
CYBERSECURITY OUTLINE
PROFESSOR EICHENSEHR
SPRING 2015

Print: CFAA, Budapest Convention, EEA, Geneva Convention, Cal. Data Breach Law, SEC Disclosure Guidelines

1. INTRO
   a. Sony Hack
      i. Timeline
         1. June
            a. North Korea makes negative comments about The Interview
         2. November
            a. Discovery of Sony hack (Nov. 24, 2014)
               i. Sony realized that their systems had experienced a breach
               ii. Message regarding Sony's CEO was displayed on every internal computer
            b. Contacted law enforcement within a few days of the discovery of the initial breach
            c. First data dump (Nov. 27, 2014)
               i. Stolen movies (Annie, James Bond, etc.)
         3. December
            a. Threatening email sent to all of Sony's employees (Dec. 05, 2014)
            b. The Interview is referred to in the hackers' communications (Dec. 08, 2014)
            c. Warnings sent out to media outlets by Sony regarding the information dumps (Dec. 14, 2014)
               i. Hired lawyer David Boies to manage the media attention
            d. Threats are communicated to theaters against showing The Interview (Dec. 16, 2014)
            e. Major cinemas begin dropping The Interview (Dec. 17, 2014)
               i. CEO Lynton makes statement that they have no further release plans for the movie
            f. Identification of North Korea as the perpetrator by the FBI, statement issued (Dec. 19, 2014)
               i. Obama reprimands Sony for pulling the movie
                  1. Restriction on American freedom of speech
                  2. Promises proportional response on the part of the US
               ii. Secretary of State Kerry condemns North Korea for the cyberattack and indicates that this violated international norms
               iii. First time the US has called out a foreign country for a cyberattack
            g. Obama makes statements on CNN, calling it an act of "cybervandalism" (Dec. 21, 2014)
               i. Contrast with John McCain calling it "cyberwarfare"


            h. North Korea's internet goes down (Dec. 22, 2014)
            i. The Interview is released (Dec. 24, 2014)
            j. Email releases and other data releases occur throughout December
               i. Employee and past employees' personal information
                  1. Social security numbers, etc.
               ii. Passwords and other company information
               iii. Contracts with third parties and vendors
                  1. Internal contracts
                  2. Fee arrangements
         4. January
            a. Obama issues executive order against North Korea (Jan. 02, 2015)
               i. Economic sanctions against North Korea
                  1. Specific entities and individuals
                  2. Authorizes the US Treasury Department to do so
               ii. Makes statement that this is the US's first response to the Sony attack
                  1. Denies connection with previous North Korean internet outage incident
      ii. Issues
         1. Sony
            a. Labor issues
               i. Employee and previous employee information being released
                  1. Stolen Personally Identifiable Information (PII)
                     a. Social security number
                     b. Medical records
            b. Security issues
               i. Past incidents of hacking
               ii. Known weaknesses in their security systems
               iii. Negligence in protecting their systems
            c. Notice
               i. Previous warning email – does this constitute sufficient notice?
            d. Intellectual property
               i. Stolen intellectual property and its distribution
                  1. Movies
                  2. Contracts
                  3. Business plans
                  4. Scripts
                  5. Production plans and drafts
            e. Notification
               i. Failure to notify employees of breach in a timely manner
                  1. Federal: SEC notification requirements for publicly-traded companies
                     a. Duty to shareholders
                  2. State: Data breach notifications
            f. Contractual issues


               i. Theaters pulling out constitutes a breach of contract
            g. Injunctive issues
               i. Whether Sony can legally enjoin media outlets from publishing the stolen information
         2. Government
            a. Whether any international laws have been broken
            b. Proportionality of response
            c. Whether criminal laws have been violated and, if so, what laws?
            d. Sony's counterattack measures
               i. DDOS attacks for websites hosting stolen IP
               ii. Recovery and preparation for any future attacks
            e. Do the government sanctions comply with international law?
            f. Freedom of expression
               i. Chilling effect on freedom of speech, future movies, actions of media outlets

2. WHAT IS CYBERSECURITY?
   a. Cybersecurity threats
      i. Framework
         1. CIA triad
            a. Confidentiality
               i. Keeping information secure and secret
            b. Integrity
               i. System and data not being improperly altered
               ii. Issue of accuracy
            c. Availability
               i. Being able to use the system as anticipated
               ii. Having data be accessible when needed
         2. Resilience
            a. The ability to withstand and endure security threats instead of allowing systems to critically fail
               i. Keeping systems running even when they are compromised
               ii. Speed in system restoration
            b. Considered a backstop for the 3 CIA factors
            c. Elements that aid in increasing resilience:
               i. Back-ups
               ii. Extra network capacity (in response to DDOS attacks)
               iii. Higher quality data encryption
      ii. Difference between threats and vulnerabilities
         1. Vulnerability
            a. A vulnerability becomes a threat when there is a bad actor
            b. Vulnerabilities have no consequences as of yet, but have the potential to leave the system open to future harms
            c. Examples:
               i. Weak authentication
                  1. Poor training
                  2. Poor password use
               ii. New technologies with undiscovered loopholes
                  1. BMW issue


               iii. Bad code with loopholes
               iv. Out-of-date virus prevention software
               v. Careless insiders
         2. Threats
            a. Threats occur where a bad actor takes action to endanger the system
               i. Cybersecurity threats definitional issues:
                  1. Inexactness
                  2. Newness of the issue
                  3. Dependent on the approaches of each government and country
                     a. Different tools and different concerns
                     b. Variety of state concerns:
                        i. US: Defense and offense
                        ii. EU: Civilian and military
                        iii. Austria: Protection of key legal assets, natural dangers included
                        iv. Israel: Flexibility
                        v. Estonia: Personal responsibility
                        vi. Hungary: Education and awareness-raising, inclusion of policy and techniques
                        vii. Proactive and reactive
                        viii. New Zealand: Element of detection, acknowledging the fallibility of the internet, points out resilience issues
                        ix. Turkey: Putting systems back into the state prior to the cybersecurity incident, mentions countermeasures
                        x. Public responsibility and governmental responsibility
                  4. Difference between macro and micro cybersecurity
                  5. No authoritative document on the subject
                     a. No negotiated definition between governments
            b. Examples:
               i. Malicious insiders
                  1. Looking to steal information, trade secrets, etc., from employers
                  2. Have access to passwords and privileged information
               ii. Malware
                  1. Ransomware
                     a. Data is encrypted to lock out users and money must be paid in order to regain access


                        i. Implicates confidentiality, integrity and availability
                     b. EX: Cryptolocker
               iii. Phishing
               iv. Viruses
               v. DDOS attacks
               vi. Hackers and other cybercriminals
               vii. Advanced persistent threats
                  1. Classification of states that are actively engaged in hacking or spying
                  2. EX: China
            c. Why threats exist
               i. Why is the internet so vulnerable?
                  1. The architecture of the internet
                     a. Lack of transparency
                     b. Anonymity
                     c. Decentralization
                        i. Difficult, expensive and maybe impossible to change the fundamental structure of the internet
                        ii. Anonymity is important to protect freedom of expression
               ii. Exponential innovation
                  1. More points of access, new configurations may result in unprecedented access
                  2. Pressure for innovation results in a push for quick-release products that are less thoroughly researched and secured
                     a. Change might slow innovation, disadvantage small start-ups and negatively affect the economy
               iii. Widespread integration into economy and society
                  1. More devices with access
                  2. Critical infrastructure is operated through the internet
      iii. General issues
         1. Cyber as an offense-dominated environment
            a. Easier and cheaper to attack (find a weakness in the system) than to defend
               i. Fueled by anonymity structure
                  1. You don't know where the attack is coming from, or at what time, resulting in less time and knowledge through which one can formulate a defense
         2. Low barrier to entry
            a. Tools and information for cyberattacks are widely available on the internet
               i. Black market for cybercrime tools allows experts to pass on tools and information to those with intent
      iv. Perpetrators of cyberthreats


         1. Criminal hackers
            a. Financially-motivated criminal gangs
         2. Hacktivism
         3. Espionage attacks
            a. Trade secret theft
            b. Spying
      v. Cases
         1. Wall Street spear-phishing incident
            a. Facts
               i. Use of Wall Street lingo to conduct hack
               ii. Malware was contained in emails that were sent to executives, which contained sophisticated Wall Street language
            b. Combination of hacking and social engineering
            c. Getting confidential information about particular industries
               i. Focus on pharmaceuticals and healthcare
            d. Tailored to the recipient
               i. Looks like something you would receive from someone that you are actively in contact with
               ii. Requires more work on the part of the hackers
         2. Zeus botnet takedown
            a. Facts
               i. Mass takeover of users' computers, which were then used collectively to swarm other websites
                  1. Malware allowed the bot-herders to direct the networks of compromised computers to do certain tasks
                     a. Some were aimed at DDOS attacks
                     b. Some aimed at stealing credentials
               ii. Stole banking credentials and initiated wire transfers overseas of over $100 million
               iii. Simultaneous infection with Cryptolocker
         3. Estonia cyber-riot
            a. Facts
               i. Movement of a statue resulted in Russian DDOS attacks being directed at Estonia's government websites, which further replaced Estonia's sites with Russian propaganda
               ii. Suspected to be orchestrated by the Russian government
                  1. Information was posted on Russian-language websites, which allowed private citizens to utilize this information as well
         4. Iranian hack of US banks
            a. Facts
               i. Banks were bombarded with DDOS attacks that resulted in bank shutdowns
            b. Thought to be too sophisticated to be the work of amateur hackers, attributed to Iran
               i. Takes a lot of bandwidth to direct that much traffic at the banks


