Defining Cybersecurity Law
In “Defining Cybersecurity Law”, by Jeff Kosseff, the author appears to be more concerned with improving cybersecurity law than he is with defining it. In this paper, I will give a brief summary and critique of the four substantive sections of this article. I will end with a brief mention of aspects of cybersecurity law that the author missed. My main issues with this article are the author’s (1) preoccupation with prevention of cybersecurity breaches instead of balancing security against values, (2) definition of cybersecurity law is overly aspirational and over-inclusive, (3) underplaying of the the role of litigation penalties and mitigation of harms from cybersecurity breaches and (4) failure to address potential downsides of intervention and technological architecture. U.S.
Kosseff begins the substantive sections of his article with a case study on the 2014 Sony Hack. He uses the massive hack to illustrate the threats, harms, and challenges of modern cybersecurity. He details the process by which the bad actors were able to infiltrate Sony, the various people and organizations harmed, the legal fallout, and the national security implications. The discussion of this large-scale hack and its effects shows why cybersecurity is a topic worthy of concern. The author focuses on the various incentives faced by Sony for and against improving their cybersecurity, the large monetary and intangible damages, the wide-ranging stakeholders that were harmed, and some of the difficulties for various victims to respond to these kinds of attacks. This large scale attack is useful to frame a discussion Cybersecurity challenges, but it doesn’t cover all the challenges. It’s missing balance. It could have benefited with a larger discussion of other types of smaller, more common threats and a larger discussion about the difficulties of stopping cybersecurity threats with the law. In many ways cybersecurity law is like criminal law or laws dealing with national security. The law must always balance competing concerns and values. For example, there is a need to balance values like security, safety, and preventing harm with values like privacy, freedom, and economic efficiency. The legal response to the September 11th attacks was widely criticized for overzealous and ineffective measures. That discussion should also address the risks and harms of the measures used to prevent or stop terrorist attacks. An attempt to remove all risks of terror attacks could plausibly result in a tyrannical or overbearing police presence or a substantial slowdown of economic growth and innovation.
DEFINING CYBERSECURITY LAW
In this section Kosseff begins provides a definition for cybersecurity law and his reasoning for this definition. His process to get to a definition was going through simple questions: (1) what are we securing? (2) Where and whom are we securing? (3) How are we securing?, (4) When are we securing? And, (5) why are we securing? The definition of cybersecurity law he gives is as follows: “…a legal framework that promotes the confidentiality, integrity, and availability of public and private information, systems, and networks, through the use of forward-looking regulations and incentives, with the goal of protecting individual rights and privacy, economic interests, and national security.” One of the positive aspects of this definition is that it expands the common conception of cybersecurity law to more than just securing the confidentiality of information. By including integrity and availability and systems and networks in what cybersecurity is securing, the expanded definition can apply to laws about things like DDOS attacks and various kinds of fraudulent electronic information. However, apart from this increased applicability, this definition suffers from being overly general and overly aspirational. A definition should explain or describe what something is and how it functions. Mixing aspirational language into a definition of a general term leads to logical issues. Kosseff’s definition of cybersecurity includes words like “promotes”, and “with the goal of”. These words show that Kosseff is using the term as a stand-in for a particular view on what cybersecurity law should be, as opposed to simply describing what cybersecurity law is and what it pertains to. Further, he includes in his definition “through the use of forward-looking regulations”. Including the value-laden language in the definition makes the term objectionable for anyone who disagrees with those values. And further, defining cybersecurity law this way leads to absurdity. Later on this paper, the author describes the current cybersecurity law framework as being backward looking. Because his definition of cybersecurity law is that it’s “forward-looking” the current US cybersecurity laws he describes are not cybersecurity law. Another issue with this definition is that it is overly broad. Kosseff never qualifies any part of the definition so that it has to relate to computers, the internet, or even electronics. According to this definition, laws ensuring the availability of physical paper books in a public library would be a form of cybersecurity law. If accepted generally, the aspirational language and over-applicability of this definition would make the “cybersecurity law” less clear and less useful for legal professionals seeking understanding and guidance in this area of the law.
