Defining Cybersecurity Law

Updated: Aug 21, 2023
In “Defining Cybersecurity Law,” Jeff Kosseff, the author, appears to be more concerned with improving cybersecurity law than defining it. In this paper, I will provide a brief summary and critique of the four substantive sections of this article. I will conclude with a mention of the aspects of cybersecurity law the author missed. My main issues with this article are the author’s (1) preoccupation with the prevention of cybersecurity breaches instead of balancing security against values, (2) definition of cybersecurity law, which is overly aspirational and over-inclusive, (3) underplaying of the role of litigation penalties and mitigation of harms from cybersecurity breaches, and (4) failure to address potential downsides of intervention and technological architecture.


Kosseff begins the substantive sections of his article with a case study on the 2014 Sony Hack. He uses the massive hack to illustrate the threats, harms, and challenges of modern cybersecurity. He details the process by which the bad actors were able to infiltrate Sony, the various people and organizations harmed, the legal fallout, and the national security implications. The discussion of this large-scale hack and its effects shows why cybersecurity is a topic worthy of concern. The author focuses on the various incentives faced by Sony, both for and against improving its cybersecurity; the large monetary and intangible damages; the wide-ranging stakeholders that were harmed; and some of the difficulties victims face in responding to these kinds of attacks. This large-scale attack is useful for framing the discussion of cybersecurity challenges, but it does not cover all of them. The discussion lacks balance: it could have benefited from a larger treatment of other types of smaller, more common threats, and from a more extensive discourse about the difficulties of stopping cybersecurity threats with the law. In many ways, cybersecurity law is like criminal law or laws dealing with national security. The law must always balance competing concerns and values. For example, there is a need to balance values like security, safety, and preventing harm against values like privacy, freedom, and economic efficiency. The legal response to the September 11th attacks was widely criticized for overzealous and ineffective measures. A discussion of cybersecurity challenges should likewise address the risks and harms of the measures used to prevent or stop attacks. An attempt to remove all risk of terror attacks could plausibly result in a tyrannical or overbearing police presence, or a substantial slowdown of economic growth and innovation.


In this section, Kosseff provides a definition of cybersecurity law and his reasoning for it. His process for arriving at a definition was to work through simple questions: (1) What are we securing? (2) Where and whom are we securing? (3) How are we securing? (4) When are we securing? And (5) Why are we securing? The definition of cybersecurity law he gives is as follows: “…a legal framework that promotes the confidentiality, integrity, and availability of public and private information, systems, and networks, through the use of forward-looking regulations and incentives, with the goal of protecting individual rights and privacy, economic interests, and national security.” One of the positive aspects of this definition is that it expands the common conception of cybersecurity law beyond securing the confidentiality of information. By including integrity, availability, systems, and networks in what cybersecurity is securing, the expanded definition can apply to laws about things like DDoS attacks and various kinds of fraudulent electronic information. However, apart from this increased applicability, the definition suffers from being overly general and overly aspirational. A definition should explain or describe what something is and how it functions. Mixing aspirational language into the definition of a general term leads to logical issues. Kosseff’s definition of cybersecurity law includes words like “promotes” and “with the goal of.” These words show that Kosseff is using the term as a stand-in for a particular view of what cybersecurity law should be, as opposed to simply describing what cybersecurity law is and what it pertains to. Further, he includes in his definition “through the use of forward-looking regulations.” Including this value-laden language in the definition makes the term objectionable to anyone who disagrees with those values. Moreover, defining cybersecurity law this way leads to absurdity.
Later in his article, the author describes the current cybersecurity law framework as backward-looking. Because his definition of cybersecurity law insists it is “forward-looking,” the current US cybersecurity laws he describes do not qualify as cybersecurity law. Another issue with this definition is that it is overly broad. Kosseff never qualifies any part of the definition, so nothing in it requires that the law relate to computers, the internet, or even electronics. According to this definition, laws ensuring the availability of physical paper books in a public library could constitute a form of cybersecurity law. If accepted generally, the aspirational language and over-applicability of this definition would make the term “cybersecurity law” less clear and less useful for legal professionals seeking understanding and guidance in this area of law.