         5. Associated Press (AP) Twitter hack
            a. Facts
               i. Tipped stock market by $136 million
               ii. One in a series of defacements of media organizations' websites
                  1. Said that Obama was injured on AP's Twitter
                     a. Caused the market to dive for 3 minutes
               iii. Used a phishing email directed at AP staff members that asked them to click a particular link
         6. Flame virus
            a. Facts
               i. US and Israel develop the Flame virus in order to hack Iranian oil companies
                  1. The virus collected information and sent a steady stream of information back to its owners to allow them to prepare for more targeted attacks
                     a. Activation of microphones and cameras to allow for remote spying
                     b. Could receive commands through Bluetooth
                  2. Activated as a Microsoft update
               ii. Claims that the virus's DNA was similar to the coding used in Stuxnet – had similar programming language and overlapping code
               iii. Flame was the precursor to Stuxnet
               iv. The level of malware sophistication indicates state involvement
         7. Stuxnet
            a. Facts
               i. Virus was able to gain control of nuclear facility centrifuges and cause them to spin out of control, thereby destroying them, while simultaneously transmitting to Iranian authorities that everything was fine
               ii. Iranians attributed it to human error for a period
         8. Cyberattack on a Saudi Arabian firm
            a. Facts
               i. Perpetrator initiated the attack on a day when 55,000 of the employees were not there due to a religious holiday
               ii. Erased data on 3/4 of the corporate PCs and replaced it with a picture of a burning American flag
            b. US sees it as Iran firing back for Stuxnet
         9. NSA infiltration of Yahoo and Google clouds
            a. Facts
               i. Used the link between data centers and targeted the internal clouds of the companies to gather private information
                  1. Data travelling between data centers was unencrypted


                     a. Has led to companies encrypting everything
               ii. Came out as part of the Snowden leak
         10. Protestors in Hong Kong
            a. Facts
               i. Message in WhatsApp requested people join a protest group, which in turn gave the Chinese government access to their phones and coordinates
            b. Attributed to the Chinese government as this is a tactic that has been used before
      vi. Documents detailing cybersecurity threats
         1. IP Commission Report
            a. Puts majority of blame for economic IP stealing on China (50%-80%), India and Russia
            b. Annual losses are comparable to current US exports to Asia, around $300 billion
            c. Considers IP theft as "the greatest transfer of wealth in human history"
            d. Recommendations
               i. Increasing the granting of visas, green cards and related immigration documents to IP and tech workers
               ii. Increase the Department of Justice's and the FBI's ability to combat the theft
               iii. Create a private right of action under the Economic Espionage Act
                  1. Bypassing the DOJ as the sole method of prosecution
               iv. Confiscation of goods that use stolen IP
               v. Deny foreign companies who have stolen American IP use of the American banking system
               vi. General change of the cost-benefit calculus for entities benefiting from stolen IP
               vii. Would not allow US companies to be bought by companies that did not have strong IP protection
                  1. However, range of diplomatic and investment consequences
               viii. Companies that experience cybertheft should be allowed to retrieve their information, if it does not damage the intruder's network
                  1. Endorses hacking back
         2. Mandiant report, APT1
            a. Mandiant is a forensic security firm
               i. Made their name doing investigations on compromised companies
            b. Report named China as an Advanced Persistent Threat
               i. Triggered a chain of organizations naming China in cybersecurity issues
               ii. Attribution of acts to government-sponsored actors in China – Unit 61398
                  1. Tracing of IP locations


                  2. Evidence of a particular building with the IP resources
                  3. Employees had the necessary IP backgrounds
                     a. Required that they be able to speak English
                  4. Keyboard that was used to code was set to the Chinese language
               iii. Industries that were part of China's 5-year plan
                  1. Satellites and telecom
                  2. Mining
                  3. Engineering
                  4. Aerospace
                  5. Government
               iv. Average length of time the virus was in the system was about a year, the longest being 4 years and 10 months
                  1. Lack of detection is a big issue
                  2. Computers compromised through spear-phishing

3. CONCEPTUAL CYBERSPACE ARTICLES
   a. Cyberspace Declaration of Independence; Barlow
      i. In response to the Communications Decency Act, which applied regulations for radio and television to the internet
         1. Struck down by the Supreme Court a year later
            a. Impermissibly vague, did not define indecency, violated the First Amendment
      ii. Views the internet as a new space, requiring a new layer of consent
      iii. No physical coercion is applicable in the cyber world
   b. Law and Borders – the Rise of Law in Cyberspace; Johnson, Post
      i. Asserts that governments should not and cannot regulate the internet
         1. Arguments:
            a. Absence of territorial borders in cyberspace
            b. Difficulty in tracking users' locations
            c. Effects of online activities are not necessarily tied to one location, easily cross borders
            d. Enforcement almost impossible
            e. Enforcement may be illegitimate
               i. Power of the government is derived from the will of the people
                  1. View that users need to consent to be governed (again)
                  2. View that government cannot effectively regulate because they do not understand the cyber community
            f. If all governments regulated, there would be conflicting regulations and overlapping jurisdictions
               i. No notice of what the law is
               ii. Conflict of laws might result in users complying with the strictest regulations, resulting in a race to the bottom


   c. The Internet and the Abiding Significance of Territorial Sovereignty; Goldsmith
      i. Argument
         1. Internet governance is not inherently different
            a. Extraterritorial effects are common in the real world
         2. Separate internet sovereignty would overlap with state regulatory measures
         3. Many nations have common regulatory interests
         4. Problem of not being on notice as to what law applies is exaggerated
            a. Content providers can give notice
         5. Does not believe that consent is as big an issue as Johnson and Post do
            a. You have consented to your territorial government, you do not need to consent again
               i. Part and parcel of existing governments
         6. The more integrated we are with the internet, the more territorial laws will, in turn, have hold over the internet
         7. Enforcement
            a. Physical coercion can still occur in cyberspace because actors exist outside of the internet and the government can still act on the assets and persons of that actor
         8. Regulatory leakage issue exaggerated
            a. EX: Companies incorporate in other states to get around enforcement
               i. Not a purely cyber issue
               ii. Does not need to be perfect in order to be effective
         9. International harmonization would be difficult
            a. States' views represent a spectrum
            b. Influenced by businesses, as trade agreements and business interests may create a trend towards harmonization
         10. Governments do not own the underlying infrastructure of the internet, so it is difficult for states to directly regulate
   d. Code 2.0; Lessig
      i. Idea that code is law
         1. Code as a regulator, as how it functions and is designed is the ultimate restrictor of behavior
            a. The people who created the internet are the regulators, and these people are non-governmental actors
            b. Sets the terms in which the internet functions
      ii. Argument
         1. Liberty in cyberspace will not come from the absence of the state
            a. Rejects Johnson and Post's anarchist views
            b. Governments are acting to benefit the public good and are held accountable to such
               i. Whereas coders are motivated by the economy and could quietly change things without anyone noticing

4. STRUCTURE OF CYBERSPACE
   a. Net neutrality
      i. All internet traffic is routed at the same speed


      ii. FCC has announced future regulation that would prohibit "throttling"
         1. Classified the internet as a public utility
   b. Structure
      i. Internet Corporation for Assigned Names and Numbers (ICANN)
         1. US is relinquishing control of ICANN to other multi-stakeholder processes
            a. Due to increasing criticism about the US's dominant role in internet infrastructure
            b. Congress prohibited the Department of Commerce from appropriating funds for the transfer, but did not prohibit the transfer itself
               i. Does not need funds to transition ICANN; transfer of authority will automatically occur when the contract runs out in Sept. 2015
      ii. Internet Engineering Task Force (IETF)
         1. Multi-stakeholder group
         2. Develops the technical protocols that run the internet
            a. Developed IPv4: 4.3 billion IP addresses, however, running out
            b. Developed IPv6: Expands IP addresses by a gazillion
      iii. Internet Society
         1. Open forum that anyone can join, including individuals and organizations, for a fee
         2. Advocates for an open internet
         3. Operates on a multi-stakeholder consensus model (humming!)
      iv. International Telecommunication Union (ITU)
         1. Started in order to regulate telegraphic exchanges between countries
         2. Debate at World Conference on International Telecommunications (WCIT) 2012 on whether to include the internet as one of the forms of communication that they can regulate
            a. Pushed by Russia, adopted by some, but not others
               i. Normally operates by consensus rule, but this conference broke tradition and had a formal majority vote
               ii. Big player countries walked out
            b. Internet issue was talked about in a side resolution, not in the binding part of the treaty itself
            c. Language of the resolution stated that "all governments play an equal role"
               i. Imposition of a multi-lateral instead of the original multi-stakeholder model
               ii. "Equal role" language is a slam on the US
         3. Is a UN body, and giving the ITU the ability to regulate the internet would mean that each UN state gets one vote, and would cement the multi-lateral model transition
   c. Multi-stakeholder model
      PROS:
      - Run by private industry and not by state governments or organizations
      - Current stakeholders are more competent and well-versed in the subject than governments
      - More legitimate than one state government acting for everyone
      - Takes into account the views of more states
      - Chance of one particular government's interest being overly represented is smaller
      - So far has been effective in governing the internet
      - No real feasible alternatives
      CONS:
      - Too many people are involved; easy to make backdoors
      - Not enough order
      - Ineffective enforcement
      - Driven by technology companies, which are largely headquartered in the US
      - Common citizens do not have the resources or technical know-how to voice an opinion
      - Western-dominated
      - Skews everything in a profit-driven, self-interested way; private industry agenda needs to be taken into account

   d. Views
      i. International Strategy for Cyberspace (US AND EU VIEW)
         1. Promotes:
            a. Multi-stakeholder governance
               i. US can promote this because it decreases worldwide governmental control, while at the same time the US has other levers of control through which it can exert its power and therefore does not need to make it explicit
            b. Freedom of expression
            c. Privacy
            d. Establishing international norms
               i. Safety, stability
            e. Interoperability
               i. One internet for the whole world, not multiple national internets
               ii. Anti-fragmentation
      ii. International Code of Conduct (CHINESE AND RUSSIAN VIEW)
         1. Promotes:
            a. Multi-lateral governance
            b. Pro-fragmentation of the internet
            c. State sovereignty in the internet sphere
            d. Content control
            e. State acts as primary figure in information selection
            f. Prohibition on proliferation of hostile activities
            g. Establishing alternative norms
               i. Respecting cultural differences
               ii. Freedom of expression, etc., are not international norms