ASSESSMENT OF CURRENT U.S. CYBERSECURITY LAW
I saw the assessment of laws relating to cybersecurity in the United States in section 4 as the most useful part of this article. The summary of cybersecurity laws helps simplify the disparate legal processes and makes it easier for readers to determine what sort of cybersecurity issues are covered and neglected. The author focuses on six categories of laws associated with cybersecurity (1) data security statutes (2) data breach notification statutes (3) data security litigation (4) computer hacking laws (5) electronic surveillance laws and (6) the Cybersecurity Act of 2015. Kosseff then goes on to say how these current laws measure up to his definition. Here, I took issue with his assessment of data breach notification statutes, his dismissal of data security litigation and penalties, and the lack of an argument for why cybersecurity act will actually improve cybersecurity. Data Breach Notification As noted in Section II, this author is very concerned with the prevention of large-scale future attacks. You can see the author’s impulse to over-value security again in the subsection on Data Breach Notification statutes. The author briefly mentions some of the positives of mandatory notification but treats these laws mostly dismissively. “To the extent that data breach-notification laws serve a useful purpose, it is unclear whether they actually prevent data breaches from occurring in the future.” Notable here is that he focuses on the extent to which data breach notification prevent data breaches. It’s notable because that isn’t the primary purpose of data breach notification. The purpose of these laws is to give individuals or businesses time and information so that they can take steps to protect themselves. The author minimizes notification as a method for improving cybersecurity again later on the article, “If any of the laws require notice, the companies then must carefully draft a notice to each consumer to ensure that they meet each state’s procedural requirements. In the meantime, the companies are not devoting these resources to fixing the vulnerability that caused the breach in the first place, or preventing future attacks.” This again shows the author’s lack of regard for mitigation as a tool for improving cybersecurity. Data Security Litigation Kosseff continually stresses that cybersecurity law should be more forward-looking. He says this for two reasons. First, “… for some companies, regulatory and litigation penalties alone will not deter bad behavior”. And second, “A regulatory model based on coercion and deterrence assumes robust government oversight through extensive government monitoring and inspections coupled with penalties for observed violations”. I disagree with both contentions. The first contention, that litigation penalties alone will not deter bad behavior, is incorrect because it assumes the current level of penalties couldn’t be raised to a higher level. Congress could grant further causes of action or add punitive damages to add to litigation penalties. It’s generally accepted that businesses will put in preventative measures as soon as predicted penalties outweigh the costs of implementing security measures. The second contention regarding penalties and deterrence, that a reliance on these methods would require onerous government oversight and monitoring, is also incorrect. For example, Medical malpractice suits are a deterrent for doctors to make avoidable mistakes. Doctors need to prevent avoidable mistakes to avoid catastrophic fines, and costly insurance premiums and deductibles so they don’t go out of business. This process is backward-looking, it is a deterrent, and it does not require large intrusive government agency conducting oversight and inspections. Cybersecurity Act The arguments in favor of the cybersecurity act are not well supported in this piece. The author likes the act because it allows for cooperation between private entities in the government but does not explain why that cooperation will necessarily lead to positive results and better cybersecurity. According to the author, the Cybersecurity act does a few useful things. It allows; (1) monitoring information systems for cybersecurity purposes (2) “defensive measures for cybersecurity purposes; and (3) sharing of information about cyber threat indicators or defensive measures with other private entities or the federal government. Presumably, this makes cybersecurity more robust. However, it’s not clear that business and government aims are actually always in line with policies that improve cybersecurity. Governments would like to have more control and more ability to investigate crimes. They generally want control. Corporations want more information about customers to sell them ads and or direct their behavior through marketing. Both of these goals are often going to be aligned against strong cybersecurity. In the case of governments, they have been criticized by internet activists and organizations like the EFF for seeking to create backdoors to circumvent encryption. The ability to encrypt messages is crucial to sending secure messages for human