I saw the assessment of laws relating to cybersecurity in the United States in section 4 as the most useful part of this article. The summary of cybersecurity laws helps simplify the disparate legal processes and makes it easier for readers to determine what sort of cybersecurity issues are covered and neglected. The author focuses on six categories of laws associated with cybersecurity: (1) data security statutes, (2) data breach notification statutes, (3) data security litigation, (4) computer hacking laws, (5) electronic surveillance laws, and (6) the Cybersecurity Act of 2015. Kosseff then goes on to say how these current laws measure up to his definition. Here, I took issue with his assessment of data breach notification statutes, his dismissal of data security litigation and penalties, and the lack of an argument for why the cybersecurity act will actually improve cybersecurity.

Data Breach Notification:

As noted in Section II, this author is very concerned with the prevention of large-scale future attacks. The author’s impulse to over-value prevention appears again in the subsection on data breach notification statutes. The author briefly mentions some of the positives of mandatory notification but treats these laws mostly dismissively: “To the extent that data breach-notification laws serve a useful purpose, it is unclear whether they actually prevent data breaches from occurring in the future.” Notable here is that he judges data breach notification by the extent to which it prevents data breaches, which is not the primary purpose of notification. The purpose of these laws is to give individuals or businesses the time and information they need to take steps to protect themselves. The author minimizes notification as a method for improving cybersecurity again later in the article: “If any of the laws require notice, the companies then must carefully draft a notice to each consumer to ensure that they meet each state’s procedural requirements. In the meantime, the companies are not devoting these resources to fixing the vulnerability that caused the breach in the first place, or preventing future attacks.” This again shows the author’s lack of regard for mitigation as a tool for improving cybersecurity.

Data Security Litigation:

Kosseff continually stresses that cybersecurity law should be more forward-looking. He gives two reasons. First, “…for some companies, regulatory and litigation penalties alone will not deter bad behavior.” And second, “A regulatory model based on coercion and deterrence assumes robust government oversight through extensive government monitoring and inspections coupled with penalties for observed violations.” I disagree with both contentions. The first contention, that litigation penalties alone will not deter bad behavior, is incorrect because it assumes the current level of penalties could not be raised. Congress could grant further causes of action or add punitive damages to increase litigation penalties. It is generally accepted that businesses will put preventative measures in place as soon as the predicted penalties outweigh the costs of implementing security measures. The second contention, that reliance on penalties and deterrence would require onerous government oversight and monitoring, is also incorrect. For example, medical malpractice suits deter doctors from making mistakes. Doctors need to prevent avoidable mistakes to avoid catastrophic fines, costly insurance premiums, and deductibles, so that they do not go out of business. This process is backward-looking, it is a deterrent, and it does not require a large, intrusive government agency conducting oversight and inspections.

Cybersecurity Act:

The arguments in favor of the Cybersecurity Act are not well supported in this piece. The author likes the act because it allows for cooperation between private entities and the government but does not explain why that cooperation will necessarily lead to positive results and better cybersecurity.

According to the author, the Cybersecurity Act does a few useful things. It allows: (1) monitoring of information systems for cybersecurity purposes, (2) “defensive measures for cybersecurity purposes,” and (3) sharing of information about cyber threat indicators or defensive measures with other private entities or the federal government. Presumably, this makes cybersecurity more robust. However, it is not clear that business and government aims are always in line with policies that improve cybersecurity.

Governments would like more control and more ability to investigate crimes. Corporations want more information about customers so they can sell them ads and direct their behavior through marketing. Both of these goals often cut against strong cybersecurity.