5. DISCLOSURE AND TRANSPARENCY IN THE CYBER SPHERE
   a. SEC disclosures
      i. For public companies, requests disclosure of cybersecurity risks through guidance materials – not mandatory or binding
         1. Requires disclosure where triggered by a material risk
            a. Information is considered material if there is a substantial likelihood that it would change the attitude of an investor
      ii. Attacks covered by disclosure materials


         1. Not just data breaches that compromise viable data
            a. DDOS attacks
            b. Insider attacks
            c. Third-party attacks
            d. IP theft
         2. Any kind of cybersecurity risk as long as it meets the materiality threshold
      iii. Level of detail
         1. Vague standard – not too generic to not provide enough information, but not too much that it would disclose or cause future risks (too much specificity might give other hackers a roadmap)
      iv. Benefits of public disclosure requirements (Singer, Friedman)
         1. Puts similar companies on notice as to how they might be attacked or that they might be attacked
         2. Holds companies more accountable
            a. Companies have the choice of upping their security or waiting for an attack to occur and subsequently disclosing it
         3. Transparency helps shareholders make decisions
         4. Creates competition and a market for security
         5. Increases board attention on the issue
         6. Helps in risk assessment
            a. Ability to value the breach in a monetary manner
   b. Company considerations
      i. Associated costs upon breach
         1. Remediation costs
            a. Cost of notification in the case of a data breach
         2. Litigation costs
         3. Increased security costs, post-attack
            a. Trainings
            b. Upgrading of systems
            c. Employment of third-party protections
         4. Reputational costs
            a. Loss of confidence by the public
            b. Company security
            c. Loss of customers
            d. Content disclosure
            e. Damaged relationships
         5. Incentive payments to retain customers after they have been damaged by a cyber attack
         6. Trademarks and trade secrets
            a. Lost revenue from stolen IP
         7. Cost of countermeasures
         8. Costs of preventative measures
      ii. Risks
         1. Are you a target?
         2. Frequency of attacks in your industry?
         3. Threatened attacks?
         4. Prior attacks?
         5. Financial stability after breach?


         6. Litigation due to breach?
   c. Examples of data breaches
      i. RSA (Enter the Cyber Dragon)
         1. Facts
            a. Company makes security keys and prides itself on one-time passwords
               i. Created two-factor authentication – SecurID tokens
            b. Chinese hackers found the source code for the security device
               i. Defense contractors were the ones using the products, so very alarming
            c. Unclear how long hackers were in the system
            d. Replacement of the SecurID tokens in June; attack occurred during March
               i. RSA's parent, EMC, filed an 8-K making the disclosure public the day of the attack
                  1. Did not state what information was taken, did not tell customers what they should do or what remedies they could pursue
   d. Data breach notifications
      i. Data breach laws designed to protect individuals and customers
         1. Goal of disclosure is to tell customers to take protective steps, not to warn other companies
         2. Provides different protections than SEC, including credit protection, customer awareness
         3. Very expensive to send notices
            a. Creates litigation costs
            b. Large costs, however, increase board awareness of the issue
      ii. Complicated data breach notification compliance
         1. Data breach laws of each state
            a. Method of notification
               i. Email
               ii. Phone
               iii. Mail
               iv. Substitute notice
                  1. Printing something in the media
                  2. Posting on the company's website
               v. However the customer has previously consented to being contacted by the company
            b. Trigger for substitute notice
            c. What constitutes personal information
               i. Name
               ii. Social security number
               iii. Driver's license
               iv. Medical information
               v. Health insurance information
               vi. DNA
               vii. Fingerprinting
            d. What amount of time in which to send out notice


               i. All states allow some delay for working with law enforcement, which incentivizes companies to do so
            e. Notification triggers
               i. CA: Strict liability – if breach, no requirement of subsequent risk of harm
               ii. Other states take into account risk of harm
                  1. Whether the unauthorized access will result in misuse
      iii. Companies may seek an initial waiver from customers at the beginning of the consumer relationship
         1. However, some states have found this to be against public policy
      iv. Some states allow a private right of action for consumers (class actions)
      v. Compliance more difficult for small companies
      vi. Data breach notification laws
         1. Cal. Civ. Code §1798.82
            a. General
               i. First data breach law passed in the country
               ii. Applies to businesses in California with personally identifiable information
            b. Trigger: what causes a requirement to notify?
               i. That the information was, or is reasonably believed to be, acquired by an unauthorized person
                  1. Strict liability, no requirement of harm
            c. Timing
               i. "Most expedient time possible without unreasonable delay"
                  1. Reasonableness as a standard, not a rule
                  2. Acceptable delay:
                     a. Involvement of law enforcement
                     b. If disclosure would impede a case
                     c. Measures necessary to restore the system
            d. No notice exemptions are allowed
               i. No waiver provision
                  1. Customers cannot sign anything that will waive their right to notification
            e. Private right of action
            f. Specific permissible methods of notification
               i. Written notice
               ii. Electronic notice
                  1. In the case of an email breach, cannot notify through email
               iii. Substitute notice
                  1. Can be used where the number of people is enormous, you cannot contact them, or the cost is prohibitively expensive
            g. Content
               i. Has to be in plain language
               ii. If they are going to provide identity theft services, cannot charge for it
            h. Parties


               i. The people whose information has been compromised
               ii. The State Attorney General
                  1. Triggered by number, 500+ California residents
         2. 3 purposes of data breach notification law
            a. Politeness
               i. You should know when something of yours is stolen
            b. Provide statistics for security experts
            c. Increase the costs to companies
               i. Force them to take security seriously and increase spending on it
         3. Potential future movement to one unified federal data-breach law
         4. Current federal data breach statutes
            a. HIPAA
               i. Applies specifically to healthcare providers
            b. GLBA
               i. Financial institutions must disclose breaches of financial and banking information

vii. Examples of data breach notifications1. Sony letter2. Target letter3. People of the State of California v. Kaiser Health Plan

a. Factsi. A hard drive was sold at a thrift shop containing a

large amount of people’s personal informationii. Kaiser learned of the drive’s whereabouts in Sept.,

2011, retrieved it in Dec., 2011 and did not beginnotifying people until Mar., 2012.

b. First suit brought for unreasonable delay6. EXISTING CYBERSPACE LAWS

a. Originally intended to only cover hacking and has been stretched to coverthings it was never meant to cover

i. Did not predict the expansion of the internet and its effects on the CFAAii. Consequently, a very harsh statute to use in relation to certain internet

casesiii. Violation of terms and conditions (contract-based restrictions) is a

clashing point between circuits as to whether it is a viable theoryb. Has both civil and criminal sides, with civil definitions getting leaked into

criminal cases c. Government is exempted from the CFAA in §1030(f)d. CFAA 18 USC §1030(a)

i. Initially passed in 19841. Established crimes relating to the misuse of a computer to obtain

national security secrets or personal financial records or hackingof US governmental computers

ii. 7/8-9 distinct crimes:1. (a)(1) Accessing a computer “without authorization or exceeding

authorized access” to obtain classified information “with reasonto believe that such information is to be used to the injury of theUS.”

a. “Unauthorized access” is not defined


            b. “Exceeding authorized access” defined as “accessing a computer with authorization and using such access to obtain or alter information that the user is not authorized to obtain or alter”
         2. (a)(2) Accessing a computer “without authorization or exceeding authorized access” to obtain:
            a. Governmental information
            b. Financial information
            c. Information from a protected computer
               i. Most frequently charged category of CFAA crimes
         3. (a)(3) Accessing any nonpublic computer of a department or agency of the US intentionally and “without authorization or exceeding authorized access”
            a. Applies specifically to US government computers
            b. Rarely used
         4. (a)(4) Knowingly, with intent to defraud, accessing a protected computer “without authorization or exceeding authorized access,” and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer or the value of such use is not more than $5,000
         5. (a)(5) Knowingly cause the transmission of a program, information, code or command, etc., causing intentional damage without authorization
            a. (A) Transmission of a virus, malware, etc., that results in damage to the receiving computer
            b. (B) Recklessly causing damage
            c. (C) Intentional access causing damage or loss
               i. Computer damage clause
               ii. Covers both unauthorized damage and unauthorized access that causes damage
         6. (a)(6) Knowingly, and with intent to defraud, traffic in any password or similar information through which a computer may be accessed without authorization if:
            a. (A) Such trafficking affects interstate or foreign commerce, or
            b. (B) Such computer is used by or for the government
               i. Prohibits trafficking in passwords
                  1. Misuse of passwords is not trafficking of passwords
         7. (a)(7) With intent to extort from any person any money or other thing of value:
            a. (A) Threatening to cause damage to a protected computer
            b. (B) Threatening to obtain information from a protected computer or impair the confidentiality of information
            c. (C) Demanding or requesting money or other thing of value in relation to damage to a protected computer where such damage was caused to facilitate the extortion
         8. (b) Whosoever conspires to commit such crimes or attempts to commit such crimes
      iii. Enforcement of CFAA