rights activists, journalists, protecting trade secrets, protecting user data, etc. etc. The problem with the government backdoor for encryption is that a backdoor for the government will also be accessible by a bad actor, thus weakening security. In the case of private companies, saving vast amounts of unnecessary user data for use in their business model creates a valuable resource and incentive for bad actors to try and access. Another example is businesses pushing sensitive data to the cloud. It may be good for the business to streamline some service and market it a certain way even though that service is creating unnecessary cybersecurity risks. The author briefly brings up part of my concern: “this open-ended communication can pose problems. Despite requirements for private entities to take steps to remove personal information before sharing cyber-threat indicators, critics attacked the statute for potentially immunizing companies that violate individuals’ privacy rights while not necessarily helping companies improve their cybersecurity.” According to the author “the cybersecurity act may encourage companies to improve their cybersecurity to prevent data breaches (and therefore promote individual privacy), the Cybersecurity act also helps to address threats to companies business operations (by allowing the sharing of information about DDOS attacks) and to national security (by allowing companies and the government to more agilely cooperate and identify emerging threats). While it may be true that sharing some of this data may be good for preventing things like DDOS attacks. It’s unclear that these positives of cooperation outweigh the risks.
GAPS IN CYBERSECURITY LAW
In the final section, Kosseff points out the major gaps he sees in Cybersecurity law. He points to four areas: (1) integrity and availability, (2) economic interests and national security, (3) cooperative laws, and (4) forward-looking laws. These subjects are all aspects of this article he has been focused on throughout Kosseff’s article and has all been mentioned in this paper. I will briefly revisit them in turn. First, I agree with Kosseff’s conclusion that integrity and availability are currently not adequately addressed in Cybersecurity law. As discussed in the definition section, the law should take steps forward in these areas to prevent cybersecurity threats like DDOS attacks. Second, throughout the article, the author has stressed the importance of preventing the harms caused by major cybersecurity attacks. I agree with the author in part that more could be done to protect national security and economic interests from cybersecurity threats. However, these measures need to be balanced against other values. Third, the author believes that government and business cooperation will improve cybersecurity. “Cooperation is particularly important for cybersecurity law, as compared to other business laws because company’s goals often but not always are aligned with those of the government.” As outlined in the previous section, I don’t think the author properly addresses the moral hazards involved with this type of cooperation. And last, the author feels that forward-looking laws are missing and necessary in a cybersecurity legal framework. I think many of the things the author thinks can only be done through tax incentives can be done equally well with civil litigation and administrative penalties if the monetary damages from substandard cybersecurity are high enough.
WHAT THIS ARTICLE DOES NOT ADDRESS
There are many aspects of cybersecurity that can be improved or weakened through computer and code architecture. When computers or networks are set up in certain ways, certain kinds of cybersecurity threats become non-existent. A few examples are open source code, blockchain technology, and encryption. Sometimes these solutions may close some threats and open others, but in general, there are lots of ways individuals protect their security without the need for legislation. In open-source code, IT professionals and amateurs are all able to go through the code. They can all find vulnerabilities, fix them, and disseminate solutions within a community. Linux operating systems are a great example. They are notorious for security because of a decentralized and open approach. Another example of architecture creating security is the bitcoin blockchain. Again it’s decentralized and open in the sense that all transactions can be viewed on the public ledger. Another way Architecture is relevant would be in compartmentalizing electronic information and infrastructure. Whereas a top-down approach creates on large vulnerability at the top that might bring down the whole internet, a bottom-up compartmentalized decentralized approach might result in systems that are more resilient and less lucrative for hackers. In conclusion, I felt this article was informative but also that it was too concerned with preventing all hacks from happening from a sort of military perspective as opposed to a design or a public planning perspective. Because of this, the article closed itself off from deeper conceptions of architecture, mitigation, and balance.