In the case of governments, they have been criticized by internet activists and organizations like the EFF for seeking to create backdoors to circumvent encryption. The ability to encrypt messages is crucial for human rights activists and journalists sending secure messages, for protecting trade secrets and user data, and for many other purposes. The problem with a government backdoor for encryption is that a backdoor built for the government can also be found and used by a bad actor, thus weakening security for everyone.

In the case of private companies, retaining vast amounts of unnecessary user data for use in their business model creates a valuable resource that bad actors have an incentive to try to access. Another example is businesses pushing sensitive data to the cloud. It may be good for the business to streamline some service and market it a certain way, even though that service creates unnecessary cybersecurity risks.

The author briefly brings up an aspect of my concern: “This open-ended communication can pose problems. Despite requirements for private entities to take steps to remove personal information before sharing cyber-threat indicators, critics attacked the statute for potentially immunizing companies that violate individuals’ privacy rights while not necessarily helping companies improve their cybersecurity.”

According to the author, “the Cybersecurity Act may encourage companies to improve their cybersecurity to prevent data breaches and therefore promote individual privacy. The Cybersecurity Act also helps to address threats to companies’ business operations by allowing the sharing of information about DDOS attacks, and to national security by allowing companies and the government to more agilely cooperate and identify emerging threats.” While it may be true that sharing some of this data is good for preventing things like DDoS attacks, it is unclear whether these positives of cooperation outweigh the risks.


In the final section, Kosseff points out the major gaps he sees in cybersecurity law. He points to four areas: (1) integrity and availability, (2) economic interests and national security, (3) cooperative laws, and (4) forward-looking laws. These subjects are all aspects he has focused on throughout the article. I will briefly revisit them in turn. First, I agree with Kosseff’s conclusion that integrity and availability are currently not adequately addressed in cybersecurity law. As discussed in the definition section, the law should take steps forward in these areas to prevent cybersecurity threats like DDoS attacks. Second, throughout the article, the author has stressed the importance of preventing the harms caused by major cybersecurity attacks. I agree, in part, that more could be done to protect national security and economic interests from cybersecurity threats. However, these measures need to be balanced against other values. Third, the author believes that government and business cooperation will improve cybersecurity. “Cooperation is particularly important for cybersecurity law, as compared to other business laws because companies’ goals often but not always are aligned with those of the government.” As outlined in the previous section, I don’t think the author properly addresses the moral hazards involved with this type of cooperation. And last, the author feels that forward-looking laws are missing from, and necessary to, a cybersecurity legal framework. I think many of the things the author thinks can only be done through tax incentives can be done equally well with civil litigation and administrative penalties, if the monetary damages from substandard cybersecurity are high enough.


There are many aspects of cybersecurity that can be improved or weakened through computer and code architecture. When computers or networks are set up in certain ways, specific types of cybersecurity threats are eliminated. Open source code, blockchain technology, and encryption are a few examples. Although these solutions may close some threats and open others, in general there are numerous ways individuals can protect their security without the need for legislation. With open-source code, both IT professionals and amateurs can go through the code, uncover vulnerabilities, fix them, and disseminate solutions within a community. Linux operating systems are an excellent example of this. They are renowned for their security due to a decentralized and open approach. Another instance of architecture enhancing security is the Bitcoin blockchain. It is decentralized and open in the sense that all transactions can be viewed on the public ledger. One more relevant aspect of architecture is the compartmentalizing of electronic information and infrastructure. Unlike a top-down approach, which creates a large vulnerability at the top that could potentially bring down the whole internet, a bottom-up, compartmentalized, decentralized approach may result in systems that are more resilient and less appealing to hackers. In conclusion, while I found this article informative, I felt it was overly concerned with preventing all hacks from happening from a military perspective, as opposed to a design or public planning perspective. Because of this, the article cut itself off from deeper conceptions of architecture, mitigation, and balance.

Defining Cybersecurity Law. (2019, Feb 25). Retrieved from