         1. Action can be brought by:
            a. Federal prosecutor
            b. Private right of action (§1030(g))
         2. Definitions
            a. “Protected computer”
               i. Computer used in or affecting interstate commerce, including computers located outside of the US
               ii. Computer used exclusively by a financial institution or by the US government
            b. “Exceeds authorized access”
               i. To access a computer with authorization and to use such access to obtain or alter information in the computer that the accessor is not entitled to so obtain or alter
            c. “Authorization”
               i. Code-based
                  1. Password
                     a. Clearer showing of circumventing authorization
                     b. Usually conducted by outsiders
                     c. Violations more similar to traditional hacking
               ii. Contract-based
                  1. Terms of service
                     a. Based on a promise, not on incapacity
                     b. Usually conducted by insiders
                     c. More closely tracks “exceeding authorized use”
      iv. Cases
         1. UNITED STATES V. MORRIS
            a. Facts
               i. Defendant dared to test the limits of the internet
                  1. At this time, the university, government and military institutions were linked together
               ii. Released a worm to see how big the internet was, but wound up causing a lot of damage
                  1. Booted worm into an MIT computer
                  2. Worm was programmed to guess passwords
            b. Analysis
               i. Charged with CFAA §1030 precursor: intentionally accessing a federal computer without authorization
                  1. Defendant argues that he just exceeded authorized use
               ii. Court found that his conduct consisted of unauthorized access as he did not use his access in a way related to his access’ proper function
         2. INTERNATIONAL AIRPORT CENTERS V. CITRIN
            a. 7th Circuit; Posner
            b. Employee decided to quit and, before he turned in his computer, he erased all of the data on the computer


            c. Taking actions adverse to your employer may mean that you no longer have authorization
               i. Employee authorization depends on your role as an agent of the company
               ii. When you breach the duty of loyalty, you lose all authorization
            d. Held that he had accessed the computer without authorization
         3. DEPARTMENT OF JUSTICE INDICTMENT OF CHINESE OFFICIALS
            a. Facts
               i. Chinese military officials charged with using spear-phishing tactics to gain information about design specifications for nuclear power, business plans and as a general entry-point into various American companies
            b. Analysis
               i. Charged with:
                  1. Unauthorized access
                  2. Conspiracy
                  3. Transmission that intentionally causes damage
                  4. Accessing a protected computer and taking information
                  5. Economic espionage
                  6. Wire fraud (separate from CFAA violations)
         4. UNITED STATES V. NOSAL
            a. En banc, 9th Circuit; Kozinski
               i. Criminal cybersecurity case
            b. Facts
               i. Convinced his ex-coworkers to take proprietary information from his old firm and to help him use that information to start a new firm
                  1. Recruited ex-coworkers to download company contacts from a company-restricted database
            c. Analysis
               i. Charged with CFAA §1030(a)(4) – aiding and abetting
               ii. Court limited violations of restrictions on information to code-based access, and not contract-based access
                  1. “Exceeding authorized access” is limited to violations on access to information and not on its use
                  2. Court favors narrow interpretation
                     a. Notice – many individuals violating terms of service may not realize that they are committing a federal crime
                     b. Criminalizes a wide swathe of behavior
                        i. Makes everyone a criminal
                     c. Canons of interpretation
                        i. Should be up to Congress to make things illegal, not the courts


                        ii. Courts should construe criminal statutes narrowly based on the Rule of Lenity
                     d. Terms of service often go unread
                     e. Possibility of discrimination
                        i. Prosecutorial discretion insufficient
                        ii. May be used as a pretext for firing employees
                     f. Wants consistent interpretation and one definition across the whole statute
                     g. Vagueness
                     h. Affects not just employee contracts, but also internet consumers
                     i. Reaches conduct that is not inherently wrongful
               iii. Other remedies for trade secret infringement, apart from CFAA
            d. Holding
               i. Finds for Nosal; the phrase “exceeds authorized access” within the meaning of the CFAA is limited to access-based restrictions, not use-based restrictions
                  1. Violations of contract-based restrictions not covered
         5. WEC CAROLINA ENERGY SOLUTIONS V. MILLER
            a. 4th Circuit
            b. Facts
               i. Employee took proprietary information from company, went to work for a competitor and used that proprietary information to steal clients from his old employer
            c. Analysis
               i. Alleged violation of the CFAA 1030(a)(2)(C) – broadest, (a)(4) – fraud, (a)(3) – damage
               ii. CITRIN case
                  1. 7th Circuit; Posner
                  2. Facts
                     a. Airport employee erases all company information on a laptop before subsequently leaving the company
                  3. Cessation of agency theory
                     a. Breach of a duty of loyalty means that the employee loses all authorization beyond that point
               iii. Rejection of cessation of agency theory
               iv. Finds that if you had code-based access, there is no violation under the CFAA
         6. UNITED STATES V. DREW
            a. Facts
               i. Mother uses fake Myspace account to terrorize another little girl, who subsequently killed herself
            b. Analysis


               i. Government argued that violation of terms of service renders access to a computer unauthorized; charged defendant with violation of Myspace’s terms of service
                  1. Cannot include a photo of another person without their consent
                  2. Cannot solicit information from someone under 18
               ii. Was convicted, and judge struck down the conviction for void-for-vagueness reasons
                  1. Encourages discriminatory enforcement
                     a. Difficult to tell what is actually prohibited under a statute
         7. U.S. V. MARIO AZAR
            a. Facts
               i. IT worker unhappy when he did not get a full-time position and wiped everything off of the master server
                  1. Has the effect of disrupting communications between Pacific Gas and Electric and their offshore oil platforms
         8. U.S. V. MIJANGOS; U.S. V. KAZARYAN
            a. Facts
               i. Defendants were sex-extortionists
                  1. Would hack through victims’ accounts and computers to search for intimate pictures
                  2. Would turn on computer cameras without the victims’ knowledge
               ii. Mijangos would monitor victims and would pretend to be their significant others in order to access private information and photos
               iii. Would threaten the victims with posting the videos online
         9. U.S. V. CHANEY
            a. Hacked celebrity accounts
         10. U.S. V. MOORE
            a. Revenge porn king
         11. U.S. V. VOGELAAR
            a. Hacked into post-production company and stole pre-release movies
         12. AARON SWARTZ CASE
            a. Facts
               i. Tried to download a significant portion of the JSTOR database
               ii. Charged under wire fraud statute and CFAA
               iii. Circumvented a significant amount of code-based restrictions
                  1. Both unauthorized access and exceeding authorized access
               iv. Killed himself after being threatened with 35 years of jail time


            b. Aaron’s Law
               i. Potentially could change the CFAA to cover only code-based access
               ii. Would eliminate liability in the CFAA for contract-based access
               iii. Would reform the penalties
7. ACTIVE DEFENSE (HACKING BACK)
   a. General
      i. The Department of Justice has held that there is no exception in the CFAA for companies hacking back
   b. Kinds of active defense
      i. Planting of false information (OK)
      ii. Stolen information that self-destructs (OK)
         1. Issue of whether this will damage the perpetrator’s systems
      iii. Beaconing (OK)
         1. Shows where the data is, allowing you to trace it
         2. Alerts the company that the data has left its system
      iv. Patrolling cybercrime forums (OK)
         1. Accounting information, offers to sell intellectual property, etc.
      v. Honeypots (OK)
         1. A weakened server seeded with information
         2. Traps set to entice hackers to a particularly weakly defended server in order to see what they are looking for, what techniques they are using and in an effort to look for clues of their identity
      vi. Accessing the server of the hacker and deleting the stolen files (NO)
      vii. Stewart Baker’s Poisoned RATs (NO)
         1. Remote Access Tool
            a. A way in for hackers to get into a company’s server; sends malware or a beacon back to identify them
      viii. Disabling hackers’ servers (NO)
      ix. Virtual labyrinths (OK)
         1. Continuous misdirection of hackers
         2. Increases the hacker’s costs
   c. Arguments
      i. For hacking back
         1. “Your computer, my data”: Because it is your data, you’re allowed to follow it and take it back or control how it is used
            a. Argument hurt by the fact that the CFAA talks about accessing computers, not data
         2. Compromised machines owned by innocent third parties
            a. You are doing them a favor by letting them know what is happening to them
            b. However, this is tempered by the fact that you cannot harm their computer in your counterattack
            c. Limit: Cannot cause damage, but surveillance, likely okay
               i. Must be very confident when launching your counterattack that the third party will not be damaged, or else you will get no protection
         3. More resources for private defense
         4. Less political controversy
            a. Private parties’ actions cannot be attributed to the state


      ii. Against hacking back
         1. CFAA prohibits the transfer of data that overloads a computer, even if it is used to stop an ongoing attack
            a. CFAA (a)(5)(A) – computer damage statute
               i. “Knowingly causing the transfer of code, command, etc… causing damage to a protected computer.”
                  1. CFAA 1030(e)(8)
                     a. “Damage” is defined as “any impairment on the availability of data”
                        i. Definition covers DDOS attack
         2. Attribution is very difficult
         3. Potential interference with US government
         4. Escalation
            a. Wrongful attribution may result in someone lashing out
         5. Resource allocation
            a. Well-resourced companies would be able to protect themselves, but not others
   d. Governmental blind eye
      i. Delegitimization of the CFAA where prosecutorial discretion is used to allow companies to hack back
         1. How should the CFAA be revised to allow hacking back?
            a. Allow an affirmative defense
            b. Pose conditions for retribution
               i. Accurate attribution
            c. Limit on damages that you can do to another server
            d. Manipulation of own data to protect itself is okay
      ii. Other potential options
         1. An armed non-governmental cybersecurity enforcement entity
         2. Letters of marque
            a. Companies getting permission from the DOJ to hack back if they fulfill certain criteria – allowing private action under specific circumstances
8. Cyberespionage
   a. Economic Espionage Act
      i. General
         1. Passed in 1996, signed into law by Clinton
         2. Addresses economic security and relates it to national security
            a. Extends federal protection to trade secrets
         3. Is not a cyber-specific statute
            a. Often charged with other statutes, including CFAA
               i. EX: UNITED STATES V. NOSAL
      ii. EEA covers 2 types of trade secret misappropriation
         1. 18 USC §1831 – economic espionage
            a. What is a foreign instrumentality? 18 USC §1839(1)
               i. “Means any agency, bureau, ministry, component, institution, association, or any legal, commercial, or business organization, firm, or entity that is substantially owned, controlled, sponsored, commanded, managed, or dominated by a foreign government.”
            b. What is a foreign agent? 18 USC §1839(2)


