign country for a cyberattack

g. Obama makes statements on CNN, calling it an act of cybervandalism (Dec. 21, 2014)

i. Contrast with John McCain calling it cyberwarfare

h. North Korea's internet goes down (Dec. 22, 2014)

i. The Interview is released (Dec. 24, 2014)

j. Email releases and other data releases occur throughout December

i. Employees' and past employees' personal information

1. Social security numbers, etc

ii. Passwords and other company information

iii. Contracts with third-parties and vendors

1. Internal contracts

2. Fee arrangements

4. January

a. Obama issues executive order against North Korea (Jan. 02, 2015)

i. Economic sanctions against North Korea

1. Specific entities and individuals

2. Authorizes the US Treasury department to do so

ii. Makes statement that this is the US's first response to the Sony attack

1. Denies connection with previous North Korean internet outage incident

ii. Issues

1. Sony

a. Labor issues

i. Employee and previous employee information being released

1. Stolen Personally Identifiable Information (PII)

a. Social security number

b. Medical records

b. Security issues

i. Past incidents of hacking

ii. Known weaknesses in their security systems

iii. Negligence in protecting their systems

c. Notice

i. Previous warning email: does this constitute sufficient notice?

d. Intellectual property

i. Stolen intellectual property and its distribution

1. Movies

2. Contracts

3. Business plans

4. Scripts

5. Production plans and drafts

e. Notification

i. Failure to notify employees of breach in a timely manner

1. Federal: SEC notification requirements for publicly-traded companies

a. Duty to shareholders

2. State: Data breach notifications

f. Contractual issues

i. Theaters pulling out constitutes a breach of contract

g. Injunctive issues

i. Whether Sony can legally enjoin media outlets from publishing the stolen information

2. Government

a. Whether any international laws have been broken

b. Proportionality of response

c. Whether criminal laws have been violated and, if so, what laws?

d. Sony's counterattack measures

i. DDOS attacks on websites hosting stolen IP

ii. Recovery and preparation for any future attacks

e. Do the government sanctions comply with international law

f. Freedom of expression

i. Chilling effect on freedom of speech, future movies, actions of media outlets

2. WHAT IS CYBERSECURITY?

a. Cybersecurity threats

i. Framework

1. CIA triad

a. Confidentiality

i. Keeping information secure and secret

b. Integrity

i. System and data not being improperly altered

ii. Issue of accuracy

c. Availability

i. Being able to use the system as anticipated

ii. Having data being accessible when needed

2. Resilience

a. The ability to withstand and endure security threats instead of allowing systems to critically fail

i. Keeping systems running even when they are compromised

ii. Speed in system restoration

b. Considered a backstop for the 3 CIA factors

c. Elements that aid in increases of resilience:

i. Back-ups

ii. Extra network capacity (in response to DDOS attacks)

iii. Higher quality data encryption

ii. Difference between threats and vulnerabilities

1. Vulnerability

a. A vulnerability becomes a threat when there is a bad actor

b. Vulnerabilities have no consequences as of yet, but have the potential to leave the system open to future harms

c. Examples:

i. Weak authentication

1. Poor training

2. Poor password use

ii. New technologies with undiscovered loopholes

1. BMW issue

iii. Bad code with loopholes

iv. Out-of-date virus prevention software

v. Careless insiders

2. Threats

a. Threats occur where a bad actor takes action to endanger the system

i. Cybersecurity threats definitional issues:

1. Inexactness

2. Newness of the issue

3. Dependent on the approaches of each government and country

a. Different tools and different concerns

b. Variety of state concerns:

i. US: Defense and offense

ii. EU: Civilian and military

iii. Austria: Protection of key legal assets; natural dangers included

iv. Israel: Flexibility

v. Estonia: Personal responsibility

vi. Hungary: Education and awareness-raising, inclusion of policy and techniques

vii. Proactive and reactive

viii. New Zealand: Element of detection, acknowledging the fallibility of the internet, points out resilience issues

ix. Turkey: Putting systems back into the state prior to the cybersecurity incident, mentions countermeasures

x. Public responsibility and governmental responsibility

4. Difference between macro and micro cybersecurity

5. No authoritative document on the subject

a. No negotiated definition between governments

b. Examples:

i. Malicious insiders

1. Looking to steal information, trade secrets, etc, from employers

2. Have access to passwords and privileged information

ii. Malware

1. Ransomware

a. Data is encrypted to lock out users and money must be paid in order to regain access

i. Implicates confidentiality, integrity and availability

b. EX: Cryptolocker

iii. Phishing

iv. Viruses

v. DDOS attacks

vi. Hackers and other cybercriminals

vii. Advanced persistent threats

1. Classification of states that are actively engaged in hacking or spying

2. EX: China

c. Why threats exist

i. Why is the internet so vulnerable?

1. The architecture of the internet

a. Lack of transparency

b. Anonymity

c. Decentralization

i. Difficult, expensive and maybe impossible to change the fundamental structure of the internet

ii. Anonymity is important to protect freedom of expression

ii. Exponential innovation

1. More points of access, new configurations may result in unprecedented access

2. Pressure for innovation results in push for quick-release products that are less thoroughly researched and secured

a. Change might slow innovation, disadvantage small start-ups and negatively affect the economy

iii. Widespread integration into economy and society

1. More devices with access

2. Critical infrastructure is operated through the internet

iii. General issues

1. Cyber as an offensive-dominated environment

a. Easier and cheaper to attack (find a weakness in the system) than to defend

i. Fueled by anonymity structure

1. You don't know where the attack is coming from or at what time, leaving less time and knowledge with which to formulate a defense

2. Low barrier to entry

a. Tools and information for cyberattacks are widely available on the internet

i. Black market for cybercrime tools allows experts to pass on tools and information to those with intent

iv. Perpetrators of cyberthreats

1. Criminal hackers

a. Financially-motivated criminal gangs

2. Hacktivism

3. Espionage attacks

a. Trade secret theft

b. Spying

v. Cases

1. Wall Street spear-phishing incident

a. Facts

i. Use of Wall Street lingo to conduct hack

ii. Malware was contained in emails, written in sophisticated Wall Street language, that were sent to executives

b. Combination of hacking and social engineering

c. Getting confidential information about particular industries

i. Focus on pharmaceuticals and healthcare

d. Tailored to the recipient

i. Looks like something you would receive from someone that you are actively in contact with

ii. Requires more work on the part of the hackers

2. Zeus BotNet takedown

a. Facts

i. Mass takeover of users' computers, which were then used collectively to swarm other websites

1. Malware allowed the bot-herders to direct the networks of compromised computers to do certain tasks

a. Some were aimed at DDOS attacks

b. Some aimed at stealing credentials

ii. Stole banking credentials and initiated wire transfers overseas of over $100 million

iii. Simultaneous infection with Cryptolocker

3. Estonia cyber-riot

a. Facts

i. Movement of a statue resulted in Russian DDOS attacks being directed at Estonia's government websites, which further replaced Estonia's sites with Russian propaganda

ii. Suspected to be orchestrated by the Russian government

1. Information was posted on Russian-language websites, which allowed private citizens to utilize this information as well

4. Iranian hack of US banks

a. Facts

i. Banks were bombarded with DDOS attacks that resulted in bank shutdowns

b. Thought to be too sophisticated to be the work of amateur hackers, attributed to Iran

i. Takes a lot of bandwidth to direct that much traffic at the banks

5. Associated Press (AP) Twitter hack

a. Facts

i. Tipped stock market by $136 million

ii. One in a series of defacements of media organizations' websites

1. Said that Obama was injured on AP's Twitter

a. Caused the market to dive for 3 minutes

iii. Used a phishing email directed at AP staff members that asked them to click a particular link

6. Flame virus

a. Facts

i. US and Israel develop the Flame virus in order to hack Iranian oil companies

1. The virus collected information and sent a steady stream of information back to owners to allow them to prepare for more targeted attacks

a. Activation of microphones and cameras to allow for remote spying

b. Could receive commands through Bluetooth

2. Activated as a Microsoft update

ii. Claims that the virus's DNA was similar to the code used in Stuxnet: similar programming language and overlapping code

iii. Flame was the precursor to Stuxnet

iv. The level of malware sophistication indicates state involvement

7. Stuxnet

a. Facts

i. Virus was able to gain control of nuclear facility centrifuges and cause them to spin out of control, thereby destroying them, while simultaneously transmitting to Iranian authorities that all was fine

ii. Iranians attributed it to human error for a period

8. Cyberattack on a Saudi Arabian firm

a. Facts

i. Perpetrator initiated the attack on a day when 55,000 of the employees were not there due to religious holiday

ii. Erased data on 3/4s of the corporate PCs and replaced it with a picture of a burning American flag

b. US sees it as Iran firing back for Stuxnet

9. NSA infiltration of Yahoo and Google clouds

a. Facts

i. Used the link between data centers and targeted the internal clouds of the companies to gather private information

1. Data travelling between data centers is unencrypted

a. Has led to companies encrypting everything

ii. Came out as part of Snowden leak

10. Protestors in Hong Kong

a. Facts

i. Message in WhatsApp requested people join a protest group, which, in turn, gave the Chinese government access to their phones and coordinates

b. Attributed to the Chinese government as this is a tactic that has been used before

vi. Documents detailing cybersecurity threats

1. IP Commission Report

a. Puts majority of blame for economic IP stealing on China (50%-80%), India and Russia

b. Annual losses are comparable to current US exports to Asia, around $300 billion

c. Considers IP theft as the greatest transfer of wealth in human history

d. Recommendations

i. Increasing the issuance of visas, green cards and related immigration documents to IP and tech workers

ii. Increase the Department of Justice's and the FBI's ability to combat the theft

iii. Create a private right of action under the Economic Espionage Act

1. Bypassing the DOJ as the sole avenue of prosecution

iv. Confiscation of goods that use stolen IP

v. Deny foreign companies who have stolen American IP use of American banking system

vi. General change of the cost-benefit calculus for entities benefiting from stolen IP

vii. Would not allow US companies to be bought by companies that did not have strong IP protection

1. However, range of diplomatic and investment consequences

viii. Companies that experience cybertheft should be allowed to retrieve their information, if it does not damage the intruder's network

1. Endorses hacking back

2. Mandiant report, APT1

a. Mandiant is a forensic security firm

i. Made their name doing investigations on compromised companies

b. Report named China as an Advanced Persistent Threat

i. Triggered a chain of organizations naming China in cybersecurity issues

ii. Attribution of acts to government sponsored actors in China Unit 61398

1. Tracing of IP locations

2. Evidence of a particular building with the IP resources

3. Employees had the necessary IP backgrounds

a. Required that they be able to speak English

4. Keyboard that was used to code was set to the Chinese language

iii. Industries that were part of China's 5-year plan

1. Satellites and telecom

2. Mining

3. Engineering

4. Aerospace

5. Government

iv. Average length of time the virus was in the system was about a year, the longest being 4 years and 10 months

1. Lack of detection is a big issue

2. Computers compromised through spear-phishing

3. CONCEPTUAL CYBERSPACE ARTICLES

a. Cyberspace Declaration of Independence; Barlow

i. In response to the Communications Decency Act, which applied regulations for radio and television to the internet

1. Struck down by the Supreme Court a year later

a. Impermissibly vague, did not define indecency, violated the First Amendment

ii. Views the internet as a new space, requiring a new layer of consent

iii. No physical coercion is applicable in the cyber world

b. Law and Borders: The Rise of Law in Cyberspace; Johnson, Post

i. Asserts that governments should not and cannot regulate the internet

1. Arguments:

a. Absence of territorial borders in cyberspace

b. Difficulty in tracking users' locations

c. Effects of online activities are not necessarily tied to one location and easily cross borders

d. Enforcement almost impossible

e. Enforcement may be illegitimate

i. Power of the government is derived from the will of the people

1. View that users need to consent to be governed (again)

2. View that government cannot effectively regulate because they do not understand the cyber community

f. If all governments regulated, there would be conflicting regulations and overlapping jurisdictions

i. No notice of what the law is

ii. Conflict of laws might result in users complying with the strictest regulations resulting in a race to the bottom

c. The Internet and the Abiding Significance of Territorial Sovereignty; Goldsmith

i. Argument

1. Internet governance is not inherently different

a. Extraterritorial effects are common in the real world

2. Separate internet sovereignty would overlap with state regulatory measures

3. Many nations have common regulatory interests

4. Problem of not being on notice as to what law applies is exaggerated

a. Content providers can give notice

5. Does not believe that consent is as big an issue as Johnson and Post do

a. You have consented to your territorial government; you do not need to consent again

i. Part and parcel of existing governments

6. The more integrated we are with the internet, the more territorial laws will have hold over the internet, in turn

7. Enforcement

a. Physical coercion can still occur in cyberspace because actors exist outside of the internet and the government can still act on the assets and persons of that actor

8. Regulatory leakage issue exaggerated

a. EX: Companies incorporate in other states to get around enforcement

i. Not a purely cyber issue

ii. Does not need to be perfect in order to be effective

9. International harmonization would be difficult

a. States' views represent a spectrum

b. Influenced by businesses as trade agreements and business interests may create a trend towards harmonization

10. Governments do not own the underlying infrastructure to the internet, so difficult for states to directly regulate

d. Code 2.0; Lessig

i. Idea that code is law

1. Code as a regulator: how it is designed and functions is the ultimate restrictor of behavior

a. The people who created the internet are the regulators and these people are non-governmental actors

b. Sets the terms in which the internet functions

ii. Argument

1. Liberty in cyberspace will not come from the absence of the state

a. Rejects Johnson and Post's anarchist views

b. Governments are acting to benefit the public good and are held accountable to such

i. Whereas coders are motivated by the economy and could quietly change things without anyone noticing

4. STRUCTURE OF CYBERSPACE

a. Net neutrality

i. All internet traffic is routed at the same speed

ii. FCC has announced future regulation that would prohibit throttling

1. Classified the internet as a public utility

b. Structure

i. Internet Corporation for Assigned Names and Numbers (ICANN)

1. US is relinquishing control of ICANN to other multi-stakeholder processes

a. Due to increasing criticism about the US's dominant role in internet infrastructure

b. Congress prohibited the Department of Commerce from appropriating funds for the transfer, but did not prohibit the transfer itself

i. Does not need funds to transition ICANN, transfer of authority will automatically occur when the contract runs out in Sept., 2015

ii. Internet Engineering Taskforce (IETF)

1. Multi-stakeholder group

2. Develops the technical protocols that run the internet

a. Developed IPv4: 4.3 billion IP addresses, which are running out

b. Developed IPv6: Expands the number of IP addresses by a gazillion

iii. Internet Society

1. Open-forum that anyone can join, including individuals and organizations for a fee

2. Advocates for an open internet

3. Operates on a multi-stakeholder consensus model (humming!)

iv. International Telecommunication Union (ITU)

1. Started in order to regulate telegraphic exchanges between countries

2. Debate at World Conference on International Telecommunications (WCIT) 2012 on whether to include the internet as one of the forms of communication that they can regulate

a. Pushed by Russia, adopted by some, but not others

i. Normally operates by consensus rule, but this conference broke tradition and had a formal majority vote

ii. Big player countries walked out

b. Internet issue was talked about in a side resolution, not in the binding part of the treaty itself

c. Language of the resolution stated that all governments play an equal role

i. Imposition of a multi-lateral instead of the original multi-stakeholder model

ii. Equal role language is a slam on the US

3. Is a UN body, and giving the ITU the ability to regulate the internet would mean that each UN state gets one vote, and would cement the multi-lateral model transition

c. Multi-stakeholder model

i. PROS

1. Run by private industry and not by state governments or organizations

2. Current stakeholders are more competent and well-versed in the subject than governments

3. More legitimate than one state government acting for everyone

4. Takes into account the views of more states

5. Chance of one particular government's interest being overly represented is smaller

6. So far has been effective in governing the internet

7. No real feasible alternatives

ii. CONS

1. Too many people are involved; easy to make backdoors

2. Not enough order

3. Ineffective enforcement

4. Driven by technology companies which are largely headquartered in the US

5. Common citizens do not have the resources or technical know-how to voice an opinion

6. Western-dominated

7. Skews everything in a profit-driven, self-interested way; private industry agenda needs to be taken into account

d. Views

i. International Strategy for Cyberspace (US AND EU VIEW)

1. Promotes:

a. Multi-stakeholder governance

i. US can promote this because it decreases worldwide governmental control, while at the same time the US has other levers of control through which it can exert its power and therefore does not need to make it explicit

b. Freedom of expression

c. Privacy

d. Establishing international norms

i. Safety, stability

e. Interoperability

i. One internet for the whole world, not multiple national internets

ii. Anti-fragmentation

ii. International Code of Conduct (CHINESE AND RUSSIAN VIEW)

1. Promotes:

a. Multi-lateral governance

b. Pro-fragmentation of the internet

c. State sovereignty in the internet sphere

d. Content control

e. State acts as primary figure in information selection

f. Prohibition on proliferation of hostile activities

g. Establishing alternative norms

i. Respecting cultural differences

ii. Freedom of expression, etc, are not international norms

5. DISCLOSURE AND TRANSPARENCY IN THE CYBER SPHERE

a. SEC disclosures

i. For public companies, requests disclosure of cybersecurity risks through guidance materials, which are not mandatory or binding

1. Requires disclosure where triggered by a material risk

a. Information is considered material if there is a substantial likelihood that it would change the attitude of an investor

ii. Attacks covered by disclosure materials

1. Not just data breaches that compromise viable data

a. DDOS attacks

b. Insider attacks

c. Third-party attacks

d. IP theft

2. Any kind of cybersecurity risk as long as it meets the materiality threshold

iii. Level of detail

1. Vague standard: not so generic that it fails to provide enough information, but not so specific that it would disclose or cause future risks (too much specificity might give other hackers a road map)

iv. Benefits of public disclosure requirements (Singer, Friedman)

1. Puts similar companies on notice as to how they might be attacked or that they might be attacked

2. Holds companies more accountable

a. Companies have the choice of upping their security or waiting for an attack to occur and subsequently disclosing it

3. Transparency helps shareholders make decisions

4. Creates competition and a market for security

5. Increases board attention on the issue

6. Helps in risk assessment

a. Ability to value the breach in a monetary manner

b. Company considerations

i. Associated costs upon breach

1. Remediation costs

a. Cost of notification in the case of a data breach

2. Litigation costs

3. Increased security costs, post-attack

a. Trainings

b. Upgrading of systems

c. Employment of third-party protections

4. Reputational costs

a. Loss of confidence by the public

b. Company security

c. Loss of customers

d. Content disclosure

e. Damaged relationships

5. Incentive payments to retain customers after they have been damaged by a cyber attack

6. Trademarks and trade secrets

a. Lost revenue from stolen IP

7. Cost of countermeasures

8. Costs of preventative measures

ii. Risks

1. Are you a target?

2. Frequency of attacks in your industry?

3. Threatened attacks?

4. Prior attacks?

5. Financial stability after breach?

6. Litigation due to breach?

c. Examples of data breaches

i. RSA (Enter the Cyber Dragon)

1. Facts

a. Company that makes security keys and prides itself on one-time passwords

i. Created two-factor authentication SecurID tokens

b. Chinese hackers found the source code for the security device

i. Defense contractors were the ones using the products, so very alarming

c. Unclear how long hackers were in system

d. Replacement of the SecurID tokens in June; attack occurred during March

i. RSA's parent, EMC, filed an 8-K making the disclosure public the day of the attack

1. Did not state what information was taken, did not tell customers what they should do, what remedies they can pursue

d. Data breach notifications

i. Data breach laws designed to protect individuals and customers

1. Goal of disclosure is to tell customers to take protective steps, not to warn other companies

2. Provides different protections than SEC, including credit protection, customer awareness

3. Very expensive to send notices

a. Creates litigation costs

b. Large costs, however, increase board awareness of the issue

ii. Complicated data breach notification compliance

1. Data breach laws of each state

a. Method of notification

i. Email

ii. Phone

iii. Mail

iv. Substitute notice

1. Printing something in the media

2. Posting on the company's website

v. Whatever method the customer has previously consented to for being contacted by the company

b. Trigger for substitute notice

c. What constitutes personal information

i. Name

ii. Social security number

iii. Driver's license

iv. Medical information

v. Health insurance information

vi. DNA

vii. Fingerprinting

d. What amount of time in which to send out notice

i. All states allow some delay for working with law enforcement, which incentivizes companies to do so

e. Notification triggers

i. CA: Strict liability if breach, no requirement of subsequent risk of harm

ii. Other states take into account risk of harm

1. Whether the unauthorized access will result in misuse

iii. Companies may seek an initial waiver from customers at the beginning of the consumer relationship

1. However, some states have found this to be against public policy

iv. Some states allow a private right of action for consumers (class actions)

v. Compliance more difficult for small companies

vi. Data breach notification laws

1. Cal. Civ. Code 1798.82

a. General

i. First data breach law passed in the country

ii. Applies to businesses in California with personally identifiable information

b. Trigger: what causes a requirement to notify?

i. That the information was, or is reasonably believed to be, acquired by an unauthorized person

1. Strict liability, no requirement of harm

c. Timing

i. Most expedient time possible without unreasonable delay

1. Reasonableness as a standard, not a rule

2. Acceptable delay:

a. Involvement of law enforcement

b. If disclosure would impede a case

c. Measures necessary to restore the system

d. No notice exemptions are allowed

i. No waiver provision

1. Customers cannot sign anything that will waive their right to notification

e. Private right of action

f. Specific permissible methods of notification

i. Written notice

ii. Electronic notice

1. In the case of an email breach, cannot notify through email

iii. Substitute notice

1. Can be used where the number of people is enormous, you cannot contact them or the cost is prohibitively expensive

g. Content

i. Has to be in plain language

ii. If they are going to provide identity theft services, cannot charge for it

h. Parties

i. The people whose information has been compromised

ii. The State Attorney General

1. Triggered by number, 500+ California residents

2. 3 purposes of data breach notification law

a. Politeness

i. You should know when something of yours is stolen

b. Provide statistics for security experts

c. Increase the costs to companies

i. Force them to take security seriously and increase spending on it

3. Potential future movement to one unified federal data-breach law

4. Current, federal data breach statutes

a. HIPAA

i. Applies specifically to healthcare providers

ii. GLBA

1. Financial institutions must disclose breaches of financial and banking information

vii. Examples of data breach notifications

1. Sony letter

2. Target letter

3. People of the State of California v. Kaiser Health Plan

a. Facts

i. A hard drive containing a large amount of people's personal information was sold at a thrift shop

ii. Kaiser learned of the drive's whereabouts in Sept., 2011, retrieved it in Dec., 2011 and did not begin notifying people until Mar., 2012

b. First suit brought for unreasonable delay
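As an added illustration (not part of the outline), the following Python planner encodes the Cal. Civ. Code 1798.82 rules the way the outline states them: the strict acquisition trigger with no harm requirement, notice to the Attorney General above the outline's 500-resident figure, the rule that an email breach cannot be notified by email, substitute notice when direct contact is infeasible, and a timing review that reports elapsed days and whether a law-enforcement or restoration excuse is on record (the Kaiser facts above being the motivating case). The Breach fields, the scenario counts, the substitute-notice thresholds and the 30-day internal review trigger are assumptions made for this example, not statutory values.

```python
# Added example, not from the outline: a small planner that encodes the
# Cal. Civ. Code 1798.82 notification rules as the outline summarizes them.
# The Breach fields, the scenario values and the substitute-notice thresholds
# are assumptions made for this example, not values from the statute.
from dataclasses import dataclass, replace
from datetime import date
from typing import Optional

# Data elements the outline lists as "personal information".
PERSONAL_INFORMATION = {
    "name", "ssn", "drivers_license", "medical", "health_insurance",
    "dna", "fingerprint", "email_credentials",
}

# Outline: AG notice is "triggered by number, 500+ California residents";
# the boundary is read here as more than 500 (assumption).
AG_NOTICE_THRESHOLD = 500

# Placeholders: the outline only says substitute notice applies when the
# number of people is "enormous" or the cost "prohibitively expensive".
SUBSTITUTE_NOTICE_PERSONS = 500_000
SUBSTITUTE_NOTICE_COST_USD = 250_000.0

# Assumed internal review trigger; the timing test in the outline is a
# reasonableness standard, not a fixed number of days.
REVIEW_AFTER_DAYS = 30


@dataclass
class Breach:
    data_elements: set                  # exposed elements, drawn from PERSONAL_INFORMATION
    reasonably_believed_acquired: bool  # acquired, or reasonably believed acquired, by an unauthorized person
    ca_residents_affected: int
    reachable_by_mail: int              # affected people with a usable postal address
    reachable_by_email: int             # affected people with a usable email address
    estimated_notice_cost_usd: float
    discovered: date
    law_enforcement_delay_requested: bool = False
    restoration_in_progress: bool = False
    notified: Optional[date] = None


def variant(base: Breach, **changes) -> Breach:
    """Copy a scenario with some fields changed (for what-if checks)."""
    return replace(base, **changes)


def notice_required(b: Breach) -> bool:
    """Strict trigger: acquisition (or reasonable belief of it) of personal
    information. No showing of harm is needed, and the outline notes a
    customer waiver cannot remove the duty, so no waiver field exists here."""
    return bool(b.data_elements & PERSONAL_INFORMATION) and b.reasonably_believed_acquired


def permissible_methods(b: Breach) -> list:
    methods = []
    if b.reachable_by_mail > 0:
        methods.append("written")
    # Outline: in the case of an email breach, cannot notify through email.
    if b.reachable_by_email > 0 and "email_credentials" not in b.data_elements:
        methods.append("electronic")
    # Substitute notice (media, company website) only when direct contact is
    # infeasible: nobody reachable, enormous population, or prohibitive cost.
    if (not methods
            or b.ca_residents_affected > SUBSTITUTE_NOTICE_PERSONS
            or b.estimated_notice_cost_usd > SUBSTITUTE_NOTICE_COST_USD):
        methods.append("substitute")
    return methods


def parties_to_notify(b: Breach) -> list:
    parties = ["affected individuals"]
    if b.ca_residents_affected > AG_NOTICE_THRESHOLD:
        parties.append("California Attorney General")
    return parties


def delay_review(b: Breach, today: date) -> dict:
    """Report elapsed days and whether an outline-recognized excuse
    (law-enforcement request, system restoration) is on record."""
    end = b.notified or today
    days = (end - b.discovered).days
    excused = b.law_enforcement_delay_requested or b.restoration_in_progress
    return {"days_elapsed": days, "excuse_on_record": excused,
            "flag_for_review": days > REVIEW_AFTER_DAYS and not excused}


def plan(b: Breach, today: date) -> dict:
    if not notice_required(b):
        return {"notice_required": False}
    return {
        "notice_required": True,
        "parties": parties_to_notify(b),
        "methods": permissible_methods(b),
        "timing": delay_review(b, today),
        # Content rules from the outline.
        "content": ["plain language", "identity theft services, if offered, at no charge"],
    }


# Constructed scenario, loosely modelled on the outline's Kaiser facts:
# learned of in Sept. 2011, notices beginning Mar. 2012, no law-enforcement
# hold on record. The counts and cost are invented for the example.
KAISER_LIKE = Breach(
    data_elements={"name", "ssn", "medical"},
    reasonably_believed_acquired=True,
    ca_residents_affected=20_000,
    reachable_by_mail=20_000,
    reachable_by_email=15_000,
    estimated_notice_cost_usd=40_000.0,
    discovered=date(2011, 9, 1),
    notified=date(2012, 3, 1),
)

if __name__ == "__main__":
    for key, value in plan(KAISER_LIKE, date(2012, 3, 1)).items():
        print(f"{key}: {value}")
```

Running the script on the constructed scenario shows written and electronic notice both permitted, the Attorney General added as a party because the count exceeds the 500 figure, and a 182-day gap flagged for review because no recognized excuse is recorded; changing the exposed elements to include email credentials removes electronic notice from the permitted methods.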

6. EXISTING CYBERSPACE LAWS

a. The CFAA was originally intended to cover only hacking and has been stretched to cover things it was never meant to cover

i. Did not predict the expansion of the internet and its effects on the CFAA

ii. Consequently, a very harsh statute to use in relation to certain internet cases

iii. Violation of terms and conditions (contract-based restrictions) is a clashing point between circuits as to whether it is a viable theory

b. Has both civil and criminal sides, with civil definitions getting leaked into criminal cases

c. Government is exempted from the CFAA in 1030(f)

d. CFAA 18 USC 1030(a)

i. Initially passed in 1984

1. Established crimes relating to the misuse of a computer to obtain national security secrets or personal financial records or hacking of US governmental computers

ii. 7/8-9 distinct crimes:

1. (a)(1) Accessing a computer without authorization or exceeding authorized access to obtain classified information with reason to believe that such information is to be used to the injury of the US.

a. Unauthorized access is not defined

b. Exceeding authorized access defined as accessing a computer with authorization and using such access to obtain or alter information that the user is not authorized to obtain or alter

2. (a)(2) Accessing a computer without authorization or exceeding authorized access to obtain:

a. Governmental information

b. Financial information

c. Information from a protected computer

i. Most frequently charged category of CFAA crimes

3. (a)(3) Accessing any nonpublic computer of a department or agency of the US intentionally and without authorization or exceeding authorized access

a. Applies specifically to US government computers

b. Rarely used

4. (a)(4) Knowingly, with intent to defraud, accessing a protected computer without authorization or exceeding authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer or the value of such use is not more than $5,000

5. (a)(5) Knowingly cause the transmission of a program, information, code or command, etc, causing intentional damage without authorization

a. (A) Transmission of a virus, malware, etc, that results in damage to the receiving computer

b. (B) Recklessly causing damage

c. (C) Intentional access causing damage or loss

i. Computer damage clause

ii. Covers both unauthorized damage and unauthorized access that causes damage

6. (a)(6) Knowingly, and with intent to defraud, traffic in any password or similar information through which a computer may be accessed without authorization if:

a. (A) Such trafficking affects interstate or foreign commerce, or

b. (B) Such computer is used by or for the government

i. Prohibits trafficking in passwords

1. Misuse of passwords is not trafficking of passwords

7. (a)(7) With intent to extort from any person any money or other thing of value:

a. (A) Threatening to cause damage to a protected computer

b. (B) Threatening to obtain information from a protected computer or impair the confidentiality of information

c. (C) Demanding or requesting money or other thing of value in relation to damage to a protected computer where such damage was caused to facilitate the extortion

8. (b) Whosoever conspires to commit such crimes or attempts to commit such crimes

iii. Enforcement of CFAA

1. Action can be brought by:

a. Federal prosecutor

b. Private right of action (1030(g))

2. Definitions

a. Protected computer

i. Computer used in or affecting interstate commerce, including computers located outside of the US

ii. Computer used exclusively by a financial institution or by the US government

b. Exceeds authorized access

i. To access a computer with authorization and to use such access to obtain or alter information in the computer that the accessor is not entitled to so obtain or alter

c. Authorization

i. Code-based

1. Password

a. Clearer showing of circumventing authorization

b. Usually conducted by outsiders

c. Violations more similar to traditional hacking

ii. Contract-based

1. Terms of service

a. Based on a promise, not on incapacity

b. Usually conducted by insiders

c. More closely tracks exceeding authorized use

iv. Cases

1. UNITED STATES V. MORRIS

a. Facts

i. Defendant dared to test the limits of the internet

1. At this time, the university, government and military institutions were linked together

ii. Released a worm to see how big the internet was, but wound up causing a lot of damage

1. Booted the worm from an MIT computer

2. Worm was programmed to guess passwords

b. Analysis

i. Charged with CFAA 1030 precursor: intentionally accessing a federal computer without authorization

1. Defendant argues that he just exceeded authorized use

ii. Court found that his conduct constituted unauthorized access, because he did not use his access in a way related to the intended function of that access

2. INTERNATIONAL AIRPORT CENTERS V. CITRIN

a. 7th Circuit; Posner

b. Employee decided to quit and before he turned in his computer, he erased all of the data on the computer

c. Taking actions adverse to your employer may mean that you no longer have authorization

i. Employee authorization depends on your role as an agent of the company

ii. When you breach the duty of loyalty, you lose all authorization

d. Held that he had accessed the computer without authorization

3. DEPARTMENT OF JUSTICE INDICTMENT OF CHINESE OFFICIALS

a. Facts

i. Chinese military officials charged with using spear-phishing tactics to gain information about design specifications for nuclear power, business plans and as a general entry-point into various American companies

b. Analysis

i. Charged with:

1. Unauthorized access

2. Conspiracy

3. Transmission that intentionally causes damage

4. Accessing a protected computer and taking information

5. Economic espionage

6. Wire fraud (separate from CFAA violations)

4. UNITED STATES V. NOSAL

a. En banc, 9th Circuit; Kozinski

i. Criminal cybersecurity case

b. Facts

i. Convinced his ex-coworkers to take proprietary information from his old firm and to help him use that information to start a new firm

1. Recruited ex-coworkers to download company contacts from a company-restricted database

c. Analysis

i. Charged with CFAA 1030(a)(4) aiding and abetting

ii. Court limited violations of restrictions on information as code-based access, and not contract-based access

1. Exceeding authorized access is limited to violations on access to information and not on its use

2. Court favors narrow interpretation

a. Notice: many individuals violating terms of service may not realize that they are committing a federal crime

b. Criminalizes a wide swathe of behavior

i. Makes everyone a criminal

c. Canons of interpretation

i. Should be up to Congress to make things illegal, not the courts

ii. Courts should construe the criminal statutes narrowly based on the Rule of Lenity

d. Terms of service often go unread

e. Possibility of discrimination

i. Prosecutorial discretion insufficient

ii. May be used as a pretext for firing employees

f. Wants consistent interpretation and one definition across the whole statute

g. Vagueness

h. Affects not just employee contracts, but also internet consumers

i. Reaches conduct that is not inherently wrongful

iii. Other remedies for trade secret infringement, apart from CFAA

d. Holding

i. Finds for Nosal; the phrase "exceeds authorized access" within the meaning of the CFAA is limited to access-based restrictions, not use-based restrictions

1. Violations of contract-based restrictions not covered

5. WEC CAROLINA ENERGY SOLUTIONS V. MILLER

a. 4th Circuit

b. Facts

i. Employee took proprietary information from company, goes to work for a competitor and uses that proprietary information to steal clients from his old employer

c. Analysis

i. Alleged violation of the CFAA 1030(a)(2)(C) (broadest), (a)(4) (fraud), (a)(3) (damage)

ii. CITRIN case

1. 7th Circuit; Posner

2. Facts

a. Airport employee erases all company information on a laptop before subsequently leaving the company

3. Cessation of agency theory

a. Breach of a duty of loyalty means that the employee loses all authorization beyond that point

iii. Rejection of cessation of agency theory

iv. Finds that if you had code-based access, there is no violation under the CFAA

6. UNITED STATES V. DREW

a. Facts

i. Mother uses fake Myspace account to terrorize another little girl who subsequently killed herself

b. Analysis

i. Government argued that violation of terms of service renders access to a computer unauthorized; charged defendant with violation of Myspace's terms of service

1. Cannot include a photo of another person without their consent

2. Cannot solicit information from someone under 18

ii. Was convicted and judge struck down the conviction for void-for-vagueness reasons

1. Encourages discriminatory enforcement

a. Difficult to tell what is actually prohibited under a statute

7. U.S. V. MARIO AZAR

a. Facts

i. IT worker unhappy when he did not get a full-time position and wiped everything off of the master server

1. Had the effect of disrupting communications between Pacific Gas and Electric and their offshore oil platforms

8. U.S. V. MIJANGOS; U.S. V. KAZARYAN

a. Facts

i. Defendants were sex-extortionists

1. Would hack into victims' accounts and computers to search for intimate pictures

2. Would turn on computer cameras without the victims' knowledge

ii. Mijangos would monitor victims and would pretend to be their significant others in order to access private information and photos

iii. Would threaten the victims with posting the videos online

9. U.S. V. CHANEY

a. Hacked celebrity accounts

10. U.S. V. MOORE

a. Revenge porn king

11. U.S. V. VOGELAAR

a. Hacked into post-production company and stole pre-release movies

12. AARON SWARTZ CASE

a. Facts

i. Tried to download a significant portion of the JSTOR database

ii. Charged under wire fraud statute and CFAA

iii. Circumvented a significant amount of code-based restrictions

1. Both unauthorized access and exceeding authorized access

iv. Killed himself after being threatened with 35 years of jail time

b. Aaron's Law

i. Potentially could change the CFAA to cover only code-based access

ii. Would eliminate liability in the CFAA for contract-based access

iii. Would reform the penalties

7. ACTIVE DEFENSE (HACKING BACK)

a. General

i. The Department of Justice has held that there is no exception in the CFAA for companies hacking back

b. Kinds of active defense

i. Planting of false information (OK)

ii. Stolen information that self-destructs (OK)

1. Issue of whether this will damage the perpetrators systems

iii. Beaconing (OK)

1. Shows where the data is allowing you to trace

2. Alerts the company that the data has left its system

iv. Patrolling cybercrime forums (OK)

1. Accounting information, offers to sell intellectual property, etc

v. Honeypots (OK)

1. A weakened server seeded with information

2. Traps set to entice hackers to a particularly weakly defended server in order to see what they are looking for, what techniques they are using and in an effort to look for clues of their identity

vi. Accessing the server of the hacker and deleting the stolen files (NO)

vii. Stewart Baker's "Poisoned RATs" (NO)

1. Remote Access Tool

a. The hackers' way into a company's server; a poisoned RAT sends malware or a beacon back to identify them

viii. Disabling hackers servers (NO)

ix. Virtual labyrinths (OK)

1. Continuous misdirection of hackers

2. Increases the hackers costs

c. Arguments

i. For hacking back

1. "Your computer, my data": because it is your data, you're allowed to follow it and take it back or control how it is used

a. Argument hurt by the fact that the CFAA talks about accessing computers, not data

2. Compromised machines owned by innocent third parties

a. You are doing them a favor by letting them know what is happening to them

b. However, this is tempered by the fact that you cannot harm their computer in your counterattack

c. Limit: cannot cause damage, but surveillance is likely okay

i. Must be very confident when launching your counterattack that the third-party will not be damaged, or else you will get no protection

3. More resources for private defense

4. Less political controversy

a. Private parties' actions cannot be attributed to the state

ii. Against hacking back

1. CFAA prohibits overloading a computer with data, even if it is done to stop an ongoing attack

a. CFAA 1030(a)(5)(A) computer damage statute

i. Knowingly causing the transfer of code, command, etc causing damage to a protected computer.

1. CFAA 1030(e)(8)

a. Damage is defined as any impairment on the availability of data

i. Definition covers DDOS attack

2. Attribution is very difficult

3. Potential interference with US government

4. Escalation

a. Wrongful attribution may result in someone lashing out

5. Resource allocation

a. Well-resourced companies would be able to protect themselves, but not others

d. Governmental blind eye

i. Delegitimization of the CFAA where prosecutorial discretion is used to allow companies to hack back

1. How should the CFAA be revised to allow hacking back?

a. Allow an affirmative defense

b. Pose conditions for retribution

i. Accurate attribution

c. Limit on damages that you can do to another server

d. Manipulation of own data to protect itself is okay

ii. Other potential options

1. An armed non-governmental cybersecurity enforcement entity

2. Letters of marque

a. Companies getting permission from the DOJ to hack back if they fulfill certain criteria allowing private action under specific circumstances

8. Cyberespionage

a. Economic Espionage Act

i. General

1. Passed in 1996, signed into law by Clinton

2. Addresses economic security and relates it to national security

a. Extends federal protection to trade secrets

3. Is not a cyber-specific statute

a. Often charged with other statutes, including CFAA

i. EX: UNITED STATES V. NOSAL

ii. EEA covers 2 types of trade secret misappropriation

1. 18 USC 1831 economic espionage

a. What is a foreign instrumentality? 18 USC 1839(1)

i. Means any agency, bureau, ministry, component, institution, association, or any legal, commercial, or business organization, firm, or entity that is substantially owned, controlled, sponsored, commanded, managed, or dominated by a foreign government.

b. What is a foreign agent? 18 USC 1839(2)

i. Means any officer, employee, proxy, servant, delegate, or representative of a foreign government.

c. Important commonality is foreign state ownership and control

d. 1831 charged much less frequently than 1832

i. 1831 economic espionage penalty is much higher

1. Economic espionage

a. Individuals: fine up to $5 million or up to 15 years' imprisonment, or both

b. Organization: Fine up to $10 million or three times the value of the stolen item (18 USC 1831(b))

2. Trade secret

a. Individuals: Fine and imprisonment up to 10 years

b. Organization: Fine of not more than $5 million

e. Elements

i. Theft of a trade secret

ii. Knowledge that the theft would benefit a foreign government, agent, instrumentality, etc

2. 18 USC 1832 trade secret theft

a. What is a trade secret? 18 USC 1839(3)

i. Means all forms and types of financial, business, scientific, technical, economic, or engineering information, including patterns, plans, compilations, program devices, formulas, designs, prototypes, methods, techniques, processes, procedures, programs, or codes, whether tangible or intangible, and whether or how stored, compiled, or memorialized physically, electronically, graphically, photographically, or in writing, if:

1. (A) The owner thereof has taken reasonable measures to keep such information secret, and

a. Expanded on in UNITED STATES V. CHUNG

i. Advised employees of the existence of trade secrets

ii. Marking information as secret

iii. Restrictions on access

iv. Password protection

v. Physical protection

2. (B) The information derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable through proper means by, the public

a. For economic value courts consider:

i. Value to owner

ii. Value to competitor

iii. Whether the information would yield an economic advantage

iv. Whether someone had to pay for it

v. Cost of development

b. Circuit disagreement as to "readily ascertainable" by whom?

i. EEA: "the public" v. Uniform Trade Secrets Act (UTSA): "other persons who can obtain economic value from its disclosure and use" (the economically relevant portion of the public)

b. Elements

i. Intention to convert the trade secret to benefit someone other than the owner

1. Does not need to show specific attribution like 1831

ii. Knowledge or intention that the offense will injure the owner of the trade secret

iii. Has to affect interstate commerce

c. Trade secret v. economic espionage

i. Trade secret theft requires more elements than economic espionage, but there is substantial overlap

ii. Economic espionage differs in that it requires benefit to any foreign government, foreign instrumentality, or foreign agent

iii. Attempt and conspiracy are causes of action under both trade secret theft and economic espionage

d. Trade secret theft

i. Must be used in or intended to be used in interstate or foreign commerce

ii. Must have the intent or knowledge that the use of it will injure the owner of the trade secret

iii. Does not need to benefit a foreign government

1. Just needs to show that someone other than the owner benefited from the use of the trade secret

a. Does not require attribution

iii. General presumption against extra-territorial application (18 USC 1837)

1. EEA only applies to conduct that occurs abroad if:

a. (1) The offender is a natural person who is a citizen or permanent resident alien of the United States, or an organization organized under the laws of the United States or a state or political subdivision thereof

b. (2) An act in furtherance of the offense was committed in the United States

iv. Procedural restrictions

1. Requires the approval of senior DOJ officials to charge EEA crimes

a. After 2001, approval no longer required for 1832, but still required for 1831

v. What is covered by the EEA?

1. IP theft

2. Data breaches

a. Customer data may not be a trade secret, but a client list would be

vi. What is not covered by the EEA?

1. DDOS attacks

a. No actual act of misappropriation

2. Data wiping

b. Cases

i. US V. GENOVESE

1. Facts

a. Pieces of Microsoft source code were leaked for free on a website

b. Defendant took the source code and tried to sell it

i. Was not the source of the leak, did not do the actual hacking

2. Analysis

a. Constitutional challenges to the indictment

i. Freedom of speech

1. Since it was public information, he is allowed to repeat it

ii. Was not a trade secret, since it was made publicly available

iii. Void for vagueness argument

b. 1832 trade secret theft case

i. Court found that it was not protected speech

1. Illegal activity does not constitute protected speech

3. Holding

a. Against the defendant

ii. US V. CHUNG

1. Facts

a. Chung secreted information under his house over the course of decades

i. Was a Boeing contractor/engineer

ii. Gave information to the Chinese government

b. Largest archive of NASA information outside of NASA

2. Analysis

a. 1831 economic espionage case

i. Indicted for 6 counts of economic espionage and 1 count of conspiracy to commit economic espionage

b. Analytical process

i. Was the information a trade secret?

1. Was it a secret?

a. Were there reasonable secrecy measures?

2. Did the information have independent economic value?

a. Tasked by the Chinese government to steal this information with the intent to benefit the Chinese government

b. Boeing's information may provide a roadmap for competitors in the future

c. Inferred economic value based on value to the competitor

c. Criminal liability under the EEA can be established by the defendant's attempt alone

i. Attempt is penalized the same as completion

c. Articles

i. CYBERESPIONAGE, SURVEILLANCE AND INTERNATIONAL LAW: FINDING COMMON GROUND (BANKS)

1. Cyberespionage has low barriers of entry

2. Relationship between international law and espionage

a. 3 answers:

i. International law does not prohibit espionage, therefore it is permitted

1. LOTUS CASE

a. Court found that if there is nothing in international law that says a state can't do something, then states can do it

i. Focus on state sovereignty

ii. Unless a state has specifically consented to a rule of international law, it is not bound by it

2. Old view

ii. International law affirmatively permits espionage

1. It is a widespread practice

2. States are required to engage in espionage to protect their citizens

a. A necessary incident to self-defense

iii. International law prohibits espionage

1. Non-intervention

2. Human rights reasons

3. Right to privacy

a. Some countries do not interpret the ICCPR's right to privacy to include digital surveillance

i. Germany redrafted legislation to extend the right to electronic information; one can therefore argue that the treaty did not already include it

4. State sponsored espionage can constitute force and intervention, which is prohibited by the UN Charter

5. Vienna Convention on Diplomatic Relations (VCDR)

a. Prohibits diplomats from spying

i. Diplomats are required to respect the laws of the receiving state and espionage is prohibited domestically in most countries

3. Proposals to regulate espionage

a. Limit espionage to allow for only national security reasons

i. Differentiation between national security espionage and all other types?

ii. What constitutes national security?

b. States could agree that international law prohibits economic espionage

i. Prescribes a limited category and does not run into issues of defining national security

c. Internationalizing domestic laws such as the CFAA and the EEA

d. Prohibiting attacks on particular targets, creating a no-spy zone

e. No-spy agreements

ii. UN GENERAL ASSEMBLY'S RIGHT TO DIGITAL PRIVACY

1. Not specific about what is covered by the right to privacy

2. Recognizes the necessity of some surveillance

a. Reasons to curtail right to privacy:

i. Countering terrorism

ii. Security

9. INTERNATIONAL LAW

a. Types

i. Treaties

1. A contract between countries

2. BUDAPEST CONVENTION

a. First international treaty that deals directly with cybercrime

b. Negotiated in late 1990s, opened for signature in 2001, came into force in 2004

i. Has 45 member states

1. Russia has not signed

2. US ratified the treaty in 2006

c. Additional protocol

i. A separate treaty ratified by a number of member states

ii. Makes it a criminal offense to use computer systems to distribute racist or xenophobic material and threats, and material relating to crimes against humanity

1. Only 24 ratifications, no ratifications outside the Council of Europe

d. Articles

i. Article 2 Illegal Access

1. Differs from the CFAA in that it requires obtaining computer data, not just accessing

ii. Article 5 System Interference

1. CFAA defines damage in relation to integrity and availability of data, while the BC articulates it as "serious hindering without right of the functioning of a computer system"

iii. Article 7 Computer-Related Forgery

1. No similar CFAA provision

a. CFAA gets at it through computer damage and computer fraud provisions

iv. Article 13 Punishment

1. Does not mandate a specific punishment, but indicates that punishment should be an "effective, proportionate and dissuasive" sanction, which includes deprivation of liberty

e. Broadly lines up with the CFAA, does not mandate specific legislative language, but asks for criminalization of specific activities

i. Allows for state-by-state variation

ii. Uses "access without right" language

f. Obligates information sharing and facilitates signing of MLATs

i. Attempts to harmonize cyberlaws and allow for cooperation in investigation

g. Critiques

i. Vague definitions

ii. Lack of enforcement

iii. Weak cooperation provision

iv. Western focus

v. Not broadly ratified

vi. Countries filing reservations

h. JACK GOLDSMITH ARTICLE

i. BUDAPEST CONVENTION is a cautionary tale

1. Lax enforcement mechanisms

a. Not truly enforceable

b. Carve-outs by states

2. Vague definitions

3. Western-oriented

4. Has limited international adherence

3. AFRICAN UNION CONVENTION ON CYBERSECURITY AND PERSONAL DATA PROTECTION

a. Brand new treaty, no ratifications

b. Covers cybercrime, personal data protection, electronic protection

c. Borrows language from both CFAA and the BC

i. Uses the CFAA's "unauthorized access or exceeding authorized access" versus the BC's "access without right" language

ii. Uses the BC's system interference language of "to hinder and distort" the function of a computer system

d. Explicitly lists privacy as a right under Art. 25(3): Rights of Citizens

e. Critiques

i. No ratifications

ii. Freedom of speech concerns

iii. Lack of capacity for enforcement or implementation

iv. Too broad in scope

ii. Customary international law

1. State practice

a. Custom must be the general and consistent practice of states

b. Must be widespread

2. Customs of countries on the international stage

a. However, not all customs obtain the status of customary international law

3. Opinio juris sive necessitatis

a. An opinion of law or necessity

i. Done out of a sense of legal obligation

ii. States are not just engaging in the practice out of convenience or policy

1. Does it because they think they are legally required as a matter of international law to do it

4. States may not have signed onto a treaty, but may still be bound by customary international law

a. Generally enforce through actions taken by other states

5. Usually not an affirmative practice, but a defensive one, asking states to refrain from doing something

b. International procedural issues

i. Extradition

1. Taking a criminal defendant from one country and sending them to another country for prosecution

2. Custody of persons, moving people across borders for the charging of crimes

a. US-Estonia

3. Requirements

a. Dual criminality

i. Must be a crime in both jurisdictions/overlapping cores of criminality

b. Minimum severity requirement

ii. Mutual legal assistance (evidence collecting function)

1. Perpetrators may be abroad and so evidence may also be abroad

2. MLATs

a. Mutual legal assistance treaties

b. Usually bilateral

c. Binding legal obligation for the receiving state to respond, subject to some exceptions

i. Processed through the central authority of each state, government-to-government

1. Cannot be used by individual litigants

3. Letters of Rogatory

a. Processed court-to-court

10. POLICY QUESTIONS

a. (1) Congress should pass a federal data breach notification law that would preempt all state data breach notification laws currently in effect

i. FOR

1. Current patchwork structure makes compliance for companies difficult and time-consuming

a. May result in customers in different states being notified of the same incident at different times with different information

2. Would unify requirements

3. Be cheaper to comply with

ii. AGAINST

1. Could lessen consumer protection if the federal threshold is higher

2. If aiming for stricter laws, could impose huge costs on small businesses

b. (2) International treaties are an effective means to address threats posed by cybercrime

i. FOR

1. Cybercrime is an international issue

ii. AGAINST

1. Treaties, ultimately, must be enforced by countries against other countries

a. Cybercrime may not be high up on other countries priority list

b. Imposing sanctions requires a lot of other considerations

c. No other outside enforcement mechanism

d. States can just not sign on to a treaty

2. Extradition issues

3. Definitional issues

a. Different parameters as to what constitutes a cybercrime; lack of consensus on punishment

c. (3) The current multi-stakeholder model of internet governance is less protective of individual rights than governance by government would be

i. FOR

1. Governments could provide better, more consistent protection

ii. AGAINST

1. Governments would want to limit individual rights more due to national security reasons

2. Different countries' governments may be more restrictive as to internet governance

a. EX: China

d. (4) Congress should increase the penalties for violating the CFAA and the EEA because current penalties are not deterring hackers

i. FOR

1. Could work for the EEA as it involves more deliberate criminal behavior

ii. AGAINST

1. Under the current CFAA definitions, people could accidentally be engaged in certain actions that could constitute hacking

a. If they are unknowingly committing a crime, deterrence is a moot issue

e. (5) The standard for what qualifies as an armed attack should be the same in the cyber-context as in a traditional, conventional armed attack

i. FOR

1. Can cause harm that is similar to a conventional armed attack, just through different channels

a. EX: Stuxnet; if the US had physically gone in to mess with the reactors, would likely have been considered an armed attack

ii. AGAINST

1. Fundamentally different sort of attacks

2. Difficulty in identifying whether an attack has occurred, who conducted it, what the scope of the harm is, whether civilians were harmed in the process, and what would constitute excessive harm to a civilian in violation of Art. 55(1)(b)

3. Huge disagreements between states as to what would constitute an armed attack in the cyber-context

f. (6) Announcements, like NATO's Wales Summit Declaration, that cyberattacks can trigger collective self-defense obligations make cyberattacks less likely

i. FOR

1. Allowing for self-defensive measures that are backed up by other states will result in more careful state consideration of using the attack, similar to the level of deliberation for conventional attacks

ii. AGAINST

1. Attribution is difficult, so, as a deterrence measure, most likely limited

2. May only be a consideration where it is a state actor perpetrating the cyberattack

a. Large portion of cyberattacks may not be conducted by the state

b. Collective self-defense measures would have to go through the state before it can reach the private actor

g. (7) The US is entitled to exercise forceful self-defense measures in response to the attack on Sony

i. FOR

1. Was an economic attack and the US has the right to protect itself

2. Attributed to a state actor, therefore the US could call upon NATO member states for collective self-defense

ii. AGAINST

1. Unclear whether the Sony hack would constitute an armed attack that would justify the use of retaliatory force

2. Unclear who the actors were

3. Does the release of civilian information constitute civilian harm?

a. Difficulty in ascertaining magnitude of harm

11. CYBERWARFARE

a. Jus cogens

i. Super strong customary international law

1. Cannot be overturned by treaty or other customary international law

2. Can only be overcome by another jus cogens

3. No current jus cogens or treaties for cyberwarfare

a. Must use existing treaties on war, and apply it by analogy to cyberspace

ii. Example

1. UN Charter Rules on the Use of Force

2. Rules against genocide

iii. Articles

1. MURPHY'S PRINCIPLES OF INTERNATIONAL LAW

a. A state can suffer a use of force, but not have the right to retaliate as it does not rise to the level of an armed attack

i. States are only allowed to respond to uses of force when they amount to an armed attack, whereas the US position is that uses of force are armed attacks

b. If we said that cyberattacks were not armed attacks, then states would never be allowed to use force in retaliation

2. WHETHER A CYBERATTACK CAN BE AN ARMED ATTACK; SELF-DEFENSIVE FORCE AGAINST CYBERATTACKS, LEGAL, STRATEGIC AND POLITICAL DIMENSIONS (WAXMAN)

a. 3 possible answers

i. NO

1. Strict reading; cannot be an armed attack as must constitute kinetic violence

ii. SOMETIMES

1. Must result in violent consequences (effects-based)

a. Such as the consequences resulting from a conventional strike

b. EX: opening a dam on a village, activating nuclear weapons, disabling air traffic communications resulting in a crash

c. US takes this approach

i. Has no firm position as to cyberactions with no clear kinetic parallels

2. Depends on the magnitude of the consequences

a. Difficult to apply

b. EX: attack on the stock market

3. TALLINN MANUAL

a. Armed attack and use of force are not equated; does not take the US position

b. Exceptions to prohibition on the use of force

i. Self defense

c. Jus ad bellum

i. Recognized by the US

ii. Limitations on the right to self defense

1. Necessary

a. LETTER FROM US SECRETARY in relation to the CAROLINE INCIDENT

i. Leaving no choice of means

1. No peaceful alternatives

a. Diplomatic negotiations

b. Asking for cease and desist

ii. Admonition or remonstrance impracticable, or would have been unavailing

iii. Daylight could not wait

iv. Means necessary to remove the threat, and whether non-forcible means were adequate

2. Proportionate

a. Proportional in relation to what the attack was supposed to achieve

b. Not limited to repelling the initial attack, but ending the conflict

i. Whatever is necessary to eliminate the threat

1. Not limited by geographic location

2. Does not have to be a mirror image of the attack

a. Do not need to resort to same tactics, type of weapon or type of attack

c. Could it have been done with less violence with the same objective of neutralizing the threat?

d. The response must not be excessive; it must be proportionate to the threat

e. LETTER FROM US SECRETARY in relation to the CAROLINE INCIDENT

i. Nothing unreasonable or excessive

f. Proportionality: responding to a conventional attack with cyber means?

i. Limit damage, lost lives

ii. Should not be required, but an option

1. Requiring a specific kind of response would take away from a state's ability to defend itself

iii. If you could accomplish the same goal through cyber means, would that show you took proportional, less violent action?

iii. TALLINN MANUAL; RULE 14 Jus Ad Bellum

1. Use of force in cyber operations by a state must be necessary and proportionate; no exemption for the cyber context

2. Peaceful cyber alternatives

a. Firewall

b. Detection and prevention systems

c. Requests to desist

d. Expanding server capacity to withstand DDoS attacks

3. Cyber attacks do not necessarily require a cyber response

iv. How much of a constraint is necessity and proportionality on self-defense?

1. Easy to work around the requirements

2. Only limits against ridiculously overbearing responses

a. Does not limit more nuanced differences in response

v. Temporal requirements

1. Imminence

a. When you know an attack is going to happen, how soon can you respond?

b. 4 possible answers

i. An attack must have already occurred

ii. Temporally-focused anticipatory self-defense

1. The attack is about to be launched; focused on the traditional meaning of imminence

2. Minority position

iii. Anticipatory self-defense

1. When an armed attack is imminent

2. US's announced position; TALLINN MANUAL's majority position

iv. Last window of opportunity

1. Doctrine of last chance

a. Focus on when the attack becomes non-preventable

b. Can be temporally remote from the time of attack itself

2. Majority position

v. Preemptive self-defense, probable future attack

1. Could lead to paranoia, too much armed defense

2. Immediacy

a. How long after a state suffers an armed attack can that state respond forcibly?

vi. UN Security Council authorized

1. Issues of political deadlock

2. Authorized the Korean War, Bosnian War

3. Cyber issues

a. Would require near perfect attribution

i. Required evidentiary showing may be higher than is possible in cyber context

b. Takes too long to go through Security Council

c. Debate on whether you can authorize force against non-state actors

d. Collective self-defense

i. When one country is attacked, the victim-state can request assistance from other states

1. Request must be contemporaneous

a. Limits other states from acting aggressively and jumping to help

b. The victim state can limit the kinds of assistance that can be provided

i. Does not need to allow the assisting-state to help however the assisting-state sees fit

2. Assisting-state stands in the shoes of the victim-state once the request has been made

3. All normal jus ad bellum limitations on self-defense still apply

ii. Authorized by UN Art. 51

iii. NATO

1. Committed ex ante that an attack on any one of the member states will be considered an attack on all of them

a. 9/11 was the only time this was invoked

b. Still requires a request for assistance, but is pre-committed should there be a request

i. Victim-state not obligated to receive the assistance, but assisting-states obligated to provide it

2. WALES SUMMIT DECLARATION

a. Members obligated to establish their own defenses

b. Enhanced information-sharing between NATO member states

c. International law, jus cogens, jus ad bellum, jus in bello, UN Charter applies to cyber

d. Thought to be an empty gesture

i. Declaration of already existing NATO policy

1. NATO would have treated a cyber attack as an armed attack

ii. However, explicit statement helps advise states in their course of action

iii. States signing on acknowledge that jus in bello applies in cybersecurity context

e. Jus in bello

i. How states can use force during a conflict

ii. Treaties

1. Hague Convention

a. Restrictions on the method used in warfare

b. Martens Clause (included in the preamble)

i. Intended to be a gap-filler in international law

ii. In cases not covered by the specific language of the treaty, parties are still to proceed in accordance with customary international law

1. Residual clause; anticipates that technology will outpace treaties

2. Geneva Convention

a. Protection for victims (wounded, sick, POW, etc)

b. Ratified by every country

c. 4 conventions, 2 additional protocols

i. The US has not ratified the additional protocols, which dignify insurgent groups and give them protections similar to states

d. Articles

i. Article 48

1. Must distinguish between civilians and combatants and only attack the latter

a. Based on civilians maintaining their own civilian status, however

b. Civilians are not protected once they enter the fray

ii. Article 4(a)

1. Defining combatants

iii. Article 51

1. Protection of the civilian population

2. Indiscriminate attacks prohibited

a. Attacks that do not attempt to distinguish between civilians and combatants

b. Objective of spreading terror prohibited

c. Prohibits use of methods that cannot be limited to either a civilian or military objective

3. Cannot use civilian population as a shield

4. Art. 55(1)(b)

a. Collateral damage okay, allowed to cause civilian casualties, but proportionality important

b. Threshold: Must not be excessive in relation to the concrete and direct military advantage anticipated

iv. Article 52

1. General protection of civilian objects

a. Civilian objects shall not be the object of attack or reprisal

b. Presumption is that objects are not military objects

iii. Principles

1. States are prohibited from causing unnecessary suffering

a. States do not have unlimited freedom of choice as to the weapons that they are allowed to use

iv. Neutral state involvement

1. TALLINN MANUAL: RULE 94

a. Aggrieved party can take steps if a neutral state fails to terminate exercise of belligerent rights in its territory

i. Still subject to jus in bello rules

2. Criteria/proposals for showing that a neutral state is unwilling or unable to deal with belligerents in its territory; GEOGRAPHY OF CYBER-CONFLICT (DEEKS)

a. Prioritize cooperation and consent with the state rather than a unilateral use of force

i. Neutral states can consent to use of force in their territories

b. Ask the neutral state to address the threat and give it an adequate amount of time to respond

c. Reasonably assess the neutral state's capacity and control within the relevant region

d. Reasonably assess the neutral state's proposed means to suppress the threat

e. Evaluate its past interactions with the offending state

i. Where the neutral state has failed to take action after promises to do so in the past, can factor this in

3. Neutral states seem to get a higher level of protection than civilians

a. Cannot engage neutral states, but cannot be expected to refrain from harming any civilians during a war

v. Requirements

1. Distinction

a. Distinction in terms of whether the choice of methods would distinguish between military and civilian

b. Distinction in choice of target

c. States must never make civilians the object of attack; must always differentiate between civilian and military targets

d. HAROLD KOH

i. Principle of distinction should apply in cyber-context

ii. Takes the position that the US will abide by the principle of distinction whether it is customary international law or not

2. Proportionality

a. Whether civilian damage is excessive in relation to the military advantage anticipated

i. Difficult application to cyber context

1. Uncertainty as to effects on civilians, everything is interconnected

2. Difficult to determine what is excessive

3. Hard to know how much advantage is gained

4. What constitutes a weapon

5. Prevalence of dual-use networks

6. Attribution

7. When does a hacker constitute a combatant

a. Direct participation in a hostility is complicated as a cyber standard

8. Difficulty of human shield analogy

a. Countries may not even know that they are doing it

3. Precaution

a. Should always choose the option that causes the least amount of damage to civilians, even where all options are considered proportionate

i. Differentiation between precaution and proportionality

1. Proportionality

a. Whether the harm caused was excessive

2. Precaution

a. Whether the country took feasible measures to protect civilians

b. Military must choose the most protective option while still achieving their military objective

ii. Might be proportionate to harm 100 people, but precaution means that if there are 2 options, choose the more protective one, and harm only 10

b. Geneva Convention Article 57

i. Constant care shall be taken to spare civilian populations, civilians and civilian objects

1. Constant care is undefined in international law, but it means you cannot completely disregard civilians

ii. Should take all feasible precautions in the choice of means and method of attack; feasible means workable or practicable given all of the circumstances ruling at the time

f. Is a cyberattack an armed attack?

i. TALLINN MANUAL: RULE 30 Definition of Cyberattack

1. Does not mean an armed attack

2. An attack that can be expected to cause harm to persons or objects

3. Almost verbatim tracks the Geneva Convention definitions

4. Data

a. Does not find that data is an object, so it cannot be classified as civilian or combatant

i. Arguments against:

1. Data may be more important than the objects themselves

2. Linked to numerous objects

3. Data has been found to be a form of property via trade secret laws and intellectual property

ii. While data is not an object, can constitute an attack if it affects systems and functions

ii. Requirements for being a military object

1. Is it a military object based on nature, location or use?

a. Use

i. Percentage of military use/civilian use

1. EX: Tech company that makes off-the-shelf software as well as military encryption software; Boeing as a military target, but with strong civilian application

ii. TALLINN MANUAL: RULE 39 Objects used for civilian and military purposes

1. Cyber functions are targets when they are involved in military operations

iii. However, dual use likely not known by civilian parties

2. Does it make an effective contribution to military action?

3. Will the total or partial destruction or neutralization, or capture of data, offer a definite military advantage?

iii. Jus in bello

1. TALLINN MANUAL: RULE 43 Indiscriminate means or methods

a. Prohibits use of cyberweapons that are inherently indiscriminate by nature

i. Differentiates from choice of indiscriminate use by user

2. Jus ad bellum proportionality

a. TALLINN MANUAL: RULE 51

i. A cyber attack that may be expected to cause incidental loss of civilian life, which would be excessive compared to the military advantage to be gained, is prohibited

1. Principle of distinction applies; cannot target civilians

b. Definitions of damage:

i. Kinetic damage

ii. Serious functionality disruptions

iii. Any unauthorized access

1. Not an appropriate standard for a law of war

iv. TALLINN MANUAL: RULE 5

1. General duty for one state to not knowingly allow the unlawful use of its cyberinfrastructure to harm another state

2. Cyber issues

a. Attribution

i. Difficult for states to know where an attack is coming from

b. Borders are hard to police

i. Borders are very porous/non-existent in cyberspace

c. Speed of cyberattacks

v. What does a state have to know before taking action?

1. Certain attribution

2. Actual knowledge

a. Duty to act

b. May give states plausible deniability

3. Constructive knowledge

a. Imposes knowledge on a person where they should have known

b. Duty to monitor

i. FOR

1. State itself is in the best position to know

2. Would not want to permit other states to look into your cyberinfrastructure

ii. AGAINST

1. Enforcement difficult

2. States have different capabilities

3. Privacy concerns for citizens

a. Could be sanctioning a lot of government monitoring, intrusive

4. Not a good use of resources

iii. Does this duty apply to states through which cyber attacks are routed?

1. Applies to the state where the attack originates

2. However, where routing is fairly instantaneous, impracticable for routing states to react

a. Data travels in a fragmentary way

b. May not have the ability to prevent it

3. LAW OF CYBERWARFARE (SCHMITT)

a. Predicts that there will be a movement towards accountability of routing states

g. Cyberwar: law by analogy

i. International wrongful act

1. Breach of an international legal obligation

a. Very broad; when an act of a state does not comply with a legal obligation

b. Exemptions

i. Consent

ii. Countermeasure

iii. Force majeure

iv. Self-defense

2. Attributable to the state

a. DRAFT ILC ARTICLES

i. Article 4: Conduct of organs of a state

1. Regardless of position, regardless of whatever power it holds, its actions will be attributed to the state

2. Whether it is an organ of the state is determined by how it is organized based on internal law

ii. Article 5: Conduct of persons or entities who are not organs of the state

1. Attributed to the state where it is empowered by the state, provided that the person or entity was acting in that capacity

a. De facto organs of the state

i. Non-governmental organs exercising governmental authority

b. TALLINN MANUAL: RULE 6

i. Broader definition of state organ

ii. Individuals acting on the instructions of a state, or directly under the state's direction or control

iii. ICJ standard: effective control (dominant standard)

1. U.S. V. NICARAGUA

a. Must prove that the US has effective control of the military operations, weapons funded by the US not sufficient

2. Operation-by-operation control is difficult to show; high evidentiary standard

3. Greenlights the idea of war by proxy, so long as they are doing it through a third-party and are not giving instructions

a. EX: Estonia cyber-riot, Sony hack

iv. International Criminal Tribunal for the former Yugoslavia: overall control

1. Looser definition, does not require operation-by-operation control

c. How to determine state responsibility?

i. Conventional

1. What is the relationship between the forces and the state military

2. Where are the weapons coming from

ii. Cyber

1. Amount of control the state has over its own network

2. Where the internationally wrongful act is coming from (location)

3. Transfers of money to these groups by the government

4. How much the state knew about these operations

5. Governmental training programs

a. Are these people being trained by the government?

6. Any communications between the government and the attackers

7. Source of the code

8. How they are locating their targets

a. Are they being directed to particular targets or being matched up with vulnerabilities?

9. If the government authorizes hacking back, it might make the government responsible for all of the company's subsequent actions

a. If the government issues a statement that it won't punish hacking back, then it might be permitting cyberwarfare by proxy

iii. Even if the state is not responsible for the conduct, if it adopts the conduct as its own afterwards, it would be responsible

1. Cannot protect hackers or prevent them from being prosecuted

iv. TALLINN MANUAL: RULE 8

1. Routing through a state is not sufficient to attribute it to the state

v. TALLINN MANUAL: RULE 7

1. Launch of a cyberattack from a governmental building is not dispositive as to whether it is an act of the state, but it does indicate that the state may be associated with the operation in question

a. Flipped from conventional context

3. Sony incident as an internationally wrongful act?

a. Yes, violation of sovereignty

i. Placement of malware within another states territory

ii. Or, if the North Korean government is not responsible, failure to prevent the use of its territory to cause harm to other states

iii. Manipulation of cyberinfrastructure of another state

b. An act of retorsion would be permissible

i. Retorsion v. countermeasures

1. Retorsion

a. An act that is lawful at all times; lawful, but unfriendly

b. EX: Suspending foreign aid, suspending trade, banning immigration

2. Countermeasures

a. An internationally wrongful act but for a preceding violation; a response to an unlawful act

i. Must be taken in response to a previous international wrongful act of another state, and must be directed at that state

ii. Victim state must call upon the state committing the wrongful act to discontinue the wrongful act or make reparations

iii. Proportionality requirement

iv. Effects of the countermeasure must be commensurate with the injury suffered

b. EX: Violation of sovereignty

c. Was the US taking down the North Korean internet a permissible countermeasure?

i. Did the US suffer an international wrongful act?

ii. Were the actions taken against the state responsible?

iii. Did taking down the North Korean internet induce compliance with international law?

iv. Did they call upon North Korea to cease the internationally wrongful act? Or did they take urgent countermeasures?

v. Was their act proportionate?

vi. Was the act taken in a way to permit resumption of obligations?

12. CYBERSECURITY REGULATION

a. Actors

i. Companies

1. May not properly value cybersecurity

a. May not think they will be targeted

ii. Individuals

1. Failure to see individual incentives

iii. Government

1. Lacks authority

b. Bad cybersecurity due to market failure (SINGER; FRIEDMAN)

i. Negative externality, a bad user does not individually bear all of the cost

1. Poor personal security may result in your computer becoming part of a botnet that can, in turn, go out and commit other acts

2. Cost is borne by the system

c. Levels of government regulation

i. Government directly regulates

1. FOR

a. Can provide a minimum level of cybersecurity for companies that are unable to provide it for themselves

2. AGAINST

a. Implementing a blanket regime may be detrimental to a lot of big tech companies and the economy

b. Government may not be properly equipped to regulate in this field

3. Could issue

ii. Government issuing regulations requiring companies to provide cybersecurity

1. EU position

2. Can spur compliance

3. Not really any other entity to do this regulation, but better than direct governmental regulation

4. Mitigate externalities issue

5. Can provide a floor for cybersecurity

6. Can begin a trend towards greater cybersecurity

iii. Voluntary standards

1. Optional governmental regulations

2. Government can develop these standards in conjunction with the industries

a. Really expensive for companies to figure out what voluntary regulations they would wish to impose

3. Might make companies immune to lawsuits however, if they comply with a bare minimum voluntary standard

4. Obsolescence due to the speed of technological development

iv. Do nothing

1. A market for security will develop eventually

13. ZERO-DAY VULNERABILITIES

a. Market for vulnerabilities

i. Responsibilities

1. Product creators

2. Buyers

a. Driving up demand

b. Disclosure

i. When disclosed, the software company patches up the hole and the government can no longer exploit it and use it to gain information

1. EX: If zero-day vulnerability had been disclosed and fixed, Stuxnet could not have occurred

ii. Risks of non-disclosure

1. Does not get fixed

2. Someone else may have also discovered and be exploiting the vulnerability

iii. Government disclosure process

1. High-level interagency discussions within the intelligence community about whether to disclose; claims the process is biased towards responsible disclosure

2. HEARTBLEED

a. A vulnerability in OpenSSL which contained a backdoor through which attac