               i. “Means any officer, employee, proxy, servant, delegate, or representative of a foreign government.”
            c. Important commonality is foreign state ownership and control
            d. §1831 charged much less frequently than §1832
               i. §1831 economic espionage penalty is much higher
                  1. Economic espionage
                     a. Individuals: $5 million or up to 15 years imprisonment, or both
                     b. Organization: Fine up to $10 million or three times the value of the stolen item (18 USC §1831(b))
                  2. Trade secret
                     a. Individuals: Fine and imprisonment up to 10 years
                     b. Organization: Fine of not more than $5 million
            e. Elements
               i. Theft of a trade secret
               ii. Knowledge that the theft would benefit a foreign government, agent, instrumentality, etc.
         2. 18 USC §1832 – trade secret theft
            a. What is a trade secret? 18 USC §1839(3)
               i. “Means all forms and types of financial, business, scientific, technical, economic, or engineering information, including patterns, plans, compilations, program devices, formulas, designs, prototypes, methods, techniques, processes, procedures, programs, or codes, whether tangible or intangible, and whether or how stored, compiled, or memorialized physically, electronically, graphically, photographically, or in writing if:
                  1. (A) The owner thereof has taken reasonable measures to keep such information secret, and
                     a. Expanded on in UNITED STATES V. CHUNG
                        i. “Advised employees of the existence of trade secrets…”
                        ii. Marking information as secret
                        iii. Restrictions on access
                        iv. Password protection
                        v. Physical protection
                  2. (B) The information derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable through proper means by, the public
                     a. For economic value courts consider:
                        i. Value to owner
                        ii. Value to competitor


                        iii. Whether the information would yield an economic advantage
                        iv. Whether someone had to pay for it
                        v. Cost of development
                     b. Circuit disagreement as to readily ascertainable by whom?
                        i. EEA: the public v. Uniform Trade Secrets Act (UTSA): “Other persons who can obtain economic value from its disclosure and use” – the economically relevant portion of the public
            b. Elements
               i. Intention to convert the trade secret to benefit someone other than the owner
                  1. Does not need to show specific attribution like §1831
               ii. Knowledge or intention that the offense will injure the owner of the trade secret
               iii. Has to affect interstate commerce
            c. Trade secret v. economic espionage
               i. Trade secret definition requires more than economic espionage, substantial overlap
               ii. Economic espionage differs in that it requires “benefit to any foreign government, foreign instrumentality, or foreign agent”
               iii. Attempt and conspiracy are causes of action under both trade secret theft and economic espionage
            d. Trade secret theft
               i. Must be used in or intended to be used in interstate or foreign commerce
               ii. Must have the intent or knowledge that the use of it will injure the owner of the trade secret
               iii. Does not need to benefit a foreign government
                  1. Just needs to show that someone other than the owner benefited from the use of the trade secret
                     a. Does not require attribution
      iii. General presumption against extra-territorial application (18 USC §1837)
         1. EEA only applies to conduct that occurs abroad if:
            a. (1) The offender is a natural person who is a citizen or permanent resident alien of the United States, or an organization organized under the laws of the United States or a state or political subdivision thereof
            b. (2) An act in furtherance of the offense was committed in the United States
      iv. Procedural restrictions
         1. Requires the approval of senior DOJ officials to charge EEA crimes
            a. After 2001, approval no longer required for §1832, but still required for §1831
      v. What is covered by the EEA?


         1. IP theft
         2. Data breaches
            a. Customer data may not be a trade secret, but a client list would be
      vi. What is not covered by the EEA?
         1. DDOS attacks
            a. No actual act of misappropriation
         2. Data wiping
   b. Cases
      i. US V. GENOVESE
         1. Facts
            a. Pieces of Microsoft source code were leaked for free on a website
            b. Defendant took the source code and tried to sell it
               i. Was not the source of the leak, did not do the actual hacking
         2. Analysis
            a. Constitutional challenges to the indictment
               i. Freedom of speech
                  1. Since it was public information, he is allowed to repeat it
               ii. Was not a trade secret, since it was made publicly available
               iii. Void for vagueness argument
            b. §1832 trade secret theft case
               i. Court found that it was not protected speech
                  1. Illegal activity does not constitute protected speech
         3. Holding
            a. Against the defendant
      ii. US V. CHUNG
         1. Facts
            a. Chung secreted information under his house over the course of decades
               i. Was a Boeing contractor/engineer
               ii. Gave information to the Chinese government
            b. Largest archive of NASA information outside of NASA
         2. Analysis
            a. §1831 economic espionage case
               i. Indicted for 6 counts of economic espionage and 1 count of conspiracy to commit economic espionage
            b. Analytical process
               i. Was the information a trade secret?
                  1. Was it a secret?
                     a. Were there reasonable secrecy measures?
                  2. Did the information have independent economic value?
                     a. Tasked by the Chinese government to steal this information with the intent to benefit the Chinese government


                     b. Boeing’s information may provide a roadmap for competitors in the future
                     c. Inferred economic value based on value to the competitor
            c. Criminal liability under the EEA can be established by the defendant’s attempt alone
               i. Attempt is penalized the same as completion
   c. Articles
      i. CYBERESPIONAGE, SURVEILLANCE AND INTERNATIONAL LAW: FINDING COMMON GROUND (BANKS)
         1. Cyberespionage has low barriers of entry
         2. Relationship between international law and espionage
            a. 3 answers:
               i. International law does not prohibit espionage, therefore it is permitted
                  1. LOTUS CASE
                     a. Court found that if there is nothing in international law that says a state can’t do something, then states can do it
                        i. Focus on state sovereignty
                        ii. Unless states have specifically consented to an international law, they are not bound.
                  2. Old view
               ii. International law affirmatively permits espionage
                  1. It is a widespread practice
                  2. States are required to engage in espionage to protect their citizens
                     a. A necessary incident to self-defense
               iii. International law prohibits espionage
                  1. Non-intervention
                  2. Human rights reasons
                  3. Right to privacy
                     a. Some countries do not interpret the ICCPR’s right to privacy to include digital surveillance
                        i. Germany redrafted legislation to extend to electronic information; therefore one can argue that the treaty did not already include it
                  4. State sponsored espionage can constitute force and intervention, which is prohibited by the UN Charter
                  5. Vienna Convention on Diplomatic Relations (VCDR)
                     a. Prohibits diplomats from spying
                        i. Diplomats are required to respect the laws of the receiving state, and espionage is prohibited domestically in most countries
         3. Proposals to regulate espionage


            a. Limit espionage to allow for only national security reasons
               i. Differentiation between national security espionage and all other types?
               ii. What constitutes national security?
            b. States could agree that international law prohibits economic espionage
               i. Prescribes a limited category and does not run into issues of defining national security
            c. Internationalizing domestic laws such as the CFAA and the EEA
            d. Prohibiting attacks on particular targets, creating a no-spy zone
            e. No-spy agreements
      ii. UN GENERAL ASSEMBLY’S RIGHT TO DIGITAL PRIVACY
         1. Not specific about what is covered by the right to privacy
         2. Recognizes the necessity of some surveillance
            a. Reasons to curtail right to privacy:
               i. Countering terrorism
               ii. Security
9. INTERNATIONAL LAW
   a. Types
      i. Treaties
         1. A contract between countries
         2. BUDAPEST CONVENTION
            a. First international treaty that deals directly with cybercrime
            b. Negotiated in late 1990s, opened for signature in 2001, came into force in 2004
               i. Has 45 member states
                  1. Russia has not signed
                  2. US ratified the treaty in 2006
            c. Additional protocol
               i. A separate treaty ratified by a number of member states
               ii. Makes it a criminal offense to use computer systems to distribute crimes against humanity and racist, xenophobic threats
                  1. Only 24 ratifications, no ratifications outside the Council of Europe
            d. Articles
               i. Article 2 – Illegal Access
                  1. Differs from the CFAA, in that it requires obtaining computer data, not just accessing
               ii. Article 5 – System Interference
                  1. CFAA defines damage in relation to integrity and availability of data, while BC articulates it as a “serious hindering without right of the functioning of a computer system”
               iii. Article 7 – Computer-Related Forgery
                  1. No similar CFAA provision
                     a. CFAA gets at it through computer damage and computer fraud provisions


               iv. Article 13 – Punishment
                  1. Does not mandate a specific punishment, but indicates that punishment should be “effective, proportionate and dissuasive sanction, which includes deprivation of liberty.”
            e. Broadly lines up with the CFAA; does not mandate specific legislative language, but asks for criminalization of specific activities
               i. Allows for state-by-state variation
               ii. Uses “access without right” language
            f. Obligates information sharing and facilitates signing of MLATs
               i. Attempts to harmonize cyberlaws and allow for cooperation in investigation
            g. Critiques
               i. Vague definitions
               ii. Lack of enforcement
               iii. Weak cooperation provision
               iv. Western focus
               v. Not broadly ratified
               vi. Countries filing reservations
            h. JACK GOLDSMITH ARTICLE
               i. BUDAPEST CONVENTION is a cautionary tale
                  1. Lax enforcement mechanisms
                     a. Not truly enforceable
                     b. Carve-outs by states
                  2. Vague definitions
                  3. Western-oriented
                  4. Has limited international adherence
         3. AFRICAN UNION CONVENTION ON CYBERSECURITY AND PERSONAL DATA PROTECTION
            a. Brand new treaty, no ratifications
            b. Covers cybercrime, personal data protection, electronic protection
            c. Borrows language from both CFAA and the BC
               i. Uses CFAA’s “unauthorized access” or “exceeding authorized access” versus BC’s “access without right” language
               ii. Uses BC’s system interference language to “hinder and distort function of a computer system”
            d. Explicitly lists privacy as a right under Art. 25(3): Rights of Citizens
            e. Critiques
               i. No ratifications
               ii. Freedom of speech concerns
               iii. Lack of capacity for enforcement or implementation
               iv. Too broad in scope
      ii. Customary international law
         1. State practice
            a. Custom must be the general and consistent practice of states


            b. Must be widespread
         2. Customs of countries on the international stage
            a. However, not all customs obtain the status of customary international law
         3. Opinio juris sive necessitatis
            a. “An opinion of law or necessity”
               i. Done out of a sense of legal obligation
               ii. States are not just engaging in the practice out of convenience or policy
                  1. They do it because they think they are legally required as a matter of international law to do it
         4. States may not have signed onto a treaty, but may still be bound by customary international law
            a. Generally enforced through actions taken by other states
         5. Usually not an affirmative practice, but a defensive one, asking states to refrain from doing something
   b. International procedural issues
      i. Extradition
         1. Taking a criminal defendant from one country and sending them to another country for prosecution
         2. Custody of persons, moving people across borders for the charging of crimes
            a. US-Estonia
         3. Requirements
            a. Dual criminality
               i. Must be a crime in both jurisdictions/overlapping cores of criminality
            b. Minimum severity requirement
      ii. Mutual legal assistance (evidence collecting function)
         1. Perpetrators may be abroad and so evidence may also be abroad
         2. MLATs
            a. Mutual legal assistance treaties
            b. Usually bilateral
            c. Binding legal obligations for the receiving state to respond, subject to some exceptions
               i. Processed through the central authority of each state, government-to-government
                  1. Cannot be used by individual litigants
         3. Letters rogatory
            a. Processed court-to-court
10. POLICY QUESTIONS
   a. (1) Congress should pass a federal data breach notification law that would preempt all state data breach notification laws currently in effect
      i. FOR
         1. Current patchwork structure makes compliance for companies difficult and time-consuming
            a. May result in customers in different states being notified of the same incident at different times with different information
         2. Would unify requirements


         3. Would be cheaper to comply with
      ii. AGAINST
         1. Could lessen consumer protection if the federal threshold is higher
         2. If aiming for stricter laws, could impose huge costs on small businesses
   b. (2) International treaties are an effective means to address threats posed by cybercrime
      i. FOR
         1. Cybercrime is an international issue
      ii. AGAINST
         1. Treaties, ultimately, must be enforced by countries against other countries
            a. Cybercrime may not be high up on other countries’ priority list
            b. Imposing sanctions requires a lot of other considerations
            c. No other outside enforcement mechanism
            d. States can just not sign on to a treaty
         2. Extradition issues
         3. Definitional issues
            a. Different parameters as to what constitutes a cybercrime, lack of consensus for punishment
   c. (3) The current multi-stakeholder model of internet governance is less protective of individual rights than governance by government would be
      i. FOR
         1. Governments could provide better, more consistent protection
      ii. AGAINST
         1. Governments would want to limit individual rights more due to national security reasons
         2. Different countries’ governments may be more restrictive as to internet governance
            a. EX: China
   d. (4) Congress should increase the penalties for violating the CFAA and the EEA because current penalties are not deterring hackers
      i. FOR
         1. Could work for the EEA as it involves more deliberate criminal behavior
      ii. AGAINST
         1. Under the current CFAA definitions, people could accidentally be engaged in certain actions that could constitute hacking
            a. If they are unknowingly committing a crime, deterrence is a moot issue
   e. (5) The standard for what qualifies as an armed attack should be the same in the cyber-context as in a traditional, conventional armed attack
      i. FOR
         1. Can cause harm that is similar to a conventional armed attack, just through different channels
            a. EX: Stuxnet; if the US had physically gone in to mess with the reactors, it would likely have been considered an armed attack
      ii. AGAINST


      1. Fundamentally different sort of attacks
      2. Difficulty in identifying whether an attack has occurred, who conducted it, what the scope of the harm is, whether civilians were harmed in the process and what would constitute excessive harm of a civilian in violation of Art. 55(1)(b)
      3. Huge disagreements between states as to what would constitute an armed attack in the cyber-context
  f. (6) Announcements, like NATO's Wales Summit Declaration, that cyberattacks can trigger collective-self-defense obligations make cyberattacks less likely
    i. FOR
      1. Allowing for self-defensive measures that are backed up by other states will result in more careful state consideration of using the attack, similar to the level of deliberation for conventional attacks
    ii. AGAINST
      1. Attribution is difficult, so, as a deterrence measure, most likely limited
      2. May only be a consideration where it is a state actor perpetrating the cyberattack
        a. A large portion of cyberattacks may not be conducted by the state
        b. Collective self-defense measures would have to go through the state before they can reach the private actor
  g. (7) The US is entitled to exercise forceful self-defense measures in response to the attack on Sony
    i. FOR
      1. Was an economic attack and the US has the right to protect itself
      2. Attributed to a state actor, therefore the US could call upon NATO member states for collective self-defense
    ii. AGAINST
      1. Unclear whether the Sony hack would constitute an armed attack that would justify the use of retaliatory force
      2. Unclear who the actors were
      3. Does the release of civilian information constitute civilian harm?
        a. Difficulty in ascertaining magnitude of harm

11. CYBERWARFARE
  a. Jus cogens
    i. Super strong customary international law
      1. Cannot be overturned by treaty or other customary international law
      2. Can only be overcome by another jus cogens
      3. No current jus cogens or treaties for cyberwarfare
        a. Must use existing treaties on war, and apply them by analogy to cyberspace
    ii. Examples
      1. UN Charter Rules on the Use of Force
      2. Rules against genocide
    iii. Articles
      1. MURPHY'S PRINCIPLES OF INTERNATIONAL LAW


        a. A state can suffer a use of force, but not have the right to retaliate, as it does not rise to the level of an armed attack
          i. States are only allowed to respond to uses of force when they amount to an attack, whereas the US states that uses of force are armed attacks
        b. If we said that cyberattacks were not armed attacks, then states would never be allowed to use force in retaliation
      2. WHETHER A CYBERATTACK CAN BE AN ARMED ATTACK; SELF-DEFENSIVE FORCE AGAINST CYBERATTACKS, LEGAL, STRATEGIC AND POLITICAL DIMENSIONS (WAXMAN)
        a. 3 possible answers
          i. NO
            1. Strict reading; cannot be an armed attack, as an armed attack must constitute kinetic violence
          ii. SOMETIMES
            1. Must result in violent consequences (effects-based)
              a. Such as the consequences resulting from a conventional strike
              b. EX: opening a dam on a village, activating nuclear weapons, disabling air traffic communications resulting in a crash
              c. US takes this approach
                i. Has no firm position as to cyberactions with no clear kinetic parallels
            2. Depends on the magnitude of the consequences
              a. Difficult to apply
              b. EX: attack on the stock market
      3. TALLINN MANUAL
        a. Armed attack and use of force are not equated – does not take the US position
        b. Exceptions to the prohibition on the use of force
          i. Self-defense
        c. Jus ad bellum
          i. Recognized by the US
          ii. Limitations on the right to self-defense
            1. Necessary
              a. LETTER FROM US SECRETARY in relation to the CAROLINE INCIDENT
                i. "Leaving no choice of means"
                  1. No peaceful alternatives
                    a. Diplomatic negotiations
                    b. Asking for cease and desist
                ii. "Admonition or remonstrance impracticable, or would have been unavailing"
                iii. "Daylight could not wait"
                iv. Means necessary to remove the threat, and whether non-forcible means were adequate


            2. Proportionate
              a. Proportional in relation to what the attack was supposed to achieve
              b. Not limited to repelling the initial attack, but ending the conflict
                i. Whatever is necessary to eliminate the threat
                  1. Not limited by geographic location
                  2. Does not have to be a mirror image of the attack
                    a. Do not need to resort to the same tactics, type of weapon or type of attack
              c. Could it have been done with less violence with the same objective of neutralizing the threat?
              d. The response must not be excessive; must be proportionate to the threat
              e. LETTER FROM US SECRETARY in relation to the CAROLINE INCIDENT
                i. "Nothing unreasonable or excessive"
              f. Proportionality: responding to a conventional attack with cyber means?
                i. Limit damage, lost lives
                ii. Should not be required, but an option
                  1. Requiring a specific kind of response would take away from a state's ability to defend itself
                iii. If you could accomplish the same goal through cyber means, would that show you took proportional, less violent action?
          iii. TALLINN MANUAL; RULE 14 – Jus ad bellum
            1. Use of force in cyber operations taken by a state must be necessary and proportionate; no exemption for the cyber context
            2. Peaceful cyber alternatives
              a. Firewall
              b. Detection and prevention systems
              c. Requests to desist
              d. Expanding server capacity to withstand DDoS attacks
            3. Cyber attacks do not necessarily require a cyber response
          iv. How much of a constraint are necessity and proportionality on self-defense?
            1. Easy to work around the requirements
            2. Only limits against ridiculously overbearing responses
              a. Does not limit more nuanced differences in response
          v. Temporal requirements
            1. Imminence
              a. When you know an attack is going to happen, how soon can you respond?
              b. 4 possible answers


                i. An attack must have already occurred
                ii. Temporally-focused anticipatory self-defense
                  1. The attack is about to be launched; focused on the traditional meaning of imminence
                  2. Minority position
                iii. Anticipatory self-defense
                  1. When an armed attack is imminent
                  2. US's announced position, TALLINN MANUAL's majority position
                iv. Last window of opportunity
                  1. Doctrine of last chance
                    a. Focus on when the attack becomes non-preventable
                    b. Can be temporally remote from the time of the attack itself
                  2. Majority position
                v. Preemptive self-defense, probable future attack
                  1. Could lead to paranoia, too much armed defense
            2. Immediacy
              a. How long after a state suffers an armed attack can that state respond forcibly?
          vi. UN Security Council authorized
            1. Issues of political deadlock
            2. Authorized the Korean War, Bosnian War
            3. Cyber issues
              a. Would require near-perfect attribution
                i. Required evidentiary showing may be higher than is possible in the cyber context
              b. Takes too long to go through the Security Council
              c. Debate on whether you can authorize force against non-state actors
        d. Collective self-defense
          i. When one country is attacked, the victim-state can request assistance from other states
            1. Request must be contemporaneous
              a. Limits other states from acting aggressively and jumping to "help"
              b. The victim-state can limit the kinds of assistance that can be provided
                i. Does not need to allow the assisting-state to help however the assisting-state sees fit
            2. Assisting-states stand in the shoes of the victim-state once the request has been made
            3. All normal jus ad bellum limitations on self-defense still apply
          ii. Authorized by UN Charter Art. 51
          iii. NATO
            1. Committed ex ante that an attack on any one of the member states will be considered an attack on all of them


              a. 9/11 was the only time this was invoked
              b. Still requires a request for assistance, but is pre-committed should there be a request
                i. Victim-state not obligated to receive the assistance, but assisting-states obligated to provide it
            2. WALES SUMMIT DECLARATION
              a. Members obligated to establish their own defenses
              b. Enhanced information-sharing between NATO member states
              c. International law, jus cogens, jus ad bellum, jus in bello, UN Charter apply to cyber
              d. Thought to be an empty gesture
                i. Declaration of already existing NATO policy
                  1. NATO would have treated a cyber attack as an armed attack
                ii. However, explicit statement helps advise states in their course of action
                iii. States signing on acknowledge that jus in bello applies in the cybersecurity context
        e. Jus in bello
          i. How states can use force during a conflict
          ii. Treaties
            1. Hague Convention
              a. Restrictions on the methods used in warfare
              b. Martens Clause (included in the preamble)
                i. Intended to be a gap-filler in international law
                ii. "In cases not included in the specific language of the treaty, parties are still to proceed in conjunction with customary international law"
                  1. Residual clause; anticipates that technology will outpace treaties
            2. Geneva Convention
              a. Protection for victims (wounded, sick, POW, etc.)
              b. Ratified by every country
              c. 4 conventions, 2 additional protocols
                i. The US has not ratified the additional protocols, which dignify insurgent groups and give them protections similar to states
              d. Articles
                i. Article 48
                  1. Must distinguish between civilians and combatants and only attack the latter
                    a. Based on civilians maintaining their own civilian status, however
                    b. Civilians are not protected once they enter the fray
                ii. Article 4(a)
                  1. Defining combatants
                iii. Article 51
                  1. Protection of the civilian population
                  2. Indiscriminate attacks prohibited


                    a. Attacks that do not attempt to distinguish between civilians and combatants
                    b. Objective of spreading terror prohibited
                    c. Prohibits use of methods that cannot be limited to either a civilian or a military objective
                  3. Cannot use the civilian population as a shield
                  4. Art. 55(1)(b)
                    a. Collateral damage okay, allowed to cause civilian casualties, but proportionality important
                    b. Threshold: must not be excessive in relation to the concrete and direct military advantage anticipated
                iv. Article 52
                  1. General protection of civilian objects
                    a. Civilian objects shall not be the object of attack or reprisal
                    b. Presumption is that objects are not military objects
          iii. Principles
            1. States are prohibited from causing unnecessary suffering
              a. States do not have unlimited freedom of choice as to the weapons that they are allowed to use
          iv. Neutral state involvement
            1. TALLINN MANUAL: RULE 94
              a. Aggrieved party can take steps if a neutral state fails to terminate the exercise of belligerent rights in its territory
                i. Still subject to jus in bello rules
            2. Criteria/proposals for showing that a neutral state is unwilling or unable to deal with belligerents in its territory; GEOGRAPHY OF CYBER-CONFLICT (DEEKS)
              a. Prioritize cooperation and consent with the state rather than a unilateral use of force
                i. Neutral states can consent to the use of force in their territories
              b. Ask the neutral state to address the threat and give it an adequate amount of time to respond
              c. Reasonably assess the neutral state's capacity and control within the relevant region
              d. Reasonably assess the neutral state's proposed means to suppress the threat
              e. Evaluate its past interactions with the offending state
                i. Where the neutral state has failed to take action after promises to do so in the past, can factor this in
            3. Neutral states seem to get a higher level of protection than civilians
              a. Cannot engage neutral states, but cannot be expected to refrain from harming any civilians during a war
          v. Requirements
            1. Distinction


              a. Distinction in terms of whether the choice of methods would distinguish between military and civilian
              b. Distinction in choice of target
              c. States must never make civilians the object of attack; must always differentiate between civilian and military targets
              d. HAROLD KOH
                i. Principle of distinction should apply in the cyber-context
                ii. Takes the position that the US will abide by the principle of distinction whether it is customary international law or not
            2. Proportionality
              a. Whether civilian damage is excessive in relation to the military advantage anticipated
                i. Difficult application to the cyber context
                  1. Uncertainty as to effects on civilians; everything is interconnected
                  2. Difficult to determine what is "excessive"
                  3. Hard to know how much advantage is gained
                  4. What constitutes a weapon
                  5. Prevalence of dual-use networks
                  6. Attribution
                  7. When does a hacker constitute a combatant
                    a. Direct participation in hostilities is complicated as a cyber standard
                  8. Difficulty of the human shield analogy
                    a. Countries may not even know that they are doing it
            3. Precaution
              a. Should always choose the option that causes the least amount of damage to civilians, even where all options are considered proportionate
                i. Differentiation between precaution and proportionality
                  1. Proportionality
                    a. Whether the harm caused was excessive
                  2. Precaution
                    a. Whether the country took feasible measures to protect civilians
                    b. Military must choose the most protective option while still achieving their military objective
                ii. Might be proportionate to harm 100 people, but precaution means that if there are 2 options, choose the more protective one, and harm only 10
              b. Geneva Convention Article 57
                i. "Constant care" shall be taken to spare civilian populations, civilians and civilian objects
                  1. "Constant care" is undefined in international law, but it means you cannot completely disregard civilians


                ii. Should take "all feasible precautions" in the choice of means and method of attack, "workable or practicable given all of the circumstances ruling at the time"
        f. Is a cyberattack an armed attack?
          i. TALLINN MANUAL: RULE 30 – Definition of Cyberattack
            1. Does not mean an armed attack
            2. An attack that can be expected to cause harm to persons or objects
            3. Almost verbatim tracks the Geneva Convention definitions
            4. Data
              a. Does not find that data is an object, so it cannot be classified as civilian or combatant
                i. Arguments against:
                  1. Data may be more important than objects themselves
                  2. Linked to numerous objects
                  3. Data has been found to be a form of property via trade secret laws and intellectual property
                ii. While data is not an object, can constitute an attack if it affects systems and functions
          ii. Requirements for being a military object
            1. Is it a military object based on nature, location or use?
              a. Use
                i. Percentage of military use/civilian use
                  1. EX: Tech company that makes off-the-shelf software as well as military encryption software; Boeing as a military target, but strong civilian application
                ii. TALLINN MANUAL: RULE 39 – Objects used for civilian and military purposes
                  1. Cyber functions are targets when they are involved in military operations
                iii. However, dual use likely not known by civilian parties
            2. Does it make an effective contribution to military action?
            3. Will the total or partial destruction or neutralization, or capture, of data offer a definite military advantage?
          iii. Jus in bello
            1. TALLINN MANUAL: RULE 43 – Indiscriminate means or methods
              a. Prohibits use of cyberweapons that are inherently indiscriminate by nature
                i. Differentiates this from a choice of indiscriminate use by the user
            2. Jus ad bellum proportionality
              a. TALLINN MANUAL: RULE 51
                i. A cyber attack that may be expected to cause incidental loss of civilian life which would be excessive compared to the military advantage to be gained is prohibited
                  1. Principle of distinction applies; cannot target civilians
              b. Definitions of damage:


                i. Kinetic damage
                ii. Serious functionality disruptions
                iii. Any unauthorized access
                  1. Not an appropriate standard for a law of war
          iv. TALLINN MANUAL: RULE 5
            1. General duty for one state to not knowingly allow the unlawful use of its cyberinfrastructure to harm another state
            2. Cyber issues
              a. Attribution
                i. Difficult for states to know where an attack is coming from
              b. Borders are hard to police
                i. Borders are very porous/non-existent in cyberspace
              c. Speed of cyberattacks
          v. What does a state have to know before taking action?
            1. Certain attribution
            2. Actual knowledge
              a. Duty to act
              b. May give states plausible deniability
            3. Constructive knowledge
              a. Imposes knowledge on a person where they should have known
              b. Duty to monitor
                i. FOR
                  1. State itself is in the best position to know
                  2. Would not want to permit other states to look into your cyberinfrastructure
                ii. AGAINST
                  1. Enforcement difficult
                  2. States have different capabilities
                  3. Privacy concerns for citizens
                    a. Could be sanctioning a lot of intrusive government monitoring
                  4. Not a good use of resources
                iii. Does this duty apply to states through which cyber attacks are routed?
                  1. Applies to the state where the attack originates
                  2. However, where routing is fairly instantaneous, impracticable for routing states to react
                    a. Data travels in a fragmentary way
                    b. May not have the ability to prevent it
                  3. LAW OF CYBERWARFARE (SCHMITT)
                    a. Predicts that there will be a movement towards accountability of routing states
        g. Cyberwar: law by analogy
          i. International wrongful act
            1. Breach of an international legal obligation
              a. Very broad; when an act of a state does not comply with a legal obligation
              b. Exemptions
                i. Consent


                ii. Countermeasure
                iii. Force majeure
                iv. Self-defense
            2. Attributable to the state
              a. DRAFT ILC ARTICLES
                i. Article 4: Conduct of organs of a state
                  1. Regardless of position, regardless of whatever power it holds, its actions will be attributed to the state
                  2. Whether it is an organ of the state is determined by how it is organized under internal law
                ii. Article 5: Conduct of persons or entities who are not organs of the state
                  1. Attributed to the state where it is empowered by the state, provided that the person or entity was acting in that capacity
                    a. De facto organs of the state
                      i. Non-governmental organs exercising governmental authority
              b. TALLINN MANUAL: RULE 6
                i. Broader definition of state organ
                ii. Individuals acting under the instruction of a state and directly under the state's direction or control
                iii. ICJ standard: effective control (dominant standard)
                  1. U.S. V. NICARAGUA
                    a. Must prove that the US had effective control of the military operations; weapons funded by the US not sufficient
                  2. Operation-by-operation control difficult to show – high evidentiary standard
                  3. Greenlights the idea of war by proxy, so long as it is done through a third party and no instructions are given
                    a. EX: Estonia cyber-riot, Sony hack
                iv. International Criminal Tribunal for Yugoslavia: overall control
                  1. Looser definition, does not require operation-by-operation control
              c. How to determine state responsibility?
                i. Conventional
                  1. What is the relationship between the forces and the state military
                  2. Where are the weapons coming from
                ii. Cyber
                  1. Amount of control the state has over its own network
                  2. Where the international wrongful act is coming from (location)
                  3. Transfers of money to these groups by the government


                  4. How much the state knew about these operations
                  5. Governmental training programs
                    a. Are these people being trained by the government?
                  6. Any communications between the government and the attackers
                  7. Source of the code
                  8. How they are locating their targets
                    a. Are they being directed to particular targets or being matched up with vulnerabilities?
                  9. If the government authorizes hacking back, it might make the government responsible for all of the companies' subsequent actions
                    a. If the government issues a statement that it won't punish hacking back, then it might be permitting cyberwarfare by proxy
                iii. Even if the state is not responsible for the conduct, if it adopts the conduct as its own afterwards, it would be responsible
                  1. Cannot protect hackers or prevent them from being prosecuted
                iv. TALLINN MANUAL: RULE 8
                  1. Routing through a state is not sufficient to attribute an attack to that state
                v. TALLINN MANUAL: RULE 7
                  1. Launch of a cyberattack from a governmental building is not dispositive as to whether it is an act of the state, but it does indicate that the state may be associated with the operation in question
                    a. Flipped from the conventional context
            3. Sony incident as an internationally wrongful act?
              a. Yes, violation of sovereignty
                i. Placement of malware within another state's territory
                ii. Or, if the North Korean government is not responsible, failure to prevent the use of its territory to cause harm to other states
                iii. Manipulation of the cyberinfrastructure of another state
              b. An act of retorsion would be permissible
                i. Retorsion v. countermeasures
                  1. Retorsion
                    a. An act that is lawful at all times; lawful, but unfriendly
                    b. EX: Suspending foreign aid, suspending trade, banning immigration
                  2. Countermeasures


                    a. An internationally wrongful act but for a preceding violation; a response to an unlawful act
                      i. Must be taken in response to a previous international wrongful act of another state, and must be directed at that state
                      ii. Victim state must call upon the state committing the wrongful act to discontinue the wrongful act or make reparations
                      iii. Proportionality requirement
                      iv. Effects of the countermeasure must be commensurate with the injury suffered
                    b. EX: Violation of sovereignty
                    c. Was the US taking down the North Korean internet a permissible countermeasure?
                      i. Did the US suffer an international wrongful act?
                      ii. Were the actions taken against the state responsible?
                      iii. Did taking down the North Korean internet induce compliance with international law?
                      iv. Did they call upon North Korea to cease the internationally wrongful act? Or did they take urgent countermeasures?
                      v. Was their act proportionate?
                      vi. Was the act taken in a way that permits resumption of obligations?

12. CYBERSECURITY REGULATION
  a. Actors
    i. Companies
      1. May not properly value cybersecurity
        a. May not think they will be targeted
    ii. Individuals
      1. Failure to see individual incentives
    iii. Government
      1. Lacks authority
  b. Bad cybersecurity due to market failure (SINGER; FRIEDMAN)
    i. Negative externality: a bad user does not individually bear all of the cost
      1. Poor personal security may result in your computer becoming part of a botnet that can, in turn, go out and commit other acts
      2. Cost is borne by the system
  c. Levels of government regulation
    i. Government directly regulates
      1. FOR
        a. Can provide a minimum level of cybersecurity for companies that are unable to provide it for themselves
      2. AGAINST
        a. Implementing a blanket regime may be detrimental to a lot of big tech companies and the economy


        b. Government may not be properly equipped to regulate in this field
      3. Could issue
    ii. Government issuing regulations requiring companies to provide cybersecurity
      1. EU position
      2. Can spur compliance
      3. Not really any other entity to do this regulation, but better than direct governmental regulation
      4. Mitigates the externalities issue
      5. Can provide a floor for cybersecurity
      6. Can begin a trend towards greater cybersecurity
    iii. Voluntary standards
      1. Optional governmental regulations
      2. Government can develop these standards in conjunction with the industries
        a. Really expensive for companies to figure out what voluntary regulations they would wish to impose
      3. Might make companies immune to lawsuits, however, if they comply with a bare-minimum voluntary standard
      4. Obsolescence due to the speed of technological development
    iv. Do nothing
      1. A market for security will develop eventually

13. ZERO-DAY VULNERABILITIES
  a. Market for vulnerabilities
    i. Responsibilities
      1. Product creators
      2. Buyers
        a. Driving up demand
  b. Disclosure
    i. When disclosed, the software company patches up the 'hole' and the government can no longer exploit it and use it to gain information
      1. EX: If the zero-day vulnerabilities had been disclosed and fixed, Stuxnet could not have occurred
    ii. Risks of non-disclosure
      1. Does not get fixed
      2. Someone else has also discovered and is accessing the vulnerability
    iii. Government disclosure process
      1. High-level interagency discussions within the intelligence branch about whether to disclose; claims the process is biased towards responsible disclosure
      2. HEARTBLEED
        a. A vulnerability in OpenSSL which contained a backdoor through which attackers can extract information; government accused of knowing about it for a long time and not disclosing, also exploiting it
    iv. Disclosure continuum
      1. Use
      2. Stockpile
      3. Disclose


  c. Government participation in the zero-day vulnerability market
    i. Government has no choice, must stay ahead of these vulnerabilities
    ii. However, US tax dollars going to illegitimate sources
    iii. Creation of further demand
    iv. Allows some hackers to act under the color of law
  d. Important questions
    i. Whose software is the vulnerability in?
      1. Less of a duty to protect foreign citizens, less duty to disclose
    ii. Do bug bounties pre-authorize activities that hackers/security researchers conduct upon the software?
      1. Possible solutions
        a. Contract
        b. Create parameters within which authorized hackers are authorized to act
        c. Oversight
          i. Registering with the company and logging in through the company
        d. Giving of bug and code without actually exploiting it
        e. Sandbox-style play area
      2. May be used as a way to get out of CFAA liability
  e. CURBING THE MARKET OF CYBERWEAPONS (STOCKTON)
    i. 3 proposals
      1. Incentivize companies to make better products
      2. Export controls
        a. What products and information can leave the US
        b. Potential multi-country export restriction
        c. However, if the conduct is outside of US jurisdiction to begin with, no effect
      3. Amend the CFAA with due diligence requirements for sellers
        a. Imposition of a duty on sellers of vulnerability information to sell only to good buyers

14. DETERRENCE
  a. Making perpetrators of an attack decide not to go through with the attack
    i. Due to retaliation or fear of consequences (FOCUS)
      1. Partially a function of perception; it works by convincing a potential adversary that it will suffer unacceptable costs if it conducts an attack
    ii. Not worthwhile for them to attack because it won't succeed
  b. Issues with cyber deterrence
    i. Attribution
    ii. Inability to properly signal
      1. Letting other states know your capabilities may lead to issues
    iii. Timing
    iv. DEPARTMENT OF DEFENSE deterrence strategies
      1. Military retaliation
        a. Hacking back
      2. Improving the defenses of systems and networks
        a. Invulnerability
      3. Improving resilience to attack
      4. Interdependence of networks
      5. Attribution


      6. Criminal law
        a. Extradition issues
        b. Different national definitions of cybercrime
      7. Invisibility
        a. Labyrinth
      8. Economic sanctions
        a. Targeting both perpetrators and the people who benefit from the cybercrime
        b. Slow-moving
        c. Interdependence may result in economic sanctions having a blowback effect on one's own nation's economy
      9. Diplomatic responses
      10. Declaratory policies
        a. Statements of how the US will respond in the event of an attack
          i. Can be a statement indicating that there will be a response without specifying what it will be
      11. Collective defense
        a. Helping other countries bridge the